Speech by Andrea Enria, Chair of the Supervisory Board of the ECB, at the Conference on MiCAR and its coordination with EU financial markets legislation, jointly organised by Ca’ Foscari University of Venice and Banca d’Italia
Venice, 14 November 2023
Introduction
I am very grateful for the invitation to deliver the keynote speech at this conference, here in Venice. The theme is very topical and particularly timely, and I am sure that today we will be discussing many interesting aspects of financial innovation and the role of regulation.
It is remarkable that the European Union is the first major jurisdiction in the world to introduce a regulatory framework for the crypto industry. The Markets in Crypto-Assets Regulation (MiCAR)[1] entered into force at the end of June 2023 and will be applicable in its entirety by the end of 2024.[2]
I will first discuss how recent developments in the crypto-assets world have strengthened the case for directly regulating crypto-asset activities. I will then touch on some problematic aspects of MiCAR and explain how the most advanced forms of decentralised finance (DeFi) seem to pose a fundamental challenge to the very application of financial regulation and supervision. And I will conclude by outlining what I believe are the basic elements of a regulatory and supervisory framework which sets the boundaries and polices interactions between the crypto industry and the banking sector.
Regulating crypto-asset activities
The technical features of the crypto-assets framework can be hugely complicated, but its basic building block is the distributed ledger technology (DLT). In this environment, assets, both financial and non-financial, are encrypted in the form of digital tokens (tokenisation), and transactions and contracts are executed on the basis of permissionless and pseudonymous access, with no need for any intervention by centralised institutions, whether public or private, as intermediaries, custodians or guarantors of the final settlement.
Bitcoin and other native crypto-assets based on DLT and, more broadly, DeFi, a development of that original concept, seemed to provide the opportunity for a new structure of financial markets that could completely dispense with the need for financial intermediaries and public institutions. For many people, these innovations bring to mind radical proposals such as free banking[3] or the denationalisation of money[4], which gained greatly in popularity in the wake of the havoc wreaked by the banking and regulatory failures that led to the great financial crisis of 2007-08.
I initially advocated[5] the segregation of the crypto-assets world, in particular cryptocurrencies, from the regulated financial sector, avoiding the need to directly regulate crypto-asset activities.
I thought at the time that prohibiting financial institutions, in particular credit institutions, from buying, holding or selling crypto-assets would avert the danger of contagion to the regulated financial sector and also dispel a potential perception among the general public that investments in highly speculative crypto-assets would enjoy the same level of protection as investments in traditional financial assets.
At the same time, I strongly argued for the full inclusion of crypto exchanges and crypto-asset providers under the remit of anti-money laundering and countering the financing of terrorism (AML/CFT) regulation and supervision. I was of the view that it was indeed possible to let new technologies and products develop outside the mainstream channels of banking markets under an approach that could be characterised as “let crypto experiment in a closed environment”.
However, the turbulence experienced in crypto markets since then, including recent instances of unsustainable business models and egregious fraud, makes a strong case for a tougher regulatory approach.
In fact, we have seen some crypto-asset projects that relied solely on expectations of ever-increasing prices and continuous inflows of capital from new investors (like a Ponzi scheme) with no intrinsic value whatsoever, no ability to generate cash flows and extreme price volatility[6].
In the demise of the stablecoin TerraUSD, for instance, we had a clear case of a flawed business model coupled with misconduct. This shone a light on three extremely concerning aspects: the high vulnerability of the lending protocols; the extensive interconnections among crypto-asset players; and the unreliability of algorithmic stabilisation mechanisms. The same case revealed strong detrimental interconnections between crypto-assets (Luna, paired with TerraUSD) and crypto-asset firms (Lido, Celsius) which had a profound impact on public confidence in the entire sector.
The trading platform FTX also operated with a seriously flawed institutional and governance framework that was prone to conflicts of interest, fraud and misappropriation of client assets in order to cover losses incurred by other group entities. Indeed, the FTX case laid bare all the problematic aspects of an opaque corporate structure and an overly complex and vertically integrated crypto-related business model.
I now believe that the “let crypto experiment in a closed environment” approach is no longer tenable, given the expansion of crypto-asset activities, the interest expressed by, among others, banks and other traditional intermediaries in commingling the provision of traditional and crypto financial services, the damage to consumers caused by fraud, and the numerous risk management failures in the crypto-assets world.
Moreover, although the sector is still relatively small, further growth outside of the regulatory perimeter could eventually give rise to wider financial stability concerns, particularly considering the increasing interconnections with the banking sector, as evidenced by the crisis involving some medium-sized US banks earlier this year.[7]
I am also particularly concerned about the potential for criminal activity within the sector, with serious risks of money laundering and terrorism financing that will be exacerbated if the crypto-assets world remains completely outside of the scope of regulation.
