Blockchain, cryptography, and financial services: a regulatory perspective - Speech by Gerry Cross, Director of Financial Regulation: Policy & Risk, at Blockchain Ireland Week 2022

Speech delivered at Blockchain Ireland Week 2022

Introduction

Good morning. It is good to be here. Thank you to Blockchain Ireland for the invitation to speak with you today.

Technological innovation is an important focus of attention for the Central Bank of Ireland. We are an integrated regulator with a mandate to protect consumers, safeguard financial stability and promote the sound functioning of financial firms. We also have responsibility for the efficient and effective operation of the payment system and for providing advice on the effective functioning of the economy.

Technological innovation is a key feature of the environment in which we seek to deliver this mandate. We are at a moment of significant technological transformation. The range and nature of financial services, and the manner in which they are provided to consumers and users, is rapidly changing - with all of the benefits that that can bring; and also the challenges.

Today I want to share some thoughts about the role of the financial regulation at this moment of important technology-driven change.

At the Central Bank, we seek to deploy our regulatory powers so that benefits of change and transformation are realised for the consumers and users of financial services, and for the economy, with risks appropriately mitigated. Our recently published multi-year Strategy reflects this approach with future focus being at its heart. We are in the business of regulating for the future drawing on our learnings from the past.

As stated in our Strategy success for us includes that we have played our part in fostering an innovative, resilient, and customer-focused financial sector in Ireland, which serves well the evolving needs of households and businesses into the future.

A number of challenges

From the point of view of a financial regulator the combining of cryptography, information technology and financial services is a significant development. It is exciting but also very challenging. When I say that these developments are challenging, I mean that in the positive sense of the word. Blockchain and cryptographic technology have the potential to bring significant benefits to the economy and to the users of financial services – something that it is at the heart of the mission of the Central Bank of Ireland. But to do so there are some important challenges that must be overcome – challenges both for the blockchain, and for the regulatory, community. Challenges that we should seek to overcome together. Challenges that, if and when addressed, can unlock significant benefits for the users of financial services.

Before discussing some of regulatory aspects more closely, let me consider some of the broad challenges that we face and which we should work together to address.

The use case. What does blockchain or cryptotechnology do for users? How should we think about it and approach it? Financial regulation is at its heart a purposive activity. We consider what firms or services or products are seeking to achieve – and what users understand in this respect – and then we build our regulatory approach from that starting point. Currently blockchain and the activities built on it serve a range of potential uses. That is a positive thing. Multiple potential uses is one of the most exciting features of blockchain. We are at the early stages of its development and looking forward it can be expected that blockchain and similar technologies will serve a potentially very large range of purposes – reflecting the deep potential of this technology.

Nonetheless, we do need to bring more sharply into focus the purposes and use for which blockchain is being deployed in different situations – in particular where consumers are involved. We need to be clearer about the situations where blockchain and cryptotechnology are being deployed to underpin payment services. And where they are being deployed to support investment activities or, as is often the case, speculation. There are situations where the intention seems to be to provide more of a gaming experience. And of course there are situations where they are being used to support smart contracts – something that would seem to be a truly unique and exciting proposition associated with blockchain. And beyond these are the many other uses, perhaps as yet unknown, to which this technology can be expected to be put in the area of financial services and more widely.

Understanding. This is a radically new, highly complex area of development. It is essential, if we are to successfully deliver its benefits that we bring a significant focus to the issue of understanding. This remarkable departure will only work when and if there is a much more widespread and deep understanding of the various aspects, uses and implications of the technology and the products and services built on it.
There is a currently an understanding deficit which is material and problematic. It exists amongst the regulatory community where our traditional skills and expertise have had to be, and need to continue to be, significantly enhanced to reflect the scale and significance of developments in this space.

It exists amongst the technology and crypto community who have not to date paid enough attention to understanding the legitimate and pressing concerns of regulators and responding to them.

