Chairman of the ECB's Supervisory Board: Future Trends in Cryptocurrency Financial Regulation

Compile | Author | Andrea Enria

Date: November 14, 2023

This article is a speech by Andrea Enria, President of the Supervisory Board of the European Central Bank, at the meeting on the coordination of MiCAR and its legislation on financial markets with the European Union, co-organized by Ca’ Foscari University of Venice and the Bank of Italy.

Introduction

I am very grateful for being invited to deliver the keynote address at this conference in Venice. This topic is very topical and particularly timely, and I believe that today we will discuss many interesting aspects of financial innovation and the role of regulation.

Notably, the EU is the first major jurisdiction in the world to introduce a regulatory framework for the cryptocurrency industry. The Markets in Crypto Assets Regulation (MiCAR) came into effect at the end of June 2023 and will be fully applicable by the end of 2024.

I will begin by discussing how recent developments in the cryptoasset space have strengthened the case for direct regulation of cryptoasset activity. I will then discuss some of the issues with MiCAR and explain how the most advanced forms of decentralized finance (DeFi) pose fundamental challenges to the application of financial regulation. Finally, I will outline what I consider to be the essential elements of a regulatory framework that sets the boundaries between the crypto industry and the banking industry and regulates the interaction between them.

1 General discussion of the regulation of crypto assets

The technical characteristics of the cryptoasset framework can be very complex, but its basic building block is distributed ledger technology (DLT). In this environment, both financial and non-financial assets are encrypted (tokenized) in the form of digital tokens, and transactions and contracts are executed on the basis of permissionless and anonymous access, without any intervention by a centralized institution (whether public or private) acting as an intermediary, custodian or guarantor of the final settlement.

Bitcoin and other native crypto assets based on distributed ledger technology (DLT), and more broadly, DeFi that evolved from this original concept, appear to offer an opportunity for a new financial market structure that could completely eliminate the need for financial intermediaries and public institutions. For many, these innovations are reminiscent of radical proposals such as free banking or the denationalisation of money, which wreaked havoc on banking and regulatory failures and led to a huge popularity in the wake of the 2007-08 financial crisis.

I initially advocated for the isolation of the cryptoasset world (especially cryptocurrencies) from the regulated financial sector to avoid direct regulation of cryptoasset activity. I believed at the time that prohibiting financial institutions, especially credit institutions, from buying, holding or selling crypto assets would avoid risk spillover to the regulated financial sector and would also dispel the public’s potential perception of highly speculative investments. Crypto assets will enjoy the same level of protection as investments in traditional financial assets.

At the same time, I strongly advocate for the full inclusion of crypto exchanges and crypto asset providers in the scope of anti-money laundering and countering the financing of terrorism (AML/CFT) regulation. In my opinion, it is indeed possible to develop new technologies and products outside the mainstream channels of the banking market, which is characterized by “allowing cryptocurrencies to experiment in a closed environment”.

However, due to the subsequent turmoil experienced by the cryptocurrency market, including the recent emergence of unsustainable business models and appalling fraud, there is a strong case for a stricter regulatory approach to it.

In fact, we see some cryptoasset projects that rely solely on the expectation of rising prices and the continuous inflow of new investors (like Ponzi schemes) with no intrinsic value, no ability to generate cash flow, and extremely volatile prices.

For example, in the demise of the stablecoin TerraUSD, we see a clear case of business model flaws and misconduct. This reveals three extremely worrying aspects: the high fragility of lending protocols, the widespread interconnectedness of cryptoasset participants, and the unreliability of algorithmic stability mechanisms. The same case revealed a strong harmful correlation between crypto assets (Luna, paired with TerraUSD) and cryptoasset companies (Lido, Celsius), which had a profound impact on public confidence in the industry as a whole.

Trading platform FTX’s operating system and governance framework are also deeply flawed, prone to conflicts of interest, fraud, and misappropriation of customer assets to compensate for losses suffered by other group entities. In fact, the FTX case exposed all the problems with opaque corporate structures and overly complex and vertically integrated crypto-related business models.

I now believe that the approach of “letting cryptocurrencies experiment in a closed environment” no longer holds water, given the continued expansion of cryptoasset activity, the interest shown by banks and other traditional intermediaries in the hybrid provision of traditional and crypto financial services, the damage caused by fraud to consumers, and the numerous risk management failures in the cryptoasset space.

Moreover, while the sector remains relatively small, further growth outside the regulatory sphere could eventually raise broader financial stability issues, especially given the growing interconnectedness with the banking sector, as evidenced by the crisis involving some mid-sized banks in the US earlier this year.

