Accenture Federal Services Issues Public Comment on National Credit Union Administration Notice
* * *
Contents
Introduction
Responses to Questions
Operational Questions (#9)
Risk and Compliance Management Questions (#10-11, 13-15, 17)
Supervision and Activities Questions (#21-22)
Additional Considerations
* * *
Introduction
Digital asset innovation has created new markets and is disrupting the financial services industry.
Some of the key issues financial regulators are facing with the digital asset industry in
* Lack of transparency
* Threat of market manipulation
* Complexity of underlying technologies
* Rapid pace of industry development
Assisting our financial regulatory clients in responding to these and other challenges they face is critical to establishing
Link to figure below.
AFS approaches digital assets as an opportunity for a more efficient, resilient, transparent, and inclusive financial system. Regulators, such as the NCUA, can enable these benefits by providing clear guidance and rules for entrepreneurs and innovative companies to deliver value through new digital asset products and services.
The innovation coming from the digital asset industry must be balanced with the appropriate amount of education, consumer protection, anti-money laundering (AML/BSA), supervision, and monitoring activities. Regulators have the responsibility to produce reasonable frameworks that mitigate bad actors' use of digital assets and underlying technologies for nefarious purposes.
Due to the various services federally insured credit unions (FICUs) provide to the American public, NCUA must have a comprehensive approach to digital assets. Cryptoassets provide the public new markets and asset classes to potentially generate wealth. Stablecoins and CBDC promise to be the new digital payment rails commerce is transacted upon. Asset-backed tokens could enable new transparency and greater access to market participants.
Making these assets usable in decentralized applications (DApps) is decentralized finance (
With this rapid growth have come fraud and opportunists who use false labeling to take advantage of market participants through decentralized-in-name-only ("DINO") applications, which can present risks and fraudulent claims to users and investors.
The NCUA must strive to deeply understand both the benefits and risk of digital assets,
Responses to Questions
In response to NCUA's request about DLT and
Operational Questions (#9)
9. How dependent will FICUs be on third-party software and open-source libraries for their own DLT projects?
FICUs will have the freedom of choice to decide how dependent they want to be on third-party software and open-source libraries for DLT projects. There are numerous examples of both private, in-house development of DLT code and open-source use by enterprises. Various companies, such as JPMorgan, have leveraged open-source libraries and then customized the protocols with specific parameters to suit their needs./3
FICUs should leverage and embrace the open-source nature of DLT and
All third-party software and open-source libraries should be evaluated for their respective risks, including but not limited to the developer community ceasing support and/or new features that have not been battle-tested in a live production environment.
Risk and Compliance Management Questions (#10-11, 13-15, 17)
10. To what extent are existing risk and compliance management frameworks designed to identify, measure, monitor, and control risks associated with various DLT and
Do some DLT and
Certain DLT and
Use cases that involve permissionless blockchain networks (e.g., Bitcoin, Ethereum) require frameworks for the operational and technological risks of a global, open-source network that is maintained by distributed developers and secured by distributed miners/validators. Because the actors on these permissionless networks are not all known, FICUs should prioritize fraud mitigation in their risk frameworks. Appropriate cybersecurity is required for the custody of private keys, which enable ownership of assets. Depending on the design and deployment patterns of digital assets, if the private keys of certain assets are compromised or lost, then these assets could be stolen or rendered permanently inaccessible. Furthermore, risks around enterprise data security, including information leakage linking customers and their financial activity, should be included in risk and compliance management frameworks.
Use cases that involve permissioned blockchain and DLT networks require appropriate cybersecurity controls at both the private key custody level and the underlying node environment. Because permissioned networks assume that all actors participating in a network are known and approved by other members, they place heavy trust in identity and membership service providers, which could result in external provider risks. Fundamentally, these permissioned networks tend to have different risk profiles than permissionless networks; regulatory frameworks should therefore be designed with these differences in mind. A high-level comparison between permissionless and permissioned networks can be seen in Figure 2 below:
Permissionless
* Anyone can have access to the underlying data and transaction history.
* All participants in the network are treated as equal, meaning that all users have equal rights to read data and execute transactions.
