Basel Committee Final standard on the prudential treatment of banks cryptoassets
19 January 2023
19 January 2023
The Basel Committee on Banking Supervision (the Committee) has now published its finalised standard (the Standard) on the prudential treatment of banks' exposures to cryptoassets, taking into account stakeholder feedback to its initial proposals in the June 2021 consultation (see Ashurst briefing here), and the second public consultation in June 2022 (see the Ashurst briefing here).
The Standard has been endorsed by the Committee's oversight body, the Group of Governors and Heads of Supervision, and is to be implemented by 1 January 2025. It will be incorporated into the Basel Framework as a new chapter, titled 'SCO60: Cryptoasset exposures'.
The final classification system remains largely unamended from the previous consultations, now with further refinements to the eligibility criteria for the different cryptoasset groups. The final structure is as follows:
Group 1 assets must fully satisfy a set of rigorous Classification Conditions and are subject to at least equivalent capital requirements based on the risk weights of underlying exposures, as set out in the existing Basel Framework. Group 1 is further sub-categorised into:
These include tokenised traditional assets, which are generally to be treated like their traditional counterparts (subject to a potential add-on for infrastructure risk detailed below, which is now only to be applied on a discretionary basis).
The Committee's stance that only Group 1a cryptoasset are eligible for recognition as collateral for risk mitigation purposes remains unchanged.
These are cryptoassets with effective stabilisation mechanisms (stablecoins). Group 1b assets are subject to a 'redemption risk assessment' and a 'supervision/regulation requirement' providing that only stablecoins issued by supervised and regulated entities are eligible for inclusion.
The Committee has now removed the 'basis risk test' previously proposed, but has indicated a willingness to identify another statistical test that can reliably identify low-risk stablecoins. Such a test, if found, may be included ad hoc as an additional requirement to the existing tests.
While the Standard does not recognise Group 1b cryptoassets as collateral for capital requirements purposes, the Committee intends to monitor this decision for potential future revision.
The Committee's stance on permissionless blockchains has been maintained, such that digital assets underpinned by public, permissionless, blockchain networks cannot be eligible for Group 1. However, it will continually assess whether the perceived risks of permissionless blockchains can be sufficiently mitigated for their inclusion in the future.
Algorithm-based stablecoins or those stablecoins that use automated protocols to maintain their value are expressly excluded from Group 1.
This encompasses all tokenised traditional assets and stablecoins which fail to satisfy the Group 1 criteria, as well as unbacked cryptoassets. They are accordingly regarded as higher risk and subject to more conservative prudential treatment.
In response to stakeholder feedback, the Committee now recognises the risk-reduction effect of hedging transactions for certain Group 2 cryptoassets. As proposed in the previous consultation, Group 2 is now sub-divided based on a set of hedging recognition criteria such that:
Banks' exposures to Group 2 cryptoassets should generally not exceed 1% of their Tier 1 capital and any such increase will result in Group 2b capital treatment applying to the amount by which the limit is exceeded. Where exposure reaches 2%, all Group 2 exposures will be subject to Group 2b capital treatment.
In the second consultation, the Committee proposed a surcharge to encompass any unforeseen risks that may arise with the technological infrastructure of cryptoassets, given its relative nascency. It was initially proposed to increase total credit risk-weighted assets (RWA) by 2.5% of the exposure value for exposures in the banking book, and to increase total market RWA by 2.5% of the exposure value for exposures in the trading book.
The Committee has now taken the welcome approach of giving authorities discretion to apply this add-on based on any observed weaknesses as they arise, rather than mandating them to do so ex ante.
The Committee initially set out two tests for Group 1b cryptoassets, including:
The Committee has now removed the basis risk assessment, instead requiring, in addition to the redemption risk test, that only stablecoins issued by supervised and regulated entities with robust redemption rights and governance are eligible for inclusion in the category.
The Committee's initial proposal regarding banks' exposure limits to Group 2 cryptoassets has largely been adopted, with minor tweaks providing that:
The requirement for banks to seek prior supervisory approval when determining the classification of their cryptoassets has been removed. Instead, banks must notify supervisory authorities of the classification decisions made, with the potential that authorities can override such determinations where they disagree. Again, a welcome amendment which will remove unnecessary administrative burden.
Finally, the Committee has clarified which standards are applicable to custodial services provided by banks, noting the concern that otherwise the standards would require credit, market and liquidity risk assessments to customer assets where banks are acting as custodian.
The finalisation of the Standard is a welcome incremental step in global preparedness to accommodate the expected scaled transformation in financial markets underpinned by distributed ledger technology (DLT). The revisions made to the version of the Standard set out in previous consultations are welcome and signal a receptiveness from the Committee to the stakeholder need for flexibility and discretion, rather than the imposition of rigid standards prior to any risks materialising.
