Navigating PRA's data request for crypto-asset exposure

On Dec. 12, the Prudential Regulation Authority¹ issued a data request to identify firms' current and expected future crypto-asset exposures.² This request also asks for information on the firms' application of the Basel framework for the prudential treatment of crypto-assets exposures,³ that was published in December 2022, following its second consultation on banks' exposures to crypto-assets.

The framework is the set of standards of the Basel Committee on Banking Supervision for the prudential regulation of banks. The overall purpose of the committee is to enhance financial stability by way of regulation and supervision.

Here we discuss the request, and what implications may arise for financial institutions and their insurers.

Why the Request Has Been Made

The PRA, as the regulatory branch of the Bank of England, supervises 1,500 financial institutions, including banks and insurance companies, and by way of tailored supervision, aims to enhance strategies and build resilience during crisis situations. In order to develop these strategies, it is paramount for the PRA to have up-to-date knowledge and maintain effective supervision of emerging risks, which includes those arising from crypto-assets.

Given the nature of crypto-assets and the risks involved, the PRA indicated that they must be screened on an ongoing basis.

To ascertain this knowledge, the PRA issued a data request and stated that this data will help it to refine its prudential treatment of crypto-asset exposures, and evaluate the relative costs and benefits of various policy options. It would also enable it to update its perspective on firms' current and planned crypto-asset-related activities, serving as a foundation to monitor the implications to financial stability. Firms have until March 24 to comply with the PRA request.

In accordance with the prudential framework, which the Basel Committee agreed to implement by Jan. 1, crypto-assets are private digital assets that rely on cryptography and distributed ledger or similar technologies. Digital assets represent value digitally and can be used for payments, investments, or to access goods and services.

In terms of the request itself, the PRA is asking for details on tokenized traditional assets, stablecoins, unbacked crypto-assets, and any other types of crypto-assets relevant to PRA firms. This is due to the fact that each type of crypto-asset carries its own set of risks.

For example, tokenized traditional assets use blockchain technology, which can lead to cybersecurity risks, such as hacking or technical failures, and unbacked crypto-assets, which are subject to extreme price fluctuations due to market speculation and can result in considerable financial losses.

In light of the developing regulatory environment for crypto-assets, the PRA considers it vital to understand the nature and level of holdings of its regulated firms in order for it to make informed policy decisions.

This request, and any others it makes, ensure that its regulations and frameworks are based on accurate and up-to-date information. In addition, the request allows the PRA to supervise and monitor the financial health and stability of firms, as well as enabling them to identify future risks and develop strategies to mitigate the impact on the broader financial market.

The Request

The PRA has requested a selection of data from firms that:

• Have any non-negligible direct exposures to crypto-assets;
• Provide products of services in respect of crypto-assets; or
• Plan to have any such exposure, or provide any such product of service, in the next five years.

The PRA has requested details on whether firms have started applying the prudential framework for holding crypto-assets, what their exposures to crypto-assets are, and what they are forecasted to be for the next five years. That data is to be set out by total value, activity and groups as defined in the prudential framework.

The PRA has asked firms to explain how they have separated their business lines, products or services in order to reply to the request, as well as what factors may change the firms' inclination to offer details in the future.

Another focus of the request is for details of the firms' services that are based on permissionless blockchains, and how they foresee that use changing over the next five years.

The PRA confirms that the prudential framework indicates crypto-assets that use permissionless blockchains cannot be included in Group 1 — defined under the framework categorization as those that meet in full a set of classification conditions — because the risks cannot be mitigated adequately to ensure financial stability. However, the PRA confirms this is still under review.

Firms have also been requested to set out the costs they have incurred in carrying out the data request.

The PRA has stated that it expects firms to take reasonable steps to ensure any estimates that are provided have been done so fairly and properly, based on appropriate inquiries made by the firm. It has also indicated that responses must be based on the highest level of consolidation of the firm.

Implications for Financial Institutions

It is important that firms comply with this data request to enable the PRA to carry out its role effectively.

Financial institutions may use this as an opportunity to review and enhance internal compliance and governance as a result of complying with the request. This could include updating their own policies and procedures relating to their management and use of crypto-assets, including considering the firm's future use of crypto-assets and any related future services or products the firms may offer over the next five years.

The resulting data may also highlight any areas where reporting and data collection needs to be improved in order to meet the PRA's requirements.

Overall, the request means that firms must now, if they have not already, ensure that their crypto-asset-related risks have been and are effectively managed or monitored, with the requisite Basel management frameworks in place. These frameworks are essential for those firms to be able to navigate the potential volatility and regulatory implications that crypto-assets bring.

Conclusion

There is a fine line between embracing innovation and managing the associated risks. Clear regulation that supports innovation, but also ensures financial stability, is paramount to ensure the security of the financial environment.

The PRA request comes at a time when the emphasis on regulation and the impact on consumers is at an all-time high. There is an increase in focus on regulators in respect of the duties of firms and their responsibilities to consumers. As a result, it is paramount for firms to stay abreast of the ever-changing regulatory landscape.

This will also apply to firms' management. Directors will need to ensure they are aware of all relevant exposures and risks of the assets their companies are holding, and that their company complies with the framework with adequate risk management strategies in place.

It will also be vital for directors to continually review those strategies as the regulation develops, not only from the perspective of compliance or mitigating the risk of claims, but to ensure the company's financial resilience.

This latest request from the PRA reinforces the digital transformation of the financial sector, emphasizing the need for clear regulation for firms involved in crypto-assets to assist them with understanding their complexities, and mitigating and managing their associated risks, particularly in respect of cybersecurity.

The balance between innovation and risk management is a fine one, so we will wait to see what conclusions the PRA makes, together with any associated regulatory changes.

For those financial institution insurers concerned about their clients' crypto-asset exposures, we expect they will be making a similar disclosure request to understand their clients' potential exposures, and to determine whether to provide cover for such risks, noting that various policies may contain virtual currency exclusions.

A review of firms' existing holdings and compliance with the prudential framework is crucial in managing crypto-asset-related risks effectively. Up-to-date knowledge of crypto-asset risks is fundamental, particularly if a firm foresees its use of crypto-assets increasing over the next five years. Training on current and developing risks and regulation is recommended.

This article was originally published in Law360.

¹https://www.bankofengland.co.uk/explainers/what-is-the-prudential-regulation-authority-pra.

²https://www.bankofengland.co.uk/prudential-regulation/publication/2024/december/cryptoassets-data-collection.

³https://www.bis.org/bcbs/publ/d545.pdf.