PRA and FCA clarify framework for exposure to cryptoassets

On the 24 March 2022 Sam Woods, CEO of the PRA, issued a follow up 'Dear CEO' letter discussing the regulator's approach to existing or planned exposure to cryptoassets in the context of increasing growth and innovation in the industry.

Whilst the scope of the letter is very broad given the spectrum of the term 'cryptoassets', it is focused on physical and derivative exposures to cryptoassets without an intrinsic value (e.g. Bitcoin, Ether) and other so-called stablecoins whose value is stapled to fiat currency and other forms of conventional financial assets.

The letter outlines a number of tangible measures that firms must take when gaining exposure to cryptoassets, and should be considered by firms in relation to risk management systems and capital adequacy calculations going forward. Such measures include:

• enhanced risk management controls and frameworks;
• increased involvement of senior managers in decision making processes relating to cryptoassets exposure; and
• re-consideration of capital adequacy and other prudential risk calculations and assessments.

It is also indicative of a wider, international focus on the prudential treatment of cryptoassets that firms should keep a close eye on throughout the course of the coming months and years, particularly those relating to the Basel Committee on Banking Supervision's (BCBS) ongoing consideration of the same topic.

The crypto market and increased regulatory interest

The letter was published at the same time as a package of other policy and supervisory documents including the FCA's notice to all FCA regulated firms with exposure to cryptoassets and the Bank of England's Financial Policy Committee's 'Financial Stability in Focus' report and publication of the responses to its discussion paper on new forms of digital money.

Whilst firms falling under the scope of PRA regulation have typically taken limited exposure to cryptoassets, there is an increased interest from banks and designated investment firms in entering into crypto markets, and this is leading to an ever-pressing need to re-consider the adequacy of the current regulatory and prudential framework for this asset class. The benefits of deploying Distributed Ledger Technology to financial markets can only be realised through adequate, proportionate and appropriate risk management practices. This is particularly so in a market that by definition has global application and scale.

What actions should firms take?

1. Stronger risk controls

The letter reminds firms of their responsibilities under the PRA's Fundamental Rules, including the need to have effective risk management systems, and be transparent with the PRA about its business activities and plans.

To demonstrate compliance with these Fundamental Rules the letter recommends that crypto risks should be escalated to the board and highest levels of executive management (especially those performing Senior Management Functions (SMF) approved by the PRA). Given their status, SMFs should actively review and sign off risk assessment frameworks for exposure to cryptoassets or entities which are heavily exposed to cryptoassets.

The letter also mandates a number of measures that must be taken in the adaptation of existing risk management systems, including more frequent monitoring of related activities, greater uncertainty being factored into modelling and valuation, and lower risk tolerance than is used for conventional asset classes. Stress tests can be used in the context of increasing uncertainty to ensure risks are being captured.

The FCA has also highlighted in its notice the importance of such systems and controls, including checking whether cryptoassets businesses with which a firm interacts are listed on its unregistered cryptoassets businesses page and maintaining full compliance with KYC and AML requirements under the Money Laundering Regulations 2017.

The PRA raises expectations that firms must discuss their approach to cryptassets exposure and the framework they adopt with their supervisors.

2. Prudential framework

The PRA emphasises that firms should consider the full prudential framework when assessing and mitigating risks and exposure to cryptoassets including PRA Fundamental Rules, Pillar 1, ICAAP and related Pillar 2 capital considerations.

The regulator highlights that it will be taking a closer look at Pillar 2 processes and disclosures for firms with material exposure to cryptoassets.

Beyond the PRA's approach, the FCA highlighted in its notice that whilst no specific changes to prudential requirements have been identified by them as yet in relation to cryptoassets, they also emphasise the need to comply with the existing prudential framework and rules on capital adequacy in full, including in particular CASS given the nascent nature of custody activities and the extent of outsourcing to unregulated providers that is prevalent in the market.

Pillar 1

Although the onshored Capital Requirements Regulation (CRR) contains requirements that are applicable to cryptoassets activities, the PRA considers that there are areas which do not adequately capture the risks posed.

The letter reminds firms that whilst the full Pillar 1 framework applies to crypto activities, certain activities, including participation in market-making or direct holdings, will expose firms to unique market risk and counterparty credit risk requiring in some cases a recalibration and additional capital.

The letter also raises the issue of direct holdings of cryptoassets that are classified under accounting frameworks as intangible assets and hence deducted from CET1 under the CRR. As to market risk, the letter states that (depending on the features of the asset), the majority of cryptoassets (including particularly Bitcoin and other cryptoassets without intrinsic value) should have a capital requirement of 100% of the value of the firm's position given the lack of directly comparable asset. Furthermore, it states that diversification and hedging should be approached conservatively, given the potential for relationships to deteriorate in times of stress.

Although the PRA suggests that offset exposures referencing different crypto underlyings are unlikely to be prudent or recognised to achieve prudential netting, there is some tolerance in approach with regards to netting long and short derivative positions to the same cryptoasset. This contrasts with current proposals of the BCBS.

Counterparty credit risk under SA-CCR must be approached on the basis of the stricter netting sets provisions for 'other risks' categories. This would prevent netting of different cryptoasset positions and which are entered into with one or multiple counterparties.

Pillar 2

The Pillar 2 framework captures risks not adequately caught by the Pillar 1 framework. The letter highlights that, depending on a firm's activities, it should at least assess market risk, credit risk, counterparty credit risk and operational risk, along with the extent to which activities involving cryptoassets expose the firm to risks not generally considered under their existing Pillar 2 assessments.

Operational risks, including fraud and cyber risks are highlighted by the PRA as a particular area of concern that firms should enhance their focus on.

What next?

The PRA will be launching a survey of firms to cover existing crypto exposures and future plans for 2022, responses to which are required by the 3 June 2022.

At present, to avoid enhanced scrutiny or action by the PRA, PRA-regulated firms should consider the letter's action points, notably in relation to risk controls and pillar 1 and 2 assessments, in order to consider whether present and near-future crypto-asset exposure is adequately accommodated for.

Whilst the FCA's notice did not contain identical action points, firms regulated by the FCA alone should also consider the appropriateness of their risk management processes and controls in relation to cryptoassets in light of increased regulatory interest.

The publication of the outcome of discussions of the BCBS will give further guidance on the direction of prudential treatment of cryptoassets which will likely inform the long-term approach to regulatory treatment, allowing firms to further determine changes needed to their current risk management strategies.