Banking on Crypto?

By Justin C. Steffen, Barack Ferrazzano Kirschbaum & Nagelberg LLP

With escalating prices and newfound public adoption, banks and other financial institutions are beginning to take note of cryptocurrencies. An estimated 14% of the U.S. population owns cryptocurrency, and PayPal, U.S. Bank, and Morgan Stanley have all recently launched crypto products. Although the same rules and regulations that apply to other investments may apply to cryptocurrencies, this new(ish) asset class presents unique obstacles of which new industry participants must be aware. Indeed, in a rush to appease customers, today’s shortcuts may prove to be tomorrow’s legal nightmares. Banks, therefore, must learn to engage crypto with caution.

Bitcoin is the seminal cryptocurrency – a digital or virtual currency. Often compared to a form of digital gold, Bitcoin prices have skyrocketed in the last year, trading at over $60,000 at multiple points in recent weeks. Bitcoin was first described in a 2008 whitepaper by a person (or persons) using the pseudonym Satoshi Nakamoto. Nakamoto’s Bitcoin uses public and private key cryptography and hashing to create a secure form of digital currency.

Nakamoto’s whitepaper described both Bitcoin and the blockchain technology underlying the Bitcoin network. Bitcoins are tracked on the Bitcoin blockchain, a large, decentralized ledger – like a spreadsheet that is copied and distributed across participating machines and stored on every user’s system. The blockchain records the movement of all Bitcoin that have been created. By doing so, the blockchain ensures that holders of Bitcoin can neither double-spend nor over-spend.

Anyone can edit the blockchain so long as a predetermined majority of other users (known as “nodes”) agree with the change. This system works without a central repository (i.e., a bank) as all transactions are conducted peer-topeer. Bitcoin transactions are recorded by references to “public keys” – a coded “address” that everyone on the network can see. To redeem or control the Bitcoin assigned to a “public key,” one must also possess the private key – another code known only to the owner that operates like a ticket that entitles the holder to access his or her Bitcoin.

Ether, XRP, and other cryptocurrencies soon followed. These different cryptocurrency tokens were created using different rules and for slightly different purposes. Ethereum, for instance, was designed to facilitate the use of “smart contracts,” which are automated rules (often distilled as if-then statements), committed to code. In total, there are over 4,000 unique cryptocurrencies. The total market capitalization of all cryptocurrencies is estimated at over $2 trillion. Despite their numerous differences, tokens are often bought, sold, stored, and transferred using very similar methods.

Developers, miners or validators, and users are common participants in almost every cryptocurrency ecosystem. First, there are users – people who hold and/or transact with the respective cryptocurrencies. Second, developers make updates to the underlying code and ensure that the cryptocurrency network operates smoothly – or as smoothly as possible. Third and finally, there are miners or validators. These validators are crucial, as they record the transactions on the underlying blockchain or ledger.

Other third parties, however, have become commonplace service providers to the participants in cryptocurrency networks. A number of third-party businesses assist clients by: (1) exchanging between cryptocurrencies and fiat (government) currencies or other cryptocurrencies; (2) transferring cryptocurrencies; (3) safeguarding and/or administering cryptocurrencies, enabling users to control the virtual assets; and (4) providing financial services related to the sale or purchase of certain cryptocurrencies. These third parties encompass a range of businesses, including exchanges, ATM operators, wallet custodians, and hedge funds.

federal and state agencies all have an avowed interest in regulating cryptocurrencies. These regulators each have their own interpretation of cryptocurrencies. To the SEC, they may be securities; to the CFTC, they are commodities; to FinCEN, they are money; and to the IRS, they are property. Navigating these disparate regulatory regimes can be critical.

The SEC, for example, has pursued enforcement actions against the issuers of tokens that the SEC believes constitute securities. In its July 25, 2017 Rule 21(a) report, commonly referred to as the DAO report, the SEC concluded that DAO tokens at issue were securities, evaluating the tokens pursuant to the test first articulated by the Supreme Court in 1946. FinCEN, likewise, has issued a wealth of guidance indicating that cryptocurrencies constitute money for purposes of the Bank Secrecy Act and other laws and that, as a result, certain virtual asset service providers would need to register as money services businesses, and comply with anti-money laundering and counter-terrorism financing requirements and other applicable laws. The import of this guidance is clear: token holders and their service providers must be cognizant of the governing rules and regulations, or hazard incurring civil and, in some cases, criminal liability.

Custody and Ownership (Not your keys, not your crypto?) Although nothing requires users to utilize myriad third parties that help them acquire, hold, and trade digital assets, the simple truth is many, if not most, users rely on one or more third parties. When you entrust a third party with your private keys, you are ceding control over the assets that you believe you have acquired. If the party with which you are dealing is dishonest, those tokens may go missing. In 2019, customers of the Quadriga exchange were surprised to learn that its founder had mysteriously passed away and $250 million of customers’ digital assets went missing.

In addition, for the sake of speed and cost, not all transactions are recorded “on-chain.” When you “buy” tokens from certain third parties, those purchases may not be recorded on the “immutable” blockchain right away, or ever. If the third party goes bankrupt or ceases operations, your recourse may prove illusory.

