The use of virtual assets has introduced innovative ways in which financial activities may be conducted and, inter alia, the manner by which value may be transferred. As of April 2023, there are approximately 23,000 different virtual assets[i] and numerous related activities that continue to expand within the virtual asset ecosystem. While proponents argue that virtual assets are the answer to many issues faced in the traditional financial sector (e.g. speed, transparency and financial inclusion), it is also clear (from past events) that there are risks associated with the use of, and exposure to, virtual assets. 

Key to addressing such risks, is the need for identification and assessment of same and strategies for mitigation. Doing so would allow opportunities for virtual assets to live up to their transformative promises[ii], encourage the growth of the virtual asset ecosystem, while avoiding serious harm to participants (and arguably the financial system).  

Virtual Assets and related activities

While there is no universal definition of a virtual asset (VA), it may be defined as a digital representation of value, that utilizes in the main, distributed ledger technology (which includes a decentralized P2P architecture) and cryptography. The use of VAs is primarily associated with the transfer of value without a central authority for various purposes. VAs can be digitally traded, transferred, stored and used for payment and/or investment purposes, etc. A VA is not issued or guaranteed by a central bank or other public authority. 

VA activities are generally similar to traditional financial activities, and include issuances, payments, exchange (trading), investment and risk management, lending, borrowing, leveraging and safeguarding/administration (e.g., custody and wallet services), etc. Of course, there are also activities that are unique to the VA ecosystem, for example, flash loans. 

Protagonists claim that, among other things, VAs allow for innovative solutions for the transfer of value in a decentralized, secure and transparent manner. In that regard, VAs facilitate inter alia, financial inclusion, access to alternative sources of value (e.g. as a source of capital for businesses), investments[iii], cross border settlements and remittances[iv], etc. Given such benefits, and the continuous growth in the adoption rate of VAs, financial institutions (FIs) and virtual asset service providers (VASPs) can boost their competitiveness and identify novel business opportunities (e.g. new innovative financial products and services), among other things[v].  

Risks and exposures related to VAs.

Notwithstanding the benefits and innovative growth opportunities that VAs may provide for FIs and VASPs, VA activities are also associated with risks. Such risks include the perpetration of fraud, scams and other illicit finance, market risks (price volatility and lack of accountability), liquidity, credit, operational, cybersecurity, and reputational risks, etc. The discussion that follows below highlights some of these key risks together with some suggestions for mitigating same. 

Illicit Finance Risks: Various attributes associated with VAs have drawn the interest of criminals for the conduct of illicit finance/financial crimes. These include the inherent pseudonymity, decentralized nature, speed of transactions, global reach and opportunities for obfuscation of transaction flows or counterparties[vi]. The use of anonymity services such as tumblers and mixers also add to the attractiveness. 

There are a variety of financial crimes associated with the use of VAs, all of which involve the transmission of monetary value[vii]” including, money laundering, the illicit financing of drugs, human trafficking, ransomware, terrorism, corruption, sanctions evasions[viii]”, etc. 

For FIs (such as banks, broker-dealers, investment advisers, insurers etc), financial crime risks associated with VAs may be direct or indirect. Exposures to risks may be due to offerings such as providing VA custody[ix], facilitating payments, expanding credit[x] & investments in VA companies, deposit accounts of VASPs[xi], providing insurance coverage for VASPs, etc. Additional exposures may be channeled through customers’ wire transfers from their bank account to a VA exchange, customers’ use of credit or debit cards to purchase VAs, cash deposits retrieved from a virtual asset kiosk[xii] and deposit or withdrawal of fiat funds by payment service providers facilitating virtual asset payment services[xiii], among other things. 

