On March 9, 2022, President Biden issued an Executive Order on Ensuring Responsible Development of Digital Assets, which outlines the federal government’s comprehensive strategy for the treatment of cryptocurrency. In this order, the White House stated that in November 2021, “non‑state issued digital assets reached a combined market capitalization of $3 trillion,” up from $14 billion in November 2016.
According to a fact sheet released by the White House, the rise in these digital assets in recent years creates an opportunity for the United States to “reinforce American leadership in the global financial system.” Additionally, this order is described as the “first-ever, whole-of-government approach” to addressing the risks posed to the financial sector by cryptocurrencies. It’s also designed to address other United States concerns, such as “consumer protection, financial stability, national security, and climate risk.”
The Executive Order outlines six objectives for its digital asset policy:
- To reduce the risks posed to consumers, investors, and businesses from the use of digital assets;
- To promote and maintain financial stability and financial system integrity by mitigating risk;
- To combat and prevent crime and illegal actions in the financial sector;
- To reinforce national security;
- To protect the ability of persons to exercise their human rights;
- To promote and maintain financial inclusion and equity by promoting access to “safe and affordable financial services”; and
- To reduce or extinguish climate change and pollution.
In order to achieve these objectives, the order notes that the U.S. is considering the possibility of developing central bank digital currencies (CBDCs). The policy and actions needed to create U.S.-issued CBDCs are as follows:
- Engage in research and development regarding the potential design and deployment options of U.S. CBDCs;
- Engage in multi-country conversations and pilot projects involving CBDCs in a manner that is consistent with U.S. priorities and democratic values, such as privacy;
- Prioritizing timely assessments of the potential benefits and risks of U.S. CBDCs, as opposed to private sector-administered digital assets. These benefits include enhanced efficiency, minimized costs, and economic growth;
- Directing relevant federal agencies to engage in the interagency process to produce a report for the President outlining:
  - The future of monetary and payment systems;
  - The influence that technological innovation could have on these systems; and
  - The implications for the United States financial and payment systems, economic growth, financial inclusion, and national security;
- Encouraging the Chairman of the Board of Governors of the Federal Reserve System (“Chairman of the Federal Reserve”) to continue their research on CBDCs and issue a report on certain impacts these currencies could have on the United States; and
- Directing the Attorney General and the Chairman of the Federal Reserve to provide an assessment of legislative changes that they deem necessary, and a corresponding legislative proposal.
Another approach to achieving these objectives is to “promote financial stability, mitigate systemic risk, and strengthen market integrity” by engaging the Financial Stability Oversight Council (FSOC) to produce a report that outlines the risks to financial stability posed by the use of digital assets, identifies the regulatory gaps that foster these risks, and recommends actions to mitigate them.
Finally, the order notes that these objectives can be achieved by limiting illicit financial acts and mitigating the national security risks that are associated with these illegal practices. In order to do so, the order directs relevant agencies to submit to the President supplemental annexes listing the “illicit finance risks posed by digital assets” and a coordinated action plan for mitigating these risks.
Each of the order’s directives must be completed within a defined time frame, with the longest deadline being 210 days from the date of the order’s issuance. Despite these defined timelines, however, the Executive Order will have no immediate effect on the regulation, management, or operation of digital assets.
As such, organizations should consider additional means to mitigate or prevent the risks associated with these assets from negatively impacting their organization or the industry they serve in the interim.
Cryptocurrency Security Standard
One available security standard in the digital asset and cryptocurrency space is the Cryptocurrency Security Standard (CCSS), which was introduced in 2014 to provide guidance on the secure management of cryptocurrencies.
CCSS is known as an “open standard,” which is commonly defined as a standard that is made available to the public for adoption or implementation. It is maintained by the CCSS Steering Committee, which is composed of cryptocurrency subject matter experts. Industries that share or develop open standards do so to establish behavior parameters or guidelines for industry participants.
CCSS has three levels of scrutiny for information systems that manage or maintain cryptocurrency exchange data. If the organization can attain all three levels of scrutiny, then its cryptocurrency will be more resilient to a system compromise or attack.
- Level 1 – an independent audit has proven that the information system has the ability to protect a cryptocurrency wallet with a strong security system. The system’s strength comes from consistently assessing and addressing risks in accordance with the industry standard.
- Level 2 – an independent audit of the information system proves that its creating organization has formalized policies and procedures that exceed the industry standard and have been employed and consistently enforced within the business to ensure enhanced security levels.
- Level 3 – an independent audit of an organization’s information system shows that policies and procedures have been deployed that exceed the standards in Level 2, such as engaging multiple actors to conduct “all-critical actions” and using advanced authentication mechanisms.
According to a report, in a recent review of current breaches, Deloitte found that “every system that suffered a high profile cryptocurrency breach was found to be non-compliant with CCSS Level 1.” In contrast, systems that were in compliance with CCSS Level 2 or higher evidenced an enhanced likelihood of withstanding a cyberattack resulting in the attackers having full access to the mechanical part of the cryptocurrency systems. The report further stated that testing for CCSS compliance would provide reasonable assurances as to the organization’s ability to minimize or mitigate the risks associated with the cryptocurrency assets.
As such, organizations should consider compliance with this open standard as they await further regulation or guidance resulting from the Executive Order.