Consultation on international recommendations related to, and risks posed by, fiat-referenced cryptoasset arrangements and activities

Document properties

• Type of publication: Letter
• Date: April 17, 2023

This letter seeks to consult on the management of risks associated with single fiat-referenced cryptoasset arrangements and activities. It also signals the Office of Superintendent Financial Institutions’ (OSFI) intention to align future risk management expectations with related international recommendations.

Fiat-referenced cryptoassets, the most prevalent type of stablecoin^{Footnote 1}, aim to maintain a stable value relative to a fiat currency. In this letter, we focus on fiat-referenced cryptoassets that are pegged to a single fiat currency and backed at least one-for-one by cash and cash equivalents, or issued as a liability of a financial institution. While these cryptoassets have yet to achieve mainstream adoption as a means of payment, associated financial activities have the potential to present risks to the financial system.

The Financial Stability Board (PDF) (FSB) has drafted international recommendations in this regard based on the principle of ”same activity, same risk, same regulation”. It notes that entities engaging in fiat-referenced cryptoasset arrangements or activities should be subject to comprehensive supervision and regulation. For ease of reference, refer to Annex A, which highlights key recommendations proposed by the FSB and the International Monetary Fund (IMF) that OSFI is considering.^{Footnote 2} OSFI has supported these efforts at the international level and is considering aligning future expectations from a prudential perspective with these recommendations.

This consultation follows OSFI’s August 2022 interim crypto exposure advisory, and is aligned with OSFI’s Digital Innovation Roadmap and the 2022-2023 Annual Risk Outlook. It forms part of the coordinated efforts of federal and provincial regulators to explore prudential and non-prudential options to address risks tied to these assets, in support of the federal government’s legislative review of the digitalization of money announced in Budget 2022.^{Footnote 3}

A Federally Regulated Financial Institution (FRFI) must ensure that any activity in which it (i) engages and (ii) proposes to engage – including any activity related to fiat-referenced cryptoassets – is permissible under its governing statute and all other applicable laws. Before engaging in such activities, FRFIs are expected to notify their lead supervisor and comply with OSFI’s requests for information to enable the assessment of the permissibility, safety, soundness, and risk implications of such activities.

Based on its preliminary risk identification work, OSFI has identified a non-exhaustive list of inherent risks associated with fiat-referenced cryptoassets that may affect FRFIs. Refer to Annex B for a summary of these risks. While OSFI’s current guidelines and advisories address many of these risks, there are opportunities to strengthen and clarify its guidance expectations.

Request for feedback

OSFI is now seeking stakeholder input on the international recommendations and whether those, in addition to current guidelines and advisories, are sufficient to address the inherent risks to FRFIs that engage in fiat-referenced cryptoassets and related activities. This feedback, as well as responses to the questions below will inform OSFI’s potential development of risk management expectations for FRFIs that engage in this sector. OSFI is interested in receiving feedback from both FRFIs as well as other financial entities on the below questions. Feedback should be sent to OSFI by email at the Digital Innovation Impact Hub at diih-caein@osfi-bsif.gc.ca by June 16, 2023.

Questions

1. Are the international recommendations and OSFI’s existing risk management expectations that relate to prudential regulation appropriate for FRFIs to address the risks associated with fiat-referenced cryptoassets?
2. What potential gaps to complying with the recommendations listed in Annex A do you see with respect to OSFI’s current guidelines and advisories, if any?
3. Are there any key inherent risks to FRFIs that should be added to Annex B? Considering OSFI’s current guidelines and advisories, where do you see potential gaps to addressing these risks?
4. For what reasons might entities involved in fiat-referenced cryptoassets activities be interested in operating within, or staying out of, OSFI’s regulatory regime?
5. Are there any other comments or considerations that you feel should inform OSFI’s potential development of risk management guidance expectations on fiat-referenced cryptoassets and activities, including with respect to custody issues (e.g., custody of cryptographic keys, tokens, or reserves, etc.)?

Annex A – Key international recommendations^{Footnote 2} being considered as a basis for future OSFI guidelines on fiat-referenced cryptoassets and activities

The current international recommendations propose that traditional financial entities engaging in fiat-referenced cryptoasset (FRC) arrangements and activities ensure the following principles are met:

1. Governance and risk management framework

• The FRC arrangements meet all applicable regulatory, supervisory and oversight requirements of any jurisdiction in which they operate before commencing operations in that jurisdiction. The entity should also comply with new regulatory requirements as necessary.

• The FRC arrangements comply with rules and regulations for effective governance irrespective of the structures of activities and technology used to conduct FRC activities. This includes:

  • having in place a robust and comprehensive governance framework that is proportionate to the size, complexity, and systemic importance of the entity engaging in the FRC activity. Potential risks arising from those activities a FRFI engages in should fit within their risk appetite; and

  • ensuring effective accountability measures when engaging in those activities.

• A robust framework should be in place to ensure proper:

  • identification, measurement, evaluation, monitoring, reporting, and control of all material risks, including those arising from leverage and credit, liquidity, operations, compliance, and maturity transformation.

  • establishment of effective contingency arrangements (including robust and credible recovery plans where warranted) and business continuity planning.