For VASPs, the borderless nature of VA transactions, the volume of transactions, and potential obfuscation of transactions flows, among other things present challenges in managing risks. For example, a VASP may unknowingly be facilitating services to nested exchanges that interact with scammers, fraudsters and launderers[xiv]. Proceeds of crime in fiat may also be used to purchase VAs, or illicit VAs may be transferred via various transactions[xv]. Inadequate detection and a lack of robust ‘know your customer’(KYC) and ‘client due diligence’ (CDD) policies and procedures, failure to identify (as far as possible) originator and beneficiary information regarding VA transactions[xvi] , as well as the absence of other effective preventive and risk-mitigating measures, means high exposures to financial crimes and inadvertently facilitating illicit gains. 

Some key considerations for FIs and VASPs in mitigating potential risks associated with illicit finance include, understanding clearly the exposure of same, implementing appropriate analytics to monitor transactions[xvii] (for e.g. through the use of blockchain analytics), managing their ability to block transactions, highlight red flags and report suspicious transactions. The implementation of adequate KYC, performance of enhanced due diligence, where appropriate, and ensuring that policies and procedures address, inter alia, ongoing monitoring and incorporate best practices in maintaining effective compliance standards[xviii]. Ongoing training of management and staff should also be implemented given the highly dynamic nature of the VAs, the VA ecosystem and the regulatory environment that addresses same.

Market (volatility) risks: The volatility of VAs poses market risks for both FIs and VASPs alike. There is a risk of incurring significant losses due to swings in market prices which can be brought on by various factors within the VA ecosystem and beyond. Both unbacked and backed VAs may be subject to volatility[xix]. These risks may be transferred directly or indirectly to FIs[xx] and other VA participants. Examples of transmission channels include, holding certain VAs, spillover effects within the ecosystem (example operational failure, etc), direct or indirect exposure to participants involved in the VA ecosystem, effects as a result of withdrawal of confidence[xxi].  

Understanding the susceptibility of VAs to unpredictable volatility is one of the key steps towards mitigating risks. There should also be appropriate systems in place to continuously monitor the value of relevant VAs, manage the extent of exposure and implement a contingency plan to address the materialization of risk (including appropriate contingency capital/funding[xxii] to manage the effects of sudden swings). 

Liquidity Risks: For FIs exposed to VAs, liquidity risks[xxiii] could entail losses as a result of an inability (or perceived inability) to meet obligations in a timely manner[xxiv] due to inter alia, difficulty converting VAs held, mass withdrawals by VA related depositors[xxv], as well as unanticipated withdrawal and conversion of reserve assets held for stablecoins (as a result of redemption requests/run on stablecoin)[xxvi]. The Bank for International Settlements also notes that liquidity risks may arise as a result of, among other things, operational vulnerabilities in the VA ecosystem[xxvii]. Similar risks exist for VASPs including their inability to ensure sufficient financial resources to meet obligations as they fall due, or to attain such resources only at excessive costs, due to inter alia, unexpected withdrawals, operational disruptions etc. 

FIs and VASPs should ensure that they are clear on the drivers of potential liquidity risks (including susceptibility to unexpected swings), the potential concentration or interconnectedness of (i) relevant VAs/VA related activities and (ii) their customers; as well as the degree of exposure to same. Incorporating exposures into contingency funding strategies, implementing appropriate due diligence and ongoing monitoring to stay informed of the value of relevant VAs, managing exposures (including its ability to quickly convert volatile VAs to other stable assets) are some key factors that should be considered in mitigating risks. 

Counterparty/credit risks: FIs with customers that hold VAs representing liabilities (i.e. stablecoins with redemption rights[xxviii]) may be subject to credit risks in relation to the claim on an issuer. Loans to VA investors/participants could also lead to credit risks[xxix]. Events such as fraud/scam by issuers (e.g. rugpull), spillovers from related party transactions, failure of entities that lack sound governance or have weak consumer protections, and engage in excessive leverage within the VA ecosystem, can lead to serious losses for a FI. For VASPs, credit risks may involve the “death” of a VA (e.g. FTT token[xxx] and Terra/Luna[xxxi] which resulted in losses for entities holding/trading same), default of a stablecoin issuer, security breach, mismanagement and comingling of funds, etc.

