Step into the dynamic world of CoinDCX, India’s trailblazing Crypto Asset Service Provider (CASP) that has transformed the landscape of crypto engagement for more than 15 million Indians. Valued at an impressive $2.15 billion, CoinDCX stands as a technological powerhouse, offering a wide spectrum of services encompassing exchange and investment solutions, secure custody services, and cutting-edge DeFi tools.
With a diverse and dedicated team of over 700 professionals spread across Mumbai, Bengaluru, and Delhi, CoinDCX embodies the relentless passion and unwavering commitment synonymous with the global crypto asset sector. As a driving force behind India’s burgeoning CASP ecosystem, the company actively collaborates with government and industry stakeholders to nurture growth and progress. Grateful for IOSCO’s recognition of the industry’s nascent stage and the coexistence of opportunities and risks highlighted in Consultation CR01/2023, CoinDCX shares its thoughtful responses to specific recommendations, striving to strike the perfect balance between investor protection and innovation promotion.
Embracing the values cherished by Web3 technologists, CoinDCX advocates for democratic access, transparency, fairness, self-reliance, self-sovereignty, privacy, and security. Committed to breaking barriers and providing unbridled access to a digitally interconnected world, CoinDCX eagerly contributes to shaping IOSCO’s final recommendations with an unwavering vision of inclusivity and progress.
CoinDCX’s comment on IOSCO’s Consultation Report on Policy Recommendations for Crypto and Digital Asset Markets
First, we would like to thank IOSCO for the even-handed, neutral recommendations provided in Consultation CR01/2023 “Policy Recommendations for Crypto and Digital Asset Markets” – particularly the recognition of, and emphasis on, the fact that the industry (and the technology) is still at a nascent stage, with both risks and opportunities yet to manifest maturely. For example, we applaud the foresight to intentionally carve out DeFi from the purview of the suggested regulations, and the openness towards allowing vertical integration (as long as conflicts of interest are appropriately mitigated).
However, while we are aligned with and deeply appreciative of the unbiased and forward-looking view of IOSCO, it is our opinion that recommendations on a few key issues must be clarified or altered to better balance the protection of investors and the nurturing of innovation. The foundation of these responses is the on-ground experience of Web3 entrepreneurs in India, as well as in several other developing nations, the barriers to entry they have faced in the past, and the obstacles they will face if the recommendations provided in this consultation (or other guidance by SSBs) are implemented incorrectly.
We strongly believe that Web3 is made up of a group of technologists who uphold principles of democratic access, transparency and fairness, as well as self-reliance, self-sovereignty, privacy, and security, and who have created a suite of technologies that allow real-world implementations of these ideals via code. This is all the more true for entrepreneurs and developers in the developing world – whose experience with the internet has been that of a great equalizer – who should be allowed to reap the benefits of an increasingly interconnected, sophisticated, digital world without barriers based on where they were born. With this thought, we have shared our responses in the humble hope that this view will be part of the guiding principles that shape IOSCO’s final recommendations.
Chief Public Policy Officer, CoinDCX
INTRODUCTION & KEY THEMES
The following sections reproduce, chapter by chapter, all 18 recommendations provided in the IOSCO paper for reference, each associated question, and our response to it. Finally, we would like to thank IOSCO for giving us this chance to provide our thoughts and for creating this insightful piece of guidance, which will no doubt contribute towards setting the foundation for progressive crypto asset policy for many years.
While we have provided recommendations to all questions posed in the paper, four key themes guide our responses:
THEME 1: A wait-and-watch approach is still risk-appropriate:
In the rapidly evolving world of crypto assets, a prescriptive regulatory approach may inadvertently stifle innovation and limit the potential benefits that these technologies can bring. Therefore, we advocate for a wait-and-watch approach that allows the industry to develop and mature, while still maintaining adequate safeguards for investor protection. This approach would involve continuous monitoring and assessment of the crypto asset landscape, with regulations being introduced or updated as and when necessary based on observed risks and developments. This approach would also provide the opportunity for regulators to learn from the experiences and best practices of other jurisdictions, and to develop regulations that are tailored to the specific needs and circumstances of their own markets.
This is particularly relevant for entrepreneurs and developers in developing nations, who would be trivially excluded from ever participating in the industry if prescriptive regulations based on existing IOSCO standards were introduced for CASPs wholesale. Given that the consensus of both SSBs and government agencies has been that the Web3 industry is still in its infancy and largely self-referential, we believe this approach is risk-appropriate.
THEME 2: Guidance and regulations should be based on the principles of fairness, open-mindedness, and manifested risk, not desired outcomes:
Regulatory guidance and regulations should be grounded in the principles of fairness, open-mindedness, and manifested risk. This means that regulations should be designed to ensure a level playing field for all market participants, and should not unduly favour or disadvantage any particular group – including at an industry level. Regulations should also be open-minded, recognizing that both the industry and technology are still in their infancy. Furthermore, regulations should be risk-based, meaning that they should be proportionate to the actual risks posed by crypto assets, and not based on hypothetical or speculative risks.
We feel this approach is more appropriate than an outcome-focused approach, as there is no consensus on the basic desirability of crypto assets across nations, or even across SSBs. In its absence, regulatory arbitrage will undoubtedly persist, driving the market underground and compounding the difficulty of enforcing any regulation. On the other hand, regulations guided by a more general-purpose, principles-based approach as described above can lead to a greater degree of uniformity in regulation – a key piece in enabling international cooperation and data sharing at a sufficient scale.
THEME 3: Technological capacity building and regtech integration via industry engagement is a necessary condition for any kind of enforcement:
Effective regulation of the crypto asset industry requires a deep understanding of the underlying technologies and the ways in which they are used. This can only be achieved through close engagement with the industry and continuous capacity building. Regulators should therefore invest in developing their technological capabilities and understanding of crypto assets. Furthermore, regulators should explore the use of regulatory technology (regtech) solutions to enhance their monitoring and enforcement capabilities. This could include the use of blockchain analytics tools, machine learning algorithms, and other advanced technologies. By building their technological capacity and integrating regtech solutions, regulators can ensure that they are well-equipped to oversee the crypto asset industry and to enforce regulations effectively.
This approach is preferable to prescribing general IOSCO Standards to CASPs as suggested in the consultation. It can be implemented through technical requirements, the provision of tool kits, and government regtech platforms. The key characteristics of Web3 platforms would enable this approach to provide transparency and traceability while simultaneously promoting innovation by reducing the entry barrier for CASP startups.
THEME 4: Distortionary or prohibitory approaches towards crypto assets have thus far been the best indicator of policy failure
While there may be benefits in prioritising capital controls and financial stability by taking an insular approach towards disruptive technology, the benefits have not outweighed the risks in the crypto asset industry; this is an increasingly observable statement when analysing the stance nations have taken towards crypto assets. While this is true broadly, the hypothesis applies more strongly to nations that have applied prohibitory or distortionary policies for the entirety of the industry’s existence. While the common narrative is that the level of development in a country is a good indicator of adoption, in reality this analysis obfuscates the relationship between hostile or distortionary crypto asset policy and adoption of crypto assets at a grassroots level – as adoption of crypto assets simply does not track uniformly with other indicators of economic development. This is seen in various industry reports studying on-chain activity by country, as well as in website traffic, downloads and active users on the apps of major CASPs. To illustrate this, India, Vietnam, Pakistan, Nigeria, Turkey and China (just to name a few) have all had distortionary or prohibitive policies in place and regularly rank the highest or amongst the highest for volume of crypto asset transactions, number of crypto asset transactions, and active users across platforms.
This is true for nations which have attempted to aggressively ring fence or outright ban crypto assets (Nigeria, China), or those that have tried to prohibitively tax it (India). India provides a particularly relevant lesson in the dangers of distortionary tax policy, having introduced a TDS burden of 1% on every crypto asset sale in the country with the stated goal of discouraging investment and creating traceability. Predictably, market makers adjusted by increasing spreads accordingly, drying up liquidity and making it unprofitable to trade on compliant Indian exchanges. However, the fundamental features of crypto assets (borderless, permissionless) enabled Indian investors to simply move to foreign platforms not beholden to Indian laws, where spreads were as low as 15 basis points. Thus, not only were the twin objectives of discouraging investment and traceability not achieved, they actively contributed towards fomenting an underground market.
This turn of events is not exclusive to crypto assets – whether it be coal, gambling, or (on the opposite end of the spectrum) renewable energy, policy is unpredictable and requires a multidimensional approach; relying only on sticks without carrots is rarely successful. Even if a nation believes the crypto asset industry is undesirable, a more prudent, data-driven approach would lead to neutral, fair policies (described above), as the enormous benefits via transparency and the mitigation of unnecessary rent seeking arising from uncertainty and asymmetric information far outweigh the costs.
OVERARCHING RECOMMENDATION ADDRESSED TO ALL REGULATORS
Recommendation 1: Regulators should use existing frameworks or New Frameworks to regulate and oversee crypto-asset trading, other crypto-asset services, and the issuing, marketing and selling of crypto-assets (including as investments), in a manner consistent with IOSCO Objectives and Principles for Securities Regulation and relevant supporting IOSCO standards, Recommendations, and good practices (hereafter “IOSCO Standards”). The regulatory approach should seek to achieve regulatory outcomes for investor protection and market integrity that are the same as, or consistent with, those that are required in traditional financial markets.
Are there other activities and/or services in the crypto-asset markets which Recommendation 1 should cover? If so, please explain.
- CoinDCX response: The document specifically states that the IOSCO standards should apply in general to all types of crypto assets; our recommendation is to limit applicability of IOSCO standards and regulation as described in this document to financial instruments that unequivocally fall within existing laws and regulations in most member jurisdictions. Examples of this include stablecoins, tokens representing real-world assets, and tokens that are unambiguously securities (based on voluntary registration to relevant securities regulator or enforcement action by the same).
- There is a danger of pigeonholing crypto assets if they are to be uniformly covered by IOSCO guidelines as suggested in the document. While crypto assets of certain characteristics, market capitalization, liquidity, and daily trade volume may be suitable for coverage under IOSCO guidelines, a cornerstone of the entire crypto asset industry is the ability to access public blockchain infrastructure and create crypto assets or software that interfaces with crypto asset networks at little to no cost. Although crypto assets like Bitcoin or Ethereum may represent something of a new asset class in and of themselves, crypto assets (in their current iteration) can be digital analogues of any physical or digital asset – ranging from tokenized securities to NFTs of digital art.
- Thus, any guidance provided must necessarily first define a clear and consistent scope of activities and assets to regulate, as opposed to applying to “all crypto-assets, their issuers, and the provision of services in relation to primary issuance, secondary trading, and ancillary services and activities linked thereto.” The same issue arises when tackling DeFi; while the document states that DeFi is out of the scope of this document, it is not explicitly defined. Indeed, many would consider stablecoins as well as custodians to be DeFi.
- While several jurisdictions, including the US, UK, and Canada, have so far focused regulation on certain types of tokens, specifically those that can be construed as securities, all nations are still struggling with appropriately defining crypto assets, as well as with how they fit into the prevailing taxonomy of instruments in legacy finance. For example, the US and the UK are yet to regulate stablecoins (although draft bills exist), while Japan’s stablecoin laws have only just come into force. Even today, it is not wholly clear whether even Ethereum should be considered a commodity or a security.
- However, this is not to say that no crypto assets are ready for regulation. Rather, emphasis on regulation should be on the on-ramps and off-ramps in a particular jurisdiction – that is, platforms offering investment and trading services involving crypto assets to both retail clients and accredited investors globally or in a particular country’s borders; such as exchanges and lending platforms.
- For example, exchanges should be limited in the tokens they are allowed to list, similar to how the OSC (Ontario Securities Regulator) has created a ‘black list’ of tokens for registered platforms. The OSC’s model works by allowing voluntary registration by issuers on the one hand (particularly for local issuers), coupled with a black list of tokens deemed inappropriate for sale on the other; we suggest this model of regulation for listing as well (as discussed later in the document).
Do respondents agree that regulators should take an outcomes-focused approach (which may include economic outcomes and structures) when they consider applying existing regulatory frameworks to, or adopting new frameworks for, crypto-asset markets?
- CoinDCX response: An outcomes based approach to policy, particularly for innovative new technology that has thus far not produced any significant negative externalities (all of which are thus far hypothetical – that is, regulators are cautious of crypto assets because of their potential to create systemic risk as opposed to having any actual history of doing so) will yield distorted policy outcomes.
- To begin with, there is no consensus amongst regulators whether crypto assets are desirable at all, with attitudes varying from proactive embrace to fierce scepticism. Consequently, there is no consensus for desired economic outcomes either. Adoption of an outcome based policy approach would almost certainly result in regulatory arbitrage, the development of underground markets, and offshoring of funds – enabled by the fact that crypto assets are internet-native, permissionless, and decentralised – making them borderless by design.
- The digital asset industry has had as hostile a relationship with regulators as any industry out there – and has been generally met with friction and scepticism since its inception. Of course, there are political elements unfortunately intertwined with the development of blockchain protocols, as the current iteration of assets were popularised in part as a movement against irresponsible monetary policy by Central Banks post the 2008 financial crisis.
- While the technology has been lauded as revolutionary, the assets that convey a protocol’s economic incentives and underpin the continued functioning and security of a platform have often been paradoxically vilified – without acknowledgement of the fact that one does not have value without the other. In our zeal to maintain visibility on all transactions as a holy grail for financial technology, the ability for people to pseudonymously send assets to one another has overshadowed the fact that protocols like Bitcoin and Ethereum achieve robustness, functionality, and uptime surpassing every other financial institution or payment service provider, underpinned by dispersed, decentralised economic organisations without corporate structures – the first examples of internet communities where ‘code is law’.
- Of course, the value of crypto assets has been acknowledged by the market – a recent 2023 Citibank report estimates that there are over 400 million people who are crypto users or have at least used crypto assets at some point in time, mirroring 2022 estimates published by BCG, which estimated that adoption of Web3 technologies is happening at a pace in line with internet adoption in the 1990s and early 2000s. This contrast in attitudes between regulators and citizens will necessarily lead to biased policy outcomes if an outcomes-first approach is adopted.
- The real world results of outcome based policy at odds with market sentiment and retail demand can already be seen in countries like India and Nigeria. In both cases, the central bank stepped in to ‘ring-fence’ financial institutions from dealing in, or allowing their clients to transact in digital assets (India in April 2018, and Nigeria in February 2021). These policies were put in place to achieve the desired outcome of discouraging investment and use of crypto assets.
- However, according to recent reports by various firms including on-chain analytics leader Chainalysis, adoption in India and Nigeria is amongst the highest in the world. Not only did outcome-based policy fail in discouraging interest in crypto assets, it actively contributed (and is perhaps the main factor) to creating thriving underground and offshore markets in both nations.
- Although the Indian Supreme Court struck down the RBI’s mandate in 2020, the 1% Tax Deducted at Source (TDS) on every crypto asset trade introduced in 2022 has proven to be equally prohibitive, once again with the intention of discouraging market activity while simultaneously attempting to create visibility on the flow of funds. The result was the same once again: Indian digital asset users were not deterred, instead moving to offshore exchanges – where they have no legal recourse in the event of fraud or insolvency (e.g. FTX). According to a report published by the ESYA Center, over USD 400 million is traded every month via P2P by Indians to on-ramp and off-ramp on international platforms – more than the combined volume of compliant Indian exchanges after the introduction of the 1% TDS. Of note, Nigerians are estimated to transact almost triple that amount monthly, using the same sampling methodology.
- While it is our belief that blockchain protocols and crypto assets were built with the open-source ethos of promoting inclusivity, self-reliance and transparency, and of creating software and digital platforms that serve as global public goods, and should be celebrated as such, we understand that our views may not be shared by regulators. Nevertheless, at the very least the cornerstone of any policy regimen must be the principles of fairness, neutrality, and existing precedent based on the prior experiences of other industries and the law of the land. Nations that have adopted a proactive, principles-based approach – Japan, the UK, and South Korea, to name a few – have managed to achieve relatively higher rates of compliance and visibility.
- While the crypto asset market has grown remarkably over the last decade, by any estimate (including those by other SSBs) it is far from posing a systemic risk. In such a scenario where the current manifestation of risk is inadequate to warrant hasty regulation, a cautious neutral approach based on broader first principles will yield more favourable policy results as compared to an outcomes-based approach.
RECOMMENDATIONS ON GOVERNANCE AND DISCLOSURE OF CONFLICTS
Recommendation 2: Regulators should require a CASP to have effective governance and organisational arrangements, commensurate to its activities, including systems, policies and procedures that would, amongst other things, address conflicts of interest, including those arising from different activities conducted, and services provided by a CASP or its affiliated entities.
Recommendation 3: These conflicts should be effectively identified, managed and mitigated. A regulator should consider whether certain conflicts are sufficiently acute that they cannot be effectively mitigated, including through effective systems and controls, disclosure, or prohibited actions, and may require more robust measures such as legal disaggregation and separate registration and regulation of certain activities and functions to address this Recommendation.
Recommendation 4: Regulators should mandate that a CASP accurately discloses every role and capacity in which it operates at all times. These disclosures must be communicated in plain, concise, non-technical language, tailored to the CASP’s clients, prospective clients, the general public, and regulators in all jurisdictions where the CASP conducts its activities and offers services. Pertinent disclosures should be made before entering into an agreement with a prospective client and whenever there is a change in the CASP’s position (for instance, when undertaking a new or different role or capacity).
Does Chapter 2 adequately identify the potential conflicts of interest that may arise through a CASP’s activities? What are other potential conflicts of interest which should be covered?
- CoinDCX response: The document is focused on vertical integration in corporate entities, specifically brokers, exchanges or marketplace platforms; that is, exchange platforms performing the function of trading venue, market maker, and custodian. For example, regulation mandating parity between CeFi treasuries and DeFi treasuries, i.e. via scrutiny of assets, would aid efforts to minimise conflicts of interest and consequent abusive behaviours.
- Conflicts of interest may certainly arise due to vertical integration as described; however, potential conflicts of interest associated with the development of the software underpinning a platform, or conflicts of interest that arise through the use of a platform-based token, have not been elaborated upon. Although the nature of fraud or manipulation that occurs through these avenues has real-world analogues, the method through which they are executed is somewhat unique to the crypto asset space.
- For example, while vertical integration certainly played a key part in enabling the collapse of FTX, FTX’s repeated use of its own token, FTT, as collateral would be problematic in any circumstance. A fundamental difference between traditional securities brokers and CASPs is that CASPs have actual custody of assets. This is particularly problematic with regard to conflicts of interest arising in software development: in startup CASPs, developers often double up as asset managers, meaning they have access to client funds and are capable of creating security vulnerabilities to orchestrate hacks.
Do respondents agree that conflicts of interest should be addressed, whether through mitigation, separation of activities in separate entities, or prohibition of conflicts? If not, please explain. Are there other ways to address conflicts of interest of CASPs that are not identified?
- CoinDCX response: When discussing conflicts of interest, particularly those related to vertical integration in CASPs, what matters is the fact that CASPs can be vertically integrated in this way in the first place. Indeed, it would be difficult, if not impossible, for a startup to create the same functionality in legacy finance, whether as a broker-dealer or as a payment service provider. Public blockchain infrastructure, such as that offered by protocols like Bitcoin and Ethereum, allows users to create these platforms in a permissionless fashion at a fraction of the cost of creating the same platform through bank accounts and bank APIs, for example. Thus, segregation of verticals is being discussed purely due to issues that arise from conflicts of interest, as opposed to any other practical consideration.
- In the process of mitigating conflicts of interest, it is essential that innovation is not neutered: requiring all CASPs (as currently defined) to segregate activities into separate entities is needless red tape, particularly when the most efficient and, more importantly, most secure solution would be an integrated monolithic software architecture under one roof and one entity. It would also be a prohibitive requirement for startup CASPs.
- Take for example an online NFT marketplace offering a BTC based trading venue for NFTs related to a particular internet subcommunity, started as a passion project. The owners of the platform use one of the many open-source software solutions to process payments and custody user funds, such as BTCPay Server (of note: BTCPay Server is not a custodial solution, rather it is a free, open-source software allowing users to set up their own Bitcoin based, end-to-end payment gateway solution). Regulators should be cautious in taking away the ability of individual freelancers or small communities to monetise their products (art, other digital items / assets) and services without going through rent-seeking platforms.
- Such an entity would fall under the general definition of a CASP, and would not exist if IOSCO standards for market structure were applicable to every digital asset business.
- On the other hand, the reality is that most CASPs, particularly those initially starting up, already do segregate functions. For example, BitGo is widely used by CASPs of all sizes as a hot-wallet custody solution, and recently launched the ‘Go’ network, a platform for institutional clients to access on-chain liquidity. Hardware wallet manufacturer Ledger began a similar initiative in May 2023 with an open, enterprise-grade trading platform designed to meet their risk management and regulatory requirements. Similarly, trusted market makers like Wintermute have emerged to fill the liquidity gap that exchanges had to fill themselves during earlier years. Even within DeFi, the majority of Ethereum nodes are actually hosted by a third-party service like Alchemy or Infura. However, formalising this simply for the sake of bringing CASPs in line with platforms otherwise covered by IOSCO seems unnecessary without adequate precedent.
- The use of public blockchain protocols does open up several additional possibilities to mitigate conflicts of interest and the market abuse it enables. For example, as a response to the collapse of FTX in 2022, a great many digital asset trading platforms opted to regularly publish ‘Proof-of-Reserves’ and ‘Proof-of-Liability’ attestations – dynamic, real time audits allowing anyone to independently verify the assets under management for a particular platform.
- Indeed, the baked-in transparency that crypto assets offer has allowed a brand of financial sleuthing unique to the industry, with several high-profile scams, hacks, and other types of fraud exposed by ordinary people, as opposed to law enforcement agencies. It is our view that addressing issues related to conflicts of interest arising from vertical integration by mandating the use of certain software or platforms that leverage the transparency of public blockchain protocols to mitigate risks is preferable, and will lead to more favourable policy outcomes than mandating an arbitrary separation of functions.
Does Recommendation 3 sufficiently address the manner in which conflicts should be disclosed? If not, please explain.
- CoinDCX response: Yes, the document extensively covers the manner in which conflicts should be disclosed, and the degree of vertical integration a platform incorporates by explicitly stating the different functions the controlling entity handles. However, it should be noted that CASPs have an inherently different risk profile compared with legacy broker-dealers, as they have direct custody of, or at least direct access to, user funds. Coupled with the fact that transactions on public blockchain protocols are in general irreversible (a necessary feature to maintain trust in a decentralised system), and the borderless nature of crypto assets, disclosing too much about how a platform functions can lead to very real, often catastrophic and entirely unacceptable security risks. We humbly ask the authors and relevant stakeholders reviewing the responses to this document to keep this fact in mind when prescribing best practices for disclosures to CASPs.
RECOMMENDATIONS ON ORDER HANDLING AND TRADE DISCLOSURES (TRADING INTERMEDIARIES VS MARKET OPERATORS)
Recommendation 4: Regulators should require a CASP, when acting as an agent, to handle all client orders fairly and equitably. Regulators should require a CASP to have systems, policies and procedures to provide for fair and expeditious execution of client orders, and restrictions on front running client orders. Regulators should require that a CASP discloses these systems, policies and procedures to clients and prospective clients, as relevant. Orders should be handled promptly and accurately recorded.
Recommendation 5: Regulators should require a CASP that operates a market or acts as an intermediary (directly or indirectly on behalf of a client) to provide pre- and post-trade disclosures in a form and manner that are the same as, or that achieve similar regulatory outcomes consistent with, those that are required in traditional financial markets.
What effect would Recommendations 4 and 5 have on CASPs operating as trading intermediaries? Are there other alternatives that would address the issue of assuring that market participants and clients are treated fairly?
- CoinDCX response: We are wholly aligned with IOSCO’s recommendations on pre- and post-trade disclosures, as well as a commitment on the part of CASPs (when operating trading platforms) to execute orders in a prompt and transparent manner, endeavouring to fulfil trades at the best available price. While issues related to market manipulation and deception of investors continue to plague the industry (the collapse of FTX, for example), it is worth noting that large crypto-crypto trading platforms operate at a very high degree of efficiency; for example, spreads are as low as 15 basis points across high-volume pairs on the top 5 international crypto asset exchanges. Market manipulation, at least by smaller players, is difficult given the readily available liquidity (and transferability of assets) in the market.
- The exception to this is in situations where government policy, whether through ring fencing or taxation (as described earlier), creates market distortions – for example, India's implementation of a 1% TDS on all sales of crypto assets.
Do respondents believe that CASPs should be able to engage in both roles (i.e. as a market operator and trading intermediary) without limitation? If yes, please explain how the conflicts can be effectively mitigated.
- CoinDCX response: In principle, it is our view that limitations should be placed based on risk, as opposed to based on activities wholesale. Therefore, yes, CASPs should be able to engage in both roles. Fundamentally, the objectives behind the segregation of functions in the securities broker industry are not analogous to custody of crypto assets. Segregation exists as a bulwark against conflict of interest, but also because segregation of multiple functions is required to have an efficient equity market, for example; with crypto assets, their very design makes it so that custody, trading, and settlement can happen in an integrated manner. Thus, the purpose of a regulation that would mandate segregation of functions would primarily be limited to mitigating conflict of interest.
- An exception to this is liquidity, particularly on centralised platforms, where a conflict of interest might manifest in an analogous fashion to those cautioned against by IOSCO in various guidances. Ensuring that a platform limits market making is therefore necessary, particularly if it is running an exchange model as opposed to a broker model (where, despite whatever fees the broker may extract, they are still price-takers, as opposed to an exchange, where a market maker can act as price-maker). However, we must also be cognizant of the fact that the ability to self-custody and permissionless transfer also allows users to 'vote with their feet' – in this case money – by leaving platforms when faced with abusive market behaviour.
- Secondly, allowing the digital asset industry to exist as a real-world staging environment for fintech innovation will maximise the industry's potential impact – and nurturing entrepreneurs to innovate leveraging this borderless, digital public infrastructure is key to achieving this.
- Avenues building upon the features of public blockchain protocols, such as technology standards mandating proof-of-reserves, wallet segregation and activity reporting, and on-chain transaction reporting, should be exhausted first before mandating compliance in line with existing IOSCO standards. Given that the ethos of 'code is law' is enforced via users running particular open-source clients (e.g. Bitcoin Core), jurisdictions may instead opt to provide development toolkits or ancillary open-source software to CASPs so that they can more easily comply – this will allow regulators far greater transparency and control, while simultaneously reducing the compliance burden on CASPs.
- As an example of self-regulation by the industry, while proof-of-reserves as a term has been popularised recently, exchanges have been publicly sharing their wallet addresses for the better part of a decade.
- Even in the absence of toolkits provided by the government, a reference framework can be developed to guide CASPs. For example, CASPs would be required to integrate software (either provided by the government or a trusted third party, or developed according to a reference framework) that dynamically provides information on wallet balances and transactions, and can be configured to follow black/white lists of wallets.
- A great initiative to extract lessons from is the European Union Digital Identity (EUDI) project, which is currently being piloted by four large-scale consortia across the EU. A comprehensive ARF (Architecture and Reference Framework) was provided to guide participants on the minimum requirements for wallet providers and custodians of PII (Personally Identifiable Information).
- Next, it is important to mention that the functions of a CASP go beyond those of a broker in other assets or commodities – as they are almost always involved in some form of money transmission or provision of payment services (by virtue of the transferable characteristics of crypto assets) – and are already compliant with the anti-money-laundering guidelines published by the FATF on the treatment of crypto assets. These guidelines can also serve as a useful additional check to disincentivize abusive market behaviour – for example, Travel Rule enforcement across the globe in partnership with the regulators of other countries is required to help keep transactions attributable and compliant.
- Finally, segregation can be a better option only when appropriate services and firms exist to fill the regulatory gap – for example, in India neither regulations nor trusted third party custodians exist yet. Both a conducive environment and comprehensive policy on custodians is a necessary precursor to any regulation demanding segregation of functions, custody in particular.
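The wallet-monitoring software described above (balance and transaction visibility plus configurable black/white lists) can be sketched in a few dozen lines. The following is an added example, not code from CoinDCX or IOSCO: every address, list entry and transfer is constructed, and the deny/allow lists stand in for whatever a jurisdiction's reference framework would mandate. It also treats movements between two platform-controlled wallets as internal transfers that are recorded but not screened, which is the case the response notes as idiosyncratic to crypto assets.

```python
"""Wallet-activity monitor for a CASP: balances of platform-controlled
wallets plus allow/deny-list screening of external counterparties.

Added example, not CoinDCX's or IOSCO's code. Every address, list entry
and transfer below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    txid: str
    sender: str
    recipient: str
    amount: int  # smallest unit of the asset; integers avoid float rounding
    asset: str


@dataclass(frozen=True)
class Alert:
    txid: str
    address: str
    reason: str


# Constructed sample configuration (placeholder addresses, not real ones).
PLATFORM_WALLETS: Set[str] = {"hot-1", "cold-1"}
DENY_LIST: Set[str] = {"addr-sanctioned-x"}
ALLOW_LIST: Set[str] = {"addr-retail-a", "addr-retail-b", "addr-retail-c"}

# Constructed sample transfers, as a chain watcher or internal ledger would emit them.
SAMPLE_TRANSFERS: List[Transfer] = [
    Transfer("tx1", "addr-retail-a", "hot-1", 50_000, "BTC"),     # customer deposit
    Transfer("tx2", "hot-1", "cold-1", 40_000, "BTC"),            # sweep to cold storage
    Transfer("tx3", "addr-sanctioned-x", "hot-1", 1_000, "BTC"),  # deposit from denied address
    Transfer("tx4", "hot-1", "addr-unknown-z", 2_000, "BTC"),     # withdrawal to unvetted address
    Transfer("tx5", "addr-retail-b", "hot-1", 10_000, "BTC"),     # customer deposit
]


def wallet_balances(transfers: Iterable[Transfer], wallets: Set[str]) -> Dict[Tuple[str, str], int]:
    """Net balance per (wallet, asset) for the platform-controlled wallets."""
    balances: Dict[Tuple[str, str], int] = defaultdict(int)
    for t in transfers:
        if t.sender in wallets:
            balances[(t.sender, t.asset)] -= t.amount
        if t.recipient in wallets:
            balances[(t.recipient, t.asset)] += t.amount
    return dict(balances)


def screen_transfers(transfers: Iterable[Transfer], wallets: Set[str],
                     deny: Set[str], allow: Optional[Set[str]] = None) -> List[Alert]:
    """Flag external counterparties that are on the deny list or, when an
    allow list is configured, absent from it. Movements between two platform
    wallets are internal: counted by wallet_balances but not screened."""
    alerts: List[Alert] = []
    for t in transfers:
        sender_internal = t.sender in wallets
        recipient_internal = t.recipient in wallets
        if sender_internal and recipient_internal:
            continue  # internal sweep between platform wallets
        if not (sender_internal or recipient_internal):
            continue  # does not touch the platform at all
        counterparty = t.sender if recipient_internal else t.recipient
        if counterparty in deny:
            alerts.append(Alert(t.txid, counterparty, "counterparty on deny list"))
        elif allow is not None and counterparty not in allow:
            alerts.append(Alert(t.txid, counterparty, "counterparty not on allow list"))
    return alerts


def monitor_report(transfers, wallets, deny, allow=None):
    """What a regulator-facing reporting endpoint would return on request."""
    return {"balances": wallet_balances(transfers, wallets),
            "alerts": screen_transfers(transfers, wallets, deny, allow)}


if __name__ == "__main__":
    report = monitor_report(SAMPLE_TRANSFERS, PLATFORM_WALLETS, DENY_LIST, ALLOW_LIST)
    for key, value in report["balances"].items():
        print(key, value)
    for alert in report["alerts"]:
        print(alert)
```

On the constructed data the hot wallet nets to 19,000 units and the cold wallet to 40,000, and two transfers are flagged: the deposit from the deny-listed address and the withdrawal to an address outside the allow list. A production version would source transfers from a chain indexer and keep the lists under version control so that every screening decision is reproducible.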
Given that many crypto-asset transactions occur "off-chain", how would respondents propose that CASPs identify and disclose all pre- and post-trade "off-chain" transactions?
- CoinDCX response: Typically, off-chain transactions refer to trades on platforms or via pooled funds, closed wallet-to-wallet or internal database transfers (like those on a prepaid wallet provider such as PayPal), or movement between addresses controlled by the same entity (for example, the deposit address in a cryptocurrency exchange for a retail user is not the same address from which funds are withdrawn).
- With the exception of internal wallet transfers from the same controlling entity (which is somewhat idiosyncratic to crypto assets), existing laws, regulations, and precedents are sufficient in instructing the correct disclosures for off-chain transactions by CASPs.
- Adequate guidance exists in multiple verticals; for example (as referenced in the document), the FATF published its guidelines for how jurisdictions may integrate CASPs as reporting entities to the local FIU or relevant agency in 2021, and these have been adopted by several nations already. Similarly, we believe guidelines issued by securities regulators (as well as the IOSCO standards) are sufficient in guiding the treatment of trade disclosures.
- This is perhaps more complicated in the case of newer digital assets like NFTs; although on a centralized platform, for 'off-chain' transactions, we believe existing laws across the sale of property (both tangible and intangible), e-commerce laws, securities laws, etc. are sufficient in guiding how CASPs may disclose pre- and post-trade off-chain transactions.
RECOMMENDATIONS IN RELATION TO LISTING OF CRYPTO-ASSETS AND CERTAIN PRIMARY MARKET ACTIVITIES
Recommendation 6: Regulators should require a CASP to establish, maintain and appropriately disclose to the public their standards — including systems, policies and procedures — for listing / admitting crypto-assets to trading on its market, as well as those for removing crypto-assets from trading. These standards should include the substantive and procedural standards for making such determinations.
Recommendation 7: Regulators should require a CASP to manage and mitigate conflicts of interest surrounding the issuance, trading and listing of crypto-assets. This should include appropriate disclosure requirements and may necessitate a prohibition on a CASP listing and / or facilitating trading in, its own proprietary crypto-assets, or any crypto-assets in which the CASP, or an affiliated entity, may have a material interest.
Will the proposed listing/delisting recommendations in Chapter 4 enable robust public disclosure about traded crypto-assets? Are there other mechanisms that respondents would suggest to assure sufficient public disclosure and avoid information asymmetry among market participants?
- CoinDCX response: We thank IOSCO for their relatively light-touch approach towards qualifying tokens for listing, and would like to emphasise that regulators should be cautious in creating stringent listing requirements, particularly as the correct path for a blockchain protocol is not yet clear. For example, take Bitcoin – aside from the initial 2009 paper by Satoshi Nakamoto, there is no official white paper for Bitcoin, nor any official organisation that may claim liability – yet it has the most liquidity and trading volume, and has the second most active development. There is also nuance in understanding what metrics mean – for example, while Ethereum may have a sufficiently dispersed asset ownership profile, active developers from around the world, a wide array of stakeholders, and acceptable decentralisation of validators, there is significant concentration in nodes – the majority are run by centralised third-party services like Infura or Alchemy.
- Thus, there is a real danger that any metrics prescribed now will be insufficient and distortionary when evaluating a particular token for listing or delisting, as the path, or journey, of a protocol from a startup or open-source project into a platform transacting billions of dollars every day does not have sufficient precedents.
- The same can be said for developer activity (measured through any number of metrics, e.g. commits or active developers collected from GitHub) – while many have purported that developer activity is the best substitute for measuring momentum in the absence of a conventional corporate structure (balance sheets etc.), only a portion of the ecosystem, i.e. protocols like Bitcoin and Ethereum, and often not the DeFi apps used on them, can be accurately measured this way.
- Nevertheless, while there are challenges in creating an appropriate listing criterion, it is essential that one is implemented to mitigate the proliferation of tokens that are unambiguously securities, Ponzi schemes, or other scams. At the same time (as discussed above), trading venues will need some amount of discretion when listing tokens and cannot have a set-in-stone criterion – this is already the case even with market leaders like Coinbase or Binance. A better route might be to empower certain digital asset trading platforms via an SRO or official licensing to make discretionary decisions on listing and delisting, instead vetting the platforms themselves and providing principle-based guidance on which tokens to list and delist. We find this path preferable at the nascent stage in which the industry currently exists.
Do respondents agree that there should be limitations, including prohibitions on CASPs listing and / or trading any crypto-assets in which they or their affiliates have a material interest? If not, please explain.
- CoinDCX response: While we understand the very real dangers of conflict of interest, particularly when trading venues launch their own tokens (as seen in the FTX fiasco), we strongly oppose prohibition as described in the document, as this provision is tantamount to prohibiting any exchange or platform with any sort of trading product from launching their own tokens. This seems unjust considering that other exchange token projects, like BNB, are some of the most successful token models that currently exist; in fact, USDT was originally a token native to the Bitfinex platform and now does more settlement volume than Visa and Mastercard combined.
- Our objection to prescribed listing rules is closely related to our objections about mandating a separation of functions in CASPs – while the concerns raised here are justified and relevant, caution should be exercised by policy makers to ensure that, in the interest of marginal gains in consumer protection, innovation is not neutered, given the still very nascent stage the crypto asset industry is in.
RECOMMENDATIONS TO ADDRESS ABUSIVE BEHAVIOURS
Recommendation 8: Regulators should bring enforcement actions against offences involving fraud and market abuse in crypto-asset markets, taking into consideration the extent to which they are not already covered by existing regulatory frameworks. These offences should cover all relevant fraudulent and abusive practices such as market manipulation, insider dealing and unlawful disclosure of inside information; money laundering / terrorist financing; issuing false and misleading statements; and misappropriation of funds.
Recommendation 9: Regulators should have market surveillance requirements applying to each CASP, so that market abuse risks are effectively mitigated.
Recommendation 10: Regulators should require a CASP to put in place systems, policies and procedures around the management of material non-public information, including, where relevant, information related to whether a crypto-asset will be admitted or listed for trading on its platform and information related to client orders, trade execution, and personally-identifying information.
In addition to the types of offences identified in Chapter 5, are there:
a.) Other types of criminal or civil offences that should be specifically identified that are unique to crypto-asset markets, prevention of which would further limit market abuse behaviors and enhance integrity?
b.) Any novel offences, or behaviours, specific to crypto-assets that are not present in traditional financial markets?
If so, please explain.
- CoinDCX response: For the most part, crypto assets and related activities are meant to be internet-native or, more broadly, digital analogues of real-world assets – whether they be shares, commodities, real estate or art. Similarly, the activities have analogues – for example, a Bitcoin transaction is close to handing a physical asset, like a bar of gold, over to someone, and creating an NFT is like having the artist sign it for you. Thus, the vast majority of crimes are already covered under existing laws, including those that pertain to data protection, privacy, and other internet laws.
- Having said that, there are some activities or attacks that are somewhat, if not entirely, unique. For example, what is the consequence of hacking a DeFi protocol that is decentralized in ownership and has open-source code? If, indeed, 'code is law' according to developers of general-purpose blockchain protocols (like Ethereum or Solana), the attacker was simply following the rules.
- Although the IOSCO report specifically carves out DeFi from its scope, it's important to note that many CASPs directly interface with DeFi products, and offer their services as add-ons to customers. As a result, potential attack vectors exist through CASPs, particularly when a particular CASP has an outsized effect on a particular DeFi protocol.
- In summary, greater clarity on how offences, liability, and enforcement work when dealing with decentralized analogues or interactions with decentralized platforms is required, even when creating guidance specific to centralised entities (like brokers and exchanges) that are the focus of this consultation.
Do the market surveillance requirements adequately address the identified market abuse risks? What additional measures may be needed to supplement Recommendation 9 to address any risks specific to crypto-asset market activities? Please consider both on- and off-chain transactions.
- CoinDCX response: The market surveillance principles (for both on- and off-chain transactions) detailed in the document are sufficient for the purposes of CASP regulation. As previously pointed out, the FATF released detailed guidance on how to track and report crypto asset trades and transactions in 2021, which has since been adopted (within local context) by several member nations, as detailed extensively in other responses.
- CASPs may be mandated to build trading systems to protect users from market manipulation, via appropriate guidance either through SSBs, government agencies, or SROs – for example price circuits for certain pairs based on globally accepted price indices. For newer markets, guidance and disclosures that can be issued to investors can be implemented by SSBs as guidance after global discussions.
- Additionally, this is another opportunity for regulators to attempt to provide tech-based governance via government reporting platforms, software, toolkits, and technological requirements.
RECOMMENDATIONS ON CROSS-BORDER COOPERATION
Recommendation 11: Regulators, in recognition of the cross-border nature of crypto-asset issuance, trading, and other activities, should have the ability to share information and cooperate with regulators and relevant authorities in other jurisdictions with respect to such activities. This includes having available cooperation arrangements and/or other mechanisms to engage with regulators and relevant authorities in other jurisdictions. These should accommodate the authorisation and on-going supervision of regulated CASPs, and enable broad assistance in enforcement investigations and related proceedings.
Which measures, or combination of measures, would be the most effective in supporting cross-border cooperation amongst authorities? What other measures should be considered that can strengthen cross-border co-operation?
- CoinDCX response: The key to effective international cooperation is to first (as previously mentioned) move away from prescribing an outcomes-focused approach to the regulation of crypto assets – as there is clearly no consensus amongst nations even on the topic of the desirability of the industry. It goes without saying that a government that nurtures its crypto asset sector as desirable, aspirational, and a positive technological force going forward will be dissonant with a nation that tolerates crypto assets the same way it tolerates a small amount of narcotics use as a necessary evil. While we disagree with (and are often confused by) the latter, reconciling these diametrically opposed views is a futile exercise; we would be better served by first agreeing on and adopting an approach built first and foremost around the principles of fairness, access and equality before tempering it with risk-appropriate guardrails. In the absence of such a consensus, we feel that significant international cooperation on crypto assets will fail to materialise to an extent that will adequately address the concerns of regulators.
- Crypto asset regulation is a topic that is characterised by several overlapping regulatory domains and regulators in any jurisdiction. In traditional sectors, overlapping regulations have worked because of the status quo that precedent-based legal systems put in place, but for an emerging tech sector like crypto, where international cooperation is vital, it will be critical for governments across the world to bring these various sub-domains together, giving international and domestic stakeholders a uniform and single point of reference, even while different Ministries and Departments initiate the regulatory processes for aspects of the crypto ecosystem under their respective jurisdictions.
- Next, in the wake of the bankruptcy of some of the biggest crypto exchanges in the world, it is important to learn from the experience of those nations and regulatory frameworks that withstood these crises, for instance Japan.
- The Japanese Financial Services Agency (FSA) regulates the crypto sector in Japan. It works with the Japan Virtual Currency Exchange Association (JVCEA) and the Japan Security Token Offering Association (JSTOA) for regulatory purposes. The JVCEA creates rules and policies for crypto exchange service providers while the JSTOA supervises token offerings and other crowdfunding events. Japanese lawmakers have framed exchange-based rules with the objective of safeguarding market integrity. The global FTX saga began in early November 2022, when FTX began imploding, following allegations that the company had severely mismanaged customer assets. FTX Japan was one of the several international FTX subsidiaries. But, unlike other subsidiaries, FTX Japan was under the purview of strict Japanese crypto regulations. As a result, the company claimed that the exchange was still solvent, customers’ holdings and funds were protected, and it initiated the withdrawal process.
- Moreover, countries can have distinct political/economic philosophies and distinct policies to deal with Virtual Assets, but given the nature of the technology, the need for global collaboration on specific aspects such as Supervision or Monitoring of VASPs for AML/CFT purposes; Preventive measures, such as customer due diligence, recordkeeping, and suspicious transaction reporting, among others; and Sanctions and other Enforcement Measures is of paramount importance, and is suitably covered by the FATF in its ‘Guidance For A Risk-Based Approach On Virtual Assets (VAs) And Virtual Asset Service Providers (VASPs)’.
- The "Travel Rule", which is also Recommendation No. 15 and one of the most important requirements of the "FATF's Updated Guidance For A Risk-Based Approach On Virtual Assets And Virtual Asset Service Providers", is the cornerstone for finding global synergy with respect to VASP regulation, as is widely discussed. The Travel Rule requires VASPs to share sender and recipient data with each other during transactions. That is why this regulation is called the "Travel Rule": the personal data of the transacting parties 'travel' along with their transfers. With respect to data sharing, the Guidance makes a distinction between "ordering VASPs" and "beneficiary VASPs", depending on whether the transaction originated from or is received by the VASP respectively. Hence, it is imperative that local governments put in place legislation/regulations to ensure that all domestic and foreign VASPs operating in a particular country are "Travel Rule compliant", and that their transaction data, as required to be collected and shared by the FATF, is acted upon. Only when countries are able to ensure domestic compliance will a meaningful application of the Travel Rule be possible. If certain jurisdictions refrain from proper implementation of the Travel Rule, then it creates opportunities for "compliance black boxes" to be created in the global regulatory regime, which is detrimental for all nations.
- In addition to Recommendation 15 (Travel Rule) above, recommendations 36-40 of the FATF Guidance are also of vital importance in building mechanisms for international collaboration and protecting cross-jurisdictional rights of different consumers and shareholders in case of failures of crypto asset service providers. They are listed below:
- Recommendation 36: Recognises international instruments identified by the FATF.
- Recommendation 37: Countries should have in place the tools necessary to cooperate with one another and provide mutual legal assistance.
- Recommendation 38: Help identify, freeze, seize, and confiscate the proceeds and instrumentalities of crime that may take the form of VAs as well as other traditional assets associated with VASP activities.
- Recommendation 39: Provide effective extradition assistance in the context of VA-related crimes or illicit actors who engage in illicit activities.
- Recommendation 40: Highlights other forms of international cooperation.
- All FATF member nations need to implement the above recommendations in their local jurisdiction in line and at par with the traditional financial sector to protect the interests of the VDA investors/consumers and the sector as well. Tying back to what has been mentioned earlier, these various aspects of domestic VDA regulation need to be tied together under an umbrella body to give this ecosystem the required regulatory clarity and stability, for the benefit of all stakeholders, as well as to reduce risk and harm.
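The ordering-VASP / beneficiary-VASP exchange the Travel Rule passage describes can be modelled end to end. The block below is an added example, not CoinDCX's or the FATF's code: the data elements follow the FATF pattern (originator name, account and one identifier; beneficiary name and account), but the threshold value, the VASP names, the customer records and the rejection reasons are constructed assumptions for this illustration. It shows both sides: the ordering VASP composes the message that travels with an outbound transfer, and the beneficiary VASP checks it for completeness and for consistency with its own account records before crediting.

```python
"""Travel Rule exchange between an ordering VASP and a beneficiary VASP.

Added example, not CoinDCX's or the FATF's code. The field set follows the
FATF pattern; the threshold value, VASP names and customer records are
constructed assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

THRESHOLD_USD = 1000.0  # assumption: de minimis threshold, set per jurisdiction
ORIGINATOR_FIELDS = ("name", "account", "identifier")  # identifier: e.g. customer id or national id
BENEFICIARY_FIELDS = ("name", "account")


@dataclass(frozen=True)
class TravelRuleMessage:
    transfer_id: str
    asset: str
    amount_usd: float
    ordering_vasp: str
    beneficiary_vasp: str
    originator: Dict[str, str]
    beneficiary: Dict[str, str]


class OrderingVASP:
    """Holds verified KYC records for its own customers and emits the message
    that travels alongside an outbound transfer."""

    def __init__(self, name: str, customers: Dict[str, Dict[str, str]]):
        self.name = name
        self.customers = customers  # customer_id -> verified record

    def compose(self, transfer_id: str, customer_id: str, asset: str, amount_usd: float,
                beneficiary_vasp: str, beneficiary_name: str,
                beneficiary_account: str) -> Optional[TravelRuleMessage]:
        if amount_usd < THRESHOLD_USD:
            return None  # below threshold: no message required in this model
        record = self.customers[customer_id]
        return TravelRuleMessage(
            transfer_id=transfer_id, asset=asset, amount_usd=amount_usd,
            ordering_vasp=self.name, beneficiary_vasp=beneficiary_vasp,
            originator={f: record.get(f, "") for f in ORIGINATOR_FIELDS},
            beneficiary={"name": beneficiary_name, "account": beneficiary_account},
        )


class BeneficiaryVASP:
    """Checks an inbound message before crediting the receiving account and
    retains it for record-keeping."""

    def __init__(self, name: str, accounts: Dict[str, str]):
        self.name = name
        self.accounts = accounts  # account -> verified customer name
        self.received: List[TravelRuleMessage] = []

    def evaluate(self, msg: TravelRuleMessage) -> Tuple[str, List[str]]:
        reasons: List[str] = []
        if msg.beneficiary_vasp != self.name:
            reasons.append("message addressed to a different VASP")
        for f in ORIGINATOR_FIELDS:
            if not msg.originator.get(f):
                reasons.append(f"missing originator {f}")
        for f in BENEFICIARY_FIELDS:
            if not msg.beneficiary.get(f):
                reasons.append(f"missing beneficiary {f}")
        account = msg.beneficiary.get("account")
        if account not in self.accounts:
            reasons.append("unknown beneficiary account")
        elif self.accounts[account] != msg.beneficiary.get("name"):
            reasons.append("beneficiary name does not match account holder")
        self.received.append(msg)
        return ("accept" if not reasons else "reject"), reasons


# Constructed records for the two sides of the exchange.
ORDERING = OrderingVASP("VASP-A", {
    "cust-1": {"name": "A. Sender", "account": "addr-a1", "identifier": "customer-id:cust-1"},
    "cust-2": {"name": "B. Sender", "account": "addr-a2"},  # identifier never collected
})
BENEFICIARY = BeneficiaryVASP("VASP-B", {"addr-b1": "C. Receiver"})


def run_exchange(customer_id: str, amount_usd: float, beneficiary_name: str = "C. Receiver",
                 beneficiary_account: str = "addr-b1") -> Tuple[str, List[str]]:
    """Both sides of one transfer: compose at VASP-A, evaluate at VASP-B."""
    msg = ORDERING.compose(f"tr-{customer_id}", customer_id, "BTC", amount_usd,
                           "VASP-B", beneficiary_name, beneficiary_account)
    if msg is None:
        return "no message required", []
    return BENEFICIARY.evaluate(msg)


if __name__ == "__main__":
    print(run_exchange("cust-1", 2500.0))   # complete record: accept
    print(run_exchange("cust-2", 2500.0))   # missing originator identifier: reject
    print(run_exchange("cust-1", 500.0))    # below threshold: no message
```

The point the passage makes, that a single non-compliant jurisdiction creates a "compliance black box", is visible in the model: if VASP-A never collected an identifier for a customer, VASP-B can only reject or hold the transfer, since nothing in the message lets it fill the gap itself.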
RECOMMENDATIONS ON CUSTODY OF CLIENT MONIES AND ASSETS
Recommendation 12: Regulators should apply the IOSCO Recommendations Regarding the Protection of Client Assets when considering the application of existing frameworks, or New Frameworks, covering CASPs that hold or safeguard Client Assets.
Recommendation 13: Regulators should require a CASP to place Client Assets in trust, or to otherwise segregate them from the CASP’s proprietary assets.
Recommendation 14: Regulators should require a CASP to disclose the following information to clients, in clear, concise, and non-technical language:
- How Client Assets are held, and the arrangements for safeguarding these assets and/or their private keys.
- The use (if any) of an independent custodian, sub-custodian, or related party custodian.
- The extent to which Client Assets are aggregated or pooled within omnibus client accounts, the rights of individual clients with respect to the aggregated or pooled assets, and the risks of loss arising from any pooling or aggregating activities.
- Risks arising from the CASP’s handling or moving of Client Assets, whether directly or indirectly, such as through a cross-chain bridge.
- Full and accurate information on the obligations and responsibilities of a CASP with respect to the use of Client Assets, as well as private keys, including the terms for their restitution, and on the risks involved.
Recommendation 15: Regulators should require a CASP to have systems, policies, and procedures to conduct regular and frequent reconciliations of Client Assets subject to appropriate independent assurance.
Recommendation 16: Regulators should require a CASP to adopt appropriate systems, policies and procedures to mitigate the risk of loss, theft or inaccessibility of Client Assets.
Do the Recommendations in Chapter 7 provide for adequate protection of customer crypto-assets held in custody by a CASP? If not, what other measures should be considered?
- CoinDCX response: While much of the guidance from IOSCO Standards as suggested in this document is appropriate and applicable, the risks related to custody CASPs face are different in one key dimension – data breaches can also represent direct theft of funds. As a result, the safety of funds, regardless of whether the method of custody is disclosed, is paramount.
- Thus, we believe that minimum standards should be prescribed for custodians of crypto assets – which could be achieved through an ARF document (like that provided for EUDI) or a similar toolkit. However, clarity is required on the exact contours of the disclosures required – as divulging the architecture and processes used by a custodian may enable bad actors. A detailed overview of the risks associated with custody of crypto assets has been shared in a later response.
- In the same vein, industry-recognised security certifications (ISO 27001, SOC 2, Cryptocurrency Security Standard (CCSS)) and independent security audits by reputed organisations may provide a middle ground to ensure a CASP is taking sufficient measures to protect customer funds while only revealing necessary information publicly.
- To ensure that startups are able to enter the crypto asset space without unnecessarily high capital requirements, an approach involving thresholds for AUM, transactions and trade volume should be applied to CASPs.
- Given the nascent state of the industry along with its historical volatility, some amount of insurance for CASPs, particularly trading platforms with large AUMs, is a chicken-and-egg obstacle the industry is yet to find a suitable answer for. However, there have been developments over the years:
- Japanese crypto exchanges could avail themselves of (limited) insurance coverage as far back as 2017, while crypto asset custody firm BitGo increased its digital asset insurance to USD 250 million. Coincover is partnering with Lloyd's to create a crypto policy that covers losses beyond those which an exchange might typically include. Creating an insurance layer will ultimately be a necessary requirement to ensure customer confidence in CASPs.
- Regulators should be cognizant of the fact that CASPs can offer non-custodial solutions as well; for example, dYdX provides exotic derivative products along with a powerful internal matching engine – with client funds held in a smart contract as opposed to with the firm. This could be a stronger alternative to segregation of funds as described in the document – and would once again showcase the relatively higher level of transparency the crypto asset industry has to offer. Once again, the risk profile, as well as potentially the liability, would be different for a platform offering non-custodial trading, where a larger proportion of risk would arise via code vulnerabilities and related technological failure.
Should the Recommendations in Chapter 7 address the manner in which the customer crypto-assets should be held?
How should the Recommendations in Chapter 7 address, in the context of custody of customer crypto-assets, new technological and other developments regarding safeguarding of customer crypto-assets?
CoinDCX response: As a response to both (a) and (b), prescribing the same standards as those for broker-dealers may be overbearing in some aspects, while simultaneously not covering all risks associated with digital asset custody. In the rapidly changing world of digital assets, the methods and nuances of custody have also rapidly changed – for example, MPC custody (differentiated from multi-party signatures) as a concept has only become popular in the last few years. In such a scenario, a principles-based approach is preferable, built around a few key concepts (such as identifying the necessary features required to classify a person as a UBO of a wallet or funds, maintaining that customer assets should not be commingled with platform funds in any way, and ensuring an adequate level of transparency in process and reserve reporting so as to reasonably assure market participants that their funds are safe). Beyond these high-level concepts, it would be counterproductive to explicitly prescribe requirements on how CASPs should use.
What safeguards should a CASP put in place to ensure that they maintain accurate books and records of clients’ crypto-assets held in custody at all times, including information held both on and off-chain?
CoinDCX response: As previously mentioned, the FATF 2021 guidelines (and similar local / SSB guidance) are sufficient for adequately covering records of client transactions. In conjunction with this, proof-of-reserves along with regular audits can help ensure that CASP user assets are accurately recorded.
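Proof-of-reserves and the reconciliation of Recommendation 15 fit together naturally: a CASP commits to every client balance in a Merkle sum tree, publishes the root, and each client can check that their own balance is included in the committed total, which an auditor then compares with on-chain holdings. The block below is an added example, not CoinDCX's code or any exchange's published scheme; the client ledger, salts and wallet holdings are constructed, and a real deployment would additionally sign and date the root and prove control of the listed wallets.

```python
"""Proof-of-reserves and reconciliation sketch: a Merkle sum tree over
client balances, an inclusion proof any single client can verify, and a
comparison of total liabilities against on-chain holdings.

Added example, not CoinDCX's code. Client records, salts and wallet
holdings are constructed for illustration.
"""
import hashlib
from typing import Dict, List, Tuple

Node = Tuple[bytes, int]  # (hash, sum of balances committed below this node)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_leaf(user_id: str, balance: int, salt: bytes) -> Node:
    """Leaf commits to the balance; the per-user salt keeps the user id
    private when leaves or proofs are published."""
    payload = b"leaf|" + salt + b"|" + user_id.encode() + b"|" + balance.to_bytes(16, "big")
    return sha256(payload), balance


def make_node(left: Node, right: Node) -> Node:
    """Internal node commits to both children and to their combined sum, so
    a balance cannot be changed without changing the root."""
    total = left[1] + right[1]
    return sha256(b"node|" + left[0] + right[0] + total.to_bytes(16, "big")), total


EMPTY_LEAF: Node = (sha256(b"empty"), 0)  # padding for odd-sized levels


def build_tree(leaves: List[Node]) -> List[List[Node]]:
    """Returns the levels bottom-up; levels[-1][0] is the root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        current = levels[-1]
        if len(current) % 2 == 1:
            current.append(EMPTY_LEAF)
        levels.append([make_node(current[i], current[i + 1]) for i in range(0, len(current), 2)])
    return levels


def inclusion_proof(levels: List[List[Node]], index: int) -> List[Tuple[bytes, int, bool]]:
    """Sibling (hash, sum, sibling_is_left) at each level on the path to the root."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling][0], level[sibling][1], sibling < index))
        index //= 2
    return proof


def verify_inclusion(leaf: Node, proof, root: Node) -> bool:
    """A client recomputes the path from its own leaf; the result must match
    the published root hash and the published total."""
    current = leaf
    for sib_hash, sib_sum, sib_is_left in proof:
        sibling = (sib_hash, sib_sum)
        current = make_node(sibling, current) if sib_is_left else make_node(current, sibling)
    return current == root


def reconcile(root: Node, onchain_holdings: Dict[str, int]) -> Dict[str, object]:
    """Compare committed liabilities (the root sum) with assets in platform wallets."""
    assets = sum(onchain_holdings.values())
    liabilities = root[1]
    return {"assets": assets, "liabilities": liabilities, "fully_backed": assets >= liabilities}


# Constructed client ledger (balances in the asset's smallest unit) and salts.
CLIENTS = [("alice", 5_000), ("bob", 3_000), ("carol", 2_000)]
SALTS = {user: b"salt-" + user.encode() for user, _ in CLIENTS}
LEAVES = [make_leaf(user, balance, SALTS[user]) for user, balance in CLIENTS]
TREE = build_tree(LEAVES)
ROOT = TREE[-1][0]
ONCHAIN_HOLDINGS = {"hot-wallet": 4_000, "cold-wallet": 6_500}  # constructed balances

if __name__ == "__main__":
    print("root hash:", ROOT[0].hex(), "committed liabilities:", ROOT[1])
    proof = inclusion_proof(TREE, 1)  # bob's leaf
    print("bob's proof verifies:", verify_inclusion(LEAVES[1], proof, ROOT))
    print(reconcile(ROOT, ONCHAIN_HOLDINGS))
```

Each client receives only their own leaf inputs and the sibling path, so they can verify inclusion without learning other clients' balances, and a client whose balance was under-reported will see the verification fail. The reconciliation step is the part an independent assurer performs against wallet balances the CASP has proven it controls.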
Should the Recommendations in Chapter 7 include a requirement for CASPs to have procedures in place for fair and reliable valuation of crypto-assets held in custody? If so, please explain why.
CoinDCX response: Yes; unfortunately, at this moment (as seen in the recent FTX fiasco), an appropriate valuation mechanism to arrive at a fair value for a token (and consequently a fair value for client assets) has proven difficult. While it is somewhat easier for most tokens, which are still concentrated to the point where a single entity can exert control over the protocol and are underpinned by a normal corporate entity (or entities), for the most traded tokens, such as Bitcoin and Ethereum, an appropriate valuation mechanism still doesn't exist. IOSCO guidelines on the same, following industry consultation, would no doubt be well received by all market participants.
Should the Recommendations address particular safeguards that a CASP should put in place? If so, please provide examples.
- CoinDCX response: Yes; while the space is still developing, safeguards based on basic first principles and global best practices should be introduced as guidance (that is not prescriptive).
- A comprehensive policy would broadly be based on:
  - Risk Assessment and Due Diligence:
    - Conduct thorough risk assessments of potential assets before listing them on the platform.
    - Perform due diligence on token issuers and projects to evaluate their credibility and viability.
    - Implement strict listing criteria and review processes to minimise the inclusion of high-risk assets.
  - Custody and Security Measures:
    - Utilise secure cold storage solutions to protect users' digital assets from online threats.
    - Implement multi-signature (multisig) wallets to require multiple approvals for asset transfers.
    - Regularly assess and enhance security protocols to stay ahead of evolving cybersecurity risks.
    - Maintain insurance coverage for digital assets to provide additional protection against losses.
  - User Education and Awareness:
    - Offer educational resources and guidelines to users regarding safe practices and risk management in the crypto space.
    - Promote awareness about the risks associated with investing in volatile assets and the importance of conducting thorough research.
  - Transparent Disclosure and Communication:
    - Provide clear and detailed information about the risks associated with different assets, including their volatility, liquidity, and regulatory considerations.
    - Communicate any significant updates, security incidents, or changes in policies promptly and transparently to users.
  - Continuous Monitoring and Surveillance:
    - Implement robust monitoring systems to detect suspicious activities, market manipulation, and potential security breaches.
    - Collaborate with external security firms and industry experts to conduct regular audits and penetration tests.
  - Collaborative Industry Efforts:
    - Engage in partnerships and collaborations with other reputable exchanges, regulators, and industry associations to share best practices and collectively improve security standards.
    - Contribute to the development of industry-wide guidelines and standards for asset custody and risk management.
  - Incident Response and User Protection:
    - Establish a comprehensive incident response plan to address potential security breaches or unauthorised access promptly.
    - Provide user compensation or reimbursement programs in case of any losses caused by security incidents or platform failures.
- Regulators must also recognize that a significant risk exists with the operators of a particular crypto asset platform, and not just the CASP that is providing custody. For example, Coinbase has developed a detailed best-practice list describing the same, summarised below as a good example of the risks faced and the best practices adopted by a leading CASP.
- Based on How Coinbase Protects Users from Risky Assets & ‘Token Custody Risks: Defining Security in the Crypto World’
- Operational Risks:
- Avoid centralised decision-making: Ensure no single actor has the authority to execute a dangerous function. Decentralise decision-making across multiple stakeholders.
- Implement strong governance systems: These can help mitigate superuser risks and ensure fair operation of the token network.
- Implementation Risks:
- Review all contract code: Examine the entire contract code, function by function, to identify unique or non-standard functions that could impact balance displays or transfer accuracy.
- Mitigate unique logic: If unique or non-standard logic is identified, develop specific mitigations to support it.
- Design Risks:
- Be aware of system features: Accepted system features can be exploited to alter intended smart contract behaviour. While these risks are not direct, they can open smart contracts up to potential exploits.
- Audit external calls: If essential balance-impacting functions contain external calls, audit the external call dependency for additional comfort.
- Superuser Risks:
- Establish strong/decentralised governance systems.
- Implement strong multisig key practices to execute operations.
- Consider revoking superuser privileges entirely.
- Novel Design Risks:
- Ensure previous external audits of the design.
- Develop in-house capabilities to safely support the token contract.
- Unique Accounting Risks:
- Develop backend integrations to support any balance changing, fee logic.
- Update contracts to include support required by the exchange.
- General Best Practices:
- Conduct thorough due diligence before interacting with a smart contract.
- Regularly monitor the contracts with which you interact.
- Understand transaction limitations.
- Be aware of non-standard accounting practices.
RECOMMENDATION TO ADDRESS OPERATIONAL AND TECHNOLOGICAL RISKS
Recommendation 17: Regulators should require a CASP to comply with requirements pertaining to operational and technology risk and resilience in accordance with IOSCO’s Recommendations and Standards. Regulators should require a CASP to disclose in a clear, concise and non-technical manner, all material sources of operational and technological risks and have appropriate risk management frameworks (e.g. people, processes, systems and controls) in place to manage and mitigate such risks.
Are there additional or unique technology/cyber/operational risks related to crypto assets and the use of DLT which CASPs should take into account? If so, please explain.
- CoinDCX response: Crypto assets and Distributed Ledger Technology (DLT) have gained significant attention and adoption in recent years. However, along with their potential benefits, there are also additional technology, cyber, and operational risks associated with crypto assets and the use of DLT. As Crypto Asset Service Providers (CASPs), it is crucial to recognize and address these unique risks to ensure the stability, security, and integrity of the crypto asset ecosystem. In this context, it is important to explore the specific technology-related, cyber, and operational risks that CASPs should take into account. By understanding and proactively managing these risks, CASPs can contribute to the development of a robust and resilient crypto asset ecosystem that promotes investor protection and safeguards against potential vulnerabilities.
- Creation, issuance, redemption, distribution, and underlying infrastructure of crypto-assets:
Operational risks: CASPs face risks related to the technology and operations they control. This includes smart contract design risks and deficient cybersecurity measures that could result in the unavailability or hacking of wallets holding/minting/burning tokens. Other operational risk events, such as loss of keys, fraud, mismanagement of token supply, or unreliable settlement of transactions, can also occur. For example, miner front-running attacks, where miners prioritise their own transactions over others', can lead to misconduct.
Cyber-security risks in wallets and custody: Provision of custodial (hosted) wallets and custody services: CASPs offering custodial services must address risks that could lead to the unavailability or unauthorised outflow of customers’ crypto-assets. This includes vulnerabilities in wallet software design and cybersecurity measures, as well as operational vulnerabilities such as the loss or mismanagement of private keys. Misconduct risks can arise from negligence, fraud/theft, poor administration, inadequate record-keeping, or the co-mingling of assets.
Operational risks in Provision of noncustodial (unhosted) wallets: CASPs providing noncustodial wallets face cybersecurity risks that could result in the unavailability or unauthorised outflow of users’ crypto-assets. Technical vulnerabilities in wallet software design and operational vulnerabilities stemming from user actions or knowledge gaps are important considerations.
- Transfer and transaction:
Operational risks: Unregulated entities within the crypto-asset ecosystem, whose records may be less reliable, are exposed to operational risks. These risks encompass cybersecurity risks, legal risks arising from uncertainties about the legal status of crypto-assets, and misconduct by service providers. Unregulated centralised trading platforms can pose particular risks. Conflicts of interest associated with exchanges should also be taken into account.
Investor protection: Lack of protection for users discourages the use of crypto-assets in transactions, particularly in the case of unregulated entities. Legal clarity regarding the classification of crypto-assets as financial instruments or otherwise is essential for regulatory compliance. Legal risks are further magnified in cross-border transactions.
These risks can be amplified when financial institutions (FIs) engage with CASPs, whether regulated or not. The use of crypto-assets may compete with fiat currencies in Emerging Market and Developing Economies (EMDEs) and potentially amplify volatility in non-reserve currencies and EMDE currencies. CASPs should therefore carefully evaluate and address these technology, cyber, and operational risks to ensure the safe and secure functioning of the crypto asset ecosystem and mitigate any adverse impacts on financial stability and investor protection.
Deep Dive – Understanding risks in crypto asset custody:
Blockchains are ledgers, and as such they are not organised by ‘wallet’ addresses the way a bank’s ledger would be; instead they rely on a complete historical record of transactions, from which wallet balances can be inferred. All possible public and private keys already exist: a public key does not have to be ‘created’ for a transaction to occur, and the network itself has no way of differentiating between a public key-private key pair that has been generated by a user and one that has not. The network also has no ‘white-list’ of addresses that are allowed or not; transacting is uncensorable. It is free and instant to generate new key pairs, such that every single transaction could use a different pair.
Conversely, this means that if, by accident, a user sends funds to a wrong address (although the chances of this are very slim as the chance of a mistyped address being a valid address is very low), or to an address where the receiver no longer has their private key, the funds are lost forever. This also means that while it is extremely difficult to hack the protocol itself (i.e. hack Bitcoin), if a bad actor gets access to users’ private keys, they cannot be stopped from taking funds and sending them to any number of newly created addresses. While wallet addresses can be flagged, and exchanges can be asked to not deal with persons transacting through flagged addresses, transactions are still irreversible, and recovering funds can be a lengthy process that requires the aid of law-enforcement.
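The observation above that a mistyped address is very unlikely to be a valid one rests on the checksum built into address encodings: a legacy Bitcoin address is Base58Check, i.e. a version byte, the 20-byte public-key hash, and the first four bytes of SHA-256(SHA-256(payload)), so a single transcription error is caught with a roughly 1-in-4.3-billion chance of slipping through. The following Python is an added example, not code from CoinDCX’s submission or from any exchange; it implements that encoding and the accept/reject check a custodian’s withdrawal flow can run before broadcasting. The 20-byte hash it encodes is a constructed sample value; the Bitcoin genesis-block address is used as a real-world check.

```python
import hashlib

# Base58 alphabet used by Bitcoin: 0, O, I and l are deliberately absent so that
# visually similar characters cannot be confused when an address is transcribed.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA-256(SHA-256(payload)), the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(version: int, data: bytes) -> str:
    """Encode version byte + data + 4-byte checksum as a Base58Check string."""
    payload = bytes([version]) + data
    full = payload + _checksum(payload)
    num = int.from_bytes(full, "big")
    digits = ""
    while num > 0:
        num, rem = divmod(num, 58)
        digits = B58_ALPHABET[rem] + digits
    # Each leading zero byte is represented by a leading '1' (the zero digit).
    leading_zeros = len(full) - len(full.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def b58check_decode(address: str):
    """Return (version, data) if the checksum is valid, otherwise None.

    Every malformed input (character outside the alphabet, too short,
    checksum mismatch) yields None rather than an exception, so a caller
    gets a single accept/reject decision and cannot forget a failure case.
    """
    num = 0
    for ch in address:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    leading_ones = len(address) - len(address.lstrip("1"))
    full = b"\x00" * leading_ones + body
    if len(full) < 5:  # need at least a version byte plus the 4-byte checksum
        return None
    payload, checksum = full[:-4], full[-4:]
    if _checksum(payload) != checksum:
        return None
    return payload[0], payload[1:]


def is_valid_p2pkh_address(address: str) -> bool:
    """True only for a mainnet pay-to-pubkey-hash address: version 0x00,
    a 20-byte hash, and a matching checksum. Anything else is rejected."""
    decoded = b58check_decode(address)
    if decoded is None:
        return False
    version, data = decoded
    return version == 0x00 and len(data) == 20


def corrupt_one_char(address: str, position: int) -> str:
    """Simulate a single transcription error by replacing one character
    with the next one in the alphabet (constructed test input)."""
    ch = address[position]
    replacement = B58_ALPHABET[(B58_ALPHABET.index(ch) + 1) % len(B58_ALPHABET)]
    return address[:position] + replacement + address[position + 1:]


if __name__ == "__main__":
    # Constructed sample: a 20-byte hash that is not a real key hash.
    sample = b58check_encode(0x00, bytes(range(20)))
    print(sample, is_valid_p2pkh_address(sample))                    # True
    print(corrupt_one_char(sample, 10), is_valid_p2pkh_address(corrupt_one_char(sample, 10)))  # False
```

The practical point for a custodian is the shape of `is_valid_p2pkh_address`: every rejection path returns False, and the check happens before funds move, because once the transaction is broadcast there is no reversal. Newer address formats (bech32) use a different checksum but the same principle applies.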
The most common attack vector in data breaches has always been the users of a system, rather than the system itself – attackers have found it easier to leverage human error and poor judgement than to bring down systems themselves, although this can still happen. In this context it is easy to see the vulnerability that is intrinsic to funds and data stored in VDAs: users themselves must be incredibly careful not to accidentally reveal their private key online, and must keep it in a safe yet accessible place so that it may be used over a long period of time. A natural consequence of this is the emergence of 3rd party VDA custodians, including ‘hot’ or online wallet providers, exchanges and other financial platforms, and pure custodians. This, however, creates a counterparty risk – if the 3rd party is hacked, all users could lose funds even if they did nothing wrong. It also means that users would have to trust 3rd party providers not to misappropriate their funds, something that has occurred repeatedly in the space.
Deep Dive – Key Risks & Attack Vectors for CASP Custodians:
This section gives a brief overview of the types of attack vectors related to custody by CASPs that exist – identifying them now before illustrating how they will be tackled by the custody solution presented in this note. These key risks can form the basis of guidance or regulation for CASP minimum technological standards.
- Systemic Risk vs Storage Risk: Systemic Risk refers to the risk that the system itself will be hacked, i.e. a 51% attack on the Bitcoin Protocol. Storage Risk refers to loss due to negligence like losing private keys or an individual being compromised.
- Storage Risk: Key Focus – Systemic Risk has proven low for large-cap crypto assets; storage risk is the risk that is being mitigated through a custodial solution like the one presented here.
- Mishandling Risk by Individuals: Users can store their own private keys without the need for third-party storage systems, but will thus be responsible for their own security. Users can be compromised in multiple ways, e.g. through phishing, creating several attack vectors that can exploit this kind of risk.
- Counterparty Risk: Where a trusted 3rd party may misappropriate funds by colluding with an outside attacker, default (like FTX), or lose private keys through incompetence.
- Hacking Risk via Technical Weakness: Methods used to steal digitally stored private keys and/or the decryption keys needed to access the data, such as open ports, uncomplicated passwords, unpatched operating systems, and bad encryption.
- Hacking Risk via Impersonating a Customer: Should a hacker obtain control of a customer’s e-mail account, it is possible to effectively impersonate the customer. Furthermore, e-mails are frequently used to reset login passwords or validate requests, often giving email intruders access to somebody’s crypto assets by extension.
- Hacking Risk via Impersonating a Counterparty: Should an attacker succeed in hacking the website of the counterparty, they might be able to change the bank account or address where funds are to be transmitted. In this case, a customer would unknowingly send funds to the attacker instead of the intended counterparty.
- Hacking Risk via Intercepting Communications: Also called a man-in-the-middle attack (MITM), if an attacker can intercept and change the address to which bitcoins are to be transferred due to an insecure transmission medium, this would be an easy manner to steal bitcoins.
- Storage Risk: Private Key Loss Risk: If stored online, private keys may accidentally be deleted; if stored offline, there is a risk of physical loss of the private key medium (piece of paper, USB drive, etc.) or physical degradation of said medium.
Are there particular ways that CASPs should evaluate these risks and communicate these risks to retail investors? If so, please explain.
- CoinDCX response: Evaluation of Risks by CASPs:
- CASPs should adopt specific measures to effectively evaluate risks associated with crypto assets. A comprehensive risk assessment process should be established, encompassing all aspects of the CASP’s operations and the crypto asset ecosystem. This includes identifying potential technology, cyber, and operational risks, as well as assessing their potential impact on the CASP and its investors.
- To ensure sound risk management, CASPs should implement robust governance policies and frameworks. This involves defining clear roles and responsibilities, establishing risk appetite and tolerance levels, and developing effective risk mitigation strategies. Periodical monitoring of risks is crucial to identify any emerging threats and promptly address them.
- Independent audits and assessments conducted by external, unbiased third parties can provide an objective evaluation of the CASP’s risk management practices. These audits help identify potential vulnerabilities and provide recommendations for improvement. Additionally, investing in employee training programs on risk awareness and management ensures that staff members are well-equipped to identify and respond to risks effectively.
- CASPs should also invest in infrastructure, including advanced tools, regulatory technology (RegTech), and supervisory technology (SupTech), to enhance their risk evaluation capabilities. These technologies can automate risk monitoring, compliance checks, and reporting processes, improving overall risk management efficiency.
- Studying global best practices is crucial for CASPs to stay updated on evolving risk landscapes and to learn from successful risk management approaches implemented by other industry participants. By benchmarking against industry standards, CASPs can enhance their risk evaluation methodologies and adopt industry-leading practices.
- Communication Strategy:
- To communicate these risks, CASPs should prioritise clear and transparent risk disclosures. They should provide easily understandable information that highlights the specific risks involved in investing in crypto assets. This includes explaining the unique characteristics and challenges of the crypto asset ecosystem, as well as potential risks related to operational disruptions, cyber threats, and legal uncertainties.
- CASPs should use plain, simple language to ensure retail investors can easily comprehend the risks involved. They should avoid complex technical jargon and provide concise explanations that enable investors to make informed decisions. CASPs should also adhere to regulatory guidelines and requirements regarding risk communication and disclosure.
- Regular updates and ongoing communication are essential to keep investors informed about emerging risks and best practices. CASPs should maintain transparent channels of communication, such as investor alerts, newsletters, or dedicated sections on their websites, to provide timely information about evolving risks and mitigation strategies.
- Regular and proactive communication with retail investors is crucial. CASPs should establish channels for investors to seek clarification and assistance regarding risk-related matters. They should promptly respond to investor inquiries and provide ongoing updates on any significant changes in risk factors or market conditions.
- Moreover, CASPs should collaborate with regulatory authorities and industry associations to ensure compliance with relevant regulations and best practices. By actively engaging with regulators and participating in industry discussions, CASPs can align their risk evaluation and communication processes with regulatory expectations and industry standards.
- By implementing these measures, CASPs can effectively identify and mitigate risks, safeguarding the interests of their investors and ensuring a secure and resilient crypto asset ecosystem.
RETAIL DISTRIBUTION RECOMMENDATION
Recommendation 18: Regulators should require a CASP, to operate in a manner consistent with IOSCO’s Standards regarding interactions and dealings with retail clients. Regulators should require a CASP to implement adequate systems, policies and procedures, and disclosure in relation to onboarding new clients, and as part of its ongoing services to existing clients. This should include assessing the appropriateness and/or suitability of particular crypto-asset products and services offered to each retail client.
What other point of sale/distribution safeguards should be adopted when services are offered to retail investors?
- CoinDCX response: Considering the cross-border nature of crypto activities and the proliferation of direct access business models, it becomes necessary to standardise safeguards to protect retail investors across the globe. While the establishment of such minimum standards may be done at a global level, in the interest of effective implementation, the local SROs may be tasked with ensuring enforcement.
- Transparency: CASPs may be mandated to declare, in a standardised format, key information that is relevant to retail users. This may include:
- clear and comprehensive information about the exchange, including the location of its offices, the registrations and licences it holds, details about the legal entity, founding members, and contact details;
- the fee structure for trading, deposits, withdrawals, and any other applicable charges;
- accurate trading volumes, market data, and white papers for all listed assets;
- the criteria for listing or delisting a project;
- periodic publication of proofs of reserves; and
- prompt notification of users about any security breaches or unauthorised access to their accounts.
- Consumer complaints redressal mechanism: CASPs may also be mandated to maintain a robust consumer complaints redressal mechanism. The guidelines may require that said mechanism should:
- Outline the process for submitting complaints, including the designated channels (such as email, online form, or dedicated support ticketing system) and the information required from the complainant (e.g., account details, transaction details).
- Specify the timeframe within which the CASP aims to acknowledge and resolve complaints. This may include setting specific time limits for acknowledging receipt of a complaint and providing regular updates to the complainant on the status of their complaint.
- Describe the steps that a complainant can take if they are not satisfied with the initial response or resolution provided. This may include outlining a formal escalation process, such as contacting a designated complaints manager or supervisor for further review and consideration.
- Explain how the exchange will investigate and address complaints. This may involve describing the internal procedures, such as assigning a dedicated complaints team, conducting thorough investigations, and providing a fair and reasonable resolution based on the circumstances of each complaint.
- Detail how the CASP will communicate with the complainant throughout the complaint handling process. This should include information on how often updates will be provided, the communication channels that will be used, and any specific information that will be included in the updates.
- Address the CASP’s commitment to maintaining the confidentiality and privacy of complainants’ personal information. Explain how the exchange will handle and protect sensitive data provided during the complaint process, in compliance with applicable privacy laws and regulations.
- Explain how the exchange will review and analyse complaints to identify any systemic issues, patterns, or areas for improvement. This may involve periodic reviews of complaint data, analysis of root causes, and implementing measures to prevent similar issues from recurring.
- Ombudsman: The global guidelines may also require the SRO to set up an ombudsman. An ombudsman provides an independent and neutral platform for dispute resolution. It allows retail users to have their complaints heard by a neutral party, free from potential bias or conflicts of interest that may exist within the CASP itself.
- Education and awareness campaigns: The global guidelines may also require the SRO to ensure that CASPs undertake education and awareness campaigns periodically. Such education and awareness campaigns may be required to focus on:
- Basic educational resources to retail investors. This may include information about blockchain technology, cryptocurrency fundamentals, risks and rewards of investing, and an overview of common terms and concepts;
- Regulatory compliance requirements and the importance of understanding and adhering to applicable laws and regulations. This can include information on anti-money laundering and know-your-customer requirements, tax obligations, and reporting obligations;
- Scam and fraud awareness, focused on equipping retail investors with knowledge about common scams and frauds prevalent in the space. This may include sharing information on how to identify and avoid Ponzi schemes, phishing attempts, and other fraudulent activities;
- Security best practices to protect their holdings. This can cover topics such as strong password management, two-factor authentication (2FA), secure storage options, and the risks of phishing attacks or social engineering scams; and
- Resources on market analysis techniques and technical analysis indicators.
Should regulators take steps to restrict advertisements and endorsements promoting crypto-assets? If so, what limitations should be considered?
- CoinDCX response: Given that crypto-assets are relatively new and volatile assets, it is fair for global standards to restrict advertisements. However, such restrictions should be reasonable and balanced. While they must adequately inform users of the risks they undertake, it should not stifle innovation, or discourage users from accessing Web3 technologies as a whole, given the potential they present. Further, the standards should be set globally, but enforced locally through an SRO, so as to minimise arbitrage. The guidelines must be clear and unambiguous.
- A global mandate to precede crypto advertisements with a standardised disclaimer may be added.
- Advertisements and endorsements that make false or misleading claims about the performance, returns, or benefits of investing in crypto-assets may be prohibited.
- Targeting advertisements towards certain classes of users may be prohibited, such as minors, or individuals who may be more susceptible to financial risks.
- We also understand that despite compliance with local guidelines, several key online platforms do not allow crypto players to advertise thereon, or have special processes for such advertisers. Global guidelines must also prescribe that so long as such advertisers are compliant with the advertising guidelines and their respective SROs can attest to the same, online platforms may not be permitted to reject such advertisements.
BOX TEXT ON STABLECOINS
Are there additional features of stablecoins which should be considered under Chapter 10? If so explain:
- CoinDCX response: The recommendations provided for stablecoins in the consultation document are well taken and aligned. However, guidelines on how stablecoins are to be defined – whether as securities, or other financial instruments – need to be laid out; this is a crucial aspect on which global consensus is lacking.
- Additionally, while the document lays out the risks, it does not provide any scale or comparison; it is our view that stablecoins should be held at similar standards to other financial institutions accepting deposits and facilitating remittances, not more.
- A risk-appropriate approach for stablecoins and stablecoin issuers is needed to ensure regulated, compliant stablecoins in local currency can develop unhindered. In the absence of proactive policy, stablecoins denominated in foreign currency, with assets entirely held in foreign jurisdictions, do have the potential to result in greater financial risk than vanilla crypto assets.