(you don’t hack the blockchain…well, typically) Proponents of blockchain technology often cite the security of blockchains, the distributed ledgers frequently used to record crypto holdings. But this supposed security may prove false. First, when an individual or group, for example, controls the majority of the hashing or computing power for a given token, they can unilaterally determine whether, and how, to record certain transactions. Often referred to as a 51-percent attack, these attacks – though rare – do occur. Shift and Bitcoin Gold were both subject to such attacks.

Second, and more frequently, “hacks” (attacks) focus on the third parties that help users transact, store, and trade digital assets. Many wallet services, exchanges, and other third parties have been attacked. Though these entities help execute cryptocurrency transactions that are recorded “on the blockchain,” no activity takes place on the ledger. Wallet services, for example, store customers’ private keys. When connected to the Internet (so-called “hot wallets”), those entities are just as vulnerable to cyberattacks as are other businesses. So, while blockchains may be somewhat resistant to cyber subversion, not every act or actor is completely on-chain, thereby rendering accounts, accountholders, and their affiliates subject to attack.

The rules that govern digital currencies (the protocol) are not static. Protocols change to fix imperfections or to change the underlying rules. These changes are referred to as “forks.” Sometimes, a fork results in two unique digital assets, such as when the Bitcoin protocol forked in November 2017, adding Bitcoin Cash tokens to Bitcoin tokens. Users of Bitcoin could obtain Bitcoin Cash. If they used an exchange or wallet service, however, the third party needed to support both sides of the fork. In other words, users completely reliant on others to hold their Bitcoin could lose the opportunity to obtain Bitcoin Cash if those third parties decided against supporting Bitcoin Cash.

Although many third parties have very clear policies regarding forks, even clear policies cannot always quell legal risk. By way of example, Coinbase initially disclosed that it was not intending to support the Bitcoin Cash hard fork. Despite Coinbase’s repeated, advanced disclosures, which detailed how users could secure their own assets, several users failed to heed the warnings and threatened legal action over their supposed lost opportunity. Coinbase retroactively supported the fork, allowing its users to obtain Bitcoin Cash tokens.

Blockchains reveal a wealth of transaction information: how much was transferred, at what time, and between what public addresses. Not all details, however, are readily apparent. The individual owners of cryptocurrency addresses are not recorded on the blockchain. For this reason, digital currencies are said to be pseudonymous. But this transparency – or the lack thereof – has consequences.

First, if regulators or interested parties want to identify the parties engaged in a transaction, they will often look to the third parties that serve as on-ramps to the blockchain ecosystem. Servicing crypto customers in the United States is not without costs. Indeed, large U.S.-based exchange Kraken noted that escalating subpoena compliance costs were to blame for several exchanges excluding U.S. customers. Like exchanges, banks that seek to serve crypto-hungry customers should expect to receive more subpoenas and information requests.

Second, because address owners can remain anonymous, users cannot always be certain with whom they are transacting. This poses myriad regulatory and counterparty risks. Are users, for example, transacting with an individual or entity from a restricted jurisdiction, or are transactions facilitating terrorist financing or money laundering? These issues have led to the rise of on-chain forensics firms, like Chainalysis, CipherTrace, and Elliptic. Although these service providers have helped to unmask and deter criminals, not everything is transparent.

Domestically, the SEC, CFTC, FinCEN, and other state and federal regulators have begun issuing guidance and pursuing enforcement actions with increased frequency. Nevertheless, the rules and regulations that govern the digital currency space remain murky, at best. Even wellintentioned businesses dealing in digital currencies are simply unsure of whether they are always adhering to the letter of law.

This lack of clarity can have dramatic economic effects. For years, the SEC has indicated that many digital currencies are likely unregistered securities. Late last year, the SEC charged Ripple’s co-founders with conducting an unregistered securities offering of XRP. XRP is one of the world’s largest cryptocurrencies, with an estimated market cap of $75 billion. The value of XRP, and the fate of Ripple, will likely turn on the outcome of this litigation. Should the courts side with the SEC, XRP holders may be left holding the bag. Fines, legal fees, penalties, and wild swings in value are part of the cost of crypto business.

The risks attendant with banking crypto may be unavoidable to a degree. That does not mean that banks and financial institutions committed to crypto are helpless. Financial institutions need to consider both traditional and non-traditional risk mitigation tools. First, traditional risk mitigation measures, such as insurance, indemnities, disclosures, representations and warranties, and other tools are available. Insurers, for instance, have created products designed to guard against the risk of lost security keys. These tools alone, however, are likely insufficient.

Second, to minimize risk, banks should consider new tools, such as storage and custody products, and bolster their existing compliance regimes. Regardless of the tool, crypto- and vendor-focused due diligence are imperative. Frequently, regulators look to regulated entities and their representatives to educate them regarding cryptocurrency issues. Therefore, retaining knowledgeable attorneys, consultants, and other professionals is imperative, but these professionals must be enlisted early in the product development process. Without proper, timely guidance, the risks described above can transform a promising investment into a costly lesson.

About the author: Justin C. Steffen is a Partner in the Barack Ferrazzano Kirschbaum & Nagelberg LLP’s Financial Institutions Group. His practice focuses on providing his clients with strategies and solutions for minimizing risk in the digital economy. In addition to his practice, Justin teaches financial and emerging technologies and the law at Northwestern Pritzker School of Law. IBA Associate Member.