Chairman of the Supervisory Board of the European Central Bank: Several Trends in Future Cryptocurrency Financial Regulation

This article is a speech by Andrea Enria, Chairman of the ECB Supervisory Board, at a conference on MiCAR and its harmonization with EU financial market legislation, jointly organized by Ca' Foscari University in Venice and the Bank of Italy.

Introduction

I am very grateful to have been invited to deliver the keynote address at this conference in Venice. The subject is extremely topical and timely, and I am sure that today we will discuss many interesting aspects of financial innovation and the role of regulation.

Notably, the EU is the first major jurisdiction in the world to introduce a regulatory framework for the cryptocurrency industry. The Markets in Crypto-Assets Regulation (MiCAR) comes into force at the end of June 2023 and will be fully applicable by the end of 2024.

I will first discuss how recent developments in the cryptoasset space strengthen the case for direct regulation of cryptoasset activities. I will then discuss some of the issues with MiCAR and explain how the most advanced forms of decentralized finance (DeFi) pose fundamental challenges to the application of financial regulation. Finally, I will outline what I believe are the essential elements of a regulatory framework that sets the boundaries between the crypto industry and the banking industry and regulates their interactions.

1. General discussion on crypto asset regulation

The technical features of the cryptoasset framework can be very complex, but its basic building block is distributed ledger technology (DLT). In this environment, both financial and non-financial assets are encrypted (tokenized) in the form of digital tokens, and transactions and contracts are executed on a permissionless and anonymous basis without any intervention by a centralized institution (whether public or private) as an intermediary, custodian or guarantor of final settlement.

Bitcoin and other native crypto assets based on distributed ledger technology (DLT), and more broadly, DeFi, which has evolved from this original concept, appear to offer opportunities for a new financial market structure that could completely eliminate the need for financial intermediaries and public institutions. For many, these innovations are reminiscent of radical proposals such as free banking or the denationalization of money, which became popular after banking and regulatory failures wreaked havoc and led to the 2007-08 financial crisis.

I initially advocated for isolating the crypto-asset world (especially cryptocurrencies) from the regulated financial sector to avoid direct regulation of crypto-asset activities. I believed at the time that prohibiting financial institutions, especially credit institutions, from buying, holding or selling crypto-assets would avoid risk contagion to the regulated financial sector and would also eliminate the public's potential perception of highly speculative investments. Crypto-assets would enjoy the same degree of protection as investments in traditional financial assets.

At the same time, I strongly advocate for cryptocurrency exchanges and crypto asset providers to be fully included in the scope of anti-money laundering and combating the financing of terrorism (AML/CFT) regulation. I believe that it is indeed possible to allow new technologies and products to develop outside the mainstream channels of the banking market, which is characterized by "letting cryptocurrencies experiment in a closed environment."

However, given the turmoil that cryptocurrency markets have subsequently experienced, including the recent emergence of unsustainable business models and egregious fraud, there are strong arguments for a stricter regulatory approach.

In fact, we see some crypto asset projects that rely solely on the expectation of ever-increasing prices and the continuous inflow of funds from new investors (like a Ponzi scheme), without any intrinsic value, the ability to generate cash flow, and extremely unstable prices.

For example, in the demise of the stablecoin TerraUSD, we saw a clear case of business model flaws and misconduct. This revealed three extremely worrying aspects: the high fragility of the lending protocol; the extensive interconnectedness between crypto asset participants; and the unreliability of algorithmic stabilization mechanisms. The same case revealed a strong, toxic correlation between crypto assets (Luna, paired with TerraUSD) and crypto asset companies (Lido, Celsius), which had a profound impact on public confidence in the entire industry.

The operating system and governance framework of the trading platform FTX also have serious flaws, which are prone to conflicts of interest, fraud and misappropriation of customer assets to make up for losses suffered by other group entities. In fact, the FTX case exposes all the problems of opaque corporate structures and overly complex and vertically integrated crypto-related business models.

I now believe that the “let cryptocurrencies experiment in a closed environment” approach is no longer tenable given the continued expansion of crypto-asset activity, the interest shown by banks and other traditional intermediaries in providing a hybrid of traditional and crypto-financial services, the damage to consumers caused by fraud, and the numerous risk management failures in the crypto-asset space.

Moreover, while the sector remains relatively small, further growth outside the regulatory perimeter could ultimately raise broader financial stability concerns, especially given the growing interconnectedness with the banking sector, as demonstrated by the crisis involving some mid-sized U.S. banks earlier this year.