Counterparty and credit risks could be mitigated through rigorous operational due diligence[xxxii] and ongoing monitoring of key participants or events, as well as strategizing and implementing appropriate operational workflows to address exposures[xxxiii], as far as possible. Holding adequate funds to cover potential losses could also assist in the mitigation of counterparty/credit risks.

Operational Risks: The technological infrastructure supporting the creation, use and transfer of VAs is subject to vulnerabilities and limitations. In that regard, there are operational risks that may affect, inter alia, VASPs, FIs exposed to the VA ecosystem, investors/consumers and other market participants. Risks include code errors, bugs, blackouts and other technical problems that may affect the capabilities of VA protocols[xxxiv]. When such events occur, service disruptions/system failures may lead to panic and affect the value of certain VAs[xxxv], the viability of certain VASPs, the facilitation of trading activities, inability to meet redemptions, and the operations of other participants in the market, among other things. Additionally, risks may stem from network governance issues such as a fork and/or other network decisions[xxxvi]. 

FIs and VASPs should ensure they have sound operational risk governance for “identifying and managing risks[xxxvii]” inherent in VA related products and services. Policies and procedures should outline how risks will be identified, assessed, monitored and controlled. The implementation of effective cybersecurity systems may also be key to mitigating risks, depending on the source of the operational risk and whether same is direct or indirect. 

Cybersecurity Risks: The technological nature of VAs comes with cybersecurity vulnerabilities. Cyber-attacks can take various forms including hacks, phishing attacks, malware, coding exploits, compromise of private keys, etc. 

Such attacks can affect the availability and viability of VA services/products and lead to inter alia, unauthorized transfers, data breaches and technological outages[xxxviii]; resulting in operational disruptions and monetary losses for FIs[xxxix], VASPs[xl] and investors/consumers. For example, in February 2022 a cyber-attack at IRA Financial Trust[xli] (which facilitated the purchase of VAs through a partnership with a VASP- Gemini Trust Co) led to a loss of approximately $36 million in VAs[xlii] stolen from the accounts of IRA customers[xliii]. Other examples include the hack of Binance exchange in October 2022 due to vulnerabilities with its cross-chain bridge, the BSC Token Hub[xliv]; and the withdrawal of assets from Bitmart in December 2021 through the theft of a private key. 

Implementing effective cybersecurity systems, conducting regular security audits, implementing adequate policies and procedures to address risks when materialized; as well as maintaining awareness of developments in the VA space (as it applies to security vulnerabilities) are ways in which such risks may be mitigated. 

Reputational risks: FIs and VASPs may face reputational risks associated with VAs due to, inter alia, cyber-attacks, ineffective regulatory compliance, volatility of virtual assets/instability of a token (particularly in a downswing), scams and fraud, or broader vulnerabilities that emerge in the network[xlv]. 

Similar to mitigation approaches for operational and cybersecurity risks, mitigating reputational risks, requires the implementation of stringent security protocols and regular security audits. Furthermore, entities should be transparent regarding their security practices. Ensuring compliance with evolving regulatory requirements will also aid in mitigating risks. 

Macro-level risks: 

The growing interconnectedness between the VA and traditional financial[xlvi] ecosystems and factors such as regulatory fragmentation/arbitrage (as it relates to the use of VAs) may pose, inter alia, financial stability risks for the financial sector as a whole[xlvii]. While currently limited, standard setters like the Financial Stability Board and International Monetary Fund note the potential for stability risks if VAs were to become more integrated into, inter alia, payment systems and other areas in the financial sector. Increased exposure of more financial entities could affect profitability, asset/liability mismatches, liquidity, runs on institutions, etc[xlviii]., with potential spillovers that may lead to serious harm to the financial system.  

Mitigating Risks

Below are suggested steps that ought to be considered by entities in working towards mitigating risks associated with VA and VA activities. 

