This report has been collaboratively authored by teams from Galaxy and PwC.
Key takeaways
Currently, there is no existing framework for global oversight of the cryptocurrency industry, and in recent years, knock-on effects from poor risk practices at a few digital asset firms have pervaded much of the industry as a whole
There is increased risk when engaging counterparties, venues, and vendors, and the lack of a strong process to manage third-party risk can result in business disruption, financial loss, and non-compliance with regulatory requirements, among other consequences
With a lack of clear supervisory oversight, the onus is on digital asset firms to proactively develop and maintain strong third-party risk programs inclusive of performing risk assessments, conducting due diligence, and implementing governance and oversight
Introduction
Reflecting on the year 2021, the cryptocurrency industry experienced exponential growth in valuation and headcount, which created an atmosphere that seemed poised to carry this momentum into the following year. However, during the first quarter of 2022, signs of market participant exhaustion became apparent and several players collapsed. Cracks within the industry started to appear, gradually widening, and ultimately triggering a chain reaction of risk exposure that led the digital asset industry into a bear market.
The collapse of cryptocurrency market players can be attributed to the immaturity of this industry and heavy reliance on other cryptocurrency third parties, which may result in an increased risk of business disruption, financial loss, and non-compliance with regulatory requirements. With the unique and evolving risks presented by cryptocurrency, such as key management and custody of assets, cryptocurrency institutions should consider establishing oversight and due diligence over third parties, including counterparties, vendors, and venues. The onus is on each individual organization to develop a more agile and resilient approach to third-party risk management.
Taking a Step Back
Traditional finance has been evolving for centuries compared to the cryptocurrency industry, which began in 2009 when the first Bitcoin block was mined. As we explore the ever-evolving challenges and risks in cryptocurrency, it is important to consider the differences between traditional finance and digital assets to identify solutions.
The table below details the types of institutions between traditional finance and digital asset.
Additionally, aside from the varying types of institutions, there are fundamental differences over how assets are custodied and maintained – refer to the table below.
Challenges
Developing the cryptocurrency products and services required to meet the needs of users today and in the future requires a degree of reliance on third-party vendors in addition to open-source software. Historically, the consequences of improper governance and risk considerations have played out many times on-chain through various exploits, but the effects had yet to truly spill over into off-chain financial organizations until early May 2022. The first domino in a long chain of interconnected assets, counterparties, and digital asset firms fell and led to contagion spreading across the industry, even affecting more traditional markets and firms.
As various digital asset firms fell, the contagion of risk spread to the most seemingly well-positioned actors. Cursory or inconsistent due diligence conducted on third parties – regarding entity ownership, points of control, reporting requirements, asset custody architecture, asset holdings, and fraud – likely contributed to the de-leveraging in the crypto industry. What these interconnected counterparties failed to identify was an effective way to assess and mitigate risks associated with commingled assets, how stress can impact firm solvency, private key management for custodied assets, the technical nature of the assets held, and the infrastructure on which the assets operated. Institutions looking to build in the digital asset industry should be vigilant in their reviews of third parties and confirm that their relationships are working and will continue to work as desired.
Leading Practice
Creating a risk management program is necessary to mitigate many types of risk that exist when engaging with third parties, including (but not limited to) cybersecurity, legal, operational, financial, and reputational risks. For instance, cybersecurity risk may exist when sharing information with a third party about your company, your customers, and your processes. Additionally, your firm may be held responsible for any regulatory scrutiny that results from actions taken by the third party on your behalf, which may lead to legal risk. As a result, it is critical to establish a third-party risk management program to assess relevant risks when engaging a counterparty, vendor, or venue. Especially in the digital asset world, which can carry unclear rules and regulatory expectations, a clearly defined program can help to reduce the potential risks of doing business with a third party. The OCC, SEC, and NFA differ in some requirements for their registrants, but the spirit of the rules is identifying and managing risk introduced by third parties. When building out a third-party risk management framework, it should address risks unique to the crypto space such as key management, liquidity, non-reversible rails, and treasury management. An important risk distinct to digital assets is the overtly custodial nature of trading digital assets on centralized exchanges. This differs from the traditional world, in which you generally maintain custody of your assets until the exact moment of asset exchange. In the crypto world, by contrast, a firm should weigh the opportunity cost of the digital assets to be deployed and kept active on an exchange against the inherent risks of the custodian selected by each crypto exchange used. Traditional risks such as financial, cyber, and reputational risk should be taken into account as well. Without a strong framework, the firm may neglect to consider and assess risks when deciding to align with a third party.
For example, when a firm is selecting a vendor to serve as its custodian, understanding how the custodian generates its customers' private keys and governs its key storage and signing processes could help deter the firm from selecting an inadequate solution. Overall, a strong framework for cryptocurrency market players should include risk assessments, due diligence, and governance to assess relevant risks when engaging a counterparty, vendor, or venue.
Perform Risk Assessments | Before beginning a relationship with a third party, and as the first step in your third-party risk management program, it is necessary to conduct a risk assessment to confirm that a proposed relationship is consistent with the company's strategic planning, risk appetite, and overall business strategy. The overall goal of the risk assessment is to assess the risk impact of engaging with the counterparty, vendor, or venue. As part of the assessment, multiple options, such as other competing third parties or internal solutions, should be assessed against each other to determine the right fit. The risk assessment should contain components such as compliance, governance, technology, on-chain, and legal. The outputs of the assessment should be used to analyze the benefits, costs, legal aspects, oversight needed, and feasibility. To that end, the assessment should also serve to develop oversight features such as performance criteria, metrics and reporting needs, contracting needs, and internal controls.
