Following the FCA's Dear CEO letter (on which I posted a few days ago), the UK's Prudential Regulation Authority has also published a Dear CEO letter to banks, albeit one with a very different focus. The FCA's letter focussed on banks providing services to clients involved in cryptoassets, whereas the PRA letter focusses on firms which are themselves exposed to cryptoassets (i.e., investing, in one form or another).
As a reminder, the PRA supervises the most significant institutions - its remit includes banks, building societies, credit unions and insurers, as well as investment firms that have been designated (the list of these firms is available on the PRA's "Which firms does the PRA regulate?" page).
It is not entirely clear, but given the cross-reference to the FCA's letter, I have assumed that the meaning of "cryptoasset" in the PRA letter is the same as in the FCA letter - i.e., a cryptoasset is any publicly available electronic medium of exchange that features a distributed ledger and a decentralised system for exchanging value (such as Bitcoin or Ether).
The PRA's letter served as a reminder in the crypto context that firms regulated by the PRA have responsibilities under the PRA’s Fundamental Rules 3, 5 and 7 to:
- act in a prudent manner;
- have effective risk strategies and risk management systems; and
- deal with regulators in an open and co-operative way, and disclose appropriately anything relating to the firm of which the PRA would reasonably expect notice.
So what can firms regulated by the PRA take away from the guidance?
- The letter sets out the risk strategies and risk management systems that the PRA considers most appropriate to cryptoassets. This includes:
  - carrying out a full assessment of the risks by the board and senior management (including by a relevant senior management function);
  - ensuring that the firm's remuneration policies and practices do not encourage excessive risk-taking in investing in cryptoassets; and
  - ensuring that the firm's risk management approach is commensurate with the risks of cryptoassets (e.g., having access to appropriate, relevant expertise and conducting extensive due diligence before taking on any crypto-exposure).
- The PRA expects firms to carry out a comprehensive assessment of the risks involved in being exposed to cryptoassets. Firms should therefore document this assessment: the PRA suggests doing so in their Internal Capital Adequacy Assessment Process or Own Risk and Solvency Assessment. Note: the PRA indicated that, whilst the assessment of the risk depends on the type of cryptoasset, cryptoassets should not be considered as currency for prudential purposes.
- Firms should inform their usual supervisory contact of any planned exposure to or activity involving cryptoassets, and provide an assessment of the risks associated with the intended exposure.
- It looks like the PRA (and other authorities across the world) are considering supervisory or policy updates on the prudential treatment of crypto-assets. The PRA mentioned that they would communicate any such updates, including through Pillar 2 capital for banks if deemed necessary, in due course.
Perhaps more positively, the PRA also stated that it recognised "the underlying distributed ledger or cryptographic technologies, on which many crypto-assets rely, have significant potential to benefit the efficiency and resilience of the financial system over time."
We acknowledge that firms may have taken limited exposure to crypto-assets to date, and hope this letter is helpful to firms in considering any existing exposures and/or plans for the future.