And it exists amongst many of the consumers and users – and potential consumers and users - of blockchain-based services and products. How many consumers, losing considerable sums as a result of recent significant volatility in the crypto market, will have well understood the risks that they were taking? How many will have understood – or misunderstood – the extent to which a “stablecoin” might not in fact be either stable or a coin?

There is an important need for work to enhance financial understanding and literacy so that people really understand the nature of the activity they are engaged in and the risks that they are running.

And I should be clear about this: it is difficult to see how the use of widely targeted, often highly impactful, marketing techniques – for example by social media influencers - in the absence of such understanding could represent the fulfilment of their social obligations by responsible firms.

Risk mitigation. A third key challenge is one for the innovator community. That is to fully realise the extent to which financial services are different to other areas of activity to which technological innovation and the blockchain may be applied. That is due to the fact that a crucial component of financial services activities is trust and confidence. Trust and confidence that the service provider is well run; that they will not fail leaving customers to bear losses; and, critically, that their business model is one which places the real interests of the customer genuinely at the centre of their focus. This means that a key challenge for the tech sector as it ventures further into the area of financial services is to ensure that those aspects of its culture which have proved so successful on the journey thus far, are complemented by those aspects of customer-centredness, good governance and risk management that are essential to the proper running of financial firms.

Regulatory openness. If the tech industry needs to focus on issues of culture, governance and risk management, then we regulatory folks need to challenge ourselves about how we do things and how we approach innovative technologies, products and services. Significantly impacted by the harms caused by the the great financial crisis, it has been easy for us at times to think that in our regulatory and supervisory judgement it is better to err on the side of caution and ensure that failures and harms do not occur. That is understandable, and it comes from a desire to protect consumers and the wider system. But taken too far, it is also problematic. Any sustainably productive economy and supporting financial system requires innovation and creative disruption. To the extent that financial regulation becomes overly defensive, unduly restrictive, or cautious to the point of dampening vibrant innovation it will begin to have suboptimal outcomes. Avoiding this is a challenge that we in the regulatory community must make sure that we are addressing.

Climate. It is important to mention a fifth challenge – that is climate impact. There are significant concerns about the enormous energy consumption, and thus climate related impact, associated with crypto technology. This is a very relevant concern. If climate change is our existential challenge, then it is difficult to see how that will not in the end trump innovation if the latter has a significant, negative climate impact. It is very positive that work is pressing forward to address the climate impact of proof of work methodologies. These efforts need to be taken quickly forward and need to bear early fruit.

Approvals and authorization

Ireland is a global centre for financial services with the size of the financial sector here continuing to grow significantly in recent years. It is also a tech centre with many technology firms – large, medium and small – operating from here. This is supported by an open economic approach and innovative business culture, a highly educated workforce, and a tech savvy people. All this makes Ireland a natural and attractive location for those engaged in innovative fintech activity.

From the point of view of financial regulation, we have continued to see an enhanced flow in the number of firms seeking to be and being authorised. This notably increased flow started around the time of the UK’s decision to leave the EU and has continued unabated since. For example, in the area of payments and e-money firms we have seen the number of authorised firms grow by an order of magnitude – from low single digits to over 40 - in four years, with a significant further number currently in the approvals process.

Authorisation is the entry point for firms into the financial services market. In this way, it grants permission to provide services to the public, the very nature of which confers important rights and responsibilities on the licensee.

While precise requirements vary depending on the relevant legislation applicable to each sector, they generally include that firms:

• Have appropriately sufficient financial resources, including under a plausible but severe stress;
• Have sustainable business models;
• Be well governed, with appropriate cultures, effective risk management and control arrangements in place; and
• Be able to recover if they get into difficulty, and if they cannot, they should be resolvable in an orderly manner without significant externalities.

The Bank’s financial regulatory objectives are to maintain the stability of the financial system by promoting high levels of trust and confidence in the financial system via proper and effective regulation of financial service providers. In doing this, we seek to ensure the efficacy of business models, to ensure that consumers’ interests are protected and they do not suffer losses as a result of poorly run firms. We seek to ensure that the system is governed and managed in a manner consistent with our standards of fitness and probity and that the system is not abused for money laundering or terrorist financing purposes.

