Article

Conceptualizing an Institutional Framework to Mitigate Crypto-Assets’ Operational Risk

1 Department of Information Technology, National Institute of Bank Management, Pune 411048, India
2 National Payments Corporation of India, Mumbai 400051, India
3 Birla Institute of Management Technology, Greater Noida 201306, India
* Author to whom correspondence should be addressed.
J. Risk Financial Manag. 2024, 17(12), 550; https://doi.org/10.3390/jrfm17120550
Submission received: 28 October 2024 / Revised: 22 November 2024 / Accepted: 29 November 2024 / Published: 9 December 2024

Abstract:

Extant ecosystems of crypto financial assets (crypto-assets) lack parity and coherence across the globe. This asymmetry is further heightened by a knowledge gap in operational risk management, wherein the global landscape of crypto-assets is characterized by unprecedented external risks and internal vulnerabilities. In this study, we present a critical examination and comprehensive analysis of current crypto-asset operational guidelines across geographies. We benchmark these guidelines against the Basel Committee on Banking Supervision (BCBS) risk classification framework for crypto-assets, identifying gaps in operations across organizations. We hence conceptualize a novel institutional framework which may help in understanding and mitigating the gaps in the regulation of crypto-assets’ operational risks. Our proposed Crypto-asset Operational Risk Management (CORM) framework determines how the operational risk associated with the crypto-assets of financial institutions can be mitigated in response to the increasing demand for crypto-assets, cross-border payments, electronic money, and cryptocurrencies across countries. Applicable to firms irrespective of their size and scale of operations, CORM aligns with global regulatory initiatives, facilitating compliance and fostering trust among stakeholders. Strengthening our argument for CORM’s applicability, we present its efficacy in the form of alternative hypothetical outcomes in two distinct real-life cases wherein crypto-asset exchanges succumbed to either external risks, such as hacking, or internal vulnerabilities. It paves the way for future regulatory response with a structured approach to addressing the unique operational risks associated with crypto-assets. The framework advocates for collaborative efforts among industry stakeholders, ensuring its adaptability to the rapidly evolving crypto landscape. It further contributes to the establishment of a more resilient and regulated financial ecosystem, inclusive of crypto-assets. By implementing CORM, institutions can navigate the complexities of crypto-assets while safeguarding their interests and promoting sustainable growth in the digital asset market.

1. Introduction

In recent years, cryptocurrencies have become one of the most intriguing investment opportunities. A growing number of wealth managers and institutional investors are getting ready to make cryptocurrency investments in the upcoming years as prices continue to rise. The global crypto-asset management market is anticipated to grow at a compound annual growth rate (CAGR) of 25.50% from 2022 to 2029, reaching USD 2801.87 million (Data Bridge Market Research 2022). Figure 1 shows the market for crypto-assets as a percentage of market value.
Following the FTX scandal in 2022, cryptocurrencies went through a bubble akin to the dotcom bubble of the twenty-first century (KPMG 2022b). Similar to how euphoric speculation caused dotcom company valuations to soar before plummeting, the unexpected surge in interest in cryptocurrencies and other crypto-assets has made them a regular feature in news stories worldwide. Based on blockchain technology, a variety of crypto-assets, including cryptocurrencies, fungible tokens, non-fungible tokens, and central bank digital currencies (CBDCs), have been created and embraced globally. The majority of the analysis is still abstract; however, 90% of central banks worldwide are currently assessing the benefits and hazards of issuing a CBDC (RBI 2022). Central bankers must consider a number of potentially destabilizing concerns before deciding to enter the digital currency race. It is true that there is a race to determine the future of money, currency, and payments and that authorities from all over the world must be clear and consistent. CBDCs provide a distinctive substitute for cryptocurrencies. Central banks issue, oversee, and support CBDCs, in contrast to the decentralized nature of cryptocurrencies. This indicates that they provide an extra degree of protection and trust and are backed by the government. CBDCs are a possibly more effective and economical alternative to cryptocurrencies since they can also be used to enable payments and transactions between banks. Additionally, by increasing transaction transparency and traceability, CBDCs can give governments greater insight into financial activity. In the end, if created on a blockchain, CBDCs can be categorized as crypto-assets. They provide a safe and regulated substitute for cryptocurrencies and give central banks a new avenue to communicate with their citizens.
As we commence with mapping the existing regulations for crypto-assets across the USA, Europe, Saudi Arabia, China, and India, we identify gaps in terms of risk mitigation mechanisms. This gap is persistent in terms of operational risk, i.e., the risk of loss caused by weak processes, people, or systems. It is further magnified by systemic risks associated with financial institutions, including legal risks and information technology risks. Though actual and potential operational risk events are assessed for their reputational, regulatory, and operational impacts, we underscore the need for a framework which may be adopted for managing operational risk, similar to a commercial bank’s risk management program (KPMG 2022a). While we draw similarities between the operational risk of crypto-assets and the operational risk built into all banking products, activities, processes, and systems, we conceptualize a framework to determine how operational risk can be mitigated in response to the increasing demand for crypto-assets, cross-border payments, electronic money, and cryptocurrencies. In this process, we analyzed the development and evolution of the operational risk types relevant to crypto-assets.

Timeline of Risk Management Failures in Crypto-Assets

We observe that the biggest risk from an operational standpoint is storage loss. Cryptocurrency addresses are controlled by cryptographic keys, not by coins. If the keys are revealed or control over them is lost even briefly, the funds linked to a specific address may be lost entirely. Several incidents in the recent history of crypto-assets illustrate this operational risk. For example, when Mt. Gox fell in January 2014, 850,000 bitcoins were destroyed (Trust 2024). Since Ethereum’s 2016 introduction, additional platforms have been able to develop their own coins and use smart contracts; Cardano, Tezos, and Neo adopted this model in 2016. In January 2018, Coincheck, a cryptocurrency exchange based in Tokyo, was robbed of $530 million. The thieves exposed Coincheck’s security by stealing funds from its “hot wallet” (Buck 2018). In August 2021, more than $600 million was taken from Poly’s decentralized finance platform (Gagliardoni 2021). Additionally, a tweet urged the project’s developers to donate $33 million in Tether. In December 2021, BitMart was compromised (Thurman 2021): security firms reported that BitMart addresses had been drained, and $96 million worth of cryptocurrency was moved via the Binance Smart Chain. Etherscan labelled the address “BitMart Hacker”. Also in December 2021, a front-end attack on the Badger DAO (Decentralized Autonomous Organization) led to a $120 million Bitcoin and Ethereum theft by permitting an Externally Owned Account (EOA) to obtain infinite token approvals. After discovering that user addresses were being drained, Badger suspended its smart contracts, and the fraudulent transactions stopped failing only after two hours and twenty minutes. One effective security technique is the use of specialist key-storing hardware, such as hardware wallets and hardware security modules (HSMs). However, hardware solutions are not perfect. Security measures also include compartmentalizing funds and using multi-signature wallets.
Mining-power centralization presents a systemic risk in addition to the operational risk of storage loss since it may result in blockchain and currency manipulation. In October 2022, for example, Binance was hacked for $570 million, which is considered to be one of the largest attacks in the history of cryptocurrencies. A hack of the Binance Smart Chain network resulted in the withdrawal of 2 million Binance Coins (BNB) and the creation of additional Binance Coins (Livni 2022). Binance, a cryptocurrency exchange, has its own token, BNB. Because the incident stemmed from a smart contract flaw, blockchain security needs to be strengthened. The ramifications of crypto-assets for policy are hotly debated. We further probe and map the operational risks to arrive at mitigation strategies and the conceptualized framework.
Our research is presented in the following Section 2, commencing with a review of existing literature on operational risk in crypto-assets. In Section 3, we map the evolution of crypto-assets’ regulatory ecosystem. Thereafter, in Section 4, we describe recent incidents that have exploited operational risks of crypto-assets. In Section 5, we discuss global initiatives to manage risks and associated risks that have been observed. In Section 6, we propose a framework for managing operational risks associated with crypto-assets. Finally, we discuss the application, limitations, and scope of our framework.

2. Review of Literature

As financial markets become more complex, inter-linked, and sophisticated, we refer to extant research on risks associated with financial assets to unravel their antecedents, relevant theories, and implications. Seminal literature defines risk as an “exposure to a proposition of which one is uncertain”, thus requiring both exposure and uncertainty of outcomes (Holton 2004). Broadly classified into the categories of systematic risk and unsystematic risk, the scope, impact, and mitigation strategies vary widely. The focus of empirical models for assessing risks is dependent on probabilistic and quantitative estimation of externalities. This includes the probabilistic approach of Knight (1921), Markowitz’s (1976) theory of portfolio selection, and the market-benchmarked capital asset pricing model of Fama and French (1993). Present research on crypto-assets, specifically cryptocurrencies, has adopted similar approaches, with quantitative models of risks and returns, hedges, spreads, and network effects with other asset classes like gold, crude oil, etc. (Chan and Nadarajah 2020; Almeida et al. 2022; Almeida and Gonçalves 2022). There remains an evident gap in understanding the business-specific risks of crypto-assets. This is pertinent since measures of portfolio efficiency for traditional financial assets have been empirically shown to be inefficient in the case of crypto-assets (Juskaite et al. 2024).
Seminal research by Lintner and Fama has, however, reduced unsystematic risks, i.e., risks unique to a business or industry and pertaining to factors within the asset class, to residuals of asset-pricing models, explaining them to be uncorrelated with returns (Beja 1972). This has been addressed in the previous decades, wherein unsystematic risks have included compliance risk, reputational risk, security risk, competition risk, governance risk, strategic risk, technological risk, and operational risk (Blackman 2014; Boitnott 2022; Christiansen 2021). The literature suggests that these are risks which can be mitigated, thus paving the way for business resilience. We note that while the market risks of crypto-assets have gained attention, operational risks, i.e., “uncertainty related to losses resulting from inadequate systems or controls, human error or management” (Moosa 2007), emerge as a persistent problem for crypto-assets, resulting in massive losses, as discussed in Section 1. We refer to the Copernican shift in the perception and estimation of operational risks for financial assets due to the reforms of Basel II while probing the context of crypto-assets (Power 2005).
As the definition of operational risk continues to be nebulous, the Commonwealth Bank of Australia (1999) defined it as “all risks other than credit and market risk, which could cause volatility of revenues, expenses and the value of the Bank’s business”. In another contemporary definition by the Reserve Bank of New York (Shepheard-Walwyn and Litterman 1998), operational risk is defined as “a general term that applies to all the risk failures that influence the volatility of the firm’s cost structure as opposed to its revenue structure”. We therefore note that operational risks may affect both the revenue and the cost incurred in a business. Drawing parallels to the financial asset class, operational risks such as loss of storage, security threats, compliance and tax issues, cyber threats, etc., have been affecting crypto-asset classes. However, empirical models and mitigation strategies are insufficiently researched in the context of crypto-assets.
Peters et al. (2016) had one of the earliest discussions on operational risks in the domain of cryptocurrencies. Referring to the Basel II and III banking regulations applicable to virtual and cryptographic assets, the authors stated that operational risks are “not incidental” but “fundamental” for crypto-assets, especially when they are accepted and commence interacting with banking channels and financial networks. Citing the definition of operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events”, as stated in Basel II, Peters et al. (2016) claim that the risk will be accentuated as crypto-assets become more active. Tetiana et al. (2022) substantiate this by stating that operational risks have been influenced and heightened by “bull runs” of crypto-assets. This presents a significant void in the literature since the crypto-assets market has experienced exponential growth (see Figure 1), but there is a dearth of insights on the extent and potency of its operational risks (CoinMarketCap 2024).
Citing recent research by Juskaite et al. (2024), we underscore that lack of knowledge pertaining to operational risks has led the investor to underestimate the risk. While empirical studies have applied portfolio optimization on the risk and return of crypto-assets, the research shows that the results may not conform to traditional financial assets (Juskaite et al. 2024). As explained by Mueller et al. (2023), this may be due to idiosyncratic levels of operational risk associated with crypto-assets and their diverse interactions with financial institutions.
Though technological infrastructure, the security assumptions of cryptographic software, open-source governance, digital asset custody, digital asset valuation, and code maintenance have been cited as sources of operational risk, the lack of regulatory auditing and the nascent stage of cloud forensics remain insufficiently explored in the scientific literature (Zhao and Duncan 2018; Ikeno et al. 2022; Ward 2023). Theoretically, while operational risk is well researched, its antecedents, measures, and implications for crypto-assets are insufficiently covered in the literature. We address this research gap by mapping the operational risks of crypto-assets and conceptualizing an institutional mitigation framework based on uncertainty theory (Liu 2009). Unlike probability theory (Kolmogorov 1963), which deals with finite outcomes, uncertainty theory, applied in the context of operational risks in crypto-assets, posits that there may be infinite outcomes with respect to the prevailing diverse risks. In a novel approach to exploring uncertainty theory beyond mathematical representations, we propose a framework which is able to address the lack of information about crypto-assets’ operational risks by (i) defining uncertain variables in terms of operational risks unique to crypto-assets, (ii) mapping the potentially impacted party, (iii) mapping the operational risk pillar as per Basel Operational Risk (Loss Category 1), (iv) indicating the loss effect as per the Basel Framework, and (v) proposing a mitigation approach.

3. Crypto-Asset Ecosystem and Its Evolution

A crypto-asset can be considered as “a digital portrayal of value, which may be provided by a financial institution or a central bank, or any private entity or a decentralized software driven network, which is secured and transacted using cryptographic means” (Lam and Lee 2015). Such crypto-assets may be used in certain situations in place of lawfully offered funds. They could also be physically depicted through items like metal objects with engravings or paper printouts. A form of anonymous cryptographic electronic money was first proposed by American cryptographer David Chaum in a conference paper published in 1983. It was envisioned that a currency could be transmitted untraceably and without the involvement of centralized entities (such as banks). Chaum developed Digicash as a prototype cryptocurrency in 1995 based on his early ideas. A white paper describing the functioning of the Bitcoin blockchain network was published by Satoshi Nakamoto on 31 October 2008. On 22 May 2010, cryptocurrency was used to purchase something tangible for the first time, a day now known as “Bitcoin Pizza Day”. A fork of Bitcoin, Litecoin, appeared in October 2011 and was soon the second-largest cryptocurrency by market capitalization. Digital currency is highly attractive to criminals because of its anonymity and lack of centralized control. China banned transactions using cryptocurrency in 2019 and started pilots of the Chinese central bank digital currency (CBDC), the e-yuan, in the country from 2020 (Felix and Baker 2023).
A legal tender system for Bitcoin was introduced in El Salvador (PwC 2022) in September 2021. A variety of financial services activities are being executed using smart contracts that are based on blockchain technology. Decentralized finance (DeFi) has been attracting the attention of technology developers, investors, and financial institutions. A number of new crypto-asset markets have already been enabled by DeFi protocols on public blockchains, including borrowing and lending, as well as decentralized exchanges. The technology could facilitate transactions in real-world assets such as stocks, currencies, and bonds. Real-world assets will need to be represented digitally, or via tokens, so that they can be added to the blockchain. DeFi protocols may provide issuers, investors, and financial institutions with significant cost savings and new business opportunities for tokenizing real-world assets for transacting through them.
Figure 2 and Table 1 provide a list of participants in the crypto-asset ecosystem, with examples identified by platform, institution, or service names (Roy et al. 2023).

3.1. Global Initiatives to Manage Risk Associated with Crypto-Assets

The regulatory focus on digital assets has significantly increased in the last few years, and this trend is expected to continue. Market capitalization and volatility rose quickly as institutional and retail adoption grew. Consumer trust has been damaged by recent high-profile cryptocurrency company failures, fraud, scams, and improper handling of client assets. Because of this, regulators have come into sharper focus. The below Figure 3 (Thomson Reuters 2022) depicts the status of crypto-asset regulations globally:
To guarantee improved consumer protection, a prompt and comprehensive global regulatory policy approach and supervisory structure are required. There are two primary categories into which the regulations fall:

3.1.1. Category 1: New Regulations for Holding Crypto-Assets by Regulated Entities

To determine whether a bank’s exposure to a crypto-asset will be allocated, the Basel Committee on Banking Supervision (BCBS) established criteria in its second consultation on the prudential treatment of crypto-asset exposures in December 2022 (Basel Committee on Banking Supervision 2022). Every right and duty associated with the cryptocurrency asset is well defined and enforceable by law. Whether it is a tokenized traditional asset or has a strong stabilizing mechanism that ties its value to a traditional asset, this also involves settlement finality. According to the standard, crypto-assets shall be continuously categorized into two groups, Group 1 crypto-assets: Group 1a crypto-assets which include tokenized traditional assets and Group 1b crypto-assets with efficient stabilizing mechanisms. Group 1 crypto-assets are subject to Basel Framework capital requirements, which are determined by the risk weights of the exposures in the portfolio. Group 2 comprises unbacked crypto-assets. Hedging-recognition criteria are used to identify which Group 2 crypto-assets (Group 2a) can be hedged and which (Group 2b) cannot. Table 2 below lists the financial and non-financial risks related to crypto-assets that were noted in the December 2019 (Basel Committee on Banking Supervision 2022) discussion paper published by BCBS.
Crypto-assets, including the networks on which they operate, are expected to adequately mitigate material risks. It is necessary to control and oversee the organizations and processes that handle and process crypto-assets, or to subject them to suitable risk management protocols. “A risk-based approach to virtual assets and virtual asset providers was published by the Financial Action Task Force (FATF) in October 2021” (FATF 2021). Virtual Asset Service Providers (VASPs) can use this document to better understand and fulfill their anti-money laundering (AML) and counter-terrorism financing (CTF) obligations, and it also assists authorities in creating regulatory and supervisory standards for virtual asset operations.
The German government was one of the first to grant legal certainty to financial institutions, allowing them to hold bitcoin assets (Federal Financial Supervisory Authority (BaFin) 2024). As per the regulations, only authorized exchanges and custodians are permitted to purchase or trade crypto-assets, and the German Federal Financial Supervisory Authority (BaFin) requires companies to be licensed. In the UK, the Cryptoassets Taskforce is composed of the Financial Conduct Authority (FCA), the Bank of England, and HM Treasury (Cryptoassets Taskforce 2018). Regulations created especially for crypto-assets by the FCA address CFT, AML, and know your customer (KYC). Restrictions have also been put in place to protect VASPs, but care has been taken to avoid limiting innovation. Cryptocurrency exchanges need to register with the FCA if they have not already filed for an e-money license. Cryptocurrencies are subject to activity-based taxes and are not considered legal tender. The FCA has banned the trading of bitcoin derivatives.

3.1.2. Category 2: Classifying Crypto-Assets to Be Financial Products That Are Currently Regulated and Expanding That Regulation to Include Other Ecosystem Components

“Cryptocurrency is a security covered by Israel’s securities laws, according to a ruling by the Israeli Securities Authority” (Israel Securities Authority 2018). The agency has issued warnings to the public about the risks of cryptocurrency. FATF’s position on AML/CFT rules is comparable to that of the Israel Money Laundering and Terror Financing Prohibition Authority. Cryptocurrencies are considered assets by the Israel Tax Authority, which also mandates a 25% capital gains tax.
A warning “against dealing or investing in Crypto Assets including cryptocurrencies as they are not recognised by legal entities in the kingdom” has been issued by the Saudi Arabian Monetary Authority (SAMA) and its Ministry of Finance of Government of Saudi Arabia (2019). They are outside the scope of the regulatory system and are not traded by regional financial institutions.
The regulatory landscape surrounding cryptocurrencies in the US is evolving, despite agency overlap and differing viewpoints. Divergent interpretations and guidelines have been issued by the Financial Crimes Enforcement Network (FinCEN), the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the Federal Reserve Board, which are all considered to be the most powerful regulatory agencies. The SEC consistently views cryptocurrencies as securities; “the Treasury calls bitcoin a currency, and the CFTC calls it a commodity” (Commodity Futures Trading Commission 2020). The Internal Revenue Service (IRS) defines cryptocurrency as “a digital representation of value that serves as a medium of exchange, a unit of account, and/or a store of value” and has published tax guidance accordingly.
Cryptocurrencies are governed by the Monetary Authority of Singapore (MAS 2020). Both traditional and cryptocurrency payments and exchanges are governed by the Payment Services Act of 2019. The Securities and Futures Act also governs the issuance of digital tokens.
The Indian legislative council adopted the taxation laws on virtual digital assets (VDAs), often known as the crypto tax, as suggested in the Budget 2022–2023 by approving the Finance Bill 2022. The tax rate on cryptocurrency assets is 30%. A bill is now being drafted by the Indian government. At the G20 summit in 2023, which India hosted, this problem was a key topic of discussion. The draft “Banning of Cryptocurrency & Regulation of Official Digital Currency Bill 2019” (Press Information Bureau 2019) forbids the use of cryptocurrencies as legal tender or currency. Furthermore, it is forbidden to mine, keep, sell, deal in, issue, dispose of, or utilize cryptocurrencies (Press Information Bureau 2019). Mining aims at creating cryptocurrencies and/or verifying buyer–seller cryptocurrency transactions.

4. Associated Risks with Crypto-Assets

The Basel Committee has identified several types of operational risk events, as shown in Table 3, which have the potential to result in substantial losses. The current risk management practices of financial institutions with reference to virtual assets and crypto-asset management have been examined in this article. It is critical to recognize that operational risk addresses outside variables like unforeseen circumstances and human error. Global risk classification and an understanding of the workings of crypto-asset and service providers are crucial. Table 4 illustrates the key risk pillars that define crypto-assets (Roy et al. 2023). This table provides a comprehensive summary of the operational risk pillars associated with crypto-assets, detailing the various risks that financial institutions may encounter in this domain. The table categorizes risks into seven distinct pillars: Business Model, Technology, Custody and Security, Market Access and Data, Confidentiality and Privacy, Compliance and Tax, and Centralization. Each risk is described in terms of its implications, such as unauthorized transactions, system errors, and the need for robust security measures throughout the lifecycle of private keys. The benefits of this table are manifold: it enhances clarity and structure in understanding the complex landscape of operational risks, raises awareness among stakeholders, and serves as a guide for developing targeted risk mitigation strategies. Furthermore, it facilitates compliance with regulatory requirements and supports informed decision-making by helping institutions prioritize their risk management efforts. Overall, Table 4 acts as a vital resource for financial institutions navigating the operational risks inherent in the crypto-asset ecosystem, promoting effective risk management practices and fostering a safer operational environment.

5. Crypto-Assets Operational Risk Mitigation Framework (CORM)

A thorough analysis has led to a unified framework for managing crypto-asset operational risk with a mitigation approach. The framework has been named Crypto-asset Operational Risk Management (CORM) and is represented in Figure 4. It will be used to determine how the operational risk associated with the crypto-assets of financial institutions can be mitigated in response to the increasing demand for crypto-assets, cross-border payments, electronic money, and cryptocurrencies.
This framework is comprehensive and combines qualitative and quantitative analyses to assess risks systematically while providing guidance for mitigation. The components of the CORM framework have been classified into three broad categories—qualitative, quantitative, and derived. Each category has been associated with the factors which help in identification, classification, detailing, assignment, and mitigation of operational risk associated with crypto-asset. Together, these components provide a structured approach to analyzing, quantifying, and mitigating risks in the context of digital assets. The qualitative component and quantitative component provide the foundational analysis of risks, considering both subjective (qualitative) and objective (quantitative) factors. The derived component consolidates insights from the other two components into actionable risk pointers. Each risk is assessed in terms of its nature (uniqueness), affected parties, and mitigation strategies and is then quantified to evaluate its potential impact.
Qualitative components focus on the descriptive aspects of the framework, emphasizing the nature of risks and the context in which they occur. Operational risk with crypto-assets identifies the specific operational risks that are unique to crypto-assets, such as risks related to market risk, internal fraud, hard fork, storage, transaction processing, regulatory compliance, etc. Uniqueness to crypto-assets indicates whether the identified risks are specific to crypto-assets or if they are applicable to all financial instruments. Impacted party outlines the stakeholders affected by the operational risks, which include financial institutions, customers, and regulators. Mitigation approach outlines the strategies and measures that can be implemented to mitigate identified operational risks. It includes creation of a detailed plan with the best practices for risk management, such as robust security protocols, compliance measures, and incident response plans. The CORM framework serves as a comprehensive guide for financial institutions to navigate the complexities of operational risks associated with crypto-assets, ensuring that they can effectively manage these risks while complying with regulatory requirements and maintaining stakeholder trust.
Quantitative components involve measurable aspects of the framework, focusing on the assessment and evaluation of risks. Loss effect as per the Basel framework describes the potential impact of the identified risks, aligning them with the loss categories defined by the Basel framework. This can be computed in terms of potential value loss for the institution if risk is not mitigated. Thus, it can assist senior management to understand the potential of risk and take decisions accordingly to mitigate said risk. Under the Basel framework, financial institutions assess loss effects through quantitative and qualitative methods, such as Basic Indicator Approach (BIA), where operational risk capital is calculated as a fixed percentage of the institution’s annual gross income; Standardized Approach (SA), where operational risk capital is determined by dividing business lines and applying specific risk factors; and Advanced Measurement Approach (AMA), where institutions use internal data, risk control indicators, and loss event models to estimate potential losses. Institutions also use historical data and risk assessments to identify and mitigate potential loss events proactively. The loss effect ultimately serves as a key metric for calculating the capital reserves required to cover operational risks, ensuring institutions maintain financial stability and resilience against potential disruptions.
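As an added worked example (not code from the paper), the BIA and SA capital charges named above, computed for a constructed institution whose crypto custody income is mapped to the agency services business line and whose crypto trading income to trading and sales. The 15% alpha and the business-line betas are the Basel II calibration, not figures from the page; all income and loss amounts are constructed.

```python
"""Operational-risk capital charge under the Basel II Basic Indicator Approach (BIA)
and Standardised Approach (SA), compared against a constructed crypto loss event.

Added example. Alpha and betas follow the Basel II text (assumed correct here);
every income and loss figure below is constructed, in USD millions.
"""
from typing import Dict, List

ALPHA = 0.15  # BIA: fixed share of average positive annual gross income (Basel II)

# SA: beta per Basel II business line. A custody service for crypto-assets maps
# to agency services; proprietary crypto trading maps to trading and sales.
BETAS: Dict[str, float] = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}


def bia_capital(gross_income: List[float]) -> float:
    """BIA charge: alpha times the average gross income over the last three years.

    Years with zero or negative gross income are excluded from both the
    numerator and the denominator, as Basel II requires.
    """
    positive = [gi for gi in gross_income if gi > 0]
    if not positive:
        return 0.0
    return ALPHA * sum(positive) / len(positive)


def sa_capital(gi_by_year: List[Dict[str, float]]) -> float:
    """SA charge: three-year average of the yearly sum of beta * gross income per line.

    Within a year a negative line (loss-making business) may offset positive
    lines, but a negative yearly total enters the average as zero. Unlike BIA,
    every year counts in the denominator.
    """
    yearly: List[float] = []
    for year in gi_by_year:
        charge = 0.0
        for line, gi in year.items():
            if line not in BETAS:
                raise KeyError(f"unknown Basel II business line: {line}")
            charge += BETAS[line] * gi
        yearly.append(max(charge, 0.0))
    return sum(yearly) / len(yearly)


def loss_effect(capital: float, loss: float) -> Dict[str, float]:
    """Compare an unmitigated loss scenario with the capital held against it.

    Returns the shortfall (zero when the charge covers the loss) and the
    coverage ratio, the kind of figure senior management would weigh when
    deciding whether a risk must be mitigated rather than absorbed.
    """
    return {
        "shortfall": max(loss - capital, 0.0),
        "coverage": capital / loss if loss > 0 else float("inf"),
    }


# Constructed three-year history: the final year is a loss-making "crypto winter".
SAMPLE_GI_BY_YEAR: List[Dict[str, float]] = [
    {"trading_and_sales": 40.0, "agency_services": 50.0, "retail_banking": 30.0},
    {"trading_and_sales": 60.0, "agency_services": 60.0, "retail_banking": 30.0},
    {"trading_and_sales": -80.0, "agency_services": 30.0, "retail_banking": 20.0},
]
SAMPLE_TOTAL_GI: List[float] = [sum(y.values()) for y in SAMPLE_GI_BY_YEAR]  # 120, 150, -30
SAMPLE_HOT_WALLET_LOSS = 25.0  # constructed: a hot-wallet theft scenario


def run_example() -> Dict[str, float]:
    """Compute both charges for the constructed institution and the loss effect of the scenario."""
    bia = bia_capital(SAMPLE_TOTAL_GI)      # 0.15 * (120 + 150) / 2 = 20.25
    sa = sa_capital(SAMPLE_GI_BY_YEAR)      # (18.3 + 23.4 + 0) / 3 = 13.9
    return {"bia": bia, "sa": sa, **{f"bia_{k}": v for k, v in loss_effect(bia, SAMPLE_HOT_WALLET_LOSS).items()}}


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name:>14}: {value:8.2f}")
```

The third year shows the two methods diverge: BIA simply drops the negative year, while SA lets the trading loss offset custody income and floors that year at zero.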
Derived components are the outcomes or strategies derived from existing global regulatory frameworks such as Basel and the Financial Stability Board (FSB), which act as references for building mitigation and management solutions. This classification helps in understanding the CORM framework's structure and its approach to managing operational risks associated with crypto-assets, facilitating a comprehensive risk management strategy for financial institutions. Basel operational loss pillar refers to the categorization of risks according to established frameworks, such as the Basel operational risk framework, which helps in identifying and classifying the types of operational risk. The identified risk pillar associated with crypto-assets links the operational risk identified for a crypto-asset with the risk pillar that global regulators have defined for crypto-assets. This linkage maps the definitions of risk onto current regulatory guidelines, which is crucial in the rapidly evolving landscape of crypto-assets.
Appendix A illustrates the applicability of the CORM framework to the current crypto-asset ecosystem and its participants. CORM analyzes emerging risks, maps them to the established Basel risk framework, and provides mitigation strategies. Mitigation approaches of this kind increase trust, compliance, and stability of crypto-asset management in financial institutions that use crypto-assets for payment, investment, asset allocation, and portfolio management. CORM is tailored to identify and assess risks tied specifically to crypto-assets, such as key management vulnerabilities, blockchain disruptions, and transaction irreversibility; risk management frameworks such as Basel III, designed for traditional assets, do not fully address these areas. CORM provides crypto-focused mitigation techniques such as multi-signature wallets, decentralized governance for decision-making, and specific key management policies, whereas the mitigation strategies of Basel III lack specificity for decentralized and cryptographic asset environments. With CORM, institutions obtain guidance on advanced security practices such as hardware-based cryptographic key storage, which is crucial for securing digital assets; Basel III lacks such measures because it assumes centralized asset control. CORM also accommodates the decentralized and rapidly evolving nature of the crypto landscape by allowing flexibility in managing crypto-specific risks such as hard forks or software vulnerabilities, whereas Basel III is more rigid, focusing on structured financial risks in regulated settings. Finally, CORM includes compliance and regulatory practices adapted to crypto-assets, helping institutions navigate legal ambiguities, tax compliance, and KYC/AML in a largely unregulated market, whereas Basel III assumes a regulated environment and is therefore less applicable in the crypto space.
The CORM framework thus helps financial institutions by offering a tailored approach to managing the heightened risks of crypto-assets, facilitating compliance, safeguarding asset integrity, and fostering institutional resilience against cyber, privacy, and fraud risks in this emerging asset class.
The CORM framework provides a distinct and more comprehensive approach to managing the operational risks associated with crypto-assets than the existing global crypto-asset regulations. The global regulatory landscape, including the guidelines promoted by the Bank for International Settlements (BIS), the Financial Stability Board (FSB), the United States, China, India, and the European Union, focuses primarily on establishing the legal status of crypto-assets, implementing taxation frameworks, and enforcing anti-money laundering (AML) and know-your-customer (KYC) requirements. For instance, countries such as Singapore, the UAE, and Israel have brought cryptocurrencies within the scope of their securities laws, while Saudi Arabia has warned against dealing in virtual currencies. Similarly, the FSB and the G20 have proposed a comprehensive regulatory framework to address financial stability risks, consumer protection, and market integrity concerns related to crypto-asset activities. In contrast, the CORM framework delves deeper into the specific operational risk pillars that financial institutions and crypto-asset service providers face. It systematically identifies these risks, including internal fraud, external fraud, technology failures, and compliance issues, and maps them to the established Basel operational risk framework. This level of granularity and alignment with industry-recognized standards sets the CORM framework apart from the broader regulatory initiatives. Furthermore, the CORM framework adopts a proactive and institution-driven approach, empowering financial institutions to take ownership of their operational risk management practices. It provides a structured methodology for risk assessment, policy development, implementation, and continuous monitoring, enabling these organizations to enhance their operational resilience and adapt to the rapidly evolving crypto-asset ecosystem.
For example, the CORM framework suggests implementing robust key management systems, conducting regular audits, and establishing governance structures to mitigate the risks of internal fraud and unauthorized access. By offering a more specialized and practical approach to managing operational risks, the CORM framework serves as a valuable complement to the existing crypto-asset regulations, providing financial institutions and crypto-asset service providers with a comprehensive tool to navigate the complexities of the crypto-asset ecosystem while also addressing the broader regulatory concerns around financial stability, consumer protection, and market integrity.

6. Application of CORM Framework

Crypto operational risks can affect various types of institutions operating in the cryptocurrency industry, including (i) cryptocurrency exchanges: platforms that facilitate the buying and selling of cryptocurrencies and are exposed to risks such as hacking, theft, fraud, and operational errors; (ii) wallet providers: cryptocurrency wallets are used to store and manage digital assets and are exposed to risks such as hacking, theft, and loss of private keys; (iii) payment processors: companies that enable merchants to accept payments in cryptocurrencies and are exposed to risks such as fraud, errors, and hacking; (iv) investment funds: cryptocurrency investment funds are exposed to risks such as market volatility, liquidity risks, and regulatory risks; (v) ICO/STO issuers: companies that issue initial coin offerings (ICOs) or security token offerings (STOs) are exposed to risks such as fraud, regulatory non-compliance, and market volatility; (vi) blockchain development companies: firms involved in the development and maintenance of blockchain technology, or providers of services such as metaverse and decentralized finance (DeFi) platforms, which manage crypto-assets and are exposed to risks such as software bugs, cyber-attacks, and data breaches; and (vii) financial institutions: traditional financial institutions such as banks and investment firms that are increasingly investing in cryptocurrencies and are exposed to risks such as market volatility, regulatory risks, and cyber-attacks.
The CORM framework is designed to assist the actors in the cryptocurrency ecosystem listed above, including cryptocurrency exchanges, wallet providers, crypto payment processors, investment funds, and ICO/STO issuers, by providing a structured approach to identifying, assessing, and mitigating the operational risks associated with crypto-assets, thereby promoting risk management practices that enhance operational stability, regulatory compliance, and stakeholder confidence. For cryptocurrency exchanges, CORM helps in managing risks such as hacking, theft, fraud, and operational errors by establishing robust policies and procedures for risk mitigation, incident response, and business continuity planning, which is crucial for maintaining user trust and meeting regulatory requirements. Wallet providers benefit by implementing secure key management practices and safeguarding against risks such as hacking and loss of private keys; the framework emphasizes regular audits and secure environments for managing cryptographic keys, which are vital for protecting users' assets. Crypto payment processors can use CORM to address fraud, errors, and hacking: by developing comprehensive risk assessment processes and incident response strategies, they can enhance their operational resilience and ensure secure transactions for their clients. Investment funds that invest in cryptocurrencies can leverage CORM to navigate market volatility, liquidity risks, and regulatory uncertainties, as the framework provides a systematic approach to risk assessment and mitigation that enables funds to make informed decisions while managing operational risks. For ICO/STO issuers, CORM aids compliance with regulatory requirements and the management of fraud and market volatility risks; by establishing clear operational guidelines and communication plans, issuers can enhance transparency and build trust with investors.
Overall, any organization that operates in the cryptocurrency industry, whether directly or indirectly, is exposed to crypto operational risks and must have effective risk management strategies in place to mitigate them. CORM is applicable to all of these institutions. Implementing the CORM framework in such an institution involves six steps:
Step 1. Identify the institution’s objectives: Define the institution’s goals and objectives and ensure that the crypto-asset operational risk management framework aligns with these objectives.
Step 2. Assess risks: Conduct a comprehensive risk assessment to identify potential crypto-asset operational risks that the institution may face. This includes assessing risks related to the technology, regulatory compliance, security, and other relevant areas.
Step 3. Develop policies and procedures: Develop policies and procedures to manage the identified risks. These policies and procedures should cover areas such as risk mitigation, incident response, business continuity planning, and employee training.
Step 4. Implement the CORM framework: Implement the crypto-asset operational risk management framework across the institution. This may involve appointing a risk manager or team to oversee the framework’s implementation and ensure that the policies and procedures are followed.
Step 5. Monitor and evaluate crypto risks: Continuously monitor and evaluate the framework’s effectiveness and adjust it as necessary. This may involve regularly reviewing risk assessments, conducting audits, and gathering feedback from stakeholders.
Step 6. Communicate from the operational risk team: Communicate the framework's implementation to relevant stakeholders, including employees, customers, and regulators. This helps to ensure that everyone understands the risks associated with crypto-asset operations and how the institution is managing them.
In order for the framework to be effective, it must be aligned with the institution's objectives and continuously evaluated. The coverage of departments in an institution's CORM framework depends on the size and complexity of the institution and on the nature and scope of its crypto-asset operations. The following departments may be involved: (i) Risk management: the risk management department should play a central role in the framework. It is responsible for identifying, assessing, and monitoring crypto-asset-related risks across the institution, and may also develop and oversee policies and procedures for risk mitigation and incident response. (ii) IT/Technology: the IT department is responsible for ensuring that the institution's technology infrastructure is secure and up to date. In the context of crypto-assets, it may implement and maintain the institution's wallet systems, exchange connectivity, and other platforms, and ensure that these systems comply with relevant regulatory requirements. (iii) Legal/Compliance: the legal and compliance departments are responsible for ensuring that the institution's crypto-asset operations comply with relevant laws and regulations. They may develop and oversee policies and procedures for compliance with anti-money laundering (AML) and know-your-customer (KYC) regulations. (iv) Finance/Accounting: the finance and accounting departments are responsible for managing the institution's financial risks related to crypto-assets. They may develop and implement controls around the accounting and reporting of crypto-asset transactions. (v) Operations: the operations department is responsible for managing the day-to-day activities of the institution's crypto-asset operations, including executing crypto-asset transactions, managing custodial arrangements, and ensuring the safe storage of crypto-assets. (vi) Human resources: the human resources department is responsible for ensuring that employees are trained on and aware of the institution's CORM framework. It may also conduct background checks and monitor employees for compliance with relevant policies and procedures.
These are only some of the departments that may be involved in an institution's CORM framework. The key is to ensure that all relevant departments are involved and that there is clear communication and coordination between them. To measure the effectiveness of the CORM framework, organizations should consider key performance indicators (KPIs) such as (i) risk exposure: the level of risk the organization is exposed to at a given time, measured through metrics such as the number of security incidents, the value of assets at risk, and the impact of any security breaches; (ii) risk assessment: the quality of the risk assessment process, including how well risks are identified, evaluated, and prioritized, measured through the percentage of risks identified, the accuracy of risk assessments, and the time taken to complete them; (iii) risk mitigation: the effectiveness of the measures put in place to mitigate identified risks, measured through the percentage of risks mitigated, the cost-effectiveness of mitigation measures, and the time taken to implement them; and (iv) incident response: how well the organization responds to security incidents, measured through the time taken to detect and respond to incidents, the effectiveness of incident response procedures, and the impact of incidents on the organization.
By measuring these KPIs, organizations can continually evaluate the effectiveness of their CORM and make necessary improvements to ensure the security and success of their operations.
Crypto-asset ecosystems vary in size and complexity. The CORM framework is adaptable for both small firms and large corporates, albeit with key differentiators in its application. For small firms, CORM can serve as a foundational tool to establish basic operational risk management practices, focusing on cost-effective measures such as simplified key management systems and basic compliance protocols. These firms may prioritize agility and rapid implementation, leveraging CORM to navigate the complexities of crypto-assets without extensive resources. In contrast, large corporates can utilize CORM to develop a comprehensive, multi-layered risk management strategy that integrates advanced technologies like artificial intelligence and machine learning for real-time risk assessment. They can afford to invest in robust infrastructure, extensive training programs, and detailed compliance frameworks that align with global regulatory standards. Additionally, large firms may face more complex operational risks due to their scale, necessitating a more sophisticated approach to stakeholder communication and incident response. While CORM provides a structured approach to managing operational risks associated with crypto-assets for both small and large entities, the scale, complexity, and resource allocation significantly influence its implementation and effectiveness across different organizational contexts.
We have identified two instances in recent years where crypto-asset platforms succumbed to threats arising from heightened operational risk. We have hypothetically applied the CORM framework to these two distinct cases, in which crypto-asset platforms succumbed to either external risks such as hacking or internal vulnerabilities, and analyzed how CORM would have helped to mitigate the operational risks involved. The following case studies show how the framework might function in real-world scenarios, strengthening our argument for its applicability.

6.1. Case Study on BitMart: Mitigating External Frauds with CORM

In December 2021, the BitMart exchange was hacked after attackers obtained a private key controlling its hot wallets, and approximately USD 196 million in assets was drained through unauthorized withdrawals. Had BitMart operated under the CORM framework, the controls it prescribes would have addressed the risks that led to this event. CORM advises strong controls over private key management, including hardware security modules (HSMs), multi-signature wallets, and strict access controls. These measures compartmentalize key management, keep the bulk of assets under keys that are stored offline or with restricted access, and require multiple independent approvals before any key use or transfer, so that the compromise of a single key or operator account cannot by itself release funds; in practice, a cap on the balance held in hot wallets further bounds the loss if a hot key is compromised. The incident exemplifies the need for a robust operational risk management framework in the crypto-asset sector, and the CORM framework, designed to identify, assess, and mitigate the operational risks of crypto-assets, is directly relevant to it. The hack involved significant operational risks related to cybersecurity, specifically external fraud and system vulnerabilities. The primary stakeholders affected were BitMart, its customers, and the regulatory bodies concerned with compliance and consumer protection. The incident maps to the Basel framework's external fraud category, emphasizing the need for effective risk management strategies. To mitigate such risks, the CORM framework advocates robust key management systems, regular security audits, and comprehensive incident response plans; continuous monitoring and assessment of the operational environment are essential for identifying vulnerabilities before they can be exploited.
Additionally, adopting industry best practices, ensuring regulatory compliance, and establishing decentralized governance structures can further enhance security. Applying the CORM framework to the BitMart hack illustrates how a structured approach to operational risk management can identify vulnerabilities and mitigate risks. By implementing these strategies, crypto-asset exchanges like BitMart could improve their security posture, protect against future incidents, and safeguard the interests of their stakeholders, ultimately fostering greater trust and stability in the crypto-asset ecosystem (Thurman 2021).
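As an added example, not BitMart's code nor part of the original article, the following Python sketch shows what "requiring multiple layers of approval for any key use or transfer" and "storing critical keys offline" mean as an enforceable hot-wallet policy; it also covers the key management controls listed in Appendix A (access control and tracking who uses keys). All roles, limits, and addresses are constructed assumptions, and HMAC tags over a canonical withdrawal record stand in for the digital signatures that each approver's hardware signer or HSM would produce; the policy logic, not the tag scheme, is the point.

```python
"""Hypothetical M-of-N withdrawal policy for an exchange hot wallet.

Added illustration, not BitMart's or the paper's code. HMAC tags over a
canonical withdrawal record stand in for the digital signatures that each
approver's hardware signer or HSM would produce; the policy logic is what
the example demonstrates. All limits, roles and addresses are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field

# Constructed policy parameters (assumptions, not figures from the paper).
REQUIRED_APPROVALS = 2      # M distinct approvers out of N
HOT_WALLET_CAP = 1_000_000  # value kept online; the rest is swept to cold keys
DAILY_LIMIT = 250_000       # maximum value the hot wallet may release per UTC day
ALLOWLIST = {"0xcold0001", "0xcold0002"}  # pre-registered destinations (constructed)

# One secret per approver, generated and held separately in practice (constructed).
APPROVER_KEYS = {
    "ops-a": b"ops-a-secret-constructed",
    "ops-b": b"ops-b-secret-constructed",
    "risk-c": b"risk-c-secret-constructed",
}


@dataclass(frozen=True)
class Withdrawal:
    tx_id: str
    destination: str
    amount: int
    day: str  # UTC date of the release request

    def canonical(self) -> bytes:
        # Canonical JSON so every approver authorizes exactly the same bytes.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()


def approve(w: Withdrawal, approver: str) -> tuple[str, str]:
    """An approver's signer tags the canonical record (stand-in for a signature)."""
    return approver, hmac.new(APPROVER_KEYS[approver], w.canonical(), hashlib.sha256).hexdigest()


def sweep_excess(hot_balance: int) -> int:
    """Value to move to cold storage so a hot-key compromise is bounded by the cap."""
    return max(0, hot_balance - HOT_WALLET_CAP)


@dataclass
class HotWalletPolicy:
    released: dict[str, int] = field(default_factory=dict)  # day -> value released

    def authorize(self, w: Withdrawal, approvals: list[tuple[str, str]]) -> tuple[bool, str]:
        # 1. Only pre-registered destinations; an attacker cannot add their own.
        if w.destination not in ALLOWLIST:
            return False, "destination not allowlisted"
        # 2. Count valid tags from distinct approvers only. A forged or replayed tag,
        #    or the same compromised key submitted twice, does not reach the threshold.
        valid: set[str] = set()
        for approver, tag in approvals:
            key = APPROVER_KEYS.get(approver)
            if key is None:
                continue
            expected = hmac.new(key, w.canonical(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, tag):
                valid.add(approver)
        if len(valid) < REQUIRED_APPROVALS:
            return False, f"only {len(valid)} valid approvals, need {REQUIRED_APPROVALS}"
        # 3. Velocity limit bounds what even a full set of approvers can release per day.
        if self.released.get(w.day, 0) + w.amount > DAILY_LIMIT:
            return False, "daily release limit exceeded"
        self.released[w.day] = self.released.get(w.day, 0) + w.amount
        return True, "released"


# --- scenarios (constructed) --------------------------------------------------
def scenario_single_key_compromise() -> tuple[bool, str]:
    """Attacker holds only ops-a's key: two tags from one key count as one approval."""
    w = Withdrawal("tx-1", "0xcold0001", 100_000, "2021-12-04")
    return HotWalletPolicy().authorize(w, [approve(w, "ops-a"), approve(w, "ops-a")])


def scenario_dual_control() -> tuple[bool, str]:
    """Two distinct approvers within the daily limit: released."""
    w = Withdrawal("tx-2", "0xcold0001", 100_000, "2021-12-04")
    return HotWalletPolicy().authorize(w, [approve(w, "ops-a"), approve(w, "risk-c")])


def scenario_tampered_amount() -> tuple[bool, str]:
    """Approvals collected for 100k, then the amount is inflated: tags no longer verify."""
    w = Withdrawal("tx-3", "0xcold0001", 100_000, "2021-12-04")
    approvals = [approve(w, "ops-a"), approve(w, "risk-c")]
    inflated = Withdrawal("tx-3", "0xcold0001", 900_000, "2021-12-04")
    return HotWalletPolicy().authorize(inflated, approvals)


def scenario_velocity_limit() -> list[bool]:
    """Three fully approved 100k releases on one day: the third breaches the 250k limit."""
    policy = HotWalletPolicy()
    results = []
    for i in range(3):
        w = Withdrawal(f"tx-4-{i}", "0xcold0002", 100_000, "2021-12-04")
        results.append(policy.authorize(w, [approve(w, "ops-b"), approve(w, "risk-c")])[0])
    return results
```

The scenarios show the property that matters for an incident like BitMart's: one stolen key, however it was obtained, yields neither a release nor an inflated amount, and even a fully approved stream of withdrawals is bounded per day, while sweep_excess keeps the online exposure at or below the cap. In a production deployment the approver tags would be real signatures from separate hardware devices, and every accepted or rejected request would be logged with the approver identities for the audit trail the framework calls for.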

6.2. Case Study on Binance: Mitigating Internal Vulnerabilities with CORM

Binance is one of the largest cryptocurrency exchanges globally, facilitating the trading of various cryptocurrencies. In October 2022, the BNB Chain cross-chain bridge (BSC Token Hub), part of the Binance-backed BNB Chain ecosystem rather than the exchange's trading platform itself, suffered a significant security breach attributed to a flaw in the bridge's smart contract code: the attacker submitted a forged cross-chain proof that the bridge's verification logic accepted, allowing roughly 2 million BNB (about USD 570 million at the time) to be minted to the attacker before validators paused the chain. The incident highlighted the operational risks that an exchange inherits from the blockchain infrastructure it depends on, in particular software vulnerabilities in code that moves or creates assets, and it arose from a verification bug rather than from a compromise of private keys. The CORM framework emphasizes the identification of potential operational risks, including those related to technology and security. In this case, a thorough risk assessment could have identified the vulnerability in the bridge's proof verification code that led to the exploit, and by conducting a comprehensive risk assessment Binance could have evaluated the potential impact of the identified risk, including the financial implications of a breach and the reputational damage that could ensue. The CORM framework advocates the development of robust policies and procedures to manage identified risks: Binance could have established stringent security protocols, including regular code audits, penetration testing, and multi-signature wallets to enhance the security of user funds. The CORM framework also stresses ongoing monitoring and evaluation of risk management practices; a dedicated risk management team could have continuously assessed the effectiveness of security measures and adapted to emerging threats in the cryptocurrency landscape. Finally, the framework provides guidance on implementing effective mitigation strategies, which for Binance could have included hardware security modules (HSMs) for key management, real-time monitoring of transactions for suspicious activity such as abnormal minting or outflows, and a well-defined incident response plan to address potential breaches swiftly (CoinDesk 2022; Forbes 2022; Livni 2022; TechRadar 2023).
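To make concrete what a code audit of proof-verifying bridge code looks for, here is an added Python illustration, not code from the original article and not BNB Chain's code, of a Merkle inclusion-proof verifier in a weak and a hardened form. The flaw shown, missing domain separation between leaf and internal-node hashes, is a generic and well-known class of proof-verification bug chosen because it is representative; the fix uses the 0x00/0x01 prefix convention of Certificate Transparency (RFC 6962). It is not a reconstruction of the October 2022 bridge exploit, and the transfer records are constructed sample data.

```python
"""Merkle inclusion-proof verifier, weak and hardened.

Added illustration, not code from the paper or from BNB Chain. The flaw shown
(no domain separation between leaf and internal-node hashes) is a generic,
well-known proof-verification bug; the fix uses the 0x00/0x01 prefix
convention of Certificate Transparency (RFC 6962). Sample records are constructed.
"""
import hashlib


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


# Weak scheme: leaves and internal nodes are hashed the same way.
def leaf_weak(data: bytes) -> bytes:
    return sha256(data)


def node_weak(left: bytes, right: bytes) -> bytes:
    return sha256(left + right)


# Hardened scheme: a leaf can never hash to the same value as an inner node.
def leaf_hard(data: bytes) -> bytes:
    return sha256(b"\x00" + data)


def node_hard(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def build_levels(leaves, leaf_hash, node_hash):
    """All tree levels, leaf hashes first and root last; odd levels repeat the last hash."""
    level = [leaf_hash(d) for d in leaves]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def make_proof(levels, index):
    """Sibling path for leaf `index`: a list of (sibling_hash, sibling_is_left)."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_weak(root, data, proof):
    h = leaf_weak(data)
    for sibling, sibling_is_left in proof:
        h = node_weak(sibling, h) if sibling_is_left else node_weak(h, sibling)
    return h == root


def verify_hard(root, data, proof, depth=None):
    # Optional defence in depth: a fixed-depth tree rejects truncated proofs outright.
    if depth is not None and len(proof) != depth:
        return False
    h = leaf_hard(data)
    for sibling, sibling_is_left in proof:
        h = node_hard(sibling, h) if sibling_is_left else node_hard(h, sibling)
    return h == root


def demo() -> dict:
    """Honest proofs verify under both schemes; the forgery passes only the weak one."""
    leaves = [b"transfer:1:alice:10", b"transfer:2:bob:5",
              b"transfer:3:carol:7", b"transfer:4:dave:2"]  # constructed records
    out = {}
    schemes = (("weak", leaf_weak, node_weak, verify_weak),
               ("hard", leaf_hard, node_hard, verify_hard))
    for name, leaf_hash, node_hash, verify in schemes:
        levels = build_levels(leaves, leaf_hash, node_hash)
        root = levels[-1][0]
        out[f"{name}_honest"] = verify(root, leaves[2], make_proof(levels, 2))
        # Forgery: present the 64-byte preimage of an internal node as a "leaf"
        # and drop the first proof step. No such record exists in the tree.
        forged_leaf = levels[0][0] + levels[0][1]
        forged_proof = make_proof(levels, 0)[1:]
        out[f"{name}_forged"] = verify(root, forged_leaf, forged_proof)
    return out
```

The weak verifier accepts a "record" that was never committed to the tree because an inner node's preimage hashes exactly like a leaf; the hardened verifier rejects it on the prefix alone, and a fixed-depth check adds a second, independent rejection. An audit of bridge or light-client code checks for exactly this kind of ambiguity in how proof elements are typed and hashed, and a penetration test would feed the verifier malformed proofs such as the one above.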

7. Conclusions

For any business involved in the cryptocurrency sector to succeed and last, effective crypto operational risk management is essential. It entails recognizing, evaluating, and reducing the risks related to the people, procedures, and technology used in crypto operations. Cryptocurrencies and other crypto-assets offer many benefits, including decentralization, transparency, and fast transactions. Like any other financial asset, however, they carry inherent dangers, including market volatility, security breaches, and regulatory uncertainty. As crypto-assets continue to gain traction and popularity, it is becoming increasingly crucial for organizations participating in the financial ecosystem to have a clear operational risk management strategy for them. Such a framework assists institutions in recognizing, evaluating, and reducing the risks of crypto-asset operations while still taking advantage of the innovation that crypto offers.
Paving the way for future policy responses to mitigate operational risk, CORM provides a structured approach to addressing the unique operational risks associated with crypto-assets. By aligning with the Basel Committee on Banking Supervision (BCBS) risk classification, CORM not only aids financial institutions in navigating the complexities of crypto-asset operations but also serves as a valuable tool for regulators in establishing coherent guidelines. The framework enables institutions to manage risks proactively, thereby preserving their reputation and safeguarding stakeholder interests. Future research should refine the CORM framework by incorporating real-time data analytics, artificial intelligence (AI), and machine learning (ML) to enhance risk assessment and mitigation; these technologies can support real-time monitoring of operational risks and predictive analytics, allowing institutions to address vulnerabilities before they are exploited. Empirical studies validating the effectiveness of the CORM framework in various institutional contexts are also essential, for instance case studies of financial institutions that have implemented CORM, assessing its impact on operational risk management and overall performance. Further research can compare the application of the CORM framework across regulatory environments and jurisdictions, identifying best practices and showing how differing regulatory landscapes influence the effectiveness of operational risk management strategies, and can develop models that adapt to changes in market conditions, technological advances, and emerging threats.
Additionally, exploring the integration of CORM with existing regulatory frameworks across jurisdictions can provide insights into harmonizing global standards for crypto-asset management. Research can also address the development of educational programs and training modules that help financial institutions implement the CORM framework effectively, including resources that deepen understanding of the operational risks specific to crypto-assets and of best practices for their mitigation.
The industry can contribute to the adoption of the CORM framework by fostering collaboration among stakeholders, including financial institutions, technology providers, and regulatory bodies. Engaging in public–private partnerships can facilitate the sharing of best practices and resources, ultimately leading to the development of a more resilient and secure crypto-asset ecosystem. Furthermore, industry-led initiatives to standardize operational risk management practices can enhance the framework’s applicability and effectiveness, ensuring that it meets the evolving needs of the crypto-asset landscape. By working together, stakeholders can create a robust operational risk management framework that not only addresses current challenges but also anticipates future developments in the rapidly changing world of crypto-assets.
Theoretically, we extend the uncertainty theory of risk to the context of crypto-assets, where the antecedents, catalysts, and outcomes of operational risks are unprecedented. Since the threats are evolving yet confined to a finite domain, our framework paves the way for future empirical investigations, which will yield further insight into the idiosyncrasies of crypto-assets. Academically, we propose a parsimonious measure in the form of a simple framework. It can complement research on risk and return measures for portfolios containing crypto-assets and may lead to actionable insights for audits and benchmarks of the operational risks of crypto-assets. CORM may thus bring together insights from industry and academia through its application to mapping and measuring specific controls for operational risk mitigation, such as multi-signature wallets and blockchain verification protocols.
The proposed framework helps institutions navigate the unique challenges posed by crypto-assets and ensures that they comply with relevant regulatory requirements. By adopting a proactive approach to operational risk management, institutions can reduce the potential impact of operational mishaps involving crypto-assets, preserve their reputation, and safeguard the interests of their stakeholders. Although crypto-assets present exciting prospects for innovation and expansion, institutions must exercise caution in handling the dangers connected with them. For institutions to engage confidently in the crypto ecosystem while successfully reducing the risks related to crypto-assets, a clear operational risk management framework such as CORM is essential.

Author Contributions

Conceptualization, D.R. and A.D.; methodology, D.R. and A.D.; validation, D.R., A.D. and D.T.; formal analysis, D.R. and A.D.; investigation, D.R. and A.D.; writing—original draft preparation, D.R., A.D. and D.T.; writing—review and editing, D.R., A.D. and D.T.; visualization, D.R. and A.D. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The research is based on secondary data published on public domains. Data sources have been cited in-text and in references with URL.

Conflicts of Interest

Author Ashutosh Dubey is employed by the company National Payments Corporation of India. The remaining authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Appendix A. CORM for Crypto-Assets

Operational Risk for Crypto AssetsUnique to Crypto-AssetsImpacted PartyOperational Risk PillarBasel Operational Risk (Loss Category 1)DescriptionLoss Effect as per Basel Framework
(BIS 2001)
Mitigation Approach
Internal Fraud due to unauthorized access and theft or access to private keysNoInstitution, CustomersConfidentiality and privacyInternal fraudA number of regulatory authorities have already raised concerns about misappropriation of assets (such as cryptocurrencies involving the theft of private and public keys) as well as tax evasion (as this issue has already been raised with several regulatory agencies). Employees who are familiar with micropayment systems are at risk of committing internal fraud.Loss or Damage to
Assets
  • Key management systems should include a secure environment to store, manage, and protect cryptographic keys.
  • Robust policies and procedures should be implemented to safeguard the keys and enable access control.
    It is important to keep track of who has access to the keys and how they are used.
  • Key management systems should also include a backup and recovery system in case the primary system fails. This will help to ensure that the keys are always available and secure.
  • Regular audits should be conducted to ensure the system is functioning properly and to identify any potential weaknesses.
  • Implementation of best practices for cryptographic key management, such as regularly updating keys and implementing multi-factor authentication
Price manipulationNoCustomersCentralisationClients, products, and business
practices
Decentralization is associated with inherent operational risks because cryptocurrencies operate through peer-to-peer networks, independent of a central authority. The independence of cryptocurrency is an appealing feature, but decentralization means that the network manages functions like issuing, processing transactions, and verifying together. Coordinated attacks are possible as a result of this.Legal Liability
Loss or Damage to
Assets
  • Setting up of Decentralized autonomous organization (DAO)Governance board for financial and technical decision of the system
  • Implementation of Communication policy
  • Ensure tougher authentication of developer write access to the code repository by demanding digital signatures on commits and tags.
No protections for fraud losses | No | Customers | Custody and Security | Clients, products, and business practices
Fraud occurs when someone deceives another person for personal or financial gain, causing that person to suffer losses. Payment arrangements protect end users against fraud by providing preventive controls (e.g., security features) and by compensating them for financial loss in the event of fraud (e.g., liability policies). Fraud protection policies make up the latter.
Regulatory Action
  • Operating guidelines for the ecosystem
  • Proper communication plan for investors and retail users
  • Financial responsibility distribution in case of reported frauds
  • Create a backup strategy in case of a disclosure incident, even a doubted one.
  • A suitable operation plan outlines a sequence of actions to switch to a new secure private key without compromising control of or access to protected data, and with little effect on the availability of the services provided by the organization.
Partnering with technology and other companies to offer end solutions | No | Institution, Customers | Business Model; Market access and data | Execution, delivery, and process management
The outsourcing of a material business activity, when it involves collaborating with a third party in the context of crypto-asset related activities, exposes personal information to a wider audience.
Restitution; Loss of Recourse
  • Entities should ensure that vendors meet the requirements that apply to the outsourcing regarding data management and intellectual property
Hard Forks (FSB 2019; IOSCO 2020) by Platforms managing Crypto Assets | Yes | Institution | Technology; Centralisation | Clients, products, and business practices
It is known that a hard fork is one of the settlement risks unique to blockchains. A hard fork, which produces two irreconcilable ledgers, might result from an unresolved dispute between developers or other participants in a distributed ledger, such as miners. Forks can also result from changes to the code of the underlying protocol that are not compatible with previous versions. The forking of a chain is typically undertaken by a large subset of node operators who believe that it is necessary to preserve the integrity of the chain, even though it can be disruptive.
Loss or Damage to Assets
  • Third party audit
  • Open source audit
  • Frequent checks for software vulnerabilities as reported in international publications
  • Monitoring the operations of the platform managing crypto-assets
Operational Bank Run (Angelo et al. 2021) | Yes | Institution | Custody and security; Business Model | Clients, products, and business practices
By creating a regulated crypto-asset like a CBDC, central banks could threaten the two-tiered banking system itself. Whenever confidence in bank deposits begins to wane, people tend to convert that money to CBDC, which might reduce the loanable money in the system and eventually lead to a financial crisis.
Regulatory Action; Loss or Damage to Assets
  • Operating guidelines to manage the funds
  • Risk rules, transaction limits
  • Frequent checks regarding software vulnerabilities
  • Compliance with global financial risk guidelines like Basel
Software Failure | No | Institution | Technology | Business disruption and system failures
Individual banks do not themselves process blockchain verification or currency creation. To ensure the reliability of the cryptocurrency network, including transaction processing and verification, an external group of entities in different geographies is essential. A bank processing cryptocurrencies and deposits that relies on external hardware faces large operational risks.
Loss or Damage to Assets; Write-down
  • Third party audit
  • Open source audit
  • Bug bounty programs
  • Frequent checks for software vulnerabilities as reported in international publications
External Fraud due to System abuse and theft | No | Institution, Customers | Technology; Market access and data; Centralisation | External fraud
Data theft can include wallet addresses, public and private keys, and other personal identification information, such as transaction information between users in virtual currency and cryptocurrency networks. Oracle services expose the platform to the external systems it depends on to perform its operations, and any compromise of an oracle can lead to the loss of assets and funds.
Loss or Damage to Assets; Write-down
  • Regular business and technical audit with the external information provider
  • Interfaces should go through security assessment and scans
  • Bug bounty program for the interface
  • Change log management
  • Plan for predictable incidents at third-party partners and document the stages to reinstate service or ensure the continuity of service.
  • Review the design of the third-party API with an emphasis on how it implements access controls, how it prevents message spoofing, and how it handles credential-reset functionality.
  • Document the points of contact on both ends of the association with your partner organization.
Blockchain Failure | Yes | Institution | Technology | Business disruption and system failures
Failure of the blockchain platform running the system due to defects or attacks.
Loss or Damage to Assets; Write-down
  • Business continuity plan for hardware failure
  • Network protection using firewalls
  • Multiple-site setup so that the failure of one site does not bring the system down, improving resiliency
  • Use tamper-resistant cryptographic hardware peripherals intended to store and perform operations with private keys without ever divulging the keys to a host computer.
Improper Peer-to-peer Verification of Transactions and Risk of Double Spending | Yes | Institution, Customers | Technology | Business disruption and system failures
Due to peer-to-peer verification, a transaction can take up to ten minutes to be published to the network and registered on the blockchain ledger. These delays create a significant opportunity for fraud, system attacks, double spending, and fake transactions. An adversary can use the same bitcoins in multiple transactions during these waiting periods, which could result in losses for the vendor if the goods are released instantly.
Write-down
  • Operating guidelines for the ecosystem
  • Proper communication plan for investors and retail users
  • Financial responsibility distribution in case of reported frauds
  • Create a contingency plan in preparation for a disclosure incident, even a doubted one.
  • A proper operation plan describes a sequence of steps to shift to a new secure private key without losing access to or control of protected data, and with nominal impact on the organization's service availability.
Transaction Irreversibility and Risk of Unrecoverable Losses and Mistakes | Yes | Institution, Customers | Technology; Business model | Clients, products, and business practices
Banking networks, virtual wallets, and cryptocurrency are at risk of cybercrime and hacker attacks due to transaction irreversibility.
Write-down
  • Operating guidelines for the ecosystem
  • Proper communication plan for investors and retail users
  • Financial responsibility distribution in case of reported frauds
  • Use wallets in which the private keys are split across separate systems and a 2-of-3 consensus is required to spend from the wallet
Investment in Crypto-assets | No | Institution, Customers | Compliance and tax; Market access and data; Centralisation | Clients, products, and business practices
In addition to fraud, cybercrime, conduct, financial crime, and technology risks, there are likely to be a range of operational risks to identify, assess, and manage. Crypto-assets and networks may also be susceptible to novel risks, such as those associated with relying on third parties for redemption or operation, or with using crypto infrastructure and exchanges.
Regulatory Action
  • Background check of the crypto-asset provider
  • Financial assessment by a third party
  • Financial risk assessment regarding the investment
  • Compliance check and trend monitoring of the industry
Uncontrolled Crypto-asset issuance | Yes | Institution, Customers | Compliance and tax; Market access and data; Centralisation | Clients, products, and business practices
The minting, issuance, and burning of coins involve a range of operational risks, including fraud, cyber, conduct, and technology risks. It is important to consider these risks when designing and distributing new products. Data collection, storage, and safeguarding systems, as well as a robust redemption process, are other key considerations.
Regulatory Action
  • Governance board or power of delegation based on stake or rights
  • Regular internal and external audits to avoid any discrepancies
  • System access and rights based on delegation of powers
  • Limit access to the majority of assets by keeping them in a wallet on an offline (air-gapped, physically access-controlled) system.
  • Transactions can be signed under the maker-checker principle and then taken to an online system for publication to the blockchain
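The split-key wallet control listed under transaction irreversibility above (keys held on separate systems, 2-of-3 consensus to spend) and the offline maker-checker signing listed here, as an added example that is not code from the paper: Shamir's secret sharing over the secp256k1 scalar field, generalised to any t-of-n, with the key reassembled only inside an air-gapped signing step that demands two different custodians. The demo key, the custodian names and the HMAC stand-in for the chain's signature scheme are constructed assumptions.

```python
"""Added example, not code from the paper or any referenced project.

Two wallet controls from the risk table: a signing key split across separate
custodians so that any 2 of 3 shares can spend (Shamir's secret sharing over
the secp256k1 scalar field), and an offline maker-checker signing step that
reassembles the key only when two *different* custodians have approved.
Assumptions: DEMO_KEY is a constructed value, custodian names are placeholders,
and the HMAC stands in for the chain's real signature algorithm.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Order of the secp256k1 group (a prime). Bitcoin private keys are scalars in
# [1, N-1], so sharing over GF(N) represents every valid key exactly.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed demo key (a valid scalar, well below N); never a real wallet key.
DEMO_KEY = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF

Share = Tuple[int, int]  # (x, f(x)) with x in 1..count


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x (mod N) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc


def split_key(secret: int, threshold: int = 2, count: int = 3) -> List[Share]:
    """Split `secret` into `count` shares; any `threshold` of them rebuild it."""
    if not 1 <= secret < N:
        raise ValueError("secret must be a scalar in [1, N-1]")
    if not 1 < threshold <= count:
        raise ValueError("need 1 < threshold <= count")
    # f(x) = secret + a1*x + ... + a_{t-1}*x^(t-1) with random coefficients,
    # so f(0) is the secret and any t points determine the polynomial.
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, count + 1)]


def reconstruct(shares: List[Share], threshold: int = 2) -> int:
    """Recover f(0) by Lagrange interpolation over GF(N)."""
    if len(shares) < threshold:
        raise ValueError(f"{len(shares)} share(s) supplied, {threshold} required")
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


def single_share_is_consistent_with(share: Share, candidate: int) -> bool:
    """With threshold 2, one share (x1, y1) fits *every* candidate secret s:
    the line through (0, s) and (x1, y1) always exists, so a lone custodian
    (or the thief of one share) learns nothing about the key."""
    x1, y1 = share
    slope = (y1 - candidate) * pow(x1, -1, N) % N
    return _eval_poly([candidate, slope], x1) == y1


def offline_sign(proposal: bytes, approvals: Dict[str, Share],
                 maker: str, checker: str) -> str:
    """Air-gapped signing step. The key exists only inside this function and
    only after two distinct custodians (maker and checker) provided shares."""
    if maker == checker:
        raise PermissionError("maker and checker must be different custodians")
    missing = [who for who in (maker, checker) if who not in approvals]
    if missing:
        raise PermissionError(f"missing approval from {missing}")
    key = reconstruct([approvals[maker], approvals[checker]])
    # Placeholder for the chain's signature algorithm (e.g. ECDSA over secp256k1).
    return hmac.new(key.to_bytes(32, "big"), proposal, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    shares = split_key(DEMO_KEY)
    custody = {"ops_maker": shares[0], "risk_checker": shares[1], "vault_backup": shares[2]}
    tx = b"constructed spend proposal: 1.0 BTC to settlement address"
    print("2-of-3 signature:", offline_sign(tx, custody, "ops_maker", "risk_checker"))
    print("single share leaks nothing:", single_share_is_consistent_with(shares[0], 42))
```

A true multisignature or threshold-signature wallet never reassembles the scalar on one machine; Shamir reconstruction is the simpler scheme and relies on the signing host being offline and access-controlled, as the row above requires.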
Services on crypto-assets for customers | No | Institution, Customers | Compliance and tax; Market access and data; Centralisation | Clients, products, and business practices
A range of operational risks may exist for services involving crypto-assets more broadly. Security risks, such as the possibility of losing private keys, wallets containing funds, and authentication devices, should be taken into consideration.
Restitution
  • Operating guidelines for the ecosystem
  • Proper communication plan for investors and retail users
  • Financial responsibility distribution in case of reported frauds
Lending activities linked with crypto-assets | No | Institution, Customers | Compliance and tax; Market access and data; Centralisation | Clients, products, and business practices
Crypto-asset collateral may be subject to operational risks including fraud, financial crime, and technological failure. A third party, such as a custodian, an exchange, a wallet provider, or a crypto infrastructure provider, may also represent a risk.
Regulatory Action; Restitution
  • Governance board or power of delegation based on stake or rights
  • Regular internal and external audits to avoid any discrepancies
  • Investment risk and market risk to be properly evaluated before any lending is allowed on crypto-assets held in custody
Anonymity and Risk of Financial Crime | No | Institution, Customers | Compliance and tax | Execution, delivery, and process management
Financial risk must be considered when examining this vulnerability, including the privacy of customer transactions, money laundering, and account taxation. Losses due to operational risk may occur in some cases. Where crypto-asset deposits accepted by institutions, knowingly or unknowingly, originate from crime, the risk of fraud is high.
Regulatory Action
  • Ensuring a communication plan for retail investors or users
  • Operating guidelines for the ecosystem
  • Financial responsibility distribution in case of reported frauds
  • Reporting based on the law of the land
  • Framework to apportion assets in dispute
Handling of Sensitive Information and Risk of Fraud due to improper accounting | No | Institution, Customers | Compliance and tax; Business Model; Centralisation | Internal fraud
Anyone who gains access to the private key is able to create and sign a transaction message, possibly transferring the currency units to their own address as if they were the original owner. Additionally, the storage of virtual wallets and of private and public encryption keys is a major risk (each may affect different aspects of cryptocurrencies). Data entry errors, accounting errors, and negligent loss of client assets are also major risks.
Regulatory Action
  • Regular business and technical audit with the external information provider
  • Interfaces should go through security assessment and scans
  • Bug bounty program for the interface
  • Change log management
  • Wallet security using a hardware security module
  • Key management including rotation
Source: Created by the Authors.

References

  1. Almeida, Dora, Andreia Dionísio, Isabel Vieira, and Paulo Ferreira. 2022. Uncertainty and risk in the cryptocurrency market. Journal of Risk and Financial Management 15: 532. [Google Scholar] [CrossRef]
  2. Almeida, José, and Tiago Cruz Gonçalves. 2022. Portfolio diversification, hedge, and safe-haven properties in cryptocurrency investments and financial economics: A systematic literature review. Journal of Risk and Financial Management 16: 3. [Google Scholar] [CrossRef]
  3. Angelo, Riva, Stefano Ungaro, and Eric Monnet. 2021. Bank Runs and Central Bank Digital Currency. Available online: https://cepr.org/voxeu/columns/bank-runs-and-central-bank-digital-currency (accessed on 7 October 2024).
  4. Basel Committee on Banking Supervision. 2022. Prudential Treatment of Cryptoasset Exposures. Available online: https://www.bis.org/bcbs/publ/d545.pdf (accessed on 4 May 2024).
  5. Beja, Avraham. 1972. On systematic and unsystematic components of financial risk. The Journal of Finance 27: 37–45. [Google Scholar] [CrossRef]
  6. BIS. 2001. QIS 2—Operational Risk Loss Data. Annexure 5. Available online: https://www.bis.org/bcbs/qisoprisknote.pdf (accessed on 7 May 2024).
  7. BIS. 2019. Designing a Prudential Treatment for Crypto-Assets. Available online: https://www.bis.org/bcbs/publ/d490.pdf (accessed on 8 May 2024).
  8. Blackman, Andrew. 2014. The Main Types of Business Risks. Available online: https://business.tutsplus.com/tutorials/the-main-types-of-business-risk--cms-22693 (accessed on 13 May 2024).
  9. Boitnott, John. 2022. Seven Business Risks Every Business Should Plan For. Available online: https://www.americanexpress.com/en-us/business/trends-and-insights/articles/7-business-risks-every-business-should-plan-for/ (accessed on 14 May 2024).
  10. Buck, Jon. 2018. Coincheck: Stolen $534 mln NEM Were Stored on Low-Security Hot Wallet. Available online: https://cointelegraph.com/news/coincheck-stolen-534-mln-nem-were-stored-on-low-security-hot-wallet (accessed on 4 June 2024).
  11. Chan, Stephen, and Saralees Nadarajah. 2020. Extreme values and financial risk. Journal of Risk and Financial Management 13: 32. [Google Scholar] [CrossRef]
  12. Christiansen, Leif. 2021. Types of Business Risk. Available online: https://zipreporting.com/enterprise-risk-management/types-of-business-risk.html (accessed on 21 June 2024).
  13. CoinDesk. 2022. Binance Hack: $570 Million Exploited in Smart Contract Bridge Vulnerability. CoinDesk. Available online: https://www.coindesk.com/business/2022/10/07/binance-hack (accessed on 14 November 2024).
  14. CoinMarketCap. 2024. Global Live Cryptocurrency Charts & Market Data. Available online: https://coinmarketcap.com/charts/ (accessed on 10 May 2024).
  15. Commodity Futures Trading Commission. 2020. The CFTC’s Role in Monitoring Virtual Currencies. Available online: https://www.cftc.gov/media/4636/VirtualCurrencyMonitoringReportFY2020/download (accessed on 5 May 2024).
  16. Commonwealth Bank of Australia. 1999. Annual Report. Melbourne: Commonwealth Bank of Australia. [Google Scholar]
  17. Cryptoassets Taskforce. 2018. Final Report 2018; HM Treasury, Financial Conduct Authority, and Bank of England. Available online: https://assets.publishing.service.gov.uk/media/5bd6d6f0e5274a6e11247059/cryptoassets_taskforce_final_report_final_web.pdf (accessed on 1 May 2024).
  18. Data Bridge Market Research. 2022. Global Crypto Asset Management Market—Industry Trends and Forecast to 2029. Available online: https://www.databridgemarketresearch.com/reports/global-crypto-asset-management-market (accessed on 4 May 2024).
  19. Dubey, Ashutosh, Deepnarayan Tiwari, and Anjali Tiwari. 2022. Blockchain as a foundational infrastructure of Web 3.0 and cryptoassets. In Blockchain Foundational Infrastructure of Web 3.0 and Cryptoassets. New York: Taylor & Francis. Available online: https://www.taylorfrancis.com/chapters/edit/10.1201/9781003282914-6 (accessed on 8 June 2024).
  20. Fama, Eugene F., and Kenneth R. French. 1993. Common risk factors in the returns on stocks and bonds. Journal of Financial Economics 33: 3–56. [Google Scholar] [CrossRef]
  21. FATF. 2021. Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. Paris: Financial Action Task Force. Available online: https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Guidance-rba-virtual-assets-2021.html (accessed on 10 May 2024).
  22. Federal Financial Supervisory Authority (BaFin). 2024. Crypto Custody Business. Available online: https://www.bafin.de/EN/Aufsicht/BankenFinanzdienstleister/Markteintritt/Kryptoverwahrgeschaeft/kryptoverwahrgeschaeft_node_en.html (accessed on 10 June 2024).
  23. Felix, Katherine, and Nicholas Baker. 2023. China and Its Central Bank Digital Currency. Paris: Friedric Ebert Stiftung. Available online: https://library.fes.de/pdf-files/international/20024-20230214.pdf (accessed on 1 July 2024).
  24. Forbes. 2022. What Happened with the $570 Million Binance (BNB) Hack? And What Does It Really Mean for Crypto Investors? Available online: https://www.forbes.com/sites/qai/2022/10/09/what-happened-with-the-570-million-binance-bnb-hack-and-what-does-it-really-mean-for-crypto-investors/ (accessed on 14 November 2024).
  25. FSB. 2019. The Financial Stability Board in 2019. Paper Presented at Joint Conference of the European Central Bank and the Journal of Money, Credit, and Banking, Frankfurt, Germany, March 28. Available online: https://www.fsb.org/uploads/S280319.pdf (accessed on 8 May 2024).
  26. Gagliardoni, Thomas. 2021. The Poly Network Hack Explained. Cheseaux-Sur-Lausanne: Kudelski Security Research. Available online: https://research.kudelskisecurity.com/2021/08/12/the-poly-network-hack-explained/ (accessed on 10 May 2024).
  27. Holton, Gerald. 2004. Defining risk. Financial Analysts Journal 60: 19–25. [Google Scholar] [CrossRef]
  28. Ikeno, Yoshiaki, John Angel, and Sudip Panigrahi. 2022. Soundness of stablecoins. In International Conference on Financial Cryptography and Data Security. Cham: Springer International Publishing, pp. 66–73. [Google Scholar]
  29. IOSCO. 2020. International Organization of Securities Commissions Priorities for 2020. Available online: https://www.jdsupra.com/legalnews/international-organization-of-68360/ (accessed on 10 May 2024).
  30. Israel Securities Authority. 2018. Warning to Investors Regarding Cryptocurrency Investments. Available online: https://www.iosco.org/library/ico-statements/Israel%20-%20ISA%20-%20Warning%20to%20Investors%20Regarding%20Cryptocurrency%20Investments.pdf (accessed on 10 May 2024).
  31. Juskaite, Lina, Loreta Gudelyte-Zilinskiene, and Rita Tamosiuniene. 2024. Investment portfolio’s including different cryptocurrencies efficiency study. Transformations in Business & Economics 23: 272–95. [Google Scholar]
  32. Kolmogorov, Andrey Nikolaevich. 1963. The theory of probability. Mathematics, Its Content, Methods, and Meaning 2: 110–18. [Google Scholar]
  33. Knight, Frank H. 1921. Risk, Uncertainty, and Profit. University of Illinois at Urbana-Champaign’s Academy for Entrepreneurial Leadership Historical Research Reference in Entrepreneurship. Available online: https://ssrn.com/abstract=1496192 (accessed on 10 May 2024).
  34. KPMG. 2020. Basel 4: The Journey Continues. Available online: https://assets.kpmg.com/content/dam/kpmgsites/xx/pdf/2020/08/basel-4-the-journey-continues.pdf.coredownload.inline.pdf (accessed on 18 November 2024).
  35. KPMG. 2022a. Beyond Basel IV: Incorporating Crypto-Assets into the Basel Framework. Available online: https://www.scribd.com/document/586742700/Basel-IV-Crypto-En (accessed on 10 May 2024).
  36. KPMG. 2022b. The Collapse of FTX: Lessons and Implications for Stakeholders in the Crypto Industry. Available online: https://assets.kpmg/content/dam/kpmg/cn/pdf/en/2022/11/the-collapse-of-ftx.pdf (accessed on 10 May 2024).
  37. Lam, Patrick N., and David K. C. Lee. 2015. A Light Touch of Regulation for Virtual Currencies. In Handbook of Digital Currency. Available online: https://www.sciencedirect.com/topics/economics-econometrics-and-finance/virtual-currency (accessed on 10 May 2024).
  38. Liu, Baoding. 2009. Some research problems in uncertainty theory. Journal of Uncertain Systems 3: 3–10. [Google Scholar]
  39. Livni, Ephrat. 2022. Binance Blockchain Hit by $570 Million Hack. The New York Times. Available online: https://www.nytimes.com/2022/10/07/business/binance-hack.html (accessed on 10 May 2024).
  40. Markowitz, Harry. M. 1976. Markowitz revisited. Financial Analysts Journal 32: 47–52. [Google Scholar] [CrossRef]
  41. Ministry of Finance of Government of Saudi Arabia. 2019. MOF Warns Against Dealing in Virtual Currencies, Including Cryptocurrencies That Claim Relationship with the Kingdom. Available online: https://www.mof.gov.sa/en/MediaCenter/news/Pages/News_20082019.aspx#:~:text=The%20Ministry%20of%20Finance%20(MOF,traded%20by%20financial%20institutions%20locally (accessed on 5 May 2024).
  42. Monetary Authority of Singapore (MAS). 2020. A Guide to Digital Token Offerings. Available online: https://www.mas.gov.sg/-/media/mas/sectors/guidance/guide-to-digital-token-offerings-26-may-2020.pdf (accessed on 10 May 2024).
  43. Moosa, Imad. A. 2007. Operational risk: A survey. Financial Markets, Institutions & Instruments 16: 167–200. [Google Scholar]
  44. Mueller, Lars, Stefan Stöckl, Johannes Mueller, and Dirk Schiereck. 2023. Estimating Crypto-Related Risk: Market-Based Evidence from FTX’s Failure and Its Contagion on US Banks. Available online: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4582569 (accessed on 10 May 2024).
  45. Peters, Gareth W., Aurélien Chapelle, and Emmanuela Panayi. 2016. Opening discussion on banking sector risk exposures and vulnerabilities from virtual currencies: An operational risk perspective. Journal of Banking Regulation 17: 239–72. [Google Scholar] [CrossRef]
  46. Power, Michael. 2005. The Invention of Operational Risk. Review of International Political Economy 12: 1–21. [Google Scholar] [CrossRef]
  47. Press Information Bureau. 2019. Inter-Ministerial Committee on Virtual Currencies Submits Its Report Along with Draft Bill ‘Banning of Cryptocurrency & Regulation of Official Digital Currency Bill, 2019’. Available online: https://pib.gov.in/PressReleseDetail.aspx?PRID=1579759&reg=3&lang=1 (accessed on 10 May 2024).
  48. PwC. 2022. El Salvador’s Law: A Meaningful Test for Bitcoin. Available online: https://www.pwc.com/gx/en/financial-services/pdf/el-salvadors-law-a-meaningful-test-for-bitcoin.pdf (accessed on 10 May 2024).
  49. PwC. 2023. Global Crypto Regulation Report 2023. Available online: https://www.pwc.com/gx/en/new-ventures/cryptocurrency-assets/pwc-global-crypto-regulation-report-2023.pdf (accessed on 8 May 2024).
  50. RBI. 2022. Concept Note on Central Bank Digital Currency. Mumbai: Reserve Bank of India. Available online: https://rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1218#:~:text=While%20Wholesale%20CBDC%20is%20intended,primarily%20me (accessed on 7 June 2024).
  51. RBI. 2024. Guidance Note on Management of Operational Risk. Mumbai: Reserve Bank of India. Available online: https://www.pdicai.org/Docs/RBI-2024-25-31_15202415340467.pdf (accessed on 1 September 2024).
  52. Roy, Deepankar, Ashutosh Dubey, and Sarika Lohana. 2023. A study to review global regulations regarding mitigation of operational risk associated with crypto-assets. In Recent Trends in Engineering and Science for Resource Optimization and Sustainable Development. Edited by Jelonek Dorota, Narendra Kumar, Mamta Chahar, Rusudan Kinkladze and Lila Knop. Boca Raton: CRC Press, p. 259. ISBN 978-1032466390. [Google Scholar]
  53. Shepheard-Walwyn, Tim, and Robert Litterman. 1998. Building a coherent risk measurement and capital optimisation model for financial firms. Economic Policy Review 1998: 4. [Google Scholar] [CrossRef]
  54. TechRadar. 2023. Hackers Exploited Binance Smart Chain Vulnerabilities in $568 Million Breach. TechRadar Pro. Available online: https://www.techradar.com (accessed on 18 November 2024).
  55. Tetiana, Zadorozhna, Sviatoslav Volodymyr, Oleksandr Demchuk, Vasyl Borys, and Tetiana Drahun. 2022. Investment Models on Centralized and Decentralized Cryptocurrency Markets. Dnipropetrovsk city: Scientific Bulletin of National Mining University. [Google Scholar]
  56. Thomson Reuters. 2022. Cryptocurrency Regulations by Country. Available online: https://www.thomsonreuters.com/en-us/posts/wp-content/uploads/sites/20/2022/04/Cryptos-Report-Compendium-2022.pdf (accessed on 18 June 2024).
  57. Thurman, Andrew. 2021. Crypto Exchange BitMart Hacked with Losses Estimated at $196M. CoinDesk. Available online: https://www.coindesk.com/business/2021/12/05/crypto-exchange-bitmart-hacked-with-losses-estimated-at-196-million/ (accessed on 18 November 2024).
  58. Trust. 2024. The Story of Mt. Gox: Explained. Available online: https://trustwallet.com/blog/mt-gox-explained (accessed on 8 August 2024).
  59. Ward, John. 2023. The crypto investing landscape. In The Emerald Handbook on Cryptoassets: Investment Opportunities and Challenges. Leeds: Emerald Publishing Limited, pp. 25–41. [Google Scholar]
  60. Zhao, Yi, and Benjamin Duncan. 2018. The impact of cryptocurrency risks on the use of blockchain for cloud security and privacy. Paper presented at 2018 International Conference on High Performance Computing & Simulation, Orleans, France, July 16–20. [Google Scholar]
Figure 1. Market capitalization of cryptocurrencies, including stablecoins and tokens. Source: Authors’ Creation.
Figure 2. Crypto-asset ecosystem. Source: Authors’ Creation.
Figure 3. Global regulations for crypto-assets. Source: Thomson Reuters. Cryptos Report Compendium 2022.
Figure 4. CORM framework. Source: Created by the Authors.
Table 1. Crypto-asset ecosystem. (Adapted from: Dubey et al. (2022)).
Layer | Description | Examples
Settlement Layer | The settlement layer of a network consists of network hardware, blockchain-based software, and data management mechanisms, including the Internet and connected devices. This layer serves as the foundation for all the subsequent layers. In this layer of the protocol, different consensus mechanisms, such as proof of work and proof of stake, are used to ensure the security of the blockchain. | Ethereum, Binance, Bitcoin, Hyperledger, R3 Corda, etc.
Asset Layer | This layer includes the creation of different assets over the blockchain layer. Some of them are:
  • Cryptocurrency (Fungible token): A crypto token functions as a method to support governance, access, and non-monetary transactions.
  • Stablecoin: Tokens that are predominantly a payment settlement asset and intended to sustain a steady value of exchange.
  • Central Bank Digital Currency: A payment settlement token, or digital equivalent of physical bank notes and coins, that is issued by a central bank and becomes the third form of public money alongside central bank reserves and cash.
  • Non-Fungible Tokens: A variation in the tokenization of securities; securities tokens are types of investment assets that exist only, including the proof of ownership, in the blockchain or Distributed Ledger Technology (DLT) ledger.
  • Native token: A token backed by assets may represent fiat currency; expensive gems; precious metals like gold, silver, and platinum; baskets of assets; or even interest as cashflow in real estate. Some represent a right to claim an asset, while others are digital representations of specific assets.
Examples: Dogecoin, USDC, Digital Rupee, Non Fungible Token (NFT) for Arts
Protocol Layer | A smart contract is a program stored on a blockchain that is executed when certain conditions are met. As a blockchain grows, the number of transactions increases, and scalable solutions are needed to support them. Off-chain solutions are commonly implemented to resolve issues related to the protocol's first layer; these solutions do not diminish the features of the first layer but rather enhance them. | Polygon, Polkadot
Application Layer | This layer includes over-the-top customization to facilitate financial services over the blockchain protocol. | Uniswap, dYdX, AAVE
Aggregation Layer | These are user interfaces which enable interaction with DeFi or blockchain applications with the help of wallets or service provider applications. | Wallets like Coinbase, Metamask
Additional Services | These are value-added services which are required to run the blockchain platform with the required compliance, guidelines, and regulations. | Oracle services like Bloomberg
Table 2. Basel Committee for Banking Supervision (BCBS) risk classification framework for crypto-assets (Roy et al. 2023; KPMG 2020).
Category | Risk | Description
Financial Risks | Liquidity risk | Market liquidity risk develops if cryptocurrency assets cannot be sold with little to no loss of value. Banks that issue and/or accept deposits in cryptocurrency assets may also be vulnerable during difficult times because of a lack of financial liquidity.
Financial Risks | Market Risk | The valuation and pricing of crypto-assets display a high degree of volatility, and disjointed trading platforms may hinder price discovery.
Financial Risks | Credit and counterparty credit risk | Crypto-assets that are legally binding generate counterparty credit and credit risks in the same manner as traditional assets. Banks find it challenging to estimate the risk of lending to crypto-asset businesses due to the lack of historical data on these assets.
Non-Financial Risks | Cyber and operational risk | Since crypto-assets are digital and not supported by tangible assets, operational and cyber risks are evident concerns. The technologies behind crypto-assets expose financial organizations to a whole new set of vulnerabilities from a governance and cybersecurity standpoint.
Non-Financial Risks | Legal and regulatory risk | For businesses without a strong regulatory framework, crypto-assets present new legal and regulatory dangers. Because cryptocurrency assets are not subject to central regulation, regulatory arbitrage may occur. Furthermore, as blockchain technology facilitates value movement, financial institutions will need to develop creative methods to adhere to KYC, AML, and terrorist financing requirements.
Non-Financial Risks | Reputational risk | Using cutting-edge coin offerings and crypto-asset management technology carries reputational hazards. Since cryptocurrency assets are distributed, unlike traditional assets, any unfavorable opinion or behavior by one party could have an adverse effect on the ecosystem as a whole.
Non-Financial Risks | Third party Risk | The majority of crypto-assets are operated by unregulated third parties with community-driven software. To improve their product offerings, financial institutions could also look for outside developers, partners, or solution suppliers. All of these factors contribute to an increase in third-party risk for a financial institution.
Non-Financial Risks | Implementation Risk | Internal policies and procedures must be created from the beginning and throughout the lifecycle of a crypto-asset. A crypto-asset cannot be implemented until an accounting treatment, operational method, and other frameworks are in place.
Table 3. Basel Committee Operational Risk events loss classification (Adapted from RBI 2024; BIS 2001).
Operational Risk Pillar 1 | Operational Risk Pillar 2 | Description | Illustrated Event
Internal fraud
  • Theft and forgery
  • Market manipulation
  • Improper transaction capture, execution, and maintenance
Description: At least one internal party may collude with other internal or external parties in order to deliberately cause loss to the organization. There are numerous reasons behind internal fraud. For example, an internal party may deliberately want to misappropriate property owned by the company. In other cases, they may merely be taking more risks by trying to bypass the controls that have been built.
Illustrated event: Manipulation of prices of crypto-assets due to centralization of information. Account take-over or impersonation on crypto-asset wallets.
External fraud
  • Hacks associated with theft and forgery
  • System security
  Description: Firms deal with a wide variety of third parties. Some of these third parties may not intend to deal rationally and candidly with the enterprise; instead, they may intend to cheat the firm by swindling money from it or by inducing the firm to break the law. In such circumstances, no internal parties are involved in the deceitful activity.
  Illustrated event: Distributed denial of service attack on a crypto exchange.
Employment practices and workplace safety
  • Unauthorized data access
  • Consuming external investment for non-business areas
  • Unauthorized activity in systems
  • Discrimination against employees
  Description: Workplace lawsuits, such as those based on non-observance of laws regarding gender or cultural diversity, fall into this group. The firm may not have condoned the conduct of its erring worker, yet it will be held accountable and may have to pay monetary compensation. Enterprises may also face operational risks arising from non-compliance with policies concerning the well-being and safety of workers, and may have to compensate injured or otherwise distressed employees.
  Illustrated event: Stealing of user information, wallet keys, and tokens.
Improper clients, products, and business practices
  • Defects in product
  • Improper advisory services
  • Wrong information shared in the market among clients and customers
  Description: A company may suffer operational risk because of the customers it selects to work with. For example, crypto companies like FTX were punished for fraud when their staff were found to have mismanaged crypto-assets. Likewise, a company may face operational risk because of non-compliance with its obligations towards the customer.
  Illustrated events: AML, KYC, regulatory breach, and non-compliance regarding management of crypto-assets in the geography; insider trading of crypto-assets.
Losses to physical assets
  • Failure of hardware
  • Theft of physical servers hosting services
  Description: Organizations all over the globe spend heavily on building physical assets: constructing factories and purchasing machinery, vehicles, or other assets their business requires. Yet these assets may be ruined in unrest, terrorist attacks, or even acts of God.
  Illustrated event: Servers hosting crypto-asset services damaged due to system failure or an improper business continuity plan.
Business disruption
  • Damages due to environmental, civic, political, and other disruptions to the business
  Description: If a company faces an outage or data theft arising from the incorrect working of its business systems, it could face severe losses. These losses may take the form of lost business income, but they could also stem from lawsuits arising because of the data that have been compromised.
  Illustrated events: Servers hosting crypto-asset services damaged by an act of God; outage of network or electricity stopping the crypto-asset system.
Delivery and process management
  • Promises on delivery of service
  • Improper regulatory reporting
  • Third party causing failure or fraud in the system
  • Improper client intake and documentation
  • Customer/client account mismanagement
  Description: Enterprises may also face operational risks because they are unable to follow through on the assurances they have made in their contracts.
  Illustrated events: Crypto-asset portfolio returns offered to customers not meeting expectations; client consent and permissions not collected; data entry error in the event of systemic failure.
Table 4. Summary of operational risk pillars associated with crypto-assets. (Adapted from PwC 2023; BIS 2019).
Columns: S. No. | Risk | Description
1. Business model: Digital asset investment strategies and business structures, such as direct investing, futures trading, and staking assets for yield, each carry their own operational hazards. These include, but are not limited to, unauthorised transactions, incomplete or erroneous books and records, and digital asset holdings that do not balance with the custodian or blockchain.
2. Technology: Technology risks include the possibility of unintentional or unauthorised logical and physical access to vital systems, system and reporting errors resulting from change management operations, and the potential for an inefficient reaction to harsh market conditions.
3. Custody and security: When offering services involving crypto-asset custody functions such as onboarding, deposits/withdrawals, and reconciliation, strong controls should be in place at every stage of the private key life cycle, including generation, distribution, storage, security, and usage, as well as private key rotation and destruction.
4. Market access and data: Market data service providers have put controls in place to preserve market data and liquidity. The primary risk lies in the choice of whether the service user relies on an infrastructure provider to aggregate all services into a single solution or connects to each decentralized exchange and blockchain independently.
5. Confidentiality and privacy: Confidentiality and privacy must be preserved in order to foster trust and satisfy stakeholder expectations. Data leaks and transaction data loss pose the biggest risks.
6. Compliance and tax: Providers of crypto-asset services are required to demonstrate adherence to financial sector norms and laws, such as those pertaining to tax reporting, know your customer (KYC) requirements, and anti-money laundering (AML).
7. Centralization: Without any maker-checker governance, a small group of people, mostly owners, control the business model, technology choices, operations, and market decisions.
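Rows 3 and 7 of Table 4 describe two controls that are usually implemented together in a custody service: controls at every stage of the private key life cycle, and maker-checker governance so that no single person can move funds or change key state. The following is an added example written for this page, not the paper's or any custodian's code. The approver role names, the XOR split of the key into two shares, the HMAC stand-in for the real signing primitive, and the hash-chained audit log are all assumptions chosen to make the lifecycle concrete, not a description of any production design.

```python
"""Private-key lifecycle controls for a custody service: generation with split
distribution, maker-checker control over activation, use, rotation and
destruction, and a hash-chained audit trail.  Added example for illustration;
role names and the HMAC stand-in for signing are assumptions."""
import hashlib, hmac, json, secrets

class PolicyError(Exception):
    pass

def _sha(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class CustodyKeyStore:
    """Keys move distributed -> active -> rotated/destroyed; every transition
    and every signing call needs two distinct authorised approvers."""
    APPROVERS = {"ops-a", "ops-b", "risk-c"}  # assumed role identifiers

    def __init__(self):
        self.keys = {}   # key_id -> {"state": str, "shares": [bytes, bytes] | None}
        self.audit = []  # append-only, hash-chained log

    def _log(self, event, key_id, maker, checker):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "event": event, "key_id": key_id,
                 "actors": sorted((maker, checker)), "prev": prev}
        entry["hash"] = _sha(entry)
        self.audit.append(entry)

    def verify_audit(self):
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _sha(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def _approve(self, key_id, states, maker, checker):
        """Maker-checker gate plus state check; returns the key record (or None)."""
        if maker == checker or {maker, checker} - self.APPROVERS:
            raise PolicyError("two distinct authorised approvers required")
        rec = self.keys.get(key_id)
        if states is not None and (rec is None or rec["state"] not in states):
            raise PolicyError(f"{key_id} is not in state {states}")
        return rec

    def generate(self, key_id, maker, checker):
        """Generate 32 random bytes and XOR-split them at once, so no single
        holder ever stores the whole key (the distribution stage)."""
        if self._approve(key_id, None, maker, checker) is not None:
            raise PolicyError("key id reuse is forbidden")
        key, share_a = secrets.token_bytes(32), secrets.token_bytes(32)
        share_b = bytes(x ^ y for x, y in zip(key, share_a))
        self.keys[key_id] = {"state": "distributed", "shares": [share_a, share_b]}
        self._log("generate", key_id, maker, checker)

    def activate(self, key_id, maker, checker):
        rec = self._approve(key_id, ("distributed",), maker, checker)
        rec["state"] = "active"
        self._log("activate", key_id, maker, checker)

    def sign(self, key_id, message, maker, checker):
        """Usage stage; HMAC-SHA256 stands in for the real signature scheme."""
        rec = self._approve(key_id, ("active",), maker, checker)
        key = bytes(x ^ y for x, y in zip(*rec["shares"]))  # reassembled only here
        self._log("sign", key_id, maker, checker)
        return hmac.new(key, message, hashlib.sha256).hexdigest()

    def rotate(self, old_id, new_id, maker, checker):
        rec = self._approve(old_id, ("active",), maker, checker)
        self.generate(new_id, maker, checker)
        self.activate(new_id, maker, checker)
        rec["state"], rec["shares"] = "rotated", None  # retired key cannot sign
        self._log("rotate", old_id, maker, checker)

    def destroy(self, key_id, maker, checker):
        rec = self._approve(key_id, ("distributed", "active", "rotated"), maker, checker)
        rec["state"], rec["shares"] = "destroyed", None  # shares discarded
        self._log("destroy", key_id, maker, checker)

def rejected(action, *args):
    """True if the policy refuses the action (used to record control outcomes)."""
    try:
        action(*args)
        return False
    except PolicyError:
        return True

def run_demo():
    """Walk one key through its lifecycle; returns observations for checking."""
    store = CustodyKeyStore()
    store.generate("hot-01", "ops-a", "ops-b")
    store.activate("hot-01", "ops-a", "risk-c")
    sig = store.sign("hot-01", b"withdraw 0.5 BTC (constructed request)", "ops-a", "ops-b")
    single = rejected(store.sign, "hot-01", b"x", "ops-a", "ops-a")  # maker == checker
    store.rotate("hot-01", "hot-02", "ops-b", "risk-c")
    rotated = rejected(store.sign, "hot-01", b"x", "ops-a", "ops-b")  # retired key
    store.destroy("hot-01", "ops-a", "risk-c")
    return {"signature": sig, "single_approver_rejected": single,
            "rotated_key_rejected": rotated, "audit_ok": store.verify_audit(),
            "states": {k: v["state"] for k, v in store.keys.items()},
            "events": [e["event"] for e in store.audit]}
```

Two design points carry the risk message of the table. Refused actions (one person acting as both maker and checker, or a request to sign with a rotated key) never reach the audit log, so the log records only what the policy allowed, while the hash chain lets a reviewer detect any later edit to that record. The "storage" stage is represented by the two shares: the whole key exists in memory only inside `sign`, which is the property a real custodian would enforce with an HSM or threshold signing rather than with XOR shares.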
Roy, D.; Dubey, A.; Tiwary, D. Conceptualizing an Institutional Framework to Mitigate Crypto-Assets’ Operational Risk. J. Risk Financial Manag. 2024, 17, 550. https://doi.org/10.3390/jrfm17120550