Although the Committee continues to display a very conservative approach to the risks that could emanate from cryptoassets and the risk of conflation between so-called 'native' assets, such as Bitcoin, and traditional assets taking tokenised form, the Standard more closely aligns with the market consensus that the nascency of DLT and similar technologies does not necessarily require a highly conservative approach, particularly given that some cryptoassets (such as those in Group 1a) are highly liquid and readily accepted in the market. Accordingly, such cryptoassets are to be rightfully treated in the same way as their conventional counterparts.
The Committee remains anxious and bearish on the utility of public blockchain networks from both supervisory control and financial crime perspectives. Whilst we believe most of these concerns are resulting from a misconception, this will focus banks' minds on instituting most cryptoassets projects based on permissioned/private blockchain networks which inevitably limits the 'true' disintermediation of the network in favour of a more governable construct.
Banks are encouraged and incentivised to innovate and experiment with stablecoins though there are important questions of policy, particularly from a financial crime perspective, that will impact whether and how fast these products can successfully emerge.
It remains to be seen how the main financial centres around the globe react to the Standard given that the Standard constitutes minimum requirements and it is within the gift of domestic authorities to 'gold plate' the Standard – this is particularly so following recent failures of intermediaries in the native cryptoassets space and in light of negative sentiment expressed by regulators and policymakers worldwide.
Whilst the Standard remains unadopted until 2025, it will de facto dictate the global regulatory approach to the prudential treatment of cryptoassets and, as such, must form an influential source for banks' policies and risk appetite decisions on an ongoing basis. With this in mind, we consider the following aspects of the Standard to be particularly noteworthy:
Whichever form of settlement finality is utilised by issuers of cryptoassets, settlement finality in cryptoasset arrangements must be properly documented so that it is clear when key financial risks are transferred from one party to another, including the point at which transactions are irrevocable. Such documentation must be publicly disclosed by the issuer and if the offering of the cryptoasset to the public has been approved by the relevant regulator on the basis of this public disclosure, the requirement will be considered fulfilled. If not, an independent legal opinion would be needed to confirm that the requirement has been met.
This is one of two contexts under the Standard where it will be necessary to obtain legal opinions (see the Minimum capital requirements for credit risk for Group 1b cryptoassets section below for the second context). The need for legal opinions in these scenarios will require new practices to emerge, including the means of determining which party should provide such opinions and in what format.
The breadth of this requirement demonstrates the Committee's expectation that infrastructure which is implemented to accommodate cryptoassets must be developed in a comprehensive and robust way that is comparable to a traditional securities settlement system.
Classification Condition 4 will effectively serve as a guideline for issuers in seeking to achieve the eligibility conditions for Group 1a and Group 1b and will likely require a significant amount of work to be undertaken in order to ensure that each of the individual requirements of Classification Condition 4 is appropriately satisfied.
(i) In respect of cryptoassets to which a bank is already exposed on 1 January 2025 (i.e. the implementation date of the Standard), the bank must inform their supervisor of the classification decisions they have reached for each cryptoasset and this information should ideally be sent well in advance of 1 January 2025 (but, if this is not possible, it must be sent as soon as practical after 1 January 2025 but with sufficient time for the supervisor to review and, if necessary, override the classification decision prior to the bank's first set of Pillar 3 disclosures after 1 January 2025).
(ii) In respect of cryptoassets that a bank may wish to acquire after 1 January 2025, the bank must inform their supervisor of the classification decisions in advance of any acquisition of cryptoassets and this advance notice must occur with sufficient time for the supervisor to review and, if necessary, override the classification decision reached prior to the bank’s acquisition of the cryptoasset.
Although the Standard will not be applicable until 1 January 2025, banks should consider implementing internal procedures that address each of the requirements above immediately so that they are sufficiently prepared for when the Standard comes into effect, especially due to point (i) above.
A specific example is provided in the Standard to illustrate this: a tokenised asset may have different market liquidity characteristics than the traditional (non-tokenised) asset. This could arise because the pool of potential investors that are able to hold tokenised assets might be different to non-tokenised assets. The Committee appears to be concluding that there could be a more pronounced relationship between liquidity risk and credit risk in respect of tokenised assets than is the case with non-tokenised assets, again emphasising the conservative approach the Committee is taking. Banks should therefore be aware that it may be necessary to approach the assessment of tokenised assets in a more nuanced way than is required for non-tokenised assets.
(i) the underlying reserve assets are held in a bankruptcy remote special purpose vehicle (SPV) on behalf of the holders of cryptoassets who have direct claims on the underlying reserve asset(s).
(ii) the bank has obtained an independent legal opinion for all laws relevant to involved parties, including the redeemer, the SPV and custodian, affirming that relevant courts would recognise underlying assets held in a bankruptcy remote manner as those of the cryptoasset holder.
As mentioned above, the need for legal opinions will require new practices to emerge, including the means of determining which party should provide such opinions and in what format. The requirement for a legal opinion in this context is likely to be particularly onerous given the requirement for the legal opinion to cover "all laws relevant to involved parties".
The Committee continues to explain that, in general, exposures involving Group 1a cryptoassets and cryptoliabilities must be treated the same as exposures involving their equivalent non-tokenised traditional assets and liabilities, including the assignment of inflows, outflows, RSF factors and ASF factors. The LCR and NSFR treatment of exposures involving cryptoassets and cryptoliabilities varies according to whether they are: (i) tokenised claims on a bank; (ii) stablecoins; or (iii) other cryptoassets.
The Committee explains that Group 1a tokenised claims on a bank must be treated as an unsecured funding instrument when they: (i) are issued by a regulated and supervised bank; (ii) represent a legally binding claim on the bank; (iii) are redeemable in fiat currency at par value; and (iv) have a stable value supported by the creditworthiness and asset-liability profile of the issuing bank rather than a segregated pool of assets. The treatment as an unsecured funding instrument is subject to certain considerations including, in respect of liabilities from own-issued tokenised claims on a bank that:
(i) To the extent the issuing bank can identify, at all times, the holder of the cryptoasset, the bank must apply the applicable outflow rate and ASF factor based on the counterparty classification of the funds provider. However, the issuing bank must not treat the liabilities associated with their cryptoassets as stable retail deposits. If the issuing bank is unable to identify, at all times, the holder of the cryptoasset, it must treat the liability as unsecured wholesale funding provided by other legal entity customers.
(ii) Tokenised claims on a bank that are used primarily as a means of payment and created as part of an operational relationship between the issuing bank and its wholesale customers must follow the categorisation methodology in the LCR framework.
Certain aspects of this section of the Standard are surprising to us. Firstly, from an anti-money laundering and counterparty relationship perspective it is unlikely that a bank would not know the identity of the holder of the cryptoasset. Secondly, we take the reference to "tokenised claims on a bank" to effectively mean a "tokenised deposit" in which case the Committee appears to be attributing less favourable liquidity treatment to a (DLT-based) tokenised claim on a bank relative to a claim on a bank which is via a traditional digital channel (i.e not DLT or a similar technology) even though they are, in substance, the same.
A specific example of a Group 1a cryptoasset is provided in the Standard to illustrate this: a tokenised bond that meets the HQLA eligibility criteria and temporarily resides on a distributed ledger to facilitate transfer. However, it is not clear if there is any specific significance being attached to an asset "temporarily" residing on a distributed ledger (as opposed to an asset "permanently" residing on a distributed ledger). Notwithstanding the use of "temporarily" in this example, the example provides support for the position that Group 1a cryptoassets residing on a distributed ledger are capable of satisfying the characteristics of HQLA.
Banks must notify their supervisory authorities of their policies and procedures, assessment results and their actual and planned cryptoasset exposures or activities in a timely manner and to demonstrate that they have fully assessed the permissibility of such activities and the associated risks and identify how they have mitigated such risks.
Risks that banks need to consider in their risk management of cryptoasset activities includes, but are not limited to, the following:
1. Cryptoasset technology risk: including: stability of the DLT (or similar technology) network; validating design of the DLT (permissionless or permissioned); service accessibility; trustworthiness of node operators and operator diversity.
2. General information, communication and technology (ICT) and cyber risks: in particular, the additional ICT and cyber risks that a bank holding cryptoassets may be exposed to (e.g. cryptographic key theft).
3. Legal risks: including: accounting; taking control/ownership; disclosure and consumer protection; uncertain legal status.
4. Money laundering and financing of terrorism: where banks provide services to Virtual Asset Service Providers (VASP), or to customers involved in Virtual Asset activities, or through engaging in VASP activities themselves, banks need to apply the risk-based approach set out by the Financial Action Task Force for the purposes of AML and CFT.
5. Valuation: this risk needs to be considered due to the fact that many cryptoassets pose valuation challenges (due to, for example, their volatility and variable pricing on different exchanges, especially as most cryptoassets are traded on unregulated marketplaces). Such challenges can result in losses for banks in a variety of contexts tied to mispricing due to inadequate operational processes.
1. business activities related to cryptoassets and how these translate into components of the risk profile of the bank;
2. risk management policies related to cryptoasset exposures;
3. the scope and main content of the bank’s reporting related to cryptoassets; and
4. the most significant current and emerging risks relating to cryptoassets and how such risks are managed.
In accordance with the general guiding principles, banks must disclose information regarding any material Group 1a, Group 1b, Group 2a and Group 2b cryptoasset exposures on a regular basis, including (for each specific type of cryptoasset exposure) information on:
1. the direct and indirect exposure amounts;
2. the capital requirements; and
3. the accounting classification.
Banks must also include exposures to Group 1 cryptoassets in the relevant existing disclosure templates that apply to traditional assets (e.g. for credit risk and market risk).