We also know that there is enormous value in the ongoing entry of new participants into any market. The ideas, developments, and efficiencies that new entrants bring has been a significant part of the story of the remarkable rise in living standards and quality of life across the developed world and many parts of the developing world over the past 200 years. Innovation and disruption are key drivers of progress. So it is important that in achieving our regulatory goals we do so in the manner most consistent with facilitating ongoing innovation in the financial sector.

To this end, our approach is characterised by a number of important aspects:

We seek to be approachable and clear in our expectations. That does not mean that the process will not be a challenging one – it will - but rather that in your interactions with the Central Bank you should be able to have clear and reasonable expectations of the authorisation process.

In this regard, in 2018 we established the Central Bank’s Innovation Hub. This was specifically designed to allow firms new to regulation, as well as others, to engage with us in an informal manner and understand the implications of regulation for their product or service and how to engage with us should they wish to be authorised.

Since establishment, firms from a wide variety of sectors have engaged with the Innovation Hub. The most common sectors are the payments and e-money sector and the regtech sector.

Questions on the regulatory framework frequently come from start-ups, usually to seek an informal steer on how rules might apply to their business model. These early engagements with firms can be beneficial in explaining the regulatory framework and explaining our processes which can help firms to prepare for a future application to the Central Bank.

Notably, in 2021 there was a significant increase in the number of digital asset related queries to the Innovation Hub, with digital asset related queries representing 39% of all enquiries in that year. Digital asset enquiries come from a range of sectors, including the new VASP sector, payments/e-money sector and others.

While the Innovation Hub continues to grow in popularity – with a roughly 20% increase in the number of enquiries each year - we want to ensure that it continues to provide value for us and for innovative firms. We have commenced a review of how it operates and lessons learned to see how it might be enhanced.

We seek to provide an authorisation service that is timely, transparent, fair and predictable. While the authorisation process will often be demanding, and can on occasion take more time than both parties might have hoped due to complexities and challenge, nonetheless we will seek to maintain momentum on our side, to turn around the different stages in a timely manner, and to keep you well informed as to the process and likely timelines. This was the approach that we successfully adopted for example during the high-activity phase of the pre-Brexit period and which we believe is appropriate not just generally but also during periods like the present when we are seeing high demand for authorisation.

We will also be proportionate and considered. A risk-based approach is the at the centre of all of our regulatory and supervisory activity. And we seek to deploy the same approach in relation to authorisation. If the risks are considered small, then our demands are proportionate to that.

Of course, for this to work as well as it can, there is an onus on firms to submit well considered and credible applications to a good standard to allow a proper and timely assessment to take place. Our experience is that firms which engage early, present clear and complete applications, and which understand the risks associated with their business and how they intend to manage those, find the authorisation process to be a smooth one.

It is centrally important that firms seeking authorisation understand as well as possible the demands of relevant legislative and regulatory obligations and what will be expected of them. We provide a range of information and important guidance for authorisation applicants which you should pay close attention to. An applicant who has taken the time to understand well the requirements, to internalise them in their own activities and approaches and, where relevant, to obtain helpful advice or support, will be positioned for the best experience in respect of the licensing and authorisation process.

Virtual Assets Service Providers

Let me say a little bit about our experience in respect of VASP authorisation which may prove helpful.

Ireland transposed the fifth Anti-Money Laundering Directive (5AMLD) into Irish law by way of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 ("2021 Act") and the provisions of the 2021 Act that relate to VASPs commenced on 23 April 2021. All VASPs established in Ireland are required to register with the Central Bank for anti-money laundering / countering of the financing of terrorism (AML/CFT) purposes only.