This is why the decision of European legislators to regulate the issuance of crypto-assets and the provision of crypto-asset services was the right call at the right moment.
Financial regulation and the crypto industry
MiCAR is a significant legislative achievement which places the EU at the forefront of global developments. MiCAR’s strength is its harmonised framework, which is directly applicable in all Member States and regulates the issuance of crypto-assets, in particular asset-referenced tokens (ARTs) and e-money tokens (EMTs), and the provision of crypto-asset services.
A fundamental aspect of MiCAR is the requirement that issuers of ARTs and EMTs and providers of crypto-asset services ensure segregation between their own assets and those of their customers. The absence of such a requirement was one of the main causes of the disruption following the FTX collapse.
MiCAR’s scope of application does not extend to crypto-assets that are already regulated as financial instruments or any other products already subject to existing EU legislation, such as bank deposits.[8] Financial instruments are instead covered by the DLT Pilot Regime Regulation[9].
Indeed, the tokenisation of financial instruments is expected to make trading and post-trading processes more efficient.[10] If coupled with the tokenisation of deposits as a means to settle financial transactions, the cost savings and reduction in operational risk could be material. Moreover, the tokenisation of deposits could also offer a competitive tool for banks to preserve their funding base and enable an efficient credit intermediation process.[11] That is why it is of fundamental importance that the regulatory regime for tokenised deposits, both retail and wholesale, is absolutely clear and any residual uncertainties are eliminated.[12]
Moreover, for reasons I would describe as “structural”, MiCAR explicitly excludes from its scope fully decentralised finance[13] and native cryptocurrencies like bitcoin, given the potential lack of addressees of the regulatory measures and the absence of an issuer.
Bitcoin will be captured by the rules on provisions of services for crypto-assets (such as trading on an “institutionalised” exchange), but the issuance (mining) of bitcoins is outside the regulatory scope of MICAR.
Another aspect that certainly complicates the implementation of financial regulation is what I would call the “deterritorialisation” of financial services. The remote offering of services enabled by technological advances has made it increasingly difficult to identify the jurisdiction in which the provider is located.
As banking supervisors, we are used to dealing with cross-jurisdictional issues[14] (with mixed results perhaps) but it seems that we are now facing a completely novel challenge, namely the disconnection of the provision of financial services from a natural or legal person physically located in a specific place.
Nonetheless, in order to guarantee financial stability, it is crucial that authorities are able to obtain a holistic view of the business of crypto-asset players. This is particularly difficult with DeFi because of the need to aggregate exposures and financial interconnections between “entities” that are not easy to pinpoint in regulatory terms.
The same challenge is also present with respect to crypto centralised finance (CeFi), even if in more traditional exchange platforms (like FTX was) crypto-assets are frequently exchanged off-chain, namely in the ledger of the exchange.
In fact, crypto-asset service providers often operate through a network of entities frequently defined only as members of their “ecosystem”. Mapping the exact perimeter of the FTX group was not an easy task for the special administrator. Whatever names the players use for marketing purposes, it is key that entities connected to each other are subject to accounting consolidation and consolidated supervision.
Crypto finance and the banking sector: setting boundaries and policing interactions
Let me now turn to interactions between crypto finance and the banking sector. It is of the utmost importance for prudential supervisors to draw up clear rules on the relationship between crypto-asset players and traditional financial intermediaries, above all credit institutions, given their fundamental role in the financial system both as issuers of deposits and providers of liquidity to other intermediaries.
In this regard, I believe that regulating interactions between crypto-assets and the banking sector should encompass at least three essential elements: policing the banking sector perimeter; upgrading the prudential assessment of applications for initial authorisation to take into account the provision of crypto-asset services and crypto-assets issuances by banking intermediaries; and prudentially regulating financial interconnections between banks and the crypto-assets world.
Policing the perimeter of authorised banking activities
In accordance with the principle “same activity, same risks, same regulation”, whenever crypto firms start engaging in activities that are reserved for banks, they need to apply for a banking licence and meet the legal requirements for granting such authorisation.
The key question is whether, and when, crypto-asset-related activities actually cross that regulatory threshold.
Identifying what financial services are actually provided, and how, is sometimes a challenge for us supervisors, given the lack of a truly harmonised regulatory framework for financial services in the EU. As outlined by the European Securities and Markets Authority in a 2019 report on crypto-assets, there are significant differences in how Markets in Financial Instruments Directive (MiFID)[15] rules on the definition of financial instruments have been implemented in the Member States.[16]
It is therefore clear that thorough analysis is needed of what financial services are provided in the DeFi space and how they map onto the definition of financial services in the existing legislation, particularly in relation to the banking sector.
