Let’s take a closer look at investment-level strategies, and then we’ll examine measures that can be taken at an organizational level.
Blockchain Intelligence (BI). Also known as blockchain analytics, BI is a cornerstone capability intrinsic to digital currencies and blockchain in general. To a large extent, it is the foundation of digital currencies’ enhanced capabilities, especially when it comes to granular transparency and traceability.
BI is used by CROs, risk executives, law enforcement, and government regulators to detect and mitigate illicit-finance and counterparty risks. Third-party vendors offer increasingly sophisticated AI-based tools and analytic practices for monitoring digital currencies’ blockchain transactions.
For example, BI systems can use machine learning to detect patterns in transaction histories that are consistent with money laundering or illicit finance. These systems often connect directly with law enforcement, regulators, and compliance professionals, giving these authorities visibility into real-time financial flows. When there is a problem with a counterparty, investigators can identify the related transactions. This gives banks more ability to reduce risks to their customers.
Anti-money-laundering (AML) techniques are well-established forms of BI oriented toward counterparty and illicit-finance risks, including the financing of terrorism and sanctions noncompliance. There are some specific ways in which key AML controls operate differently in a digital-currency space:
- Know Your Customer (KYC). KYC evaluates companies and investors when they join the blockchain or digital currency. It continually compiles knowledge of entities’ backgrounds, transactional histories, and expected future activity.
- Know Your Transaction (KYT). KYT, a recently developed application, evaluates each blockchain transaction as it happens. This is essentially the process of transaction monitoring, extended to the ecosystem level. An effective KYT system can verify in real time that a transfer is not going to a bad actor or a known sanctioned wallet.
Platforms and dashboards for digital currencies, another important BI offering, bring together information related to all seven risk categories. For example, a dashboard might compare counterparties to see which are highly leveraged and cross-check those findings against these parties’ KYC and KYT records. These dashboards enable continuous improvement of crypto-related operations.
BI also plays a role in the deployment of automated controls. These allow banks and other financial services firms to continually monitor and improve their practices. Automated controls, for example, can help limit exposure. In some digital-currency investments, rapid liquidity may not be available. Therefore, banks and investors need to keep their exposure within the limits of acceptable risk—even if all the funds pass muster after asset research (discussed next). As discussed previously, digital-currency holders can be hurt by the domino effect from another fund’s or exchange’s failure, even if they don’t hold that fund or do business on that exchange directly. Thus, as with any risky investment, an automatic stop-loss and hedging should be considered as options.
Asset Research. Also known as “do your own research” (DYOR) processes, asset research involves examining the integrity of the business behind a digital currency to see whether investing in it is worth the possible risk, especially given the potential volatility. There should also be fail-safe internal audits for all transactions and smart contracts, before they are finalized.
Those conducting asset research should closely examine the business fundamentals of the digital currency and its sources (for example, founding institutions or even the exchanges themselves), the financial health of the firm, its software and agreement architecture, its balance-sheet structure, provenance, and business model. One indicator of financial health is a robust ancillary revenue stream. This might be a blockchain-as-a-service offering with cybersecurity, insurance brokering, or low-cost digital-currency trading, or a value-creating exchange for airline frequent-flier miles or online-game costumes. Another indicator is the extent to which exchanges have put mitigation processes in place: upholding sanctions, identifying problematic participants, and verifying the identity of counterparties.
Assessment of Vendor and Partner Relationships. As they become more familiar with digital currency, financial institutions may want to reorient their relationships in the larger ecosystem. Preferred vendors may shift to new names, and the relationships with them may need to be more transparent.
Proof-of-Stake Participation. Financial institutions can gain credibility and income by staking crypto funds, using assets dedicated to that purpose. The income, which accrues to any proof-of-stake participant, should not be treated as a return on investment. It consists of transaction fees and inflationary rewards generated by the blockchain protocol, and is thus a separate category of income. These “rewards” are typically partially transferred to clients, creating the perception of higher savings rates versus traditional deposit savings offerings.
Safe Storage. Many banks currently offer a model where they maintain full custody over a customer’s cryptocurrency transactions, offering a high level of protection and oversight. By contrast, a fully crypto-style model can be as extreme as transferring custodial responsibilities to the customer. Within this latter model, several basic protection measures can help prevent crypto keys and other critical data from being hacked or lost. These include basic cybersecurity measures, guarding against phishing and intrusion, and protection for digital-currency holdings.
The following is a selection of currently used safe-storage solutions:
- Hot and Warm Storage Wallets. A third party, such as an exchange, holds the data. Hot and warm wallets are typically connected to the internet, with warm wallets downloaded as computer or phone apps.
- Cold Storage Wallets. Also called hardware security modules (HSMs), these physical storage devices are generally separated from other devices or the internet. HSMs are comparable to a brick-and-mortar bank vault: access requires physical proximity.
- Multi-Signature Protocols. These wallet-based security systems require several private keys for each transaction.
- Multi-Party Computation (MPC). MPC, the most comprehensive approach, is a wallet-based technique for maintaining secrecy and access. Instead of getting a private key, each participant holds a unique encrypted MPC protocol.
There is an expectation that further innovation will allow clients to be offered the potential benefits of digital currencies (including the ability to trade and pay as promised by CBDCs, or as safe storage with stablecoins), without introducing self-custody risk.
Broader Mitigation Strategies. As banks gain experience with these various forms of mitigation, they will naturally look at their offerings differently. Broader risk-related conversations can lead to stronger oversight practices throughout the organization. A scenario-planning exercise, for example, can help banks and investors game out different risk scenarios, stay alert to possible challenges, and respond to risks more successfully when they arise. Scenario exercises can also involve third-party experts and regulators, helping teams gain and maintain expertise.
A direct consequence of these strategic exercises can be a set of decisions about offerings. Depending on the customer base and risk level, some digital currencies might be removed from an offering or given a longer lead time, relative to less controlled exchanges, to bring onboard.
Building Institutional Capabilities. Ultimately, mitigating risk means continuously improving the bank’s functional capabilities, and aligning them with its digital-currency strategy and risk appetite. Each offering needs to be considered as part of a larger whole. As new aspects of digital-currency technology appear, and as risk-mitigation techniques evolve, such as protocols, blockchain innovations, or software bridges, banks will experiment with them. These experiments must be transparent, so that the entire organization can learn from them.
To develop these capabilities, leaders should put in place a clearly defined roadmap: laying out the initial digital-currency offerings, the staffing and skills needed to deliver these offerings, the institutional and technical support required, and the guardrails that help protect customers from risk. Some capabilities may involve outsourcing, especially if they require specialized talent.
Financial institutions can also raise their capabilities by instituting company-wide guidelines that specify approved practices for digital-currency offerings, by recruiting and developing employees with an eye to improving risk management, by developing appropriate communications and compliance policies, and by considering insurance lines for smart contracts and other digital-currency transactions.
Conclusion: Moving Forward
Digital currencies, and their various use cases in finance and other industries, are here to stay. Once banks have determined the level at which they want to participate in this business, it is important for them to support their customers with appropriate risk-management practices. This will help banks benefit from new innovations, such as those in CBDCs.
The range of risks and mitigation measures described here may seem complex. However, most banks are already familiar with this level of risk intensity. They already have most of the tools and capabilities they need. The next step is to reorient them to digital currencies, supplement them with specific capabilities related to this asset class, and train people accordingly.
Expertise with digital currencies can be a source of competitive advantage. These financial instruments are still new enough that relatively few people are addressing their customers with the appropriate mix of caution and excitement. Once banks have appropriate measures in place to counter risk, and have people on hand who can guide their customers, they can confidently explore the opportunities and put themselves in a better position for the future.
The authors wish to thank Sukand Ramachandran at BCG; Kaj Burchardi at BCG Platinion; Vivek Chauhan, Asad Kassamali, Ave King, and Kushagra Shrivastava at FalconX; Thomas Armstrong, Ari Redbord, and Laura Yungmeyer at TRM Labs; and Lorien Gabel, Annalea Ilg, and Ben Spiegelman at Figment for their contributions to this article.
This article was written in collaboration with B Capital and FalconX.