I am also particularly concerned about potential criminal activity within the industry, and if the cryptoasset world remains completely outside the regulatory sphere, the serious risks of money laundering and terrorist financing will be exacerbated.

Therefore, the decision of European legislators to regulate cryptoasset issuance and cryptoasset services is a decision made at the right time.

2 Financial regulation of the crypto industry

MiCAR is a major legislative achievement that puts the EU at the forefront of global developments. The strength of MiCAR lies in its unified framework, which is directly applicable to all member states and regulates the issuance of crypto-assets, in particular asset reference tokens (ART) and e-money tokens (EMT) as well as the provision of crypto-asset services.

A fundamental aspect of MiCAR is the requirement that issuers of ART and EMT, as well as providers of cryptoasset services, ensure the segregation between their own assets and those of their clients. The lack of such requirements was one of the main reasons for the chaos that followed the collapse of FTX.

The scope of application of MiCAR does not include crypto-assets that have been regulated as financial instruments or any other product that has been subject to existing EU legislation, such as bank deposits. Financial instruments are regulated under the DLT pilot regime.

In fact, the tokenization of financial instruments is expected to make trading and post-trade processes more efficient. If you add to this the tokenization of deposits as a means of settlement of financial transactions, then the cost savings and reduction of operational risk can be significant. In addition, the tokenization of deposits can also provide banks with a competitive tool to protect their funding base and enable an efficient credit intermediation process. That’s why it’s crucial to be absolutely clear about the regulatory regime for retail and wholesale tokenized deposits and to eliminate any residual uncertainty.

In addition, MiCAR explicitly excludes fully decentralized finance and native cryptocurrencies such as Bitcoin from its scope (the reason for this is what I call a “structural” problem), as regulatory measures may lack targets and issuers do not exist.

Bitcoin will be subject to cryptoasset service offering rules (e.g. trading on “institutional” exchanges), but the issuance (mining) of Bitcoin is outside the scope of MiCAR’s regulation.

Another aspect that complicates the implementation of financial regulation is what I call the “deterritorialization” of financial services. Technological advancements have made it increasingly difficult to determine the jurisdiction in which the provider is located for remote service delivery.

As banking regulators, we are accustomed to dealing with multi-jurisdictional issues (with mixed results), but we now seem to be faced with a whole new challenge, namely the disconnect between the provision of financial services and the natural or legal person who is physically located in a particular location.

Nonetheless, in order to guarantee financial stability, the authorities must be able to get a complete picture of the business of cryptoasset participants. This is especially difficult for DeFi due to the need to aggregate risk exposures and financial interconnections between “entities”, which are not easily pinpoint in terms of regulation.

The same challenges exist with Crypto Centralized Finance (CeFi), where even in more traditional trading platforms such as FTX, crypto assets are often traded off-chain, i.e., in the exchange’s ledger.

In fact, cryptoasset service providers typically operate through a network of entities that are often defined only as members of their “ecosystem.” It is not an easy task for special administrators to draw the precise boundaries of FTX. Regardless of the name used by the participants for marketing purposes, it is critical that the interconnected entities are subject to accounting consolidation and general supervision.

3 Crypto Finance and Banking: Setting Boundaries and Regulatory Interactions

Now let me talk about the interaction between crypto finance and banking. It is crucial for prudential regulators to have clear rules on the relationship between cryptoasset participants and traditional financial intermediaries, especially credit institutions, as they act as both issuers of deposits and liquidity providers to other intermediaries in the financial system.

In this regard, I believe that the interaction between regulating cryptoassets and the banking industry should include at least three essential elements: regulating the banking perimeter, upgrading the prudential assessment of initial authorization applications to take into account cryptoasset services and cryptoasset offerings provided by banking intermediaries, and prudently regulating the financial interconnection between banks and the cryptoasset world.

4 Scope of regulation of authorized banking activities

According to the principle of “same activity, same risk, same regulation”, whenever a cryptocurrency company starts engaging in bank-exclusive activities, they need to apply for a banking license and meet the legal requirements to grant such authorization.

The key question is whether and when cryptoasset-related activities actually cross the regulatory threshold.

Given the lack of a truly harmonized regulatory framework for financial services in the EU, determining what financial services are actually offered and how they are actually provided can sometimes be a challenge for our regulators. As outlined by the European Securities and Markets Authority in its 2019 Cryptoassets Report, there are significant differences between Member States in implementing the Markets in Financial Instruments Directive (MiFID) rules on the definition of financial instruments.

