Risk Management at Crypto Firms Is in Focus Following FTX Collapse

When a crypto firm is privately held and isn’t subject to the disclosure requirements public companies face, such as third-party auditing, just learning what controls are in place can be a tall order.

“We need better risk management, more guardrails…and we need some of that installed into the crypto industry,” said

Jeff Horowitz,

chief compliance officer at crypto custodian BitGo. Mr. Horowitz said BitGo’s assets are kept separate from customer assets, and the company’s operations go through a full examination once a year by regulators in South Dakota and New York, where the firm has operations.

Although most crypto firms aren’t subject to formal federal regulation, many have adopted the enterprise-risk-management programs that U.S. watchdogs require of mainstream financial institutions in the wake of the 2008 financial crisis. These rules ask companies to identify, monitor and control their risks in both their financials and operations through scenario planning and testing and framework implementation. 

Among the risks being monitored are cybersecurity risks; legal and compliance risks, such as those arising from financial crimes and sanctions; credit risks that arise when funds are used as collateral; and liquidity risks. 

“These things sound good, but what’s running through my mind is…are these efforts coordinated and connected and are we seeing gaps in these processes?” said

Mark Beasley,

a professor and director of the Enterprise Risk Management Initiative at North Carolina State University. 

As the crypto industry works to reassure customers, there are signs that some of the efforts to bolster transparency are faltering. Accounting firm Mazars on Dec. 16 said it paused all work for crypto clients and withdrew from its website a report on reserves at Binance and other cryptocurrency-trading companies. Binance, whose own efforts at providing transparency have been criticized in recent weeks, said net outflows from its platform swelled to $6 billion in the period between Dec. 12 and Dec. 14.

A Binance spokeswoman said that Binance’s capital structure is free from debt. She added that Binance passed a stress test in December and was able to fulfill large withdrawal requests “without breaking stride” and the firm is looking to provide additional transparency in the coming months. 

Although stress testing for lending risks doesn’t apply to custodians that hold assets on behalf of others, BitGo’s Mr. Horowitz, who previously worked as the compliance chief at crypto exchange

Coinbase Global Inc.,

said measures such as those established to manage banking risk can help identify potential problems, like those seen at FTX. He said his firm—whose assets under custody include about $1 billion for FTX under the failed exchange’s new management team—conducts an annual audit of financial statements, a review of its anti-money-laundering and know-your-customer programs, and has insurance in cases of fraud and for the potential loss of the cryptokeys for customers’ wallets. 

For its part, crypto exchange Bitstamp USA Inc. said that it separates client digital assets from company assets and that it performs annual stress testing on the liquidity risks of client funds, including under hypothetical scenarios in which the exchange would have enough liquid assets to withstand material client withdrawals over short periods. 

The exchange also has a global operations team that oversees customer onboarding, transactions monitoring and customer-service issues, said Bitstamp Chief Compliance Officer

Thomas Hook.

It has a global risk team in charge of companywide assessment, but it has regional compliance teams to ensure compliance with local regulatory requirements. 

Bitstamp USA is licensed in New York state through a business license for virtual currency activities, known as a BitLicense, and has compliance personnel in Europe, the U.K. and Singapore. Mr. Hook said these teams also report to the firm’s senior management and board to ensure the firm’s risk-management plan “doesn’t happen in a silo.” 

At crypto exchange Bittrex Inc., Chief Compliance Officer

Mike Carter

said the firm’s risk-management strategy includes the use of policies and processes to protect against cyberattacks and to protect data privacy in response to Europe’s General Data Protection Regulation and privacy laws in place elsewhere. 

The Seattle-based exchange also focuses on market surveillance and integrity to prevent potential misconduct on its marketplace. Having experienced staff to implement and monitor the risk-management measures on a routine basis is also important, Mr. Carter said. 

As the crypto industry matures, these executives said it is important for investors and consumers to check for signs of adequate risk management and compliance measures at crypto firms. These include ascertaining the type of licensing a company might have, whether it is being audited and by whom, seeing proof of reserves backing customer deposits and disclosures about the company’s business model, and determining whether the company has responsive customer service, they said. 

Other signs include whether the company engages in outside due diligence, whether assets are segregated and how secure crypto assets passwords are kept. 

In addition, potential customers should evaluate the maturity and makeup of a crypto firm’s leadership team to ensure a cult of personality doesn’t exist around it, said Mr. Hook of Bitstamp. 

Ultimately, none of the efforts crypto firms make to be transparent or disclose risk-management efforts amount to a guarantee without formal regulatory oversight or the disclosure rules required of publicly traded companies. 

“Many of the actors at that level of scale are good actors, but we won’t know until all of the acts of the play have come about,” said

Doug Schwenk,

chief executive of Digital Asset Research, which provides data on the crypto market and vets crypto exchanges on behalf of hedge funds. 

Write to Mengqi Sun at [email protected]