It is also worth noting that in some cases, prior approval or non-objection may not be required for certain digital asset-related products and services. In these instances, firms typically seek legal counsel to provide a formal opinion to this effect. Once such an opinion is obtained, risk and compliance documentation should reference this to avoid any perception of skirting regulation. Firms should nonetheless follow robust new product and service review, risk assessment and approval processes; it is highly likely that such activities will be reviewed by regulators.
Engage with regulators collectively, early and often
Where there is clarity on jurisdiction, firms should identify relevant regulatory bodies and engage with them collectively, early and often. Many of the regulatory agencies will insist that firms engage with them prior to submitting an application. This is a feature of the process, not a bug. Particularly as related to digital asset offerings, early and continuous regulatory engagement is a process of education, as much as it is a process of regulatory review and approval.
The pace of evolution and variance in business models involving new and emerging technologies mandate that regulators take a cautious approach and gain a deeper understanding of new offerings. Expect many questions and be prepared to answer everything from wallet security and customer privacy to bank relationships and customer funds flows.
Through our experience guiding firms through applications, operating model design, new product launches or compliance program transformation, Ernst & Young LLP has identified numerous points of regulatory emphasis. Firms should consider the following priorities as they engage with regulators:
- Strategic vision – Clearly defining the vision, strategic rationale and business case for the launch of digital asset products and services.
- Product and delivery model – Outline details on what the product is, how it operates and clients that will be served; and understand integration between internal and external systems.
- Financial and non-financial risk appetite – Development or enhancement of enterprise risk management framework, with a focus on identification of the incremental risks of the digital asset products and services, including how the services align with the enterprise risk appetite.
  - Regulatory leading practice is to require that a risk assessment methodology exists and has been appropriately executed to evaluate the inherent and residual risk of new digital asset offerings.
  - The need to thoroughly and comprehensively understand the unique risks that digital assets bring to an enterprise, and how these will be mitigated, cannot be overstated.
- End-to-end controls – Clearly demonstrating how the identified risks will be mitigated in a robust, scalable and sustainable manner is critical. Identification of how the risks and associated controls will be actively monitored is also an area of focus.
  - Some critical control examples include:
    - Robust client and business acceptance framework.
    - Uplift to ongoing monitoring and testing at client and product level.
    - Protocol, token diligence and monitoring framework; demonstrating an understanding and implementation of appropriate tools and technology is critical.
    - Exchange, custodian and token platform due diligence.
    - Ability to meet regulatory reporting standards.
    - Transaction signing, key management and physical security controls.
    - Business continuity and resiliency.
    - For traditional financial institutions, their approach to updating the liquidity and capital management plan.
- Governance – The backbone of a risk management program, and a point of particular emphasis for the regulators, is a firm’s ability to demonstrate a robust understanding of applicable risks to its business and the governance over how it will manage, monitor and report on its ability to mitigate such risks. The board must define the firm’s risk appetite, foster a culture of compliance and provide oversight of risk management programs. Management is responsible for implementing proper governance through well-documented policies and procedures that are reviewed, tested for adherence and effectiveness, and with consistent tracking, monitoring and reporting of key performance and risk indicators.
- Third party risk management (TPRM) – Introduction of third parties into the company’s funds flow or operational processes, while helpful to relieve operational burden, is an additional layer of risk and complexity to be closely managed. Regulators expect to see a TPRM program designed to mitigate the incremental risks associated with the introduction of third parties into a company’s operations. As it relates to digital assets, firms should demonstrate enhancements to the TPRM program designed to consider the unique risks of the offering, ensuring resiliency can be achieved in the third-party relationship.
- Consumer protections – The protection of consumers within their respective jurisdictions is a primary focus of state and federal regulators. Demonstration of the ability to protect and monitor client assets and data and the existence of related disclosures is key.
- Financial crimes – Financial crimes, including fraud, pose a high risk to the digital asset ecosystem. Demonstrating a robust understanding of the risks and how to mitigate them is critical to a successful regulatory relationship. Firms should be prepared to demonstrate how the company intends to mitigate financial crime risks, which is particularly complex in the digital assets space, where anonymity of transactions and counterparties as well as ultra-sophisticated fraud schemes continue to impact the industry. Upgraded capabilities and infrastructure to support Know-Your-Virtual Asset Service Provider (VASP) due diligence, enhanced sanctions screening, negative news search and transaction monitoring are core areas of focus, among others.
- Financial impact – It is expected that applicants can demonstrate a thorough understanding of the impact to the financial performance and ratios of the organization along with the mitigating limits, concentrations and management approach across balance sheet, capital, liquidity and profitability, demonstrating safety and soundness will not be compromised. If affiliated with a larger parent company, the regulator will want to understand to what extent and how the parent will backstop any losses for the applicant. For certain types of business, the regulators will further want to understand how sufficient capital and liquidity will be maintained to protect customer funds through periods of stress.
- Cyber and information security – The digital asset ecosystem is underpinned by controls to protect data and information. Confidence in the cybersecurity and protection of customer information is vital to the success of the industry. To that end, the regulators will dive deep to understand how transaction, personal and financial data is protected; what controls are in place to prevent and detect potential threats; and what response protocols are in place to address a cybersecurity event upon occurrence. Alongside financial crime, cyber and information security are at the forefront of regulators’ minds when considering new applications or an expansion of an existing license to cover new products and services.
- Ongoing sustainability – While the preparation and submission of the initial licensing application(s) can seem like a significant undertaking, the real work occurs after receiving regulatory approval to conduct the offering. Given the complexity and variety of unique challenges posed by digital assets, ensuring the right talent and skill sets are hired and retained to implement and scale the operational and risk management processes is a persistent challenge. Regulators will want to vet the management team, including compliance, cyber and risk management personnel, for relevant experience and qualifications, as well as the staffing plan for a company’s initial scale-up. The adequacy of headcount, both in number and quality, will be an ongoing point of feedback during regulatory examinations.
- Resolution planning – An emerging theme across significant players in the digital asset ecosystem is the focus on the development of recovery and resolution planning. Leading firms are developing detailed plans akin to those adopted by large, regulated banking institutions, providing detailed planning and roadmaps for how businesses may be unwound in an orderly manner. This leading practice is an indication of an emerging regulatory expectation around appropriate planning and risk mitigation that can be leveraged to further enhance product design and capabilities.
Regulatory application expectations
State and federal regulators generally require firms to provide similar documentation and information when submitting applications for digital asset-related offerings; however, the level of scrutiny and areas of priority may vary. For activities overseen by state regulatory authorities, expect an emphasis on business resiliency, consumer protection, financial crime prevention and cybersecurity. Firms overseen by federal banking and other regulators can expect a thorough review of end-to-end controls, particularly related to the safety and soundness of the institution, with additional focus on consumer protection and financial crime prevention.
Firms engaging in digital asset offerings, regardless of regulatory regime, ultimately need to demonstrate they have robust, scalable and operationally sustainable controls that are commensurate with the risk. Importantly, firms should consider real and environmental factors when benchmarking whether a control framework is commensurate with the risk, and whether offerings can be provided in a safe and sound manner.
For firms that are regulated already today and are looking to expand their product offerings to cover digital assets or add new digital asset offerings, the focus of the regulatory engagement and application process should be on the incremental risks and controls of the additional services.