The Central Bank has proactively engaged with the sector to raise awareness in relation to the obligations on VASP entities, including the following:

• We have created a dedicated VASP section on the Central Bank’s website which provides potential applicants with an overview of the AML/CFT requirements applicable to VASPs and outlines in detail the registration process. The dedicated section includes detailed guidance on how to complete the registration form; relevant guidance on Central Bank expectations, international guidance relevant to ML/TF risk assessment as well as information on the Central Bank’s approach to supervision and fitness and probity;
• All potential applicants are offered a pre-registration meeting to allow them to understand the Central Bank’s process and to seek any clarity they require;
• We have taken part in a number of outreach events involving potential VASPs to provide insight and understanding concerning the VASP registration process.

Since the commencement of the legislation a significant number of firms have expressed an intention to seek a registration through the completion of a pre-registration form. To date 55% of the pre-registration submissions have been followed up with a complete applications. The Central Bank has applied a significant level of resources to assessing these applications and as at the middle of May 2022, 80% of the complete applications have been assessed by the Central Bank and the applicant firms provided with the Central Bank’s observations on their applications and proposed AML/CFT frameworks. With respect to the remaining 20% of applications they were either incomplete applications i.e. they did not contain the necessary information and/or documentation and consequently further information has been requested from the applicant, or the applications were only recently submitted and therefore they are currently in the course of assessment by the Central Bank.

Through the review of applications received to date, the Central Bank has identified common weaknesses across a number of applications. I mention these in the hope that it may be helpful to those considering applying.

• A number of firms had not assessed and documented the money laundering / terrorist financing risks as they pertain to the firm’s customers and business activities. Such a risk assessment is the foundation for an effective ML/TF control framework and its absence results in firms submitting inadequate ML/TF frameworks;
• Several firms submitted group policies/procedures that were not sufficiently tailored to Ireland’s legislative and regulatory requirements;
• The Central Bank received several registration applications where the firm failed to demonstrate how they screen for politically exposed persons (PEPs) for both new and existing customers.

In order for the authorisation/registration process to be smooth and timely, it is essential that applications do reflect all of the key information and understanding required for registration or authorisation to ensure the speediest process. Hopefully these insights will prove helpful.

Crypto assets and regulatory frameworks

According to the European Commission’s draft Markets in Crypto Assets Regulation (MiCA), a crypto-asset is “a digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology (DLT) or similar technology.”

DLT has the potential to deliver significant benefits as it evolves and is deployed to different purposes over time. The transparency, immutability and auditability that DLT can provide could reduce transmission costs in the financial system and eliminate the need for intermediaries in some transactions. DLT could also enable proof of ownership of digital things without the need of a central authority. Furthermore, for SMEs, it could streamline capital-raising processes, potentially providing a cheaper, less burdensome and more inclusive way of financing SMEs.

It is possible that when used as a means of payment, DLT, properly configured, governed and regulated, could present opportunities in terms of cheaper, faster and more efficient payments, in particular on a cross-border basis, by limiting the number of intermediaries.¹

However, the full range of benefits of blockchain and DLT will only become apparent with ongoing use and evolution and with the further increased digitalisation of our society and economy. For us regulators the challenge is to facilitate this happening, while making sure that undue loss and damage either to users of the products or to the financial system do not occur in the meantime.

At this moment, the Central Bank has concerns about the considerable negatives associated with a range of crypto assets in particular where they are unbacked (or poorly or unreliably backed), widely and intensively marketed and promoted for consumer purchase, and increasing in their linkages to the wider financial system.

Consumers face risks from high price volatility, security issues and fraud, and have little or no protection in the face of “pump and dump” strategies and aggressive marketing. It is for these reasons that the Central Bank has issued several warnings about crypto highlighting the significant risks they pose to consumers.

Moreover crypto activity is fast evolving and could reach a point where it represents a threat to financial stability due to its “scale, structural vulnerabilities and increasing interconnectedness with the traditional financial system” (FSB, Feb 2022).² The rapid evolution of and international, cross border nature of crypto markets raises the potential for stability risks, regulatory gaps, fragmentation, and arbitrage.

Currently, crypto activities are mostly unregulated, except for AML purposes under the Virtual Asset Service Provider (VASP) Framework – in respect of which see my earlier comments. This gap in regulation needs to be addressed.