Therefore, it is clear that there is a need for a thorough analysis of the financial services offered in the DeFi space and how they map to the definition of financial services in existing legislation, especially as they relate to banking.

The examples of stablecoins are interesting not only because they have been prominent in some recent crises, but also because in the context of DeFi, stablecoins are mainly used to settle transactions involving other crypto assets. The starting point for any discussion should be that stablecoins may be seen as a form of private money, with some similarities to bank demand deposits, but without all the public guarantees of bank deposits. Given the potential for stablecoins to lose their peg to the reference currency (usually the US dollar), they are vulnerable to a run, just like bank deposits.

This is why the US President’s Working Group on Financial Markets, in its 2021 report on stablecoins, recommended that the issuance of stablecoins should be reserved for companies authorized as depository institutions, i.e., banks. This regulatory proposal has yet to be implemented by U.S. lawmakers.

I think that in this regard, the solution taken by MiCAR for the regulation of EMTs (stablecoins pegged to a single official currency) is consistent with this approach, as it only allows credit institutions or electronic money institutions to issue EMTs. This will maintain the reliability of electronic money and its ability to actually function as money and all its essential features.

In the ECB’s Banking Supervisory Authority, we are prepared to work with the European Banking Authority (EBA) and other competent bodies in the supervisory authority to supervise banks that issue EMTs and assess the need for further regulatory reforms in this regard.

5 Initial authorization for banks to conduct cryptocurrency business

Another aspect is how to handle banking license applications when the business model involves the provision of cryptoasset services.

It is worth mentioning that the solution adopted by the EU has always been very close to the universal banking model in terms of the activities that are allowed to be carried out by banking license holders. Under this solution, credit institutions can provide all financial services except core banking services, with the exception of insurance services, which always require a separate authorization and a separate legal entity.

As a result, credit institutions in the EU are also often able to provide investment services, payment services, etc., without the need for a separate specific authorization. Obviously, they still need to comply with all sectoral requirements for a particular type of service (e.g., MiFID’s suitability requirements for investment advice) and be subject to the supervision of a competent authority (if different from a prudent banking institution).

The rationale behind this approach is that credit institutions have historically been the most heavily regulated financial intermediaries, given the basic economic functions they perform, and therefore can provide all other financial services. Unsurprisingly, this is also the solution adopted by MiCAR, according to which credit institutions do not require specific authorization to issue tokens or provide crypto services, but are subject to industry-specific regulation in addition to the usual prudential regulation.

In this regard, I believe that the evaluation of the initial authorization application of a credit institution whose business model is characterized by significant cryptoasset activity will have some distinctive features.

We don’t have a specific case yet, but it is foreseeable that in the near future, there will be a number of innovative companies engaged in a large number of cryptoasset activities applying to be authorized as credit institutions, in part because of the entry into force of MiCAR.

So far, we have only dealt with cryptoasset authorizations for German credit institutions, as the provision of cryptoasset custody services and other crypto services requires a formal expansion of the banking license under German law. Our mandate is to issue authorizations to all credit institutions, whether significant or minor under our direct supervision. As a result, we have gained some experience in dealing with the authorization to provide cryptoasset services, and last year we published regulatory standards for the licensing of banks engaged in cryptoasset activities.

We explain that in evaluating such applications, we will pay particular attention to the following aspects: the overall business model of the credit institution and its sustainability, the internal governance and risk management of the credit institution and its ability to assess the risk of a particular cryptoasset, and the suitability assessment, where we expect the board members and key functional heads of the credit institution to have a specific and in-depth understanding of digital finance. We will also work closely with the AML authority to assess the AML/CFT risk profile of the bank.

Going forward, I think that the specific country authorities under the MiCAR regulations, whether newly established or existing regulators, will also be important partners in our evaluation of banking license applications for cryptoasset service providers.

6 The link between banking and cryptocurrency finance should be prudently regulated

The third and final issue I would like to touch on is how to supervise and regulate the direct financial links between credit institutions and crypto finance.

There are two aspects to this. The first relates to the liability side of bank balance sheets, which became more prominent earlier this year due to a crisis involving a number of mid-sized US banks with strong ties to the tech industry and crypto asset providers. On the other hand, it involves the asset side of the bank’s balance sheet and the crypto assets it holds.

In terms of the first aspect, systemic risk can stem from the high correlation between deposits held by different cryptocurrency companies in the same bank or in different banks. In particular, deposits of cryptoasset issuers can be highly volatile and prone to runs. In addition, when such deposits account for a significant portion of the bank’s funds, they can hinder or harm the bank’s resolution strategy and require extraordinary measures to prevent contagion.