  • AML/CFT measures are in place consistent with FATF Standards, including requirements to comply with the FATF ‘travel rule’, limiting anonymous transactions or using software to monitor suspicious activity; and

  • management of operational, reputational, and financial risks that may arise from the storage and safeguarding of users’ private keys and customer assets, for example, through segregation requirements, including in the case of default/bankruptcy of the custodial wallet service providers.

2. Redemption rights, stabilization mechanism, and prudential requirements

• The issuer of a FRC arrangement should ensure there is an effective stabilization mechanism in place, clear redemption rights, and that it meets prudential requirements in order to maintain a stable value at all times and mitigate run risks. Redemption into fiat should be on demand and at par.

  • An effective stabilization method should include a reserve of assets that is always greater than the amount of outstanding FRC in circulation, unless the FRC is subject to prudential requirements and safeguards equivalent to OSFI’s capital and liquidity standards.

  • In cases where reserve assets are used, they should be unencumbered and easily and immediately convertible into fiat currency at little or no loss of value. The reserve assets should not include speculative and volatile assets or assets with insufficient historical evidence of quality and liquidity. The market value of reserve assets should exceed the outstanding claims or FRC in circulation at all times. In addition, risks of custodial arrangements for reserve assets should be adequately managed and addressed.

3. Data collection, record-keeping, and reporting

• Appropriate infrastructures, processes, and procedures are maintained to ensure data quality and reliability.

• The FRC arrangements have measures in place to ensure the completeness, accuracy, and reliability of data, and have timely, complete, and ongoing access to relevant data and information, wherever the data is located.

• These measures should ensure that the FRC arrangements that entities engage with adequately:

  • collect, store, safeguard, and timely and accurately report data, including on relevant policies, procedures and infrastructures as needed; and

  • have data management systems that record and safeguard relevant data and information collected and produced in the course of their operations, with adequate controls in place to safeguard the integrity and security of relevant data and conform to applicable regulation, including on data retention, data security and data privacy.

Annex B – Key inherent risks of fiat-referenced cryptoassets and activities

Minting, redemption, burning, and reserve management

• Credit and liquidity risk: Failure to meet redemption demands due to a liquidity mismatch (e.g., due to the declining value of the reserve, insufficient funds, volatile redemption demands, misappropriation, or an inability to liquidate reserve assets in a timely manner).

• Run risk: A loss of confidence triggers large-scale redemptions requiring a liquidation of reserves.

• Market concentration risk: Undiversified holdings, exposing reserves to price shocks and run risk.

Custody and digital wallet services

• Custodial service or digital wallet operations risk: Technical and operational vulnerabilities of wallet software, mismanagement of clients’ digital keys, co-mingling of assets, theft, or other issues that may lead to unauthorized outflows.

• Third-party risk: Third parties (such as service providers, software libraries, or custodians) exposing FRFIs to negative outcomes. This can arise from failure to meet the FRFI’s risk policies, carry out appropriate due diligence and risk assessment, or prevent external fraud.

• Third-party concentration risk: Relying on one or a few service providers, wallet software applications, or software libraries. A software failure could impact all entities using the software, with further spillover effects to the cryptoassets ecosystem.

Trading, transfer, and transaction validation

• Irreversibility risk: Uncertainty over settlement finality and irrevocability, heightened due to the consensus nature of public blockchains.

• Network capacity risk: Capacity constraints, such as a lack of network capacity to process transactions, causing delays which could be a trigger for a loss of confidence and run risk.

• Product risk: Failure to design, implement and maintain a product or service to achieve expected outcomes. This includes digital storage considerations, testing of underlying technology and time to mature in a market environment.

Transversal risks, which may affect all of the above activities

• Operational risk: Potential disruption to the entity impacting the ability to deliver its operations. This includes deficiencies in information systems (including cyber security or networks), internal processes, human errors, and data management.

• Technology Risk: In addition to traditional technology and cyber security risk, advanced technologies such as artificial intelligence may have an impact on minting, redeeming, burning, transaction verification (e.g., phone verification), or the use of smart contracts.

• Compliance risk: Inadequate governance framework to ensure compliance with existing standards, regulatory requirements. Lack of transparency, disclosure, or clear line of accountability to assign responsibility for non-compliance and errors.

• Conflicts of interest: Entities performing multiple functions within a fiat-referenced cryptoasset arrangement – such as an issuer operating a custodial wallet or an exchange platform – can create incentives for abuse.

• Breach to data confidentiality and privacy: Risk of data breach and compromised individual user privacy.

• Consumer protection risk: Increased risk of consumer protections not being adequately accounted for, such as those related to disclosure, consent, complaints handling, redress, prohibited conduct, etc.

• AML/CFT risk: Heightened due to potential anonymity, global reach, and use to layer illicit funds.

• Legal risk: Uncertain legal treatment due to lack of clear classification of fiat-referenced cryptoassets, ambiguous rights and obligations including over custodial practices, with challenges in identifying or holding a single legal entity responsible for errors. Additional risk arising from lack of clear accounting standards applicable to fiat-referenced cryptoassets, potential for non-compliance with tax obligations, tax evasion, fraud, or scams.

• Reputational risk: Reputational damage or loss of trust that traditional financial institutions may sustain from payment failure, service disruption, unexpected losses, or lack of regulatory compliance.