I am also particularly concerned about the potential for criminal activity within the industry, and the serious risks of money laundering and terrorist financing will be exacerbated if the crypto asset world remains completely outside the regulatory perimeter.

Therefore, the decision by European legislators to regulate crypto-asset issuance and crypto-asset services is the right decision at the right moment.

2 Financial Regulation of the Crypto Industry

MiCAR is a major legislative achievement that places the EU at the forefront of global developments. The strength of MiCAR lies in its unified framework, which is directly applicable in all Member States and regulates the issuance of crypto-assets, in particular Asset Reference Tokens (ARTs) and Electronic Money Tokens (EMTs), as well as the provision of crypto-asset services.

A fundamental aspect of MiCAR is to require issuers of ARTs and EMTs, as well as providers of crypto-asset services, to ensure segregation between their own assets and those of their customers. The lack of such a requirement was one of the main reasons for the chaos following the FTX collapse.

The scope of application of MiCAR does not include crypto assets that are already regulated as financial instruments or any other products that are already subject to existing EU legislation, such as bank deposits. Financial instruments are regulated under the DLT pilot regime.

Indeed, the tokenization of financial instruments is expected to make trading and post-trading processes more efficient. If coupled with the tokenization of deposits as a means of settling financial transactions, the cost savings and reduction of operational risks could be enormous. Moreover, the tokenization of deposits could also provide banks with a competitive tool to protect their funding base and enable efficient credit intermediation processes. This is why it is crucial that the regulatory regime for retail and wholesale tokenized deposits is absolutely clear and eliminates any remaining uncertainty.

Furthermore, MiCAR explicitly excludes fully decentralized finance and native cryptocurrencies such as Bitcoin from its scope (for what I call “structural” reasons) because there is a potential lack of an object for regulatory action and no issuer exists.

Bitcoin will be subject to the rules for the provision of crypto-asset services (such as trading on “institutional” exchanges), but the issuance (mining) of Bitcoin will not fall under the regulatory scope of MiCAR.

Another aspect that complicates the implementation of financial regulation is what I call the “delocalization” of financial services. Technological advances have made it increasingly difficult to determine the jurisdiction in which a provider is located when services are provided remotely.

As banking regulators, we are used to dealing with multi-jurisdictional issues (with perhaps mixed results), but we now seem to be facing a completely new challenge where the provision of financial services is disconnected from a natural or legal person who is physically located in a particular place.

Nonetheless, in order to guarantee financial stability, authorities must be able to gain a comprehensive understanding of the operations of crypto asset participants. This is particularly difficult for DeFi, as it requires aggregating risk exposures and financial interconnections between “entities”, which are not easily ascertainable in terms of regulation.

The same challenges exist in crypto centralized finance (CeFi), where even on more traditional trading platforms like FTX, crypto assets are often traded off-chain, i.e. on the exchange’s ledger.

In fact, crypto asset service providers often conduct business through a network of entities that are often defined only as members of their “ecosystem.” Drawing the precise boundaries of FTX was no easy task for the Special Administrator. It is essential that interconnected entities be subject to accounting consolidation and integrated regulation, regardless of the names used by participants for marketing purposes.

3 Crypto-finance and banking: setting boundaries and regulating interactions

Now let me turn to the interaction between crypto-finance and the banking sector. It is critical for prudential regulators to develop clear rules on the relationship between crypto-asset participants and traditional financial intermediaries, especially credit institutions, as they act both as deposit issuers and as liquidity providers to other intermediaries in the financial system.

In this regard, I believe that regulation of the interaction between crypto assets and the banking sector should include at least three essential elements: regulation of the banking perimeter; upgrading the prudential assessment of initial authorization applications to consider crypto asset services and crypto asset issuance by banking intermediaries; and prudential regulation of the financial interconnections between banks and the crypto asset world.

4 Scope of regulatory authorization for banking activities

In line with the principle of “same activity, same risk, same regulation”, whenever a cryptocurrency company starts engaging in banking-exclusive activities, they will need to apply for a banking license and meet the legal requirements for granting such authorization.

The key question is whether and when crypto-asset-related activities actually cross the regulatory threshold.

Given the lack of a truly unified regulatory framework for financial services in the EU, determining which financial services are actually provided and how they are provided can sometimes be a challenge for our regulators. As the European Securities and Markets Authority outlined in its 2019 report on crypto assets, there are significant differences in how member states implement the Markets in Financial Instruments Directive (MiFID) rules on the definition of financial instruments.