In this regard, it is worth noting the provisions of MiCAR, which require at least 60% of the reserves of the material asset reference token to be held in the form of bank deposits. While it is understandable as a means of investor protection, it can have unintended consequences from a financial stability perspective.

Some banks are likely to specialize in banking related to stablecoin issuers. However, it is particularly important that credit institutions monitor the diversification of their deposit base (not only in terms of individual counterparties, but also in terms of industries) and should not rely on volatile deposits, especially those of cryptoasset participants, that exceed their prudently set risk tolerance levels.

As regulators, we will also assess the concentration risk of deposit-based industries very closely. In this regard, it is critical that the relevant MiCAR delegate technical standards include a prudent calibration of the single-name concentration limit and the requirement for issuers to determine the credit risk tolerance level for their bank counterparties.

Equally important, issuers, especially significant issuers, have an obligation to maintain an effective risk management function. Issuers primarily address financial and operational risks, and the sound management of these risks requires adequate human and technical resources.

The second aspect involves the direct exposure of credit institutions to cryptoassets. Here, we as banking regulators are in a more familiar area, at least in terms of dealing with credit and market risk. The typical response of banking supervision to borrower default risk has been to stipulate capital requirements and risk limits.

At the end of last year, the Basel Committee (BCBS) issued standards for capital requirements for banks to invest directly in cryptoassets. The standard is not yet legally binding and needs to be translated into EU law by 1 January 2025, but we already expect banks to incorporate it into their business and capital planning.

The standard divides crypto assets into two categories. The first category consists of tokenized traditional assets and stablecoins with an effective stability mechanism that meet strict classification conditions, which will absorb the same amount of their own funds as their reserve assets or referred assets, and may be subject to additional fees imposed by regulators. The second category consists of the riskiest form of crypto-assets, with a risk-weighted rate of 1250%, which basically means that the bank must maintain the same amount of capital resources as the total value of the exposure. Holding restrictions also apply to the second group of assets.

One of our current concerns is the possibility of circumventing the prudential regulatory framework that will be applied. In fact, if a bank-controlled cryptoasset service provider is not within its prudent integration scope, the BCBS standard, especially the risk limit, may lapse.

It is worth recalling that we apply the prudential requirement on the basis of the merger, and other financial companies also fall within the scope of the banking group merger. Their risk exposure helps determine the comprehensive capital requirements that credit institutions need to meet.

As things stand, we believe it will be very difficult to include subsidiaries of credit institutions set up by cryptoasset service providers (CASPs) in the scope of prudent consolidation. This is due to the fact that the Council on Insolvency Regulation (CRR) provides for financial institutions that must be included in the scope of prudent consolidation. By revising the definition of financial institutions, the inclusion of CASPs in the scope of prudent consolidation of banking groups needs to be a priority.

I believe that in the coming years, regulators will face a steep learning curve on how best to handle the interaction between credit institutions and cryptoassets. This learning process will be challenging, as it is not easy to attract enough employees with the necessary technical skills.

Conclusion

I strongly believe that the fundamental characteristics of modern financial markets need to be preserved, in which credit institutions play a key role due to their central role in the process of money creation. I see no reason for the key features of this institutional framework to hinder the benefits of the latest technological advances.

I do not believe in the view that innovation can only flourish outside the scope of regulation and oversight, and that we should create a space for innovative companies to experiment outside of the official financial sector without complying with basic prudential, behavioural and AML/CFT requirements. When a company’s core function is to handle other people’s funds, especially when its services mimic key banking products such as deposits and payments, the security of the business and the stability and integrity of the market need to be adequately protected.

This is an area that requires our special attention so that we can provide appropriate regulatory and oversight solutions. For example, a hybrid event group (a conglomerate that provides financial and business services) that operates across borders and covers millions of customers may raise concerns about a level playing field and pose a threat to overall financial stability.

Regulation is often long overdue, sometimes too late to repair the damage that has already been done.

There is a clear similarity to Hegel’s description of philosophy: philosophy came too late to provide “instructions as to how the world should be”. This is because philosophy uses its analytical tools (“it appears”) only after reality has undergone its formation and has reached a “state of completion”: like Minerva’s owl, philosophy “begins to fly only when twilight comes”.

But we can’t afford to go too late or too lenient for fear of hindering innovation or hurting competition in financial markets.

Although we will always be playing catch-up, it is crucial that the regulation and supervision of cryptocurrency finance begins earlier than “twilight”, and in fact it has already begun.

Thank you very much for your interest.