On 13 March 2019, the Basel Committee on Banking Supervision (Basel Committee) published a statement on crypto-assets. In recognition that crypto-assets do not reliably provide the standard functions of money and are unsafe to rely on as a medium of exchange or store of value, the Basel Committee’s statement sets out its prudential expectations related to banks’ exposures to crypto-assets and related services, for those jurisdictions that do not prohibit such exposures and services.
The expectations are based on the fact that crypto-assets pose a number of risks for banks, including liquidity risk; credit risk; market risk; operational risk (including fraud and cyber risks); money laundering and terrorist financing risk; and legal and reputation risks. Accordingly, the Basel Committee expects that if a bank is authorised and decides to acquire crypto-asset exposures or provide related services, the following should be adopted at a minimum:
- due diligence: before acquiring exposures to crypto-assets or providing related services, a bank should conduct comprehensive analysis of the risks noted above;
- governance and risk management: a bank should have a clear and robust risk management framework that is appropriate for the risks of its crypto-asset exposures and related services. Given the anonymity and limited regulatory oversight of many crypto-assets, a bank’s risk management framework for crypto-assets should be fully integrated into the overall risk management processes, including those related to anti-money laundering and combating the financing of terrorism, and heightened fraud monitoring;
- disclosure: a bank should publicly disclose any material crypto-asset exposures or related services as part of its regular financial disclosures and specify the accounting treatment for such exposures, consistent with domestic laws and regulations; and
- supervisory dialogue: the bank should inform its supervisory authority of actual and planned crypto-asset exposure or activity in a timely manner and provide assurance that it has fully assessed the permissibility of the activity and the risks associated with the intended exposures and services, and how it has mitigated these risks.