* They are frictionless for anyone to transact on and provide everyone the ability to access a complete copy of the transaction history.
Permissioned
* One or more organizations control who can have access to the underlying data and transaction history.
* User identities are authenticated and known through some type of procedure (e.g. KYC/AML).
* Different levels of read and write access can be assigned to participants for various types of data in the distributed ledger. This enables greater control and privacy than permissionless blockchains.
It should be noted that permissionless and permissioned networks are not necessarily mutually exclusive and that design patterns could follow a hybrid approach in which certain activities are conducted on a permissionless network and others on a permissioned network.
As designed and implemented today,
11. What unique or specific risks are challenging to measure, monitor, and control for various DLT and
FICUs' participation in blockchain and/or DLT networks will give rise to new risks and challenges. Furthermore, engaging with DeFi DApps presents additional possible risks on top of those of the supporting blockchain or DLT network.
Depending on what type of blockchain and/or DLT network FICUs are participating in, different technologies and processes will be required to address the unique risks including node infrastructure, software maintenance, security and custody. NCUA should examine the different types of blockchain and DLT networks being used in the market and what people, processes and technology might be required for addressing unique risks of each network.
Blockchains and other DLT systems produce transactional data in a new format which must be collected and analyzed in an appropriate manner. Furthermore, this transactional data might be challenging to trace through and analyze depending on how the network is designed. FICUs should be developing the necessary IT infrastructure, data pipelines and/or node infrastructure for the respective blockchain and/or DLT networks they participate in or interact with.
Many digital asset and
DeFi DApps present additional complexity when it comes to risk management. In addition to the underlying blockchain, DeFi DApps rely on complex smart contracts to facilitate financial services on-chain. NCUA should examine and deconstruct the smart contract architecture of DeFi DApps to understand development patterns and the data associated with smart contract interactions.
13. How are FICUs integrating, or how would FICUs integrate, operations related to DLT and
FICUs could implement software that acts as middleware between their enterprise architecture and the target DLT networks and/or DeFi DApps. Multiple architecture patterns exist to enable secured blockchain middleware, but ultimately the underlying use case and associated requirements define the best approach to follow. Two common patterns used today are dedicated blockchain clients and oracles.
Perhaps the most common pattern used today is integrating enterprise legacy systems using a dedicated blockchain client (e.g., Go Ethereum, Open Ethereum) that is connected to the target DLT network. Using available software development kits (SDKs) to facilitate programmatic access, FICUs can implement their own protocols to retrieve data from legacy systems and generate blockchain transactions. FICUs could either deploy their own client nodes or utilize cloud-based blockchain-as-a-service (BaaS) offerings from a variety of vendors for a more convenient, secured and faster go-to-market strategy. It should be noted that there are different types of nodes, such as light, full and archive nodes, that FICUs can use, depending on the use case requirements and non-functional trade-offs.
Another way to bridge DLT networks and legacy systems is using blockchain oracle infrastructure. An oracle is a technology which delivers data from an off-chain source to an on-chain smart contract. FICUs can use oracles to retrieve, verify and authenticate data from legacy systems and relay it to smart contracts to initiate and/or interact with on-chain services such as
An example of how FICUs can leverage oracle services would be to automatically trigger the transfer of funds locked in a
The transaction details could be available for all parties to audit and verify.
14. Please identify any potential benefits, and any unique risks, of particular DLT and
We focus on the potential benefits and risks of a permissionless blockchain
Link to figure below.
15. What impact will DLT and
Digital assets present both an opportunity and a threat to FICUs. If FICUs do nothing, earnings could be negatively impacted by technology disruptions. If FICUs lean into digital assets and
Some of the possible new products and services which could be built around digital assets:
* Wallet Infrastructure
* Custody Services
* Trading Services
* Borrowing/Lending Services
* Staking Services
* On-chain Analytics
17. What considerations have commenters given to how to maintain continued compliance with State and Federal laws and regulations that may be applicable to various DLT and
Generally, there are two emerging paths for ensuring compliance with laws and regulations for DLT and
Compