Regulators keep an eye on cryptocurrency

Australian and overseas regulators are keeping an eye on cryptocurrency, with Australian prudential supervisors writing an open letter to banks, insurers and superannuation companies on risk management associated with crypto assets.

While there are no new prudential standards at the moment, the open letter sets out expectations under the current prudential framework.

Australia is currently also consulting on proposed regulation of crypto asset secondary service providers (CASSPrs), namely digital asset exchanges and custody providers.

What does APRA letter say about insurers?

The latest update is APRA’s open letter to the industry directly relating to crypto assets.

Importantly for insurance companies, the letter does not set out any specific risks or expectations relating to the insurance of crypto assets.

The one reference to insurers is in the context of investments in crypto assets. APRA wants to make sure that insurers nonetheless hold sufficient regulatory capital.

The main risk for insurers at the moment arises due to the volatility of crypto assets and difficulties in valuation.

Technological safeguards also play a key role and insurers generally undertake detailed due diligence prior to issuing a policy where insurance is in relation to custody of crypto assets.

Nonetheless, the open letter contains some interesting insights on APRA’s views in relation to prudential risks arising from crypto assets.

Proposed regulation of CASSPrs

Consultation has now concluded in relation to the licensing of crypto asset secondary service providers, namely digital currency exchanges and custody requirements for crypto assets. 

The proposed licensing regime will apply to all secondary service providers such as brokers, dealers or those who operate and market crypto assets, as well as secondary service providers who offer custodial services in relation to crypto assets. 

The regime will not apply to decentralised platforms or protocols.

The regime proposes imposing obligations on CASSPrs similar to the obligations that currently apply to AFSL holders. 

These include the requirement to provide services efficiently, honestly and fairly, maintaining adequate resources for the provision of services, having appropriate dispute resolution arrangements in place and ensuring directors and key persons are fit and proper people.

The regime also imposes minimum financial requirements, including capital requirements on CASSPrs as well as client money obligations. CASSPrs would also need to maintain adequate custody arrangements.

Custody

The proposal also involves mandatory minimum principle‑based custody obligations for private keys held or stored by CASSPrs on behalf of consumers. 

The security of private keys that prevent unauthorised access to crypto assets is of critical importance. 

Accordingly, Treasury is proposing that mandatory obligations should apply, including that the assets are held in trust for the consumer. 

This is to ensure appropriate segregation of assets and that the custodian of the private keys has the required expertise and infrastructure, including having appropriate processes to minimise the risk of loss and unauthorised access, as well as processes for compensation in the event that crypto assets held in custody are lost.

Impact on Insurance?

Assuming these proposals become law, it will be interesting to see whether CCASPrs will seek to obtain insurance to assist with some of these obligations, n iparticular, the processes for redress and compensation in the event that crypto assets held in custody are lost.

Insurance companies are no doubt watching this space closely, noting that very few insurance policies currently cover cryptocurrency. Where it is available, cover is generally limited to theft of private keys while in cold storage (offline).

If CCASPrs are regulated, this may result in increased demand for insurance of private keys in custody. 

Insurance can play a role by ensuring there is the capacity to provide compensation in the event that private keys, for example, are lost due to negligence of the custody provider.

Tim Chan is an insurance and insurtech lawyer at global law firm Norton Rose Fulbright and Founder of The InsurTech Lawyer blog. He regularly advises insurers and startups on emerging legal issues affecting the industry. 

This article first appeared on the The Insurtech Lawyer blog. It is reproduced here with permission.