Part#3: Challenges of achieving efficient crypto counterparty default protections

Or, what are the structural gaps of the crypto industry and how to overcome them?

Hexaven
Nov 9, 2023

Part#2 of our crypto default risk management series covered a wide range of solutions which crypto players could use for their counterparty risk management. However, our analysis showed that most of the solutions served risk assessment rather than risk mitigation, and that emerging risk mitigation techniques such as DeFi insurance have failed to deliver efficient hedging for crypto counterparty default risks.

Why is that? This new instalment retraces the historical structural gaps of the crypto industry which hindered the emergence of efficient default risk protections. It also tells us how the crypto industry has started addressing such gaps over the past few years.

Recalling the goal of our article series — uncover what type of solution the crypto industry needs for crypto default risk management — let’s look at some of the challenges of achieving efficient solutions.

Structural gap #1: Nascent risk management best practices in crypto

Counterparty risk management practices in crypto have come a long way since the high-profile FTX collapse. Consideration of mitigation solutions has followed a similar path, which in turn has meant limited resources allocated to research and development in that space.

“We need better risk management, more guardrails…and we need some of that installed into the crypto industry,”
Jeff Horowitz, chief compliance officer at BitGo.

The recent crypto default events illustrated failures in risk management and a lack of best practices even at large blockchain organizations:

  • Lack of good governance: failure to counterbalance the powers of executives or management, to hold the leadership team accountable for their actions and to enforce control in the organization's decision process
  • Inadequate financial controls: internal controls (policies, procedures and checks that companies implement to mitigate their risk profile) and external controls (independent audits which verify that financial statements comply with an accounting framework)
  • Inexperienced executive team: mismanagement and lack of oversight
  • Failure in due diligence: failure of outsiders to conduct proper due diligence, despite the availability of some risk assessment tools

“Having experienced staff to implement and monitor the risk-management measures on a routine basis is also important,”
Mike Carter, Chief Compliance Officer at Bittrex.

However, an overarching structural gap underlay all these failures: the lack of regulatory or accounting requirements and the absence of institutionalized auditing techniques. Trust in data faltered after the bad press incurred by third-party auditing companies which had conducted proof-of-reserves audits of defaulted entities. Following the fallout among incumbent crypto auditors, no large player has stood out to fill the gap.

According to a Bloomberg survey, only 31 out of the top 60 companies in crypto have undergone a full financial audit or received reserve attestations from an independent auditor. Many of the companies surveyed, however, said their lack of audits was due to the unwillingness of major audit firms to engage with them. The survey results also show that 46% of the 24 companies that disclosed their present auditor were audited by one of the ‘Big Four’ accounting firms. These accounting firms include KPMG, PricewaterhouseCoopers (PwC), Ernst & Young (EY), and Deloitte. Coinbase, Circle, and Ripple, for instance, were audited by Deloitte, while Chainalysis, Ledger, and Anchorage Digital received audits from EY.

Structural gap #2: Challenges of achieving full decentralization

Counterparty risk transfer has its own limitations if the risk mitigation technique exposes the protection buyer to other indirect risks.

To illustrate this point, let’s take the traditional single-name credit default swap (CDS) market as an example. As OTC instruments, CDS are not traded on exchanges. They are not subject to mandatory clearing under EU EMIR or the Dodd-Frank Act, so clearing of single-name CDS currently remains voluntary. Financial market infrastructures (FMI) such as ICE’s US clearing unit or LCH CDSClear are financial intermediaries which offered clearing services for various single-name CDS, and some market participants committed voluntarily to clear single-name CDS. Due to the important, centralized role they play, clearing houses represent systemic risks for trading counterparties. Although clearing houses are well capitalized, a residual default risk remains for both counterparties, who need to hold regulatory capital against their exposure to such financial intermediaries.

Only full decentralization ensures default remoteness and censorship resistance. Full decentralization is challenging to achieve, as decentralization needs to be considered at each level of the DeFi technical stack (see Fig.1). This makes it an important challenge for the emergence of default risk hedging solutions, all the more so as blockchain solutions can only win against traditional solutions (and attract traditional institutionals) if the comparative benefits are clear and significant enough.

Fig.1: Typical technical stack of DeFi protocol — Source: Hexaven

Looking at the counterparty risk mitigations currently available in the crypto industry (see Part#2 for more details), a few entail indirect exposures for protection/cover seekers, which come from limitations in how they implement decentralization:

  • Custody of collateral backing default protection: any centralized custody exposes the protection buyer to default risk of the custodian; although this risk can be partially mitigated by some insurance and asset ring-fencing, this represents an economic risk which dealers are not keen to take
  • Capital pool management of discretionary mutuals: capital pools are generally jointly owned by all community members, and aim to hold assets used to back utility tokens which themselves are used to create coverage capacity; centralized risk management of a capital pool is prone to a single point of failure and can jeopardize asset-liability matching (i.e. an unbalanced ratio between the cover payout currency and the assets backing the cover)
  • Censorship of claim process: claim or default assessment is prone to censorship in a more centralized environment; this could also happen in DeFi protocols where risk assessment can be delegated to “risk experts” or where the decision to review fraudulent actions is left to “advisory boards”

Now, arguably, a decentralized implementation through a DeFi protocol will raise all sorts of new risks for DeFi users (see Fig.2), among others: smart contract risks (a code bug or error resulting in the protocol being used in an unintended way) and special economic events (including oracle manipulation or failure, severe liquidation failures, or governance takeovers).

Fig.2: Systemic risk factors in DeFi — Source: Moody’s Analytics

There is currently a lively debate within traditional finance about how to account for risks when dealing with decentralized protocols, and whether specific credit counterparty risks could be quantified based on some DeFi risk framework. Such DeFi idiosyncratic risks can be mitigated by technology choices and the right level of decentralization, as we will see later.

Structural gap #3: Lack of transparent, trustworthy information

Here again, we have come a long way since the 2022 crypto default events. The lack of transparent, good-quality and trustworthy information is actually the largest structural gap of the crypto industry. This acts as a deterrent for emerging solutions, as it can prove challenging for investors to underwrite risks without much information about “Reference Entities” (i.e. the legal entity which is subject to the default triggers; source: Hexaven Contracts).

This gap is magnified for historical reasons, as the blockchain economy is still in its infancy with only a handful of names being public companies. The crypto industry is also marked by its lack of disclosure requirements: for the moment, disclosure is driven not by accounting or regulatory obligations but by external stakeholder pressure (investors and platform users).

Many of the biggest names in the cryptocurrency market still dodge basic questions about their businesses even as investors step up their scrutiny of the industry, according to a survey by the Financial Times. In May 2023, the FT asked 21 of the most prominent crypto companies about their governance and handling of customer assets. Eight declined to share any basic information, such as where they are headquartered, while others provided partial answers.

Fig.3: FT crypto transparency survey — Source: Financial Times; Hexaven

Creditworthiness of a Reference Entity can be generally derived by:

  • On-chain data: based on attested addresses, any real data from on-chain transactions, such as withdrawal processing, liquidity, business activity, utility token performance
  • Off-chain data: i) private data from the reference entity, such as financial statements, cash flows, KYC/AML and positionings from CeFi, bank accounts; ii) public data, such as default event, profit warning, adverse media coverage, sanctions or fines, removal of license to operate in a country or business area

On-chain data are de facto transparent but are not necessarily legible. On-chain data availability has been enhanced by more third-party data analytics solutions (see Part#2 for more details).
It has also benefited from the development of proof-of-reserves techniques, in particular a technique called “proof of inclusion”, which builds trust in client deposit accounting.
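
An added illustration (not from the article or from any exchange's implementation) of how a proof of inclusion lets a client check deposit accounting. It assumes the common Merkle sum-tree construction, which the article does not specify; the ledger, account names and function names are constructed for the example.

```python
import hashlib

PAD = (hashlib.sha256(b"pad").digest(), 0)  # zero-balance filler for odd levels

def leaf(account_id, balance):
    """Leaf = (hash, balance); the hash commits to the account and its balance."""
    data = b"\x00" + f"{account_id}:{balance}".encode()
    return (hashlib.sha256(data).digest(), balance)

def parent(left, right):
    """Internal node commits to both children and carries the sum of balances."""
    data = (b"\x01" + left[0] + left[1].to_bytes(16, "big")
            + right[0] + right[1].to_bytes(16, "big"))
    return (hashlib.sha256(data).digest(), left[1] + right[1])

def build_levels(ledger):
    """Return every tree level, from the leaves up to the single root node."""
    levels = [[leaf(a, b) for a, b in ledger]]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([PAD] if len(levels[-1]) % 2 else [])
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Exchange side: sibling nodes on the path from one leaf to the root."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        node = level[sib] if sib < len(level) else PAD
        proof.append((node, sib < index))  # (sibling, sibling_is_left)
        index //= 2
    return proof

def verify(account_id, balance, proof, root):
    """Client side: recompute the root from own balance and the proof."""
    node = leaf(account_id, balance)
    for sibling, sibling_is_left in proof:
        if sibling[1] < 0:  # a negative sibling would understate liabilities
            return False
        node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    return node == root

# Constructed sample ledger (account, balance in smallest unit); not real data.
LEDGER = [("alice", 120), ("bob", 75), ("carol", 300), ("dave", 5), ("erin", 40)]
LEVELS = build_levels(LEDGER)
ROOT = LEVELS[-1][0]  # published by the exchange: (root hash, total liabilities)
```

A passing check shows only that the client's balance is counted in the published liability total; it says nothing about whether the assets backing that total are pledged to other parties.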

“It’s a fundamental fear of sharing information,”
James Newman, co-founder at perfORM Due Diligence Services.

Off-chain private data about Reference Entities are the most challenging to get in front of users (protection buyers or sellers). But off-chain public data do not necessarily drive sensible behaviours either: it all boils down to what should be included in an “efficient” data source. In the FTX case study, observers of blockchain data were tweeting out information on activity around FTX, such as movements out of wallets known to be associated with the exchange. This added to the sense of unease and ultimately led to a loss of confidence in FTX.

There can be a problematic mix of transparency and non-transparency in crypto. Centralized exchanges, or firms that handle customer trades and money, may have wallets visible on a chain that shed light on their assets or customer reserves. However, they also have non-visible balance sheets showing how much of those assets are pledged to, or spoken for by, other parties. This combination of information could be damaging: enough to know when others are fleeing, but not enough to know if they are right or wrong to do so.

How to overcome these structural gaps?

Across all 3 structural gaps, the crypto industry has initiated its internal transformation and put in place new approaches and best practices.

Fig.4: How the crypto industry addresses its structural gaps — Source: Hexaven

Integrated risk framework with more robust stakeholder governance

Large crypto players have adopted enterprise-risk management frameworks. Counterparty risks are now more integrated with other risks (cybersecurity risks, legal and compliance risks, and liquidity risks in cryptocurrencies) thanks to corporate functions integrated across compliance, regulatory and risk, and across global and local regulatory jurisdictions.
These enterprise-risk-management programs, which mimic what U.S. watchdogs require of mainstream financial institutions in the wake of the 2008 financial crisis, help crypto players to identify, monitor and control their cryptocurrency risks in both their financials and operations through scenario planning and testing and framework implementation.

Also, demand for risk management jobs in crypto has surged, with high-profile hires from traditional finance, particularly driven by demand from custodians and global consulting firms such as Deloitte.

Default remoteness and censorship resistance

Third-party custodians have strengthened their risk management provisions with asset segregation and expanded insurance coverage, although crypto-native custodians still have a long way to go to gain the trust of traditional banks.

Within DeFi, a strong focus has been placed on the design of decentralized default management systems, not only for the operational efficiency of the claim process, but also to make them transparent, community driven and ultimately censorship resistant.

The DeFi projects supporting the development of default risk mitigations still need to continue their efforts to communicate on DeFi risks and their decentralization levels. This is generally the case for any DeFi protocol, but it is all the more important for DeFi protocols providing default risk solutions, so that they can stand in the long run as alternatives to traditional risk transfer frameworks such as single-name CDS markets.

Data sharing incentives and disclosure requirements

While risk analytics solutions have been expanding with some compelling offerings, the core issue resides in off-chain private data: their availability and trustworthiness.

Zero-knowledge (ZK) technology can support the use of private data as input for counterparty risk assessment, whilst still ensuring the privacy of such data. Credora, a Credit Oracle, uses this approach to produce guidance on a Reference Entity’s creditworthiness without the need for Credora itself or any other third party to access the private data of the Reference Entity. The Reference Entity still has the option to give its consent to disclose part or all of the information.

A key part of a durable solution may be clear guidelines for how customer assets are held and managed, including when they are segregated (e.g. at a brokerage) and when they are commingled and invested (e.g. at a bank). This would give customers a better understanding of when they are deliberately taking a risk and when they are not.

Here, the drivers for changes could come from 2 different approaches:

  • A Darwinist approach: natural selection of crypto players in the “data transparency” race; transparency scores are emerging concepts which could find an important use case in risk assessment, whereby “bad actors” would be penalized by lower creditworthiness scores, ultimately deterring users
  • (Regulatory) disclosure requirements: Crypto firms could theoretically impose clarity on themselves; but at this point, regulation might be the best way to earn the market’s trust: a solution to a problem that crypto firms have unfortunately created themselves.

Conclusions

  • While crypto counterparty risk assessment solutions have flourished, risk mitigation solutions have faced many challenges in emerging as efficient hedging solutions
  • This has been mainly due to some structural gaps of the crypto industry: nascent risk management best practices, challenges of achieving full decentralization and, more importantly, lack of transparent, trustworthy information about creditworthiness
  • The crypto industry has shown a way forward to address these structural gaps: an integrated risk framework with more robust stakeholder control, default remoteness and censorship resistance of crypto default risk mitigation solutions, and data sharing incentives and disclosure requirements
  • All this paves the way for the emergence of efficient crypto default counterparty risk protections

What’s next?

Part#4 (and final): Design principles for an efficient crypto counterparty default risk protection

Hexaven

Hexaven is an institutional-grade decentralized infrastructure that provides counterparty default protections for the crypto industry.