Traditional AIFMs and ManCos along the typical functional model
Portfolio Management and Oversight
How should initial and ongoing due diligence be designed for digital asset managers?
There are well-established rules and guidelines for operational due diligence of alternative investment fund managers (e.g., private equity and hedge funds) on the underlying managers and funds they invest in, and corresponding elements such as counterparties, valuation, IT, conflicts of interest, among others. Crypto-assets require a new set of due diligence considerations. Increased attention has been given to due diligence efforts by AIFMs/ManCos in the crypto context in recent years, in response to skepticism and perceptions around cryptocurrencies being utilized for criminal activity due to the anonymity and speed of transactions. To mitigate these concerns, verifying identities of parties investing in, sending or withdrawing cryptocurrencies is of growing importance.
In addition, the crypto-asset market is growing at speed and in different directions. It is no longer dominated only by some well-established blockchains or cryptocurrencies: other crypto-assets, for example digital art, NFTs, stablecoins and other decentralized finance (DeFi) projects, are converging with “mainstream” finance, and as such due diligence has to be appropriately tailored. Other oversight elements include custody arrangements, i.e., the appropriate safeguarding/storage/documentation of crypto-assets. Historically, self-custody in the form of cold wallets was preferred, in support of decentralized finance, while nowadays more fund managers are considering the classic third-party custodian model, which has knock-on due diligence consequences, raising questions about disaster recovery and cybersecurity management, among others. Further, since crypto-assets use different underlying technologies, there are new and different risks to address concerning trade, administration and IT.
Investment Risk
How should fund risk profiles and risk limit monitoring be created or adjusted?
Typically, risk limit monitoring for AIFs takes place quarterly, but this blanket approach will most likely not be sufficient for all crypto-asset classes. Fund managers may find themselves asking whether new substance and capabilities will be required due to the idiosyncratic risk structure of digital assets. Some crypto-assets are known for their volatile and speculative nature: elements which are further exacerbated by aggressive marketing campaigns aimed at the general public, as well as irresponsible leverage, with some crypto-asset platforms allowing investors to make investments which excessively outmatch their capital base. Investors will need to be timeously and adequately alerted to the risks – and changes thereof – of buying or holding digital instruments.
Service Providers
How should new service providers catering for digital assets under management be benchmarked and selected?
When offering crypto-assets, firms will need to consider which service providers will best serve their new needs. Can existing administration, IT, tax and legal advisors cater for the firm’s crypto needs or is it preferable to look at specialized experts? What criteria should be used to evaluate and select these service providers? With the MiCAR top-up regime we may see traditional service providers upgrade their in-house crypto capabilities instead of looking outward to out-/co-source their needs. Stability of service providers is key to avoiding service disruption and this, in combination with efforts to control compliance costs, may fuel some market consolidation whereby traditional players absorb specialized start-ups. Alternatively, we may see the emergence of a new significant, specialized player.
Compliance
What steps can be taken to combat financial crime?
The typical customer due diligence checks should be applied to crypto-asset management. In practice this is tougher to execute due to the decentralized nature of crypto-assets to date – banks, asset managers and authorities lack control over cryptocurrencies and their associated data. Know Your Customer (KYC) at the customer onboarding stage will be a critical compliance area. Having strong identity verification checks during onboarding and subsequent transaction stages will support traceability, anti-money laundering (AML) and counter-terrorist financing (CTF). Enhanced due diligence for politically exposed persons (PEPs) and sanctions screening at the outset will also be key. Balancing these efforts against making investing as simple and efficient as possible will be necessary for existing crypto investors who are accustomed to quick and seamless transacting.
Talent
Will upskilling of existing staff be sufficient or must new and different profiles be recruited?
Technical jobs, such as IT experts monitoring crypto protocols, smart contract engineers, programmers, compliance specialists, quality assurance professionals, crypto traders – among others – are some of the roles in high demand. Engineering and IT talent is sought after in this industry, sometimes more so than traditional financiers. Companies composed of mostly finance professionals may need to become more technical in nature. Notably, many of the characteristics in demand are unmatched by supply: the market is niche and fragmented, only just starting to converge with mainstream finance and, most significantly, tech talent globally is squeezed as companies across industries rapidly digitalize all workstreams. Upskilling existing staff may be a cost-efficient and necessary option to fulfil the need, but since the environment is constantly evolving this too will be a challenge. This may also be an obstacle for those AIFMs/ManCos who have, over the years, had an unwavering concentration on established investment models and asset classes, where staff may find it difficult to adapt to a change in focus.
Crypto-asset service providers (CASPs) providing administration and custodian services
Strategy
Since the digital asset market is quite fragmented, which platforms and exchanges should businesses connect to from a commercial, regulatory and reputational risk standpoint?
According to Forbes, there are over 500 cryptocurrency exchanges from which to choose, over 20,000 cryptocurrency projects globally and 295 million crypto users. Consideration should be given to security, fees, reputational history, track record, length of establishment, number of crypto-assets on offer, custodial storage, among others.
Cybersecurity and IT risk
Robust controls and security arrangements are needed to minimize risk of wallet breaches. Due to the “permanent” nature of blockchain-based transactions, assets are likely to be lost in case of wallet breaches. What steps can be taken to cater for this risk?
Financial institutions will need to protect themselves and their clients from direct and indirect threats and vulnerabilities. One of the key concerns is the safekeeping of crypto-assets, which are currently accessible to investors via a private “key”. If this key is lost or hacked, there is no workaround. Assets that are lost or stolen are gone for good and investments can be permanently lost. Evaluating exchanges on their security measures – audit frequency, testing, continuous system monitoring, recovery plans – should be a priority.
Technology
Should new distributed ledger technology (DLT) be integrated with legacy IT systems and, if so, how?
Plugging DLT into legacy technology and systems is a difficult task. As such, where existing technologies are workable and efficient, integration may not be necessary or advisable. However, in the case of smart contracts (which are executed solely in the blockchain environment) integration could be very useful. “Smart contracts” are self-executing contracts whose terms are set out and executed via code (transaction protocol). Their purpose is to execute transactions securely, immutably and efficiently, without the involvement of an intermediary. Being able to use data outside of the DLT to trigger the execution of a smart contract, and a subsequent automatic action on an external system, is an example of where system integration could significantly increase the speed of processing transactions as well as reduce manual interventions. Here, one option is to use an “oracle” (or “secure blockchain middleware”) to connect the blockchain to external data and technologies.
Business Continuity
What additional back-up plans are needed in case of operational failures such as in the case of the blockchain(s) acting as a new critical custody infrastructure?
Should the blockchain shut down due to, for example, a breakdown in network/internet availability, ledgers would temporarily stop recording transactions and thus transactions would not be processed. As such, having a business continuity plan is paramount, and business continuity planning should be closely evaluated when selecting service providers/exchanges to partner with. Consideration may be given to the possibility of reverting to offline alternatives, which are non-reliant on the internet, but development of these is still very much in the exploratory phase.
Depositary
How should the governance and oversight model be designed to address new asset classes, including target operating model considerations such as connectivity to custodians, reconciliation processes, ownership verification and control design?
Depositaries are transforming their operating models to align with the needs of digital assets, while at the same time aiming to maintain the same levels of service and safeguarding standards as for traditional assets. One of the key challenges is the fragmentation of the market, with multiple crypto-assets, exchanges and platforms in existence, each with their own unique risks and vulnerabilities. Depositaries will need to update their oversight models to cater for the differences in each asset class.