Breaking Down the FDIC Risk Review Section 6: Crypto Asset Risk

On August 14, 2023, the Federal Deposit Insurance Corporation (FDIC) released its 2023 Risk Review. Section 6, titled “Crypto-Asset Risk,” discusses the risks posed by cryptocurrencies, stablecoins and other digital assets to the banking system.

As of March 2023, the total market capitalization of crypto assets was estimated to be over $1.5 trillion.

The report identifies several risks associated with crypto assets, including:

  • Price volatility: The prices of crypto assets can be very volatile, and this can pose risks to banks that hold them or provide services to crypto businesses.
  • Cybersecurity risks: Crypto assets are vulnerable to cyberattacks, and this could lead to losses for banks that are involved in the crypto market.
  • Money laundering & terrorist financing: Crypto assets can be used to facilitate money laundering and terrorist financing, and this could pose risks to the financial system.
  • Operational risks: Banks that are involved in the crypto market could face operational risks, such as fraud and legal risks.

The report also notes that the lack of regulation of the crypto asset market is a major risk. The absence of clear rules and regulations could make it difficult for banks to assess and manage the risks associated with crypto assets. The report references specific examples, including:

  • The risk of fraud & theft: The crypto market is largely unregulated, making it a target for fraud and theft. In 2022, there were over $14 billion in crypto-related fraud and thefts.
  • The risk of cyberattacks: Crypto assets are stored in digital wallets, which are vulnerable to cyberattacks. In 2021, a major crypto exchange was hacked, resulting in the loss of over $600 million in customer funds.
  • The risk of market manipulation: The crypto market is highly volatile and can be easily manipulated by large players. This could lead to losses for investors.
  • The risk of environmental impact: The mining of cryptocurrencies consumes a significant amount of energy, which has a negative impact on the environment.

It is important to note that financial institutions can look to mitigate cybersecurity risks by requesting SOC reports or other technology service provider (TSP) attestation reports regarding “IT General Controls.”

Another strong practice is understanding which connections these crypto companies have that also include access to the bank. API risks should be included in the due diligence process for third-party relationships and can be mitigated through web application penetration testing, which is not always captured as part of the TSP reporting process.

Additionally, these companies can implement common cybersecurity frameworks like NIST or the CIS Top 18, which may help provide insight into the crypto company’s security posture and readiness to mitigate cybersecurity risk.

The various risks above have led the FDIC to conclude that close, continual monitoring of the crypto asset market is paramount. The FDIC will be working with other regulators to address the risks posed by these assets.