It is therefore clear that there is a need for a thorough analysis of the financial services provided in the DeFi space and how they map onto the definition of financial services in existing legislation, particularly those related to the banking sector.

The example of stablecoins is interesting not only because they have featured prominently in some recent crises, but also because in the context of DeFi, stablecoins are primarily used to settle transactions involving other crypto assets. The starting point for any discussion should be that stablecoins may be seen as a form of private money, with some similarities to bank demand deposits, but without all the public guarantees of bank deposits. Given the potential for stablecoins to lose their peg to a reference currency (usually the U.S. dollar), they are susceptible to runs, just like bank deposits.

That’s why the U.S. President’s Working Group on Financial Markets recommended in its 2021 report on stablecoins that the issuance of stablecoins should be reserved for companies authorized as depository institutions, i.e. banks. This regulatory recommendation has yet to be implemented by U.S. lawmakers.

I think in this regard that the solution adopted by MiCAR for regulating EMTs (stablecoins pegged to a single official currency) is consistent with this approach, as it would only allow credit institutions or e-money institutions to issue EMTs. This would preserve the reliability of e-money and its ability to actually function as money with all its essential characteristics.

In the ECB’s Banking Supervision, we are ready to work with the European Banking Authority (EBA) and other competent authorities in the supervisory community to monitor banks issuing EMTs and assess whether further supervisory reforms are needed in this regard.

5 Preliminary authorization for banks to conduct cryptocurrency business

Another aspect is how to handle banking license applications when the business model involves providing crypto asset services.

It is worth mentioning that the solution adopted by the EU has always been very close to the universal banking model in terms of the activities that banking license holders are allowed to carry out. According to this solution, credit institutions can provide all financial services besides core banking services, with the exception of insurance services, which always require a separate authorization and a separate legal entity.

Thus, in the EU, credit institutions are also generally able to provide investment services, payment services, etc. without the need for separate specific authorisation. Obviously, they still need to comply with all sectoral requirements for specific service types (e.g. MiFID suitability requirements for investment advice) and be supervised by the competent authority (if different from the prudential banking authority).

The rationale behind this approach is that credit institutions have historically been the most heavily regulated financial intermediaries, given the essential economic functions they perform, and therefore can provide all other financial services. Unsurprisingly, this is also the solution adopted by MiCAR, according to which credit institutions do not need specific authorization to issue tokens or provide crypto services, but are subject to sector-specific regulation in addition to the usual prudential supervision.

In this regard, I believe that the assessment of initial authorization applications from credit institutions whose business models are characterized by significant crypto-asset activities will have some distinctive features.

We do not have concrete cases yet, but it is foreseeable that in the near future there will be a number of innovative companies engaged in significant crypto-asset activities applying to be authorized as credit institutions, partly as a result of the entry into force of MiCAR.

So far, we have only handled crypto-asset authorizations for German credit institutions, as the provision of crypto-asset custody services and other crypto services requires a formal extension of a banking license under German law. Our mandate is to issue authorizations to all credit institutions, both major and minor under our direct supervision. As a result, we have some experience in handling authorizations to provide crypto-asset services, and last year we published the supervisory criteria for licensing banks engaged in crypto-asset activities.

We explained that when evaluating such applications, we will pay particular attention to the following aspects: the credit institution’s overall business model and its sustainability; the credit institution’s internal governance and risk management and its ability to assess specific crypto-asset risks; and the suitability assessment, where we expect the credit institution’s board members and key functional heads to have specific and in-depth knowledge of digital finance. We will also work closely with the anti-money laundering authorities to assess the bank’s AML/CFT risk profile.

Looking ahead, I imagine that the specific national competent authorities specified in MiCAR, whether new or existing regulators, will also become important partners in our assessment of banking license applications from crypto-asset service providers.

6. The connection between banking and cryptocurrency finance should be carefully regulated

The third and final issue I want to talk about is how to supervise and regulate direct financial links between credit institutions and crypto finance.

There are two aspects to this. The first relates to the liability side of banks’ balance sheets, an issue that became more prominent earlier this year due to the crisis involving some mid-sized US banks with close ties to the tech industry and crypto asset providers. The other side relates to the asset side of banks’ balance sheets and their crypto assets.

With respect to the first aspect, systemic risk may arise from high correlations between deposits held by different cryptocurrency companies at the same bank or at different banks. In particular, deposits held by crypto-asset issuers may experience large fluctuations and be susceptible to runs. Moreover, when such deposits represent a significant portion of a bank's funding, they may hinder or impair the bank's resolution strategy and require extraordinary measures to prevent contagion.