It is for these reasons that the Central Bank very much welcomes the EU Commission proposal for a new EU legislative framework for crypto activities. We are closely involved, together with our colleagues in the Department of Finance, in the EU legislative process to finalise this important regulation. The intention of the Markets in Crypto Assets (MiCA) proposal is to address the risks to consumer protection and market integrity from crypto along with specific risks to financial stability and monetary policy while also bringing regulatory clarity to the sector. It will provide a high quality, consistent framework across the EU for the ongoing development of this highly important field of innovation.

The MiCA legislation is currently in final negotiations between the European Commission, Parliament and Council, with the hope that the text is agreed by the end of June. Once entered into force the current draft timeline is 12 months for the framework for issuers Arts and EMTs and 24 months for the framework for CASPs and utility tokens.

Some of the key aspects of MiCA are the following:

MiCA: Obligations on issuers or EMT’s and ART’s

 MiCA will impose a mix of conduct and prudential requirements on issuers of Electronic Money Tokens (EMTs) and Asset-referenced Tokens (ARTs). Consumer protection features strongly, with obligations to act fairly and in the best interests of EMT and ART holders. EMT issuers will offer redemption at par (1:1) while both EMT and ART issuers will have clearly disclosed redemption obligations.

EMT and ART issuers will be required to provide clear and up to date information including updated white paper information, the disclosure of risk events, any conflicts of interest, and ensure there are clear procedures for complaints handling for consumers while ART issuers will additionally need to provide transparency on ARTs in circulation
Issuers of EMTs and ARTs will be subject to prudential requirements including capital requirements and reserves obligations including detailed policies and safe custody of same.

For both EMT and ART issuers, there will be restrictions for investment of reserves and the expectation of robust governance, including business continuity, control and risk assessment, and appropriate 3rd party contractual agreements. For issuers of ART’s there will be a ban on interest to ART holders.

MiCA: Obligations on CASPs

MiCA will impose a mix of conduct and prudential requirements on Crypto Asset Service Providers (CASPs). CASPs are firms that provide crypto asset services to third parties on a professional basis. This will include, for example, trading platforms; exchanges; custody providers; execution firms; and advice providers.

The issuance of Bitcoin and other unbacked crypto will not, because of their wholly intangible nature, be within MiCA’s scope. However, CASPs - which provide the interface between the consumer and the product - will be regulated.
CASPs will be required to be authorised in an EU member state in order to operate within the EU. As part of that authorisation they will have to set out the crypto services they want to offer to EU consumers.

MiCA will impose important consumer protection measures on CASPs, with governance obligations, minimum capital requirements, and transparency requirements. MiCA will also provide for prohibitions on insider dealing, market manipulation and the unlawful disclosure of inside information.

MiCA will introduce requirements for CASPs to issue consumer warnings where the consumer has not satisfied the conditions of the required appropriateness test. It will also introduce minimum standards for advertising and marketing.

CASPs will need to maintain segregated accounting practices to properly keep customer funds separate and suitably protected from incidents such as insolvency. And they will be required to maintain a suitable insurance that will cover its exposures in case of a partial or total technical failure.

MiCA will be a very important step forward in the regulation of crypto activities in Europe. It is the first widescope regulation. And of course, as the activities that it regulates continue to evolve and change rapidly, so our regulation will also need to keep evolve to keep pace.

Conclusion

Let me conclude here.

You will have seen from my comments that the Central Bank is committed to implementing the regulatory, supervisory and approvals approaches which allow all of us to unlock – for the benefit of consumers, businesses and the wider economy – the potential of blockchain and other technological innovation.

You will also have seen that to achieve this we will all – innovators, service providers, and regulators alike – have to work hard to address the range of exciting challenges that confront us at this stage in the evolution of tech-driven financial services.

Thank you very much for your attention.

^{______________________________}

¹ EU Commission, Regulation of the European Parliament and of the Council on Markets in Crypto-assets; p. 15.

² See: https://www.fsb.org/2022/02/assessment-of-risks-to-financial-stability-from-crypto-assets/