APRA releases guidance on managing crypto asset risks

30 May 2022 05:44

Alison Cripps - Legal Writer, LexisNexis Practical Guidance Cybersecurity, Data Protection & Privacy

On 21 April 2022, the Australian Prudential Regulation Authority (APRA) issued risk management guidelines (in the form of a letter) for APRA-regulated entities that engage in crypto asset related activity. The guidelines outline APRA’s risk management expectations and a policy roadmap for regulated entities that engage in crypto activity.

Who needs to know?

Organisations under the regulation of APRA should review the guidelines.

What crypto activity is covered by the guidelines?

APRA identifies crypto-assets as including tokenised traditional assets, crypto-assets with stabilisation mechanisms and other unbacked crypto-assets. Activities involving these assets, which will fall under the scope of the guidelines, may include investment, lending, issuance or the providing of services associated with the assets to customers.

What do the guidelines say?

APRA expects that APRA-regulated entities who engage in the above crypto-activity will continue to understand and manage any potential risks associated with that crypto activity. In particular:

  • before engaging in any activities involving crypto-assets, organisations should conduct due diligence and perform comprehensive risk assessments to understand the risks of engaging in those activities, and should take steps to mitigate those risks;
  • when relying on a third party in activities involving crypto-assets, organisations should take the principles of Prudential Standard CPS 231 Outsourcing or Prudential Standard SPS 231 Outsourcing into consideration; and
  • organisations should put in place robust risk management controls, which have clear accountability mechanisms and reporting lines to the board on risks associated with new activities.

APRA also reminds regulated entities to continue to follow ASIC’s conduct and disclosure regulations, and to consult either APRA or ASIC when unclear on any prudential, disclosure or conduct requirements and expectations relating to activities involving crypto-assets.

What’s ahead for APRA and its regulation of crypto assets?

Regarding future policy on crypto-assets and related activities, in “the period ahead” APRA plans to:

  • consult on requirements for the prudential treatment of crypto-asset exposure in Australia for authorised deposit-taking institutions (ADIs). Consultation on this will begin in 2023, with the possibility for initial prudential guidance to be realised in the meantime;
  • establish new and revised requirements for the management of operational risks, which will cover control effectiveness, business continuity and service provider management. These requirements will apply to all of an entity’s operations, including those involving crypto-assets. A draft of these requirements will be released for consultation in mid-2022; and
  • consider potential approaches to the prudential regulation of payment stablecoins. Acknowledging the similarity between stablecoins and Stored-value Facilities (SVFs), APRA, in collaboration with other relevant agencies, is developing options for incorporating stablecoins into the proposed regulatory framework for SVFs. Pending the development of certain broader legislative frameworks, consultation on prudential requirements for large SVFs is predicted to begin in 2023.

APRA reiterates that individuals and entities should expect a number of developments in crypto-asset and payment regulation more broadly in the near future.

This article was written with the assistance of James Boyaji, Paralegal.