In this regard, it is worth noting that MiCAR’s provisions require that at least 60% of the reserves of major asset reference tokens be held in the form of bank deposits. While understandable as a means of investor protection, this may have unintended consequences from a financial stability perspective.

Some banks will likely specialize in banking activities related to stablecoin issuers. However, it is particularly important that credit institutions monitor the diversification of their deposit base (not only in terms of individual counterparties but also in terms of the industry) and should not rely on volatile deposits, especially deposits of crypto-asset participants, that exceed their prudently set risk tolerance levels.

As a regulator, we will also assess concentration risks in the deposit-based sector very closely. In this regard, it is critical that the relevant MiCAR mandated technical standards include prudent calibration of single-name concentration limits and a requirement for issuers to establish credit risk tolerance levels for their bank counterparties.

It is also important that issuers, especially material issuers, maintain an effective risk management function. Issuers primarily deal with financial and operational risks, and the sound management of these risks requires adequate human and technical resources.

The second aspect concerns the direct exposure of credit institutions to crypto assets. Here we are in more familiar territory as bank regulators, at least in terms of dealing with credit and market risks. The typical response of bank supervision to the risk of borrower default has been to prescribe capital requirements and risk limits.

At the end of last year, the Basel Committee (BCBS) published a standard on capital requirements for banks investing directly in crypto assets. The standard is not yet legally binding and needs to be transposed into EU law by January 1, 2025, but we already expect banks to incorporate it into their business and capital planning.

The standard divides crypto assets into two categories. The first category consists of tokenized traditional assets and stablecoins with effective stabilization mechanisms that meet strict classification conditions, which will absorb the same amount of own funds as their reserve assets or referred assets and may be subject to additional charges imposed by regulators. The second category consists of the riskiest forms of crypto assets, with a risk-weighted ratio of 1250%, which basically means that banks must maintain the same amount of capital resources as the total value of their risk exposure. Holding restrictions also apply to the second group of assets.

One aspect that we are concerned about at the moment is the possibility of circumventing the prudential regulatory framework that will apply. In fact, if a bank-controlled crypto-asset service provider is not within its prudential integration, the BCBS standards, especially the risk limits, may become ineffective.

It is worth recalling that we apply prudential requirements on a consolidated basis and that other financial companies also fall within the scope of banking group consolidation. Their risk exposures help determine the combined capital requirements that credit institutions need to meet.

As things stand, we believe that it is very difficult to include subsidiaries of credit institutions established by crypto asset service providers (CASPs) in the scope of prudential consolidation. This is due to the European Council Insolvency Regulation (CRR) which defines the financial institutions that must be included in the scope of prudential consolidation. It is imperative that CASPs are included in the scope of prudential consolidation of banking groups by amending the definition of financial institutions.

I believe that in the coming years, regulators will face a steep learning curve on how best to handle the interaction between credit institutions and crypto assets. This learning process will be challenging, as it will not be easy to attract enough staff with the necessary technical skills.

in conclusion

I firmly believe that the fundamental features of modern financial markets need to be preserved, with credit institutions playing a key role due to their central role in the money creation process. I see no reason why this key feature of the institutional framework should hinder the benefits of the latest technological advances.

I do not buy into the idea that innovation can only flourish outside of regulation and oversight and that we should create a space for innovative firms to experiment outside the official financial sector without having to comply with basic prudential, conduct and AML/CFT requirements. When a firm’s core function is handling other people’s money, especially when its services mimic key banking products such as deposits and payments, the security of the business and the stability and integrity of the market need to be fully protected.

This is an area that requires our particular attention so that we can provide appropriate regulatory and supervisory solutions. For example, mixed activity groups (groups of companies providing both financial and business services) that operate across borders and reach millions of customers may raise concerns about the level playing field and pose a threat to overall financial stability.

Regulation often arrives late, sometimes too late to repair the damage that has been done.

There are clear parallels with Hegel's description of philosophy: philosophy arrives too late to provide "indications of how the world ought to be". This is because philosophy uses its analytical tools only after reality has undergone its process of formation and has reached its "finished state" ("it appears"): like Minerva's owl, philosophy "begins to fly only when dusk has come".

But we cannot adopt policies too late or too leniently for fear of stifling innovation or harming competition in financial markets.

While we will always be playing catch-up, it is critical that regulation and oversight of crypto finance begins much sooner than the “twilight hour”—it has already begun.