Risks of doing business with crypto exchanges and custodians

The Actuaries Institute hosted an Insights session entitled Crypto Currency & Risk Management in July 2022. This article is the second in a series of three which draws on content from the session as well as some more recent related developments. The first article – which you can view here – explores some use cases of cryptocurrencies and blockchain.

One area within the crypto ecosystem that has come under increasing regulatory scrutiny is the logistical side of crypto, or more specifically, how crypto assets are traded and held for safekeeping. Several high-profile cyber hacks, scams and fraud cases involving these services have exposed significant vulnerabilities. These entities, which include crypto exchanges, custodians, brokers and dealers, have been categorised by the Australian Government Treasury as Crypto Asset Secondary Service Providers (CASSPrs).   

Riding on the surge in demand for crypto assets, CASSPrs have mushroomed, with the number of crypto exchanges alone currently estimated to be in excess of 500 globally^[1]. Coinbase and Binance are two well-known examples in this space.

In Australia, more than 800,000 Australian taxpayers have transacted in digital assets in the last three years, with a 63 per cent increase in 2021 compared with 2020^[2].

The rapid growth in the crypto asset economy has prompted the Australian Government to release a Consultation Paper in March 2022 on approaches to licensing and custody requirements for CASSPrs that will better protect consumers while not stifling innovation, competition and growth^[3].

The paper highlighted that CASSPrs are subject to a number of risks that could ultimately result in consumers losing their crypto assets.

These include operational risks such as;

• Business continuity
• Illiquidity and inadequate capital
• Insolvency and disorderly wind down
• Fraud and key personnel risks
• Misleading or deceptive conduct and are more susceptible to cybersecurity risks

CASSPrs can also further complicate legalities regarding ownership and jurisdiction of crypto assets. For instance, uncertainties may arise as to who owns the asset (i.e. the customer or the CASSPr) if it is not clear whether the relationship has been created on a trust or contractual basis. The customers’ private keys (required to access crypto assets) may be held offshore to where the CASSPr is incorporated.    

ACX.io and MyCryptoWallet are examples of two Australian-based digital currency exchanges that failed in 2021. ACX.io froze its customer accounts in 2020 before going under administration, causing an estimated loss of $10 million for around 200 investors^[4]. The liquidator of MyCryptoWallet has reported that the business may have been trading whilst insolvent for up to three years prior^[5].

Other notable examples of failed CASSPRs can be found internationally. In 2014, hackers cumulatively stole between 650,000-850,000 of Bitcoins (worth USD460 million at the time) from Japan-based crypto exchange, Mt. Gox, which subsequently forced the company to file for bankruptcy. At its peak, Mt. Gox handled over 70% of all Bitcoin transactions^[6].

The founder of Canada’s largest crypto exchange, QuadrigaCX, defrauded customers of USD93 million in cryptocurrencies and channelled the funds into other crypto exchanges for speculative trading^[7]. The scam was uncovered after the founder unexpectedly died from illness while on a trip to India. Customers were unable to access their cryptocurrencies, totalling USD145 million, which were stored in off-line cold wallets that only the founder could access. QuadrigaCX subsequently entered into bankruptcy in 2019. The sensational nature of this case, which included speculation that the founder had faked his own death, prompted a podcast series and Netflix documentary on the subject.

Very recently, and perhaps most importantly, the crypto exchange FTX filed for bankruptcy in the US. FTX was the second-largest crypto exchange in the world, after Binance, and its March 2022 funding round implied a US$32 billion valuation. Reports cite a combination of reasons for its failure, including poor corporate governance, a lack of regulation and concerns about the asset backing of its own crypto currency, FTT.^[8] The effects of FTX’s failure have been felt in Australia, including crypto trading platform Digital Surge suspending customer deposits and withdrawals due to its exposure to FTX.^{[9], [10]}

CASSPrs who operate in Australia are subject to existing Australian laws, which include the Corporations Act, Anti-Money Laundering and Counter-Terrorism Financing Act and Competition and Consumer Act, but these are insufficient to holistically regulate the crypto asset ecosystem. For example, there are challenges in classifying a given crypto asset as a financial product or non-financial product as the current definitions were developed prior to its invention and the features and use cases of crypto assets are novel and varied. Different laws and regulations apply depending on the classification, with financial products being subject to greater regulatory scrutiny.   

The Consultation Paper has proposed a number of reforms for CASSPrs^[11]. These include holding assets on trust for the consumer, ensuring consumers’ assets are appropriately segregated, maintaining minimum financial requirements (including capital requirements), ensuring consumers’ private keys are managed appropriately, implementing robust cyber and physical security practices (including independent verification), and ensuring processes for redress and compensation in the event assets held in custody are lost. If third-party custodians are used, CASSPrs must be able to appropriately assess the third-party’s compliance with necessary requirements, and the third parties must also have robust systems and practices to receive, validate, review, report and execute instructions from the CASSPr.  

While the regulation of CASSPrs is still being finalised, consumers requiring these services should practise extra vigilance. This includes careful review of the CASSPr terms and conditions, paying particular attention to whether the consumer retains crypto ownership (i.e. held on trust). Consumers should consider the option of storing private keys in a private wallet such as in an offline environment (e.g. hard drive, USB disk), instead of with the CASSPr. Note that crypto is not typically insured by the CASSPr or the Australian government if it is lost or stolen, unlike bank deposits.

The next article in this series provides some actuarial perspectives on crypto as an asset class and recent regulatory developments.  

References 

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.