Legal development

Basel Committee Final standard on the prudential treatment of banks cryptoassets

Insight Hero Image

    The Basel Committee on Banking Supervision (the Committee) has now published its finalised standard (the Standard) on the prudential treatment of banks' exposures to cryptoassets, taking into account stakeholder feedback to its initial proposals in the June 2021 consultation (see Ashurst briefing here), and the second public consultation in June 2022 (see the Ashurst briefing here).

    The Standard has been endorsed by the Committee's oversight body, the Group of Governors and Heads of Supervision, and is to be implemented by 1 January 2025. It will be incorporated into the Basel Framework as a new chapter, titled 'SCO60: Cryptoasset exposures'.

    Final Classification Conditions

    The final classification system remains largely unamended from the previous consultations, now with further refinements to the eligibility criteria for the different cryptoasset groups. The final structure is as follows:

    Group 1 Cryptoassets

    Group 1 assets must fully satisfy a set of rigorous Classification Conditions and are subject to at least equivalent capital requirements based on the risk weights of underlying exposures, as set out in the existing Basel Framework. Group 1 is further sub-categorised into:

    • Group 1a cryptoassets

    These include tokenised traditional assets, which are generally to be treated like their traditional counterparts (subject to a potential add-on for infrastructure risk detailed below, which is now only to be applied on a discretionary basis).

    The Committee's stance that only Group 1a cryptoasset are eligible for recognition as collateral for risk mitigation purposes remains unchanged.

    • Group 1b cryptoassets

    These are cryptoassets with effective stabilisation mechanisms (stablecoins). Group 1b assets are subject to a 'redemption risk assessment' and a 'supervision/regulation requirement' providing that only stablecoins issued by supervised and regulated entities are eligible for inclusion.

    The Committee has now removed the 'basis risk test' previously proposed, but has indicated a willingness to identify another statistical test that can reliably identify low-risk stablecoins. Such a test, if found, may be included ad hoc as an additional requirement to the existing tests.

    While the Standard does not recognise Group 1b cryptoassets as collateral for capital requirements purposes, the Committee intends to monitor this decision for potential future revision.

    The Committee's stance on permissionless blockchains has been maintained, such that digital assets underpinned by public, permissionless, blockchain networks cannot be eligible for Group 1. However, it will continually assess whether the perceived risks of permissionless blockchains can be sufficiently mitigated for their inclusion in the future.

    Algorithm-based stablecoins or those stablecoins that use automated protocols to maintain their value are expressly excluded from Group 1.

    Group 2 Cryptoassets

    This encompasses all tokenised traditional assets and stablecoins which fail to satisfy the Group 1 criteria, as well as unbacked cryptoassets. They are accordingly regarded as higher risk and subject to more conservative prudential treatment.

    In response to stakeholder feedback, the Committee now recognises the risk-reduction effect of hedging transactions for certain Group 2 cryptoassets. As proposed in the previous consultation, Group 2 is now sub-divided based on a set of hedging recognition criteria such that:

    • Group 2a cryptoassets: permits a limited degree of hedging to be recognised based on a 'hedging recognition criteria' which includes thresholds relating to market capitalisation, trading volume and price observations to be met for inclusion.
    • Group 2b cryptoassets: deemed of highest risk, and hedging is accordingly not recognised. These assets are subject to a risk weight of 1250% to the greater of the absolute value of the aggregate long positions, and the absolute value of the aggregate short positions in the cryptoasset.

    Banks' exposures to Group 2 cryptoassets should generally not exceed 1% of their Tier 1 capital and any such increase will result in Group 2b capital treatment applying to the amount by which the limit is exceeded. Where exposure reaches 2%, all Group 2 exposures will be subject to Group 2b capital treatment.

    Summary of Changes from the Second Consultation

    Infrastructure Risk Add-On

    In the second consultation, the Committee proposed a surcharge to encompass any unforeseen risks that may arise with the technological infrastructure of cryptoassets, given its relative nascency. It was initially proposed to increase total credit risk-weighted assets (RWA) by 2.5% of the exposure value for exposures in the banking book, and to increase total market RWA by 2.5% of the exposure value for exposures in the trading book.

    The Committee has now taken the welcome approach of giving authorities discretion to apply this add-on based on any observed weaknesses as they arise, rather than mandating them to do so ex ante.

    Basis Risk Test, Redemption Risk Test, and Supervision Requirement

    The Committee initially set out two tests for Group 1b cryptoassets, including:

    • a redemption risk test, whereby reserve assets must be sufficient to enable the stablecoin to be redeemable at all times for the amount of the peg value; and
    •  a basis risk test, being a quantitative assessment of the market value of the cryptoasset to ensure that holders of the stablecoin would be able to sell in the market for an amount that closely tracks the peg value.

    The Committee has now removed the basis risk assessment, instead requiring, in addition to the redemption risk test, that only stablecoins issued by supervised and regulated entities with robust redemption rights and governance are eligible for inclusion in the category.

    Group 2 Exposure Limits

    The Committee's initial proposal regarding banks' exposure limits to Group 2 cryptoassets has largely been adopted, with minor tweaks providing that:

    • exposures are to be measured as the higher of the gross long and gross short position in each cryptoasset, rather than the aggregate of the absolute values of long and short exposures as previously proposed; and
    • a breach of the 1% threshold will only require Group 2b capital treatment by the amount that such limit has been exceeded, rather than to all Group 2 exposures. However, an upper limit of 2% applies which, if surpassed, will result in the whole of Group 2 exposures being subject to Group 2b capital treatment. This modification seeks to avoid a cliff effect, but still disincentivises banks from exceeding the 1% threshold.

    Assessment of Classification Conditions

    The requirement for banks to seek prior supervisory approval when determining the classification of their cryptoassets has been removed. Instead, banks must notify supervisory authorities of the classification decisions made, with the potential that authorities can override such determinations where they disagree. Again, a welcome amendment which will remove unnecessary administrative burden.

    Custodial Assets

    Finally, the Committee has clarified which standards are applicable to custodial services provided by banks, noting the concern that otherwise the standards would require credit, market and liquidity risk assessments to customer assets where banks are acting as custodian.

    Ashurst Thoughts

    The finalisation of the Standard is a welcome incremental step in global preparedness to accommodate the expected scaled transformation in financial markets underpinned by distributed ledger technology (DLT). The revisions made to the version of the Standard set out in previous consultations are welcome and signal a receptiveness from the Committee to the stakeholder need for flexibility and discretion, rather than the imposition of rigid standards prior to any risks materialising.

    Although the Committee continues to display a very conservative approach to the risks that could emanate from cryptoassets and the risk of conflation between so-called 'native' assets, such as Bitcoin, and traditional assets taking tokenised form, the Standard more closely aligns with the market consensus that the nascency of DLT and similar technologies does not necessarily require a highly conservative approach, particularly given that some cryptoassets (such as those in Group 1a) are highly liquid and readily accepted in the market. Accordingly, such cryptoassets are to be rightfully treated in the same way as their conventional counterparts.

    The Committee remains anxious and bearish on the utility of public blockchain networks from both supervisory control and financial crime perspectives. Whilst we believe most of these concerns are resulting from a misconception, this will focus banks' minds on instituting most cryptoassets projects based on permissioned/private blockchain networks which inevitably limits the 'true' disintermediation of the network in favour of a more governable construct.

    Banks are encouraged and incentivised to innovate and experiment with stablecoins though there are important questions of policy, particularly from a financial crime perspective, that will impact whether and how fast these products can successfully emerge.

    It remains to be seen how the main financial centres around the globe react to the Standard given that the Standard constitutes minimum requirements and it is within the gift of domestic authorities to 'gold plate' the Standard – this is particularly so following recent failures of intermediaries in the native cryptoassets space and in light of negative sentiment expressed by regulators and policymakers worldwide.

    Whilst the Standard remains unadopted until 2025, it will de facto dictate the global regulatory approach to the prudential treatment of cryptoassets and, as such, must form an influential source for banks' policies and risk appetite decisions on an ongoing basis. With this in mind, we consider the following aspects of the Standard to be particularly noteworthy:

    Classification Conditions

    • Group 1 Classification Condition 1 - "cash held in custody": to satisfy one of the Classification Condition 1 requirements, tokenised traditional assets must pose the same level of credit and market risk as the traditional (i.e. non-tokenised) form of the asset. One of the traditional asset forms is identified as "cash held in custody" and requires that "the cryptoassets must confer the same level of legal rights as cash held in custody". However, it is not clear what exactly "cash held in custody" is intended to mean as it is not defined or explained in the Standard. We note that this term was also used without definition or explanation in the June 2021 and June 2022 consultations. We consider it likely that it is intended to have a broad meaning (and treated as either on or off balance sheet such as cash held in a custody account by an entity which is acting as the custodian on behalf of customers) and that it excludes collateral arrangements but it would be helpful if this term could be clarified by the Committee.
    • Group 1 Classification Condition 1 - cryptoassets that have a stabilisation mechanism: it is notable that issuers of cryptoassets that have a stabilisation mechanism will need to be prudentially regulated in order to satisfy one of the Classification Condition 1 requirements.
    • Group 1 Classification Condition 2 – settlement finality: to satisfy one of the Classification Condition 2 requirements, the legal framework applicable to the cryptoasset arrangement must at all times ensure settlement finality. However, it is not clear if this requirement can be satisfied by contractual settlement finality or if it can only be satisfied pursuant to statutory regimes such as the Settlement Finality Directive framework and which offer insolvency protection (Directive 98/26/EC on settlement finality in payment and securities settlement systems). If the latter, this would represent a high bar. We therefore consider it likely that the intention is that contractual finality amongst members of the relevant network will suffice.

    Whichever form of settlement finality is utilised by issuers of cryptoassets, settlement finality in cryptoasset arrangements must be properly documented so that it is clear when key financial risks are transferred from one party to another, including the point at which transactions are irrevocable. Such documentation must be publicly disclosed by the issuer and if the offering of the cryptoasset to the public has been approved by the relevant regulator on the basis of this public disclosure, the requirement will be considered fulfilled. If not, an independent legal opinion would be needed to confirm that the requirement has been met.

    This is one of two contexts under the Standard where it will be necessary to obtain legal opinions (see the Minimum capital requirements for credit risk for Group 1b cryptoassets section below for the second context). The need for legal opinions in these scenarios will require new practices to emerge, including the means of determining which party should provide such opinions and in what format.

    • Group 1 Classification Condition 3 – risk governance and risk control: one of the requirements that must be met to satisfy the Classification Condition 3 requirement is that the functions of the cryptoasset and the network in which it operates (including the distributed ledger or similar technology on which it is based) must be designed and operated to sufficiently mitigate and manage any material risks that could impair the transferability, settlement finality or, where applicable, redeemability of the cryptoasset. To achieve this, entities performing activities associated with these functions must follow robust risk governance and risk control policies and practices to address a wide range of risks including: credit, market and liquidity risks; operational risk and risk of loss of data; various non-financial risks; third-party risk management; and Anti-Money Laundering (AML)/Countering the Financing of Terrorism (CFT).

    The breadth of this requirement demonstrates the Committee's expectation that infrastructure which is implemented to accommodate cryptoassets must be developed in a comprehensive and robust way that is comparable to a traditional securities settlement system.

    • Group 1 Classification Condition 4 – risk management: to satisfy the Classification Condition 4 requirement, entities that execute redemptions, transfers, storage or settlement finality of the cryptoasset, or manage or invest reserve assets, must: (i) be regulated and supervised or subject to appropriate risk management standards; and (ii) have in place and disclose a comprehensive governance framework.

    Classification Condition 4 will effectively serve as a guideline for issuers in seeking to achieve the eligibility conditions for Group 1a and Group 1b and will likely require a significant amount of work to be undertaken in order to ensure that each of the individual requirements of Classification Condition 4 is appropriately satisfied.

    • Responsibility for determining and monitoring compliance with the Classification Conditions: Banks are responsible, on an ongoing basis, for assessing whether cryptoassets to which they are exposed are compliant with the Classification Conditions. Banks must have in place appropriate risk management policies, procedures, governance, human and IT capacities to evaluate the risks of engaging in cryptoassets and must implement them in accordance with internationally accepted standards. All information used by banks in determining compliance with the Classification Conditions must be fully documented and made available to supervisory authorities on request. Furthermore:

    (i) In respect of cryptoassets to which a bank is already exposed on 1 January 2025 (i.e. the implementation date of the Standard), the bank must inform their supervisor of the classification decisions they have reached for each cryptoasset and this information should ideally be sent well in advance of 1 January 2025 (but, if this is not possible, it must be sent as soon as practical after 1 January 2025 but with sufficient time for the supervisor to review and, if necessary, override the classification decision prior to the bank's first set of Pillar 3 disclosures after 1 January 2025).

    (ii) In respect of cryptoassets that a bank may wish to acquire after 1 January 2025, the bank must inform their supervisor of the classification decisions in advance of any acquisition of cryptoassets and this advance notice must occur with sufficient time for the supervisor to review and, if necessary, override the classification decision reached prior to the bank’s acquisition of the cryptoasset.

    Although the Standard will not be applicable until 1 January 2025, banks should consider implementing internal procedures that address each of the requirements above immediately so that they are sufficiently prepared for when the Standard comes into effect, especially due to point (i) above.

    Minimum Capital Requirements

    • Minimum capital requirements for credit risk for Group 1a cryptoassets: in respect of how the minimum risk-based capital requirements for credit risk are to be applied to cryptoasset exposures, Group 1a cryptoassets (tokenised traditional assets) will generally be subject to the same rules to determine credit RWA as non-tokenised traditional assets. However, banks must separately assess the tokenised traditional asset against the rules set out in the Credit Risk Standard (CRE) and not assume qualification for a given treatment simply because the traditional (non-tokenised) asset qualifies.

    A specific example is provided in the Standard to illustrate this: a tokenised asset may have different market liquidity characteristics than the traditional (non-tokenised) asset. This could arise because the pool of potential investors that are able to hold tokenised assets might be different to non-tokenised assets. The Committee appears to be concluding that there could be a more pronounced relationship between liquidity risk and credit risk in respect of tokenised assets than is the case with non-tokenised assets, again emphasising the conservative approach the Committee is taking. Banks should therefore be aware that it may be necessary to approach the assessment of tokenised assets in a more nuanced way than is required for non-tokenised assets.

    • Minimum capital requirements for credit risk for Group 1b cryptoassets: certain Group 1b cryptoassets (cryptoassets with stabilisation mechanisms) may be structured to avoid the cryptoasset holders being exposed to the credit risk (either directly or indirectly) of the redeemer. Banks are not required to calculate RWA in respect of the risk of default of the redeemer if the following conditions are met:

    (i) the underlying reserve assets are held in a bankruptcy remote special purpose vehicle (SPV) on behalf of the holders of cryptoassets who have direct claims on the underlying reserve asset(s).

    (ii) the bank has obtained an independent legal opinion for all laws relevant to involved parties, including the redeemer, the SPV and custodian, affirming that relevant courts would recognise underlying assets held in a bankruptcy remote manner as those of the cryptoasset holder.

    As mentioned above, the need for legal opinions will require new practices to emerge, including the means of determining which party should provide such opinions and in what format. The requirement for a legal opinion in this context is likely to be particularly onerous given the requirement for the legal opinion to cover "all laws relevant to involved parties".

    Minimum Liquidity Risk Requirements

    • Minimum liquidity risk requirements –application of the LCR and NSFR frameworks: the Committee explains that the standards relating to the liquidity coverage ratio (LCR) and the net stable funding ratio (NSFR) require additional clarification and elaboration in order to address the novel and unique risks associated with cryptoassets. Furthermore, the appropriate classification and calibration of LCR outflow and inflow rates and NSFR stable funding (ASF) and required stable funding (RSF) factors of cryptoassets and cryptoliabilities depend on factors such as the structure of the cryptoasset/cryptoliability, its commercial function and the nature of a bank's exposure to the cryptoasset/cryptoliability.

    The Committee continues to explain that, in general, exposures involving Group 1a cryptoassets and cryptoliabilities must be treated the same as exposures involving their equivalent non-tokenised traditional assets and liabilities, including the assignment of inflows, outflows, RSF factors and ASF factors. The LCR and NSFR treatment of exposures involving cryptoassets and cryptoliabilities varies according to whether they are: (i) tokenised claims on a bank; (ii) stablecoins; or (iii) other cryptoassets.

    The Committee explains that Group 1a tokenised claims on a bank must be treated as an unsecured funding instrument when they: (i) are issued by a regulated and supervised bank; (ii) represent a legally binding claim on the bank; (iii) are redeemable in fiat currency at par value; and (iv) have a stable value supported by the creditworthiness and asset-liability profile of the issuing bank rather than a segregated pool of assets. The treatment as an unsecured funding instrument is subject to certain considerations including, in respect of liabilities from own-issued tokenised claims on a bank that:

    (i) To the extent the issuing bank can identify, at all times, the holder of the cryptoasset, the bank must apply the applicable outflow rate and ASF factor based on the counterparty classification of the funds provider. However, the issuing bank must not treat the liabilities associated with their cryptoassets as stable retail deposits. If the issuing bank is unable to identify, at all times, the holder of the cryptoasset, it must treat the liability as unsecured wholesale funding provided by other legal entity customers.

    (ii) Tokenised claims on a bank that are used primarily as a means of payment and created as part of an operational relationship between the issuing bank and its wholesale customers must follow the categorisation methodology in the LCR framework.

    Certain aspects of this section of the Standard are surprising to us. Firstly, from an anti-money laundering and counterparty relationship perspective it is unlikely that a bank would not know the identity of the holder of the cryptoasset. Secondly, we take the reference to "tokenised claims on a bank" to effectively mean a "tokenised deposit" in which case the Committee appears to be attributing less favourable liquidity treatment to a (DLT-based) tokenised claim on a bank relative to a claim on a bank which is via a traditional digital channel (i.e not DLT or a similar technology) even though they are, in substance, the same.

    • Minimum liquidity risk requirements – Group 1a treatment as HQLA: the Committee has determined that Group 1a cryptoassets that are a tokenised version of high-quality liquid assets (HQLA) may only be considered as HQLA to the extent that both the underlying asset in its traditional form and the tokenised form of the asset satisfies the characteristics of HQLA.

    A specific example of a Group 1a cryptoasset is provided in the Standard to illustrate this: a tokenised bond that meets the HQLA eligibility criteria and temporarily resides on a distributed ledger to facilitate transfer. However, it is not clear if there is any specific significance being attached to an asset "temporarily" residing on a distributed ledger (as opposed to an asset "permanently" residing on a distributed ledger). Notwithstanding the use of "temporarily" in this example, the example provides support for the position that Group 1a cryptoassets residing on a distributed ledger are capable of satisfying the characteristics of HQLA.

    Bank Risk Management and Supervisory Review 

    • Banks' risk management frameworks: banks with direct or indirect exposures to cryptoassets, or that provide related services to any form of cryptoasset, must, on an ongoing basis, establish policies and procedures to identify, assess and mitigate the risks related to cryptoassets or related activities (including operational risks, credit risks, liquidity risks and market risks). Such policies and procedures must be informed by existing Committee statements on operational risk management generally and cryptoassets in particular. Banks must also conduct prudent assessments of any cryptoasset exposures they intend to take on and verify the adequateness of existing processes and procedures.

    Banks must notify their supervisory authorities of their policies and procedures, assessment results and their actual and planned cryptoasset exposures or activities in a timely manner and to demonstrate that they have fully assessed the permissibility of such activities and the associated risks and identify how they have mitigated such risks.

    Risks that banks need to consider in their risk management of cryptoasset activities includes, but are not limited to, the following:

    1. Cryptoasset technology risk: including: stability of the DLT (or similar technology) network; validating design of the DLT (permissionless or permissioned); service accessibility; trustworthiness of node operators and operator diversity.

    2. General information, communication and technology (ICT) and cyber risks: in particular, the additional ICT and cyber risks that a bank holding cryptoassets may be exposed to (e.g. cryptographic key theft).

    3. Legal risks: including: accounting; taking control/ownership; disclosure and consumer protection; uncertain legal status.

    4. Money laundering and financing of terrorism: where banks provide services to Virtual Asset Service Providers (VASP), or to customers involved in Virtual Asset activities, or through engaging in VASP activities themselves, banks need to apply the risk-based approach set out by the Financial Action Task Force for the purposes of AML and CFT.

    5. Valuation: this risk needs to be considered due to the fact that many cryptoassets pose valuation challenges (due to, for example, their volatility and variable pricing on different exchanges, especially as most cryptoassets are traded on unregulated marketplaces). Such challenges can result in losses for banks in a variety of contexts tied to mispricing due to inadequate operational processes.

    • Supervisory review of bank risk identification and assessment: supervisors should review the appropriateness of banks' policies and procedures for identifying and assessing risks, and the adequacy of banks' assessment results, and require banks to address any deficiencies in their identification or assessment process of cryptoasset risks. Furthermore, supervisors may recommend that banks undertake stress testing or scenario analysis to assess risks resulting from cryptoasset exposures. Such analyses can inform assessments of banks' capital adequacy.
    • Disclosure requirements for banks’ exposures to cryptoassets or related activities: the disclosures must follow the five general guiding principles for banks’ disclosures set out in the Disclosure Requirements (DIS10). As such, in addition to the quantitative information summarised in the section above, banks must provide qualitative information setting out an overview of the bank’s cryptoasset activities and the main risks related to their cryptoasset exposures, including descriptions of:

    1. business activities related to cryptoassets and how these translate into components of the risk profile of the bank;

    2. risk management policies related to cryptoasset exposures;

    3. the scope and main content of the bank’s reporting related to cryptoassets; and

    4. the most significant current and emerging risks relating to cryptoassets and how such risks are managed.

    In accordance with the general guiding principles, banks must disclose information regarding any material Group 1a, Group 1b, Group 2a and Group 2b cryptoasset exposures on a regular basis, including (for each specific type of cryptoasset exposure) information on:

    1. the direct and indirect exposure amounts;

    2. the capital requirements; and

    3. the accounting classification.

    Banks must also include exposures to Group 1 cryptoassets in the relevant existing disclosure templates that apply to traditional assets (e.g. for credit risk and market risk).

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.