The case of stablecoins is interesting not only because they featured prominently in some recent crises[17] but also because, in the context of DeFi, stablecoins are mostly used to settle transactions involving other crypto-assets. The starting point of any discussion should be that stablecoins might be considered a form of private money, with some similarities to bank demand deposits but without all the public safeguards of bank deposits. And given the possibility that stablecoins can lose their peg to the reference currency (in general the US dollar), they are prone to runs, exactly like bank deposits.
That is why, in its 2021 report on stablecoins, the US President’s Working Group on Financial Markets recommended that their issuance should be reserved for firms authorised as depository institutions, i.e. banks.[18] This regulatory recommendation is yet to be implemented by the US legislator.
I believe in this regard that the solution adopted by MiCAR for regulating EMTs (stablecoins pegged to a single official currency) is consistent with this approach insofar as it allows the issuance of EMTs only by credit institutions or e-money institutions.[19] This will preserve the reliability of EMTs and their capacity to actually operate as money with all its fundamental features.
At ECB Banking Supervision we are ready to cooperate with the European Banking Authority (EBA) and the other competent authorities in the colleges of supervisors that will supervise banks issuing EMTs and assess whether further regulatory changes are needed in this regard.
Initial authorisations of banks carrying out crypto business
Another aspect is how to deal with banking licence applications where the business model involves the provision of crypto-asset services.
It is worth mentioning that, when it comes to activities that holders of a banking licence are permitted to carry out, the solution adopted in the EU has always been very close to the universal banking model. Under this solution, credit institutions are allowed to provide all financial services over and above the provision of core banking services – with the exception of insurance services, which have always required a separate authorisation as well as a separate legal entity.[20]
Therefore, in the EU, credit institutions have usually been able to also provide investment services, payments services, etc. without the need for a separate, specific authorisation. They obviously still need to abide by all the sectoral requirements for the specific type of service (for instance, MiFID suitability requirements for investment advice) and are subject to supervision by the competent sectoral authority (if different from the prudential banking authority).
The rationale behind this approach is that, given the fundamental economic functions they perform, credit institutions have historically been the most strictly regulated financial intermediaries and as such can provide all the other financial services. Unsurprisingly, this is also the solution adopted in MiCAR, pursuant to which credit institutions do not need a specific authorisation to issue tokens or provide crypto services but are subject to sector-specific supervision, alongside the usual prudential supervision.[21]
In this regard, I believe that the assessment of an application for initial authorisation of a credit institution whose business model is characterised by significant crypto-asset activities will have some distinctive features.
We have not had a specific case yet, but it is foreseeable that in the near future, partly due to MiCAR coming into force, there will be innovative companies with significant crypto-asset activities that will apply to be authorised as credit institutions.
Until now we have only dealt with crypto-asset authorisations for German credit institutions, because the provision of crypto-asset custody services and other crypto services requires a formal expansion of the banking licence under German law. We are tasked with issuing authorisations for all credit institutions, both significant – under our direct supervision – and less significant.[22] We have therefore gained some experience in dealing with authorisations of the provision of crypto-asset services, and last year we published the supervisory criteria we use for licensing banks engaging in crypto-asset activities.[23]
We explained that in assessing such applications we will be paying particular attention to the following aspects: the overall business model of the credit institution and its sustainability; the internal governance and risk management of the credit institution and its capacity to assess specific crypto-asset risks; and the fit and proper assessments, where we expect the credit institution to have board members and key function holders with specific and in-depth knowledge of digital finance. We will also be working very closely with the competent AML authorities to assess the AML/CTF risk profiles of the banks.
Going forward, I would imagine the specific national competent authorities provided for by MiCAR, whether they are newly created or existing supervisory authorities, will also be an important partner for us in the assessment of bank licence applications from crypto-asset service providers.
Prudential regulation of linkages between the banking sector and crypto finance
The third and final issue I would like to touch upon is how to supervise and regulate direct financial linkages between credit institutions and crypto finance.
There are two aspects to this. The first relates to the liabilities side of banks’ balance sheets and was thrown into sharp relief earlier this year by the crisis involving some mid-sized US banks with strong links to the tech industry and crypto-asset providers.[24] The other aspect concerns the assets side of banks’ balance sheets and their holdings of crypto-assets.
As far as the first aspect is concerned, systemic risk can arise from the high correlation between deposits held by various crypto companies at the same bank or at different banks. In particular, deposits of crypto-asset issuers may show significant volatility and be prone to coordinated runs.[25] Moreover, when such deposits make up a material share of a bank’s funding, they may hinder or impair its resolution strategy and require extraordinary measures to prevent contagion.
