Cryptocurrency has the potential to disrupt the financial services industry—but that’s not necessarily bad news. There is a significant opportunity for financial institutions to embrace cryptocurrency and generate revenue with properly designed and executed crypto products and services.
However, entry into the crypto space should be tempered with caution. Entering the digital currency space requires a fundamental knowledge of how crypto works, what the market demand is, what the risk landscape is, and how to integrate crypto into the existing enterprise risk management (ERM) environment.
Related: Do You Have a Digital Payments Strategy?
A robust risk management program is crucial for any financial institution seeking to enter the digital asset space. Risks to consider include:
Regulatory risk. Before financial institutions can identify and assess cryptocurrency risk in proposed product and service offerings, the regulatory agencies must first consistently define what a crypto asset is. Right now crypto assets may be treated as property, securities, or currency—depending on the agency regulating them. The absence of a consistently applied regulatory definition of cryptocurrency creates uncertainty and risk for institutions attempting to offer crypto-related products and services.
Additional regulatory risk stems from the complex web of regulations and guidance already imposed by other regulatory authorities. These include FinCEN, state MSB licensing agencies, the IRS, and even the Financial Action Task Force (FATF). Navigating this web of regulations can be challenging. For example, there have been two IRS rulings on crypto since 2014, a recently expired FDIC comment period on crypto assets, and the OCC’s recent statement that it would be re-evaluating the agency’s stance on crypto— including four previously published interpretive letters.
Financial institutions must navigate this complex and ever-changing gauntlet of regulations.
However, regulatory risk and uncertainty surrounding crypto is just the tip of the proverbial iceberg. Depending on the type of the crypto offering being considered, financial institutions must assess numerous additional risk factors, such as IT/cyber risk, fraud risk, privacy risk, and price risk, just to name a few. Add to that the inherent crypto concerns of valuation and volatility and you have a recipe for disaster if risk is not identified, assessed, and managed appropriately.
Related: FDIC to Banks Considering Crypto: Ask for Permission, Not Forgiveness
Strategic risk. Institutions contemplating a foray into the crypto space must decide how to manage risks, including IT/cyber risk/ fraud risk, privacy risk, and price risk, among others, when setting a crypto strategy. They need to determine how crypto risk fits into their overall approach to enterprise risk.
Competition risk. The crypto market is crowded and extremely competitive, leading to competition risk issues that will influence which crypto products and services to offer. Institutions should be asking themselves:
These are important questions to ask, as there are already some companies such as Robinhood offering free crypto-related services.
Operational risk. Once a crypto project has been designed, operational risks must be identified and managed. While not an exhaustive list, key operational concerns for crypto products/services may include:
Answering these questions is made extra challenging due to the evolving nature of crypto, changes in reporting requirements (by the IRS and others), and the repeated abuse of crypto by fraudsters and money launders. As such, these operational risk issues should be surfaced and addressed early in the crypto product lifecycle.
Crypto risk doesn’t exist only at the product/service level. It should also be incorporated into the institution’s overall ERM program and evaluated in the context of the FI’s overall strategy. Any FI considering entering the digital currency space should have a robust ERM program. Crypto risk management should be integrated into existing periodic risk monitoring, methodology, and reporting frameworks. The residual risks of any crypto product/service should be reported to lines of business, senior management, and the board.
This involves developing key risk indicators (KRIs) and key performance indicators (KPIs) and applying them to the performance of crypto products/services in the context of the specific strategic goals outlined in the product design and development phase. KPIs and KRIs should be monitored on a periodic basis commensurate with their importance to achieving the stated crypto product/service objective(s) and reported to a level of management or the Board with the authority to act on them. Using a KPI/KRI infrastructure will allow senior management and the Board to course-correct as necessary, which will keep crypto risks aligned with strategic goals throughout the product lifecycle.
When considering crypto risk—as with all risks—make sure your institution is equipped to align strategy with risk and has the infrastructure in place to thoroughly risk assess and monitor risk across the enterprise. Don’t weigh the benefits of an opportunity without also considering the costs.