APRA and AUSTRAC provide risk management guidance in relation to crypto assets

By Simun Soljo, Gabor Papdi, Andrew Tolé

APRA and AUSTRAC provide guidance on crypto assets

On 21 April 2022, both APRA and AUSTRAC issued risk management guidance to their regulated entities in relation to activities involving crypto assets (which includes 'digital currency' as defined in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF)). APRA issued a letter to all APRA-regulated entities setting out its initial risk management expectations for activities involving crypto assets, an overview of regulatory policy (a 'roadmap') in relation to crypto assets, and associated activities that APRA will undertake in the immediate future. AUSTRAC published its digital currency financial crime guide, Preventing the criminal abuse of digital currencies, which provides guidance about financial crime risks applying to digital currencies, financial and behavioural indicators associated with financial crime, and emerging financial crime risks related to digital currency and crypto assets more generally.

APRA letter to regulated entities

APRA's letter to regulated entities is the first formal guidance from APRA in this area. The letter acknowledges that while activities associated with crypto assets are currently relatively limited in Australia, the scale and risks of such activities could become significant over time. The volatility of the value of some crypto assets could present material risks as exposures increase.

The letter provides a good overview of some of the key issues which APRA-regulated entities need to consider before engaging in activities relating to crypto assets. The precise considerations will depend on the nature of the activities – whether that is investing in crypto assets directly, providing a platform or other means through which customers can gain exposure to this asset class, or issuing crypto assets. In addition to managing the prudential risks APRA has identified, there may be licensing, customer disclosure and broader regulatory conduct obligations which will need to be complied with.

APRA's risk management expectations

APRA's letter provides high-level guidance about the steps that APRA expects regulated entities to take in the context of a prudent approach to risk management for crypto asset activities. The letter does not impose new obligations but rather sets out what APRA considers necessary for regulated entities to comply with their currently applicable prudential framework.

APRA expects that all regulated entities will do the following:

  • conduct appropriate due diligence and a comprehensive risk assessment before engaging in crypto asset activities, and ensure that they understand the risks posed by such activities and have in place measures to mitigate such risks;
  • consider the principles and requirements of the relevant outsourcing prudential standard (CPS 231 / SPS 231) when relying on a third party to conduct activities involving crypto assets;
  • apply robust risk management controls, with clear accountabilities and relevant reporting to the Board on the key risks associated with new ventures/activities (for authorised deposit-taking institutions (ADIs), APRA expects the accountabilities for crypto asset activities to be assigned to a BEAR Accountable Person);
  • comply with conduct and disclosure obligations administered by ASIC, with a focus on product design, distribution and disclosure obligations; and
  • consult with APRA and ASIC if they are unclear on their prudential, conduct or disclosure requirements in relation to crypto asset activities.

APRA's letter also sets out APRA's initial views about the potential prudential risks for APRA-regulated entities in relation to the following kinds of crypto asset activities:

Investments in crypto assets:
  • Capital management – ADIs and insurers will need to hold appropriate levels of regulatory capital and ensure that they treat crypto assets correctly when calculating their regulatory capital levels (noting that different crypto assets may be treated differently in regulatory capital calculations);
  • Investment risk – Registrable superannuation entity (RSE) licensees considering investing in crypto assets must be able to demonstrate how such an investment would be consistent with their best financial interests duty and other regulatory obligations;
  • Operational risk – crypto asset activities may give rise to fraud, cyber, conduct, financial crime and technology risks, as well as usual risks involved with outsourcing activities to third parties;
  • Other risks – including liquidity risk, market risk and large exposure management;
Lending activities linked with crypto assets:
  • Credit risk – where crypto assets are collateral for lending, due to the potentially high price volatility, lack of liquidity and difficulty in enforcing security;
  • Operational risk – crypto asset activities may give rise to fraud, cyber, conduct, financial crime and technology risks, as well as usual risks involved with outsourcing activities to third parties;
  • Other risks – the capital, funding and liquidity treatment of loans secured by crypto-assets may be complex to determine and measure;
Issuing crypto assets:
  • Operational risk – crypto asset activities may give rise to fraud, cyber, conduct, financial crime and technology risks, as well as information security risks;
  • Other risks – governance and accountabilities (particularly if there is reliance on third parties), custody arrangements, capital and liquidity requirements and recovery and resolution planning;
Services on crypto assets for customers:
  • Operational risk – including fraud and asset security, the security of private keys and product design and distribution; 
Partnering with technology and other companies:
  • Capital – equity investments in entities dealing in crypto assets should be treated in accordance with existing prudential requirements; and
  • Outsourcing – APRA notes the need to comply with the relevant outsourcing prudential standard if partnering with technology and other companies will involve outsourcing a material business activity.