Conduct Due Diligence | Once it has been confirmed that the firm would like to move forward with a third-party relationship, the due diligence process begins. It is imperative that a rigorous and robust due diligence framework is in place for selecting and managing third parties. The framework should identify and control multiple types of risk (e.g., market, reputational, credit, operational, etc.) as well as cover the decision to engage with a third party and the review of ongoing third-party relationships. Additionally, it should include the review of the third party's policies, processes, business continuity and disaster recovery plans, as well as the financials of the third party.
It is recommended that you develop and distribute a third-party questionnaire and use the responses to further assess the potential risks associated with the third party under consideration. A strong questionnaire may include the following items:
Audited financial statements, annual reports
Key management processes and controls
Any complaints, litigation, or regulatory actions
SEC filings and insurance coverage
Reputation of the entity
Ability to use current system or make investment
Proof of reserves
Qualifications of the third party’s management team
Usage of third parties to perform activities
Controls, cybersecurity, and privacy protections
Continuity and disaster recovery plans
Knowledge of rules and regulations to follow
In order to be most effective in this evaluation, a standardized scorecard or set of scorecards should be developed such that each vendor or class of vendor is judged across the same criteria. Criteria might include, but are not limited to, risk management practices (e.g., three lines of defense, BCP, due diligence process for their own vendors), financial condition, and applicable controls, metrics, and reports. A documented, tested scoring methodology and framework should be designed and utilized both to construct the scorecard and to conduct the actual evaluation.
Additionally, with the public and transparent nature of blockchain data, firms can add an additional layer of assessment of counterparties, vendors, or venues by confirming or exploring on-chain holdings or activities. Leveraging on-chain forensics from commercial tools may give a firm the ability to conduct more rigorous diligence than is possible in the traditional space.
Implement Governance & Oversight | Once the firm has gained some level of comfort over the third party’s practices and organization, the attention shifts to governance, including oversight over contracts, ongoing monitoring over third parties, and reporting to key stakeholders.
A well-structured contract should include protections (e.g., scope, cost, performance, reporting, privacy, disaster recovery, termination conditions, etc.) and should be approved by the board and/or legal counsel. In addition to the initial risk assessment and due diligence performed, third parties should be reviewed on a periodic basis to identify new risks and evaluate performance. Due to the fast-paced and seemingly ever-changing nature of the digital asset industry, it may be prudent to implement automated compliance alerts as well as to conduct more frequent evaluations of applicable vendors than a firm would in the traditional world. Furthermore, there should be defined reporting lines for escalation, communication plans, and change management.
Legal Disclosure:
This document, and the information contained herein, has been provided to you by Galaxy Digital Holdings LP and its affiliates ("Galaxy Digital") solely for informational purposes. This document may not be reproduced or redistributed in whole or in part, in any format, without the express written approval of Galaxy Digital. Neither the information, nor any opinion contained in this document, constitutes an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options or other financial instruments or to participate in any advisory services or trading strategy. Nothing contained in this document constitutes investment, legal or tax advice or is an endorsement of any of the digital assets or companies mentioned herein. You should make your own investigations and evaluations of the information herein. Any decisions based on information contained in this document are the sole responsibility of the reader. Certain statements in this document reflect Galaxy Digital's views, estimates, opinions or predictions (which may be based on proprietary models and assumptions, including, in particular, Galaxy Digital's views on the current and future market for certain digital assets), and there is no guarantee that these views, estimates, opinions or predictions are currently accurate or that they will be ultimately realized. To the extent these assumptions or models are not correct or circumstances change, the actual performance may vary substantially from, and be less than, the estimates included herein. None of Galaxy Digital nor any of its affiliates, shareholders, partners, members, directors, officers, management, employees or representatives makes any representation or warranty, express or implied, as to the accuracy or completeness of any of the information or any other information (whether communicated in written or oral form) transmitted or made available to you.
Each of the aforementioned parties expressly disclaims any and all liability relating to or resulting from the use of this information. Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Galaxy Digital, and Galaxy Digital does not assume responsibility for the accuracy of such information. Affiliates of Galaxy Digital may have owned or may own investments in some of the digital assets and protocols discussed in this document. Except where otherwise indicated, the information in this document is based on matters as they exist as of the date of preparation and not as of any future date, and will not be updated or otherwise revised to reflect information that subsequently becomes available, or circumstances existing or changes occurring after the date hereof. This document provides links to other Websites that we think might be of interest to you. Please note that when you click on one of these links, you may be moving to a provider's website that is not associated with Galaxy Digital. These linked sites and their providers are not controlled by us, and we are not responsible for the contents or the proper operation of any linked site. The inclusion of any link does not imply our endorsement or our adoption of the statements therein. We encourage you to read the terms of use and privacy statements of these linked sites as their policies may differ from ours. The foregoing does not constitute a "research report" as defined by FINRA Rule 2241 or a "debt research report" as defined by FINRA Rule 2242 and was not prepared by Galaxy Digital Partners LLC. For all inquiries, please email [email protected]. ©Copyright Galaxy Digital Holdings LP 2023. All rights reserved.