Guidance on how UK firms should handle exposures to crypto-assets

Regulated firms are increasingly taking on – or planning to take on – exposure to crypto-assets. Recognising this, the UK Prudential Regulatory Authority has written to banks, insurance companies and PRA-regulated investment firms about handling crypto-exposures. Firms should adopt the latest guidance into their crypto strategy, including their governance, prudential and risk management models.

Senior Manager responsibility for crypto-assets

The PRA’s Dear CEO letter notes that crypto-assets have exhibited high price volatility and relative illiquidity. According to the PRA, firms’ boards must fully consider the risks of entering into crypto-asset activities. A Senior Manager should take responsibility for approving risk assessment framework for businesses and entities crypto-exposures.

Crypto is not a currency for prudential treatment

The PRA states the crypto-assets represent a new, evolving asset class. Firms should classify crypto-assets for prudential purposes but what that classification is for a crypto-asset will depend on its features. Presumably this is because crypto-assets cover a wide range of potential products including utility tokens, security tokens and cryptocurrencies. In any case, the PRA confirms that that crypto-assets should not be treated as currencies for these purposes.

The letter also requires firms to set out a consideration of risks relating to crypto-exposures in firms’ ICAAPs and ORSAs. The PRA’s position on the prudential regulation for crypto-assets is consistent with previous comments by Mark Carney on this subject.

Managing risks and personal incentives

The PRA also comments on the technical complexity of crypto-assets. As part of their risk management processes, firms engaging with crypto-assets should:

  • have access to appropriate expertise
  • undertake extensive due diligence
  • safeguard against not only financial but also operational, cybersecurity and reputational risks
  • ensure that employee incentives do not encourage excessive risk-taking in crypto-asset activities

The PRA letter follows the Dear CEO letter sent by the FCA to banks to highlight the risk of crypto-assets being used to further financial crime.

What happens next?

Firms that are have, or are considering, exposures to crypto-assets are expected to notify the regulator of:

  • the identity of the responsible Senior Manager
  • any planned crypto-asset activity
  • the risk assessments of those crypto-exposures

According to evidence to the Digital Currencies Inquiry, the PRA is also assessing whether additional prudential regulations are needed to cover crypto-exposures. The PRA also indicates it will “where necessary” publish further updates on the prudential treatment of crypto-assets (including under Pillar 2).