In this regard, it is worth looking at the provisions of MiCAR that require at least 60% of reserves for significant asset-referenced tokens to be held in bank deposits.[26] While understandable as an investor protection device, this may potentially have unintended consequences from a financial stability perspective.
Some banks will most probably specialise in relationship banking with issuers of stablecoins. However, it will always be particularly important that credit institutions monitor the diversification of their deposit base – not only in terms of individual counterparties but also in terms of sectors – while not relying, beyond their prudently set risk tolerance level, on volatile deposits, especially those of crypto-asset players.
As supervisors, we will also assess very closely the risk of sectoral concentration of the deposit base. In this regard, it is of fundamental importance that the relevant MiCAR delegated technical standards[27] include a prudent calibration of the single-name concentration limit and that issuers are required to define a credit risk tolerance level for their banking counterparties.
It is also important that issuers, and especially significant issuers, are obliged to maintain an effective risk management function. Issuers mostly deal with financial and operational risks, and the sound management of those risks requires adequate human and technical resources.
The second aspect concerns credit institutions’ direct exposures to crypto-assets. Here, we are in a more familiar territory as banking supervisors, at least when it comes to the treatment of credit and market risk. The classic response of banking regulation to the default risk of a borrower has always been to impose capital requirements and exposure limits.
At the end of last year, the BCBS issued a standard on capital requirements for banks’ direct exposures to crypto-assets.[28] The standard is not yet legally binding and needs to be transposed into EU law by 1 January 2025, but we already expect banks to take it into account in their business and capital planning.[29]
The standard divides crypto-assets into two groups. Tokenised traditional assets and stablecoins with effective stabilisation mechanisms that meet stringent classification conditions will absorb the same amount of own funds as their reserve assets or the assets they refer to, with the possibility for supervisors to impose add-ons. The second group, which comprises the riskiest forms of crypto-assets, will be risk-weighted at 1,250%, which basically means that banks must maintain capital resources for the same amount as the entire value of the exposure. Holding limits will also apply to this second group of assets.
One aspect that concerns us at the moment is the possibility of circumventing the soon-to-be-applicable prudential regulatory framework. In fact, if crypto-asset service providers controlled by banks are not within the scope of their prudential consolidation, the BCBS standard and especially the exposure limit may become ineffective.
It is worth recalling that we apply prudential requirements on a consolidated basis and also other financial companies fall within the perimeter of consolidation of banking groups. Their exposures contribute to the definition of the consolidated capital requirement that credit institutions need to fulfil.
As things stand at the moment, we consider it very difficult to include in the scope of prudential consolidation a subsidiary of a credit institution established as a crypto-asset service provider (CASP). This is due to the definition of financial institutions required to be included in the scope of prudential consolidation under the CRR.[30] Including CASPs in the scope of prudential consolidation of banking groups by modifying the definition of financial institution needs to be considered as a matter of urgency.
I am convinced that in the next few years supervisory authorities will face a steep learning curve on how best to deal with the interaction between credit institutions and crypto-assets. And this learning process will be challenging, since attracting sufficient staff with the necessary technical skills will not be easy.
Conclusion
It is my firm belief that the fundamental features of modern financial markets, with credit institutions playing a key part owing to their central role in the process of money creation, need to be preserved. And I see no reason why the key features of this institutional framework should hold back the benefits of the latest technological advances.
I am not persuaded by the argument that innovation can thrive only outside the scope of regulation and supervision and that we should create a space outside the official financial sector for innovative firms to experiment without any need to comply with fundamental prudential, conduct and AML/CFT requirements. When the core function of a firm is dealing with other people’s money, and especially when its services mimic key banking products, such as deposits and payments, there need to be sufficient protections of the safety of the business and the stability and integrity of the market.
This is an area that requires our particular attention so we can deliver adequate regulatory and supervisory solutions. For instance, mixed-activity groups (groups of undertakings offering both financial and commercial services) operating on a cross-border basis and reaching millions of clients may raise level-playing-field concerns and pose a threat to overall financial stability.
Regulation often comes late, sometimes too late to repair the damage that has already been done.
There is a clear parallel here with Hegel’s description of philosophy which arrives too late to provide “instructions on how the world ought to be”. This is because it deploys its analytical tools (“it appears”) only after reality has gone through its formative process and has already attained its “completed state”: like the owl of Minerva, philosophy “begins its flight only with the onset of dusk”.[31]
But we cannot afford to be too late or too lenient out of a misguided fear of hindering innovation or hampering the competitive position of our financial marketplace.
Even though we will always be playing catch-up, it is of fundamental importance that the flight of regulation and supervision of crypto finance starts, indeed has already started, much earlier than at “the onset of dusk”.
Thank you very much for your attention.
