In its 21 April letter to all APRA-regulated entities, APRA has set out its risk management expectations and policy roadmap for entities engaging in activities associated with crypto-assets. This includes its intention to develop a new and dedicated framework for the prudential regulation of crypto-assets.
This letter sets out the first set of details of APRA’s intention to set expectations and standards relating to crypto-assets and associated activities.
It is relevant to all APRA-regulated entities and their directors, financial services providers which engage in activities associated with crypto-assets. It is also relevant to current and future ‘accountable persons’ under the Banking Executive Accountability Regime (BEAR) and Financial Accountability Regime (FAR).
Some noteworthy APRA expectations are:
- Authorised deposit-taking institutions (ADIs) and insurers: investments in crypto-assets will need to be consistent with obligations to hold an appropriate level of regulatory capital, and any exposures must be factored into internal capital adequacy assessment (ICAAP) process and stress testing where relevant.
- RSE licensees: licensees considering investments in crypto-assets as part of their investment strategy must ensure they can demonstrate how the investment is consistent with the duty to act in the best financial interests of beneficiaries, meets the investment strategy covenants, and complies with existing prudential requirements for investment governance.
- BEAR regulation and future FAR regulation: Accountabilities for crypto-asset activities should be assigned to BEAR Accountable Persons, with adjustments to accountability statements. Our view is that this expectation will also apply on implementation of FAR, as we will discuss below.
- Crypto-related lending: the capital, funding and liquidity treatment for loans secured by crypto-assets will need to be confirmed with APRA.
- Superannuation fund allocation: by mentioning compliance with Prudential Standard SPS 231 Outsourcing (SPS 231), APRA is highlighting its likely strict enforcement of existing policy position in SPS 231. This has a material flow on consequence for super funds delegating to an investment manager and in custodial arrangements for crypto-assets. This will impact, and likely slow, the speed of super fund allocation to this emerging asset class.
Two significant areas of prudential regulation are flagged for 2022 and 2023. APRA intends to consult on:
- mid-2022: a prudential standard for the management of operational risks related to crypto-asset activities, covering control effectiveness, business continuity and service provider management; and
- 2023: prudential treatment of crypto-asset exposures in Australia for ADIs, and the prudential regulation of payment stablecoins and large Stored Value Facilities.
What are APRA’s crypto asset-related risk management expectations?
APRA generally expects entities to adopt a prudent approach and ensure any risks are well-understood and well-managed before engaging in crypto-asset activities. Specifically, APRA expects regulated entities to:
- Conduct appropriate due diligence and a comprehensive risk assessment before engaging in crypto-asset activities and ensure they understand and adopt measures to mitigate any risks related to their crypto-asset activities.
- Comply with prudential standards governing outsourcing (Prudential Standard CPS 231 Outsourcing, or SPS 231 for RSE licensees) where engaging third parties to assist with their crypto-asset activities.
- Importantly, for ADIs, APRA expects that accountabilities for crypto-asset activities would be assigned to BEAR Accountable Persons, with adjustments to their accountability statements where appropriate, and that APRA-regulated entities should also consider the impact of all new products on their operational risk profile, and implement any chances required to internal controls.
- Given the similarities between BEAR and the proposed FAR, our view is that APRA-regulated entities preparing for FAR should reflect this BEAR expectation in FAR planning.
- Comply with all conduct and disclosure regulation administered by ASIC and consult with APRA and ASIC where there is any uncertainty on prudential, conduct or disclosure requirements and expectations when undertaking crypto-asset activities.
What activities do APRA’s expectations apply to?
APRA’s risk management expectations apply to any APRA-regulated entities engaging in both direct and indirect activities associated with crypto-assets as follows:
Crypto-asset activity | APRA-expectation on risk management |
Investing in crypto-assets | - Appropriate capital management
- RSE licensees to demonstrate consistency with best financial interests, covenants and investment governance requirements
- Identify and manage operational risks such as fraud, cyber, conduct, financial crime and technology risks
- Consider liquidity risks and disclosure requirements
|
Crypto asset-linked lending | - Manage credit risks for crypto collateral because of potential price volatility and illiquidity
- Identify and manage operational risks as above (e.g. conduct risk) and risks associated with reliance on third parties, such as custodians, crypto infrastructure providers, exchanges and wallet providers
- Confirm capital, funding and liquidity treatment with APRA for loans secured by crypto-assets
|
Issuing crypto-assets | - Identify and manage operational risks as above (e.g. conduct risk), as well as the need for robust systems for collecting, storing and safeguarding data, and a robust process for redemption
- Conduct risks here include design and distribution obligations.
- Other risks to consider include risks around governance and accountabilities (in particular where there is a reliance on third parties), custody arrangements and the safeguarding of funds, capital and liquidity requirements, and recovery and resolution planning implications
|
Providing services associated with crypto-assets | - Specific consideration to the risks around fraud and asset security
- Other key risks include cyber, financial crime, technology and conduct requirements
|
Investments in entities dealing directly or indirectly in crypto-assets | - Investments should be consistent with existing prudential requirements
|
Partnering with technology or other companies to provide crypto-related offerings | - Outsourcing of material business activities should comply with prudential requirements
|
APRA’s policy roadmap
The APRA letter notes they are developing a long-term prudential framework for the regulation of crypto-assets. This is to be developed in consultation with international regulators to ensure consistency in approach.
APRA expects that international minimum standards for prudential treatment of bank exposures to crypto-assets, once agreed by the Basel Committee on Banking Supervision, will be the starting point for setting its own prudential standards. In the period ahead, APRA intends to take the following steps:
Steps | Expected release for consultation date | Expected to take effect |
Consult on prudential standard for the management of operational risks related to crypto-asset activities, covering control effectiveness, business continuity and service provider management. | mid-2022 | 2024 |
Consult on requirements for the prudential treatment of crypto-asset exposures in Australia for ADIs. | 2023* | 2025 |
Consult on possible approaches to the prudential regulation of payment stablecoins, including potentially incorporating such regulation into the proposed regulatory framework for large Stored-value Facilities (SVFs) given their similarity to stablecoins. | 2023 | 2025 |
*following the conclusion of the Basel Committee’s consultation
In addition, APRA foreshadows the possibility of broader regulatory developments relating to crypto-assets. This is in light of a similar focus on crypto-assets by ASIC, the Treasury and various parliamentary bodies.
APRA will continue to monitor industry trends and emerging risks, engage with other regulators and provide updated guidance as required.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.