Policy roadmap

APRA notes that it is developing a long-term prudential framework for crypto assets and related activities in consultation with international regulators. The Basel Committee is consulting on the prudential treatment for bank exposures to crypto assets, the outcome of which will form the minimum standards that will apply to ADIs and a starting point for the standards to be applied to other APRA-regulated industries.

APRA will take the following actions to develop its policy framework in relation to crypto asset activities.

  • Consult on requirements for the prudential treatment of crypto asset exposures for ADIs, following the conclusion of the Basel Committee consultation process. This consultation is expected to be undertaken in 2023, and APRA may issue interim prudential guidance in the intervening period.
  • Progress new and revised requirements for operational risk management, covering control effectiveness, business continuity and service provider management. These requirements will apply to the entirety of regulated entities' operations and so will also affect risk management in relation to crypto asset activities. A draft prudential standard will be released for consultation in mid-2022.
  • Consider possible approaches to the prudential regulation of payment stablecoins. APRA notes that payment stablecoins bear similarities to stored-value facilities and flags that options for incorporating payment stablecoins into the eventual stored value facility regulatory framework are being considered.

AUSTRAC financial crime guide

AUSTRAC's digital currency financial crime guide provides high level guidance on the ways in which digital currencies and associated technologies can be open to criminal misuse as well as the behavioural and financial indicators which designated service providers can look for to mitigate their financial crime risk (in the digital currency financial crime guide, the expression 'digital currency' includes 'virtual assets' generally).

AUSTRAC notes that while digital currencies and associated technologies have considerable potential to drive innovation and efficiencies across sectors such as payments, logistics and healthcare, the borderless nature of digital currencies means they pose a risk of facilitating:

  • money laundering;
  • the purchase of illicit products on the darknet;
  • terrorism financing;
  • scams;
  • tax evasion; and
  • ransomware.

The financial crime guide explains how digital currency can be used to facilitate each of the above unlawful activities and covers behavioural and financial indicators of increased financial crime risk for customers generally and also specifically for the unlawful activities listed above. AUSTRAC believes these behavioural and financial indicators should trigger enhanced customer due diligence by reporting entities and that financial services providers, including digital currency exchange operators, should use a combination of the indicators set out in this financial crime guide and their own knowledge of their business to mitigate and manage financial crime risk and report suspicious activity.

Additionally, AUSTRAC identified non-fungible tokens, staking (ie, committing digital currency to support a blockchain network to verify transactions or to participate in decentralised finance protocols, usually in return for earning more digital currency) and decentralised finance as emerging financial crime risks, flagging these as potential future targets for regulation under the AML/CTF regime.

Next steps

APRA-regulated entities engaging in crypto asset activities, or considering engaging in crypto asset activities, should consider their current risk management practices in light of the expectations set out in APRA's letter. Engaging in crypto-related activities raises new and heightened risks for regulated entities which need to be carefully assessed and managed. APRA's guidance highlights some of the key areas regulated entities need to consider and comply with, and should be incorporated into due diligence processes for any new crypto-related initiatives.

Reporting entities who provide digital currency exchange services or otherwise engage in crypto asset activities should review the financial crime guide and use the information contained in it, along with the to update their profiling and transaction monitoring programs to better identify and mitigate financial crime risks.

If you wish to discuss APRA's letter or AUSTRAC's financial crime guide in further detail, or the regulatory obligations which may apply to your organisation when engaging in crypto asset activities, please contact us on the details below.