This report has been collaboratively authored by teams from Galaxy and PwC.
There is currently no framework for global oversight of the cryptocurrency industry, and in recent years the knock-on effects of poor risk practices at a few digital asset firms have pervaded much of the industry.
Engaging counterparties, venues, and vendors carries increased risk, and the lack of a strong process to manage third-party risk can result in (but is not limited to) business disruption, financial loss, and non-compliance with regulatory requirements.
In the absence of clear supervisory oversight, the onus is on digital asset firms to proactively develop and maintain strong third-party risk programs that include performing risk assessments, conducting due diligence, and implementing governance and oversight.
Reflecting on the year 2021, the cryptocurrency industry experienced exponential growth in valuation and headcount, which created an atmosphere that seemed poised to carry this momentum into the following year. However, during the first quarter of 2022, signs of market participant exhaustion became apparent, and several players collapsed. Cracks within the industry started to appear and gradually widened, ultimately triggering a chain reaction of risk exposure that led the digital asset industry into a bear market.
The collapse of cryptocurrency market players can be attributed to the immaturity of this industry and heavy reliance on other cryptocurrency third parties, which may result in an increased risk of business disruption, financial loss, and non-compliance with regulatory requirements. With the unique and evolving risks presented by cryptocurrency, such as key management and custody of assets, cryptocurrency institutions should consider establishing oversight and due diligence over third parties, including counterparties, vendors, and venues. The onus is on each individual organization to develop a more agile and resilient approach to third-party risk management.
Taking a Step Back
Traditional finance has been evolving for centuries compared to the cryptocurrency industry, which began in 2009 when the first Bitcoin block was mined. As we explore the ever-evolving challenges and risks in cryptocurrency, it is important to consider the differences between traditional finance and digital assets to identify solutions.
The table below details the types of institutions in traditional finance and in digital assets.
Additionally, aside from the varying types of institutions, there are fundamental differences in how assets are custodied and maintained – refer to the table below.
Developing the cryptocurrency products and services required to meet the needs of users today and in the future requires a degree of reliance on third-party vendors in addition to open-source software. Historically, the consequences of improper governance and risk considerations have played out many times on-chain through various exploits, but the effects had yet to truly spill over into off-chain financial organizations until early May 2022. The first domino in a long chain of interconnected assets, counterparties, and digital asset firms fell, and the resulting contagion spread across the industry, even affecting more traditional markets and firms.
As various digital asset firms fell, the contagion of risk spread to the most seemingly well-positioned actors. Cursory or inconsistent due diligence conducted on third parties – regarding entity ownership, points of control, reporting requirements, asset custody architecture, asset holdings, and fraud – likely contributed to the de-leveraging in the crypto industry. What these interconnected counterparties failed to identify was an effective way to assess and mitigate risks associated with commingled assets, how stress can impact firm solvency, private key management for custodied assets, the technical nature of the assets held, and the infrastructure on which the assets operated. Institutions looking to build in the digital asset industry should be vigilant in their reviews of third parties and confirm that their relationships are working and will continue to work as desired.
Creating a risk management program is necessary to mitigate the many types of risk that exist when engaging with third parties, including (but not limited to) cybersecurity, legal, operational, financial, and reputational risks. For instance, cybersecurity risk may arise when sharing information with a third party about your company, your customers, and your processes. Additionally, you are responsible for any regulatory scrutiny that results from actions taken by the third party on your behalf, which may lead to legal risk. As a result, it is critical to establish a third-party risk management program to assess relevant risks when engaging a counterparty, vendor, or venue. Especially in the digital asset world, which can carry unclear rules and regulatory expectations, a clearly defined program can help to reduce the potential risks of doing business with a third party. The OCC, SEC, and NFA differ in some requirements for their registrants, but the spirit of the rules is identifying and managing risk introduced by third parties.
When building out a third-party risk management framework, it should address risks unique to the crypto space such as key management, liquidity, non-reversible rails, and treasury management. An important risk distinct to digital assets is the overtly custodial nature of trading digital assets on centralized exchanges. This differs from the traditional world, in which you generally maintain custody of your assets until the exact moment of asset exchange. In the crypto world, by contrast, a firm should weigh the opportunity cost of the digital assets to be deployed and kept active on an exchange against the inherent risks of the custodian selected by the respective crypto exchanges used. Traditional risks such as financial, cyber, and reputational risk should be taken into account as well. Without a strong framework, the firm may neglect to consider and assess risks when deciding to align with a third party.
For example, when a firm is selecting a vendor to serve as its custodian, understanding how the custodian generates its customers’ private keys and governs its storage and signing process could help deter the firm from selecting an inadequate solution. Overall, a strong framework for cryptocurrency market players should include risk assessments, due diligence, and governance to assess relevant risks when engaging a counterparty, vendor, or venue.
Perform Risk Assessments | Before beginning a relationship with a third party, and as the first step in your third-party risk management program, it is necessary to conduct a risk assessment to confirm that a proposed relationship is consistent with the company’s strategic planning, risk appetite, and overall business strategy. The overall goal of the risk assessment is to assess the risk impact of engaging with the counterparty, vendor, or venue. As part of the assessment, multiple options, such as competing third parties or internal solutions, should be assessed against each other to determine the right fit. The risk assessment should contain components such as compliance, governance, technology, on-chain, and legal considerations. The outputs of the assessment should be used to analyze the benefits, costs, legal aspects, oversight needed, and feasibility. To that end, the assessment should also serve to develop oversight features such as performance criteria, metrics and reporting needs, contracting needs, and internal controls.
Conduct Due Diligence | Once it has been confirmed that the firm would like to move forward with a third-party relationship, the due diligence process begins. It is imperative that a rigorous and robust due diligence framework is in place for selecting and managing third parties. The framework should identify and control multiple types of risk (e.g., market, reputational, credit, and operational) and should cover both the decision to engage with a third party and the review of ongoing third-party relationships. Additionally, it should include the review of the third party’s policies, processes, business continuity and disaster recovery plans, and financials.
It is recommended that you develop and distribute a third-party questionnaire and use the responses to further assess the potential risks associated with the third party under consideration. A strong questionnaire may include the following items:
Audited financial statements, annual reports
Key management processes and controls
Any complaints, litigation, or regulatory actions
SEC filings and insurance coverage
Reputation of the entity
Ability to use current system or make investment
Proof of reserves
Qualifications of the third party’s management team
Usage of third parties to perform activities
Controls, cybersecurity, and privacy protections
Continuity and disaster recovery plans
Knowledge of rules and regulations to follow
In order to be most effective in this evaluation, a standardized scorecard or set of scorecards should be developed so that each vendor or class of vendor is judged across the same criteria. Criteria to include are, but are not limited to, risk management practices (e.g., three lines of defense, BCP, due diligence process for their vendors), financial condition, and applicable controls, metrics, and reports. A documented, tested scoring methodology and framework should be designed and used both to construct the scorecard and to conduct the actual evaluation.
Additionally, given the public and transparent nature of blockchain data, firms can add a further layer of assessment of counterparties, vendors, or venues by confirming or exploring on-chain holdings or activities. Leveraging on-chain forensics from commercial tools may give a firm the ability to conduct more rigorous diligence than is possible in the traditional space.
Implement Governance & Oversight | Once the firm has gained some level of comfort over the third party’s practices and organization, the attention shifts to governance, including oversight over contracts, ongoing monitoring over third parties, and reporting to key stakeholders.
A well-structured contract should include protections (e.g., scope, cost, performance, reporting, privacy, disaster recovery, and termination conditions) and should be approved by the board and/or legal counsel. In addition to the initial risk assessment and due diligence performed, third parties should be reviewed on a periodic basis to identify new risks and evaluate performance. Due to the fast-paced and seemingly ever-changing nature of the digital asset industry, it may be prudent to implement automated compliance alerts and to conduct more frequent evaluations of applicable vendors than a firm would in the traditional world. Furthermore, there should be defined reporting lines for escalation, communication plans, and change management.