Step 1: Risk Identification: 

Whether a FI or VASP, a comprehensive review of potential risks relevant to VAs, is a critical first step. Factors such as market volatility, liquidity, cybersecurity, operational and other risks (including those noted above) ought to be taken into account. Tools like a risk checklist[xlix] and risk register[l] may be valuable in ensuring a thorough identification process[li]. 

Step 2: Risk Measurement (Analysis & Assessment)

Following the identification process, each risk ought to be analyzed in various ways. Identifying possible indicators, (asking and answering key questions for each risk) is one helpful way to conduct an analysis[lii]. 

For example, in analyzing potential cybersecurity risks (which may lead to operational disruptions, losses, etc.) one could ask questions such as what are the potential vulnerabilities of identified VAs that a FI or VASP may be exposed to (including their supporting DLT - performance, capacity and reliability), what is the extent of exposure, what systems are currently in place to mitigate such vulnerabilities, is there a history of cyberattacks, gaps or coding errors, among other things. For FIs, other considerations may include whether a VASP (as a potential customer) appears to have rigorous, tested controls in place to manage cybersecurity risks, is the VASP centralized or decentralized, etc.

Focus should be placed on the likelihood of each risk materializing and the potential impact it could have on the FI or VASP. Tools such as scenario and stress testing could be employed to aid risk analysis[liii]. 

Once factors/indicators have been identified, it is important to assign a risk score to each risk and consider criticality and prioritization of identified gaps and vulnerabilities, based on inter alia, the impact if these risks materialize[liv]. 

Step 3: Risk Control and Monitoring (Implementing Appropriate Systems, Tools, Policies and Procedures)

The key to risk control and monitoring is ensuring that an entity has in place an effective and adequate risk management program that considers key risks, the likelihood of same occurring, consequences of such exposures and critically a plan of action to monitor such occurrences and to minimize the likelihood and impact should a risk materialize. That is to say, a risk management program must identify, measure, monitor, and control risks.

Risk mitigation techniques include risk avoidance, risk reduction, risk transfer, and risk acceptance, all of which could be considered in determining the most appropriate plan for an entity. 

Tools such as blockchain transactions analytics, asset research[lv], assessment of customers and third-party providers could be incorporated into any considered and well-developed plan.  

A plan should also incorporate practices such as adequate disclosure to customers, regular risk assessments (of inter alia, people, processes, data and technologies), policies, procedures and strategies that ensure effective and appropriate due diligence, governance and internal controls, adequate capital and liquidity, business continuity, etc. A plan should be developed having regard to the size, nature, operations, and structure of the entity. Staying up to date with changes in the VA ecosystem and regulatory space are also key matters that need to be incorporated into a risk management program. For example, banks would need to incorporate standards as recommended in the BCBS Prudential Standards in regard to crypto asset exposures[lvi]. Furthermore, entities should ensure that all relevant board members, management and staff are adequately trained to address emerging risks associated with the use and exposure to VAs. 

Conclusion

Virtual assets offer a number of potential benefits for FIs and VASPs alike, but the use of same also comes with risks. It is therefore important to recognize these risks, understand them and find ways of innovatively mitigating them. The above discussion provides a good starting point for building out adequate and appropriate systems, strategies, policies and procedures to mitigate key risks. 

The “technological brilliance” of VAs should be encouraged to flourish in a safe and sound manner, which includes the mitigation of key risks. Creating an ecosystem that is “secure, inclusive, sustainable[lvii]” and compliant, is critical to supporting such growth and realizing the transformative promises as expounded by proponents. 

References

[i]CoinMarketCap,‘Today’s Cryptocurrency Prices by Market Cap’, 3 April 2023, <https://coinmarketcap. com/>. See also, EarthWeb: ‘How Many Cryptocurrencies Are There in the World in 2023?’, https://earthweb.com/how-many-cryptocurrencies-are-there/

[ii] Teng, Huei-Wen et al, (2023). Mitigating Digital Asset Risks. 10.13140/RG.2.2.18471.93607. https://www.researchgate.net/publication/374144574_Mitigating_Digital_Asset_Risks

[iii] “Virtual assets incorporated into the financial market as new assets could expand investment portfolios providing functions of speculation, diversification, and hedging capabilities”: See article, ‘The growth of virtual asset market and major issues in the future’ https://www.kiri.or.kr/eng/pdf/CEO_Brief_22-6.pdf.

[iv] Virtual assets could improve the efficiency and convenience of payment and settlement systems, as their transaction fees are low and they can be transferred without physical or time constraints and engaged in transactions with versatile manners.

[v] Financial institutions can gain revenue for example from, providing currency trading services, such as conversion of cryptocurrencies into fiat currencies, and vice versa; processing payments and facilitating international cash transactions and transfers; providing escrow services; and helping customers invest directly in virtual assets: See FTI Consulting publication ‘Innovation and Trust: Imperatives in the Emerging Relationship Between Banks & VASPs’, https://www.fticonsulting.com/insights/fti-journal/emerging-relationship-banks-vasps .

[vi] See Banks for International Settlements, FSI Insights on policy implementation No 31: ‘Supervising cryptoassets for anti-money laundering’ April 2021. https://www.bis.org/fsi/publ/insights31.pdf

[vii] The use of virtual assets for illegal activities, can undermine the integrity of financial systems, create instability and erode trust. See Europol (2021), Cryptocurrencies - Tracing the evolution of criminal finances, Europol Spotlight Report series, Publications Office of the European Union, Luxembourg. https://www.europol.europa.eu/cms/sites/default/files/documents/Europol%20Spotlight%20-%20Cryptocurrencies%20-%20Tracing%20the%20evolution%20of%20criminal%20finances.pdfn

[viii] U4 Anti-Corruption Resource Center, ‘Cryptocurrencies, corruption and organized crime’, March 2023.

[ix] Various banks, including Standard Chartered, BNY Mellon and Societe Generale, offer crypto custody services.

[x] e.g. providing fiat loans collateralized by virtual assets.

[xi] In the US for example, Office of the Comptroller of the Currency (OCC) issued a cease and desist order to Safra Bank. It was alleged that the Bank gave accounts to money service businesses that facilitated crypto-asset trading, but did not address the increased Anti-Money Laundering risks associated with these accounts.

[xii] Global Digital Finance, ‘Banks Are Most Likely Exposed to Crypto-Assets Unknowingly’, March 2020: https://globaldigitalfinance.medium.com/banks-are-most-likely-exposed-to-crypto-assets-unknowingly-66922508fd54

[xiii] This is because illicit actors frequently attempt to capitalize on the non-face-to-face client interaction channels available through most payment service providers.

[xiv] Noémi També and Allison Owen, ‘Institutional Virtual Asset Service Providers and Virtual Assets Risk Assessment Guide’, August 2023. https://static.rusi.org/Institutional-VASP-VARAG-web-final.pdf 

[xv] with no immediate indicators pointing to the criminal origin being visible on the blockchain (Chainalysis 2022).

[xvi] Over a specified threshold. VASPs should have in place appropriate systems, mechanisms, policies, and procedures that would facilitate the identification, assessment, management and mitigation of their money laundering and terrorist financing risks.

[xvii] “The transparent and traceable nature of crypto transactions facilitates two unique benefits: (1) the systematic measurement of illicit activity, leading to insights into criminal networks and typologies, (2) an ability to "follow the money" in criminal investigations that is faster and more effective than following the money in cash. By leveraging the transparency and traceability of crypto transactions, we not only gain valuable tools for measuring illicit activity and understanding criminal networks but also contribute to the development of a more resilient and secure financial ecosystem”.- per TRM Lab Report, ‘Illicit Crypto Ecosystem Report’, June 2023 : https://www.trmlabs.com/report

[xviii] For example, FATF has been encouraging the adoption of the travel rule, which may be considered a key tool in mitigating financial crime risks.

[xix] For unbacked cryptoassets, valuation is dependent, in the main, on speculative demand, making them extremely volatile. While backed assets like stablecoins, could be subject to volatility as a result of insufficient reserves or runs due to confidence effects, hacks, or other issues.

[xx] Bank for International Settlements, ‘Financial stability risks from cryptoassets in emerging market economies’, Consultative Group of Directors of Financial Stability (CGDFS), August 2023: https://www.bis.org/publ/bppdf/bispap138.htm

[xxi] Ibid @ page 6.

[xxii] For FIs holding VAs as collateral, consideration should be given to how much exposure is acceptable as well as an exploration of a mixture of collateral (i.e. traditional instruments as well as VAs) to balance risks.

[xxiii] Liquidity in relation to virtual assets refers to the ease at which same may be converted to fiat or other assets (crypto or traditional). Proponents note that high liquidity indicates market stability and low volatility. 

[xxiv] The unpredictability of the scale and timing of deposit inflows and outflows may result in uncertainty and deposit volatility which could severely impact financial institutions leading to runs and reputational risks, among other things. 

[xxv] For example, the mass withdrawals by crypto entities in Silicon Valley Bank, lead to severe liquidity issues, among other things. Deposits placed by a VASP entity could present heightened risk for a FI from the combination of the unpredictable behaviour of the VASP’s customers and the volatility of VA sector’s dynamics.

[xxvi] See Federal Reserve, OCC and FDIC ‘Joint Statement on Liquidity Risks to Banking Organizations Resulting from Crypto-Asset Market Vulnerabilities’. February 2023. https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20230223a1.pdf .

[xxvii] Bank for International Settlements, ‘Financial stability risks from cryptoassets in emerging market economies’, Consultative Group of Directors of Financial Stability (CGDFS), August 2023: https://www.bis.org/publ/bppdf/bispap138.htm.

[xxviii] “Participants may be exposed to credit risk if a stablecoin loses value relative to the sovereign currency in which it is denominated or to which it is pegged, or if the issuer of the stablecoin defaults on its obligations to the participant”. See: CPMI and IOSCO ‘Application of the Principles for Financial Market Infrastructures to stablecoin arrangements’, October 2021. https://www.bis.org/cpmi/publ/d198.pdf

[xxix] See BIS discussion paper: ‘Designing a prudential treatment for virtual assets’, December 2019. https://www.bis.org/bcbs/publ/d490.pdf

[xxx] For example, the BlockFi platform, filed for bankruptcy on 28 November 2022, after borrowing USD 275 million from FTX in the form of FTT, which value collapsed significantly.

[xxxi] The collapse of Terra and stETH (an Ether-derived asset) directly affected the specialised hedge fund Three Arrows Capital, which had taken directional positions in these crypto-assets. Three Arrows Capital defaulted on debts owed to 27 companies including the Celsius and Voyager Digital platforms, which subsequently filed for bankruptcy in July 2022: See Claire Brousse and Youssef Mouheb, Eco Notepad: ‘Crypto-assets: 2022 confirmed already identified risks’: https://blocnotesdeleco.banque-france.fr/en/blog-entry/crypto-assets-2022-confirmed-already-identified-risks

[xxxii] KYC plays a key role here. FATF has recommended the implementation of the travel rule which requires identification of originator and beneficiary of transactions. The BIS Prudential Standards for Crypto Assrt Exposures, include a requirement for adequate capital to address potential losses from counterparty defaults etc.

[xxxiii]See:https://www.fireblocks.com/blog/mitigating-digital-asset-and-crypto-counterparty-risk/ and https://www.merklescience.com/what-is-counterparty-analysis-and-how-does-it-apply-to-crypto-companies

[xxxiv] Bank for International Settlements, ‘Financial stability risks from cryptoassets in emerging market economies’, Consultative Group of Directors of Financial Stability (CGDFS), August 2023: https://www.bis.org/publ/bppdf/bispap138.htm

[xxxv] “All service providers in cryptoasset markets are vulnerable to coding errors that could result in funds being lost or sharp price swings that would affect their value”. Ibid.

[xxxvi] Bank for International Settlements, ‘ Designing a prudential treatment for crypto-assets’, December 2019. https://www.bis.org/bcbs/publ/d490.htm

[xxxvii] Key phrase borrowed from the BIS on Principles for the Sound Management of Operational Risk (2011): https://www.bis.org/publ/bcbs195.pdf

[xxxviii] Chainalysis 2023cryto crime report indicated that $3.8 billion worth of cryptocurrencies were stolen by hackers from businesses in 2022: https://www.chainalysis.com/blog/2022-biggest-year-ever-for-crypto-hacking/

[xxxix] For example, “a bank holding cryptoassets may be exposed to additional ICT and cyber risks including cryptographic key theft, compromise of login credentials, and distributed denial-of-service (DDoS) attacks” : BIS discussion paper: ‘Designing a prudential treatment for crypto assets’, December 2019. https://www.bis.org/bcbs/publ/d490.pdf. Successful attacks on a financial institution could result in significant disruptions. The high degree of interconnectedness across firms can lead to rapid contagion effects.

[xl] For example, the January 2017 attack on the Coincheck cryptocurrency exchange led hackers to steal about $500 million from customers’ wallets due to weak security controls. It has also been argued that newer fintech entities tend to have fewer controls and risk management procedures than large, vertically integrated regulated intermediaries (IMF (2017a)) which could lead to greater vulnerabilities.

[xli] crypto retirement account provider.

[xlii] $21 million in Bitcoin and $15 million in Ethereum.

[xliii] See ‘Timeline of Cyber Incidents Involving Financial Institutions’, https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline

[xliv] https://www.binance.com/en/feed/post/141022

[xlv] BIS, ‘Designing a prudential treatment for crypto assets’, December 2019. https://www.bis.org/bcbs/publ/d490.pdf

[xlvi] A business disruption of a set of large financial institutions could have a significant impact due to risk concentration (Kopp et al. (2017))

[xlvii] See FSB Release: ‘FSB warns of emerging risks from crypto-assets to global financial stability’, https://www.fsb.org/2022/02/fsb-warns-of-emerging-risks-from-crypto-assets-to-global-financia. l-stability/

[xlviii] Hacibedel and Perez-Saiz (2023).

[xlix] A Risk checklist is a tool for risk identification that can be used at the earliest stages of risk identification to learn from past events and developments. Identifying past events related to virtual assets that an entity is exposed to (whether directly or indirectly) could assist in mitigating risks going forward.

[l] A risk register is a document that records all identified potential risks, the likelihood and consequences of such risks occurring, the actions that will be taken to reduce those risks and who is responsible for managing same. It serves as a key reference point for an entity’s risk management efforts.

[li] https://financialcrimeacademy.org/risk-identification/

[lii] Generally past performance, identifying whether backed or unbacked, accessibility, volatility, and knowledge of identifiable virtual assets are factors that can aid in analyzing risks.

[liii] https://financialcrimeacademy.org/risk-identification/.

[liv] A range of risk rating approaches could be considered such as the likelihood-impact matrix or the risk heat map, to conduct risk assessments. These tools aid in prioritizing risks and identifying those that require immediate attention due to their significance.

[lv] Managing Risk for the Next Wave of Digital Currencies (supra).

[lvi] BCBS, ‘Prudential treatment of cryptoasset exposures’: https://www.bis.org/bcbs/publ/d545.htm. See also my previous post where I provide a brief summary of the requirements: ‘Regulation of the Crypto Asset Ecosystem: Recommendations from key international bodies and agencies (Part 1’) https://kmafiles.com/68.

[lvii] Teng, Huei-Wen et al, (2023). Mitigating Digital Asset Risks. 10.13140/RG.2.2.18471.93607. https://www.researchgate.net/publication/374144574_Mitigating_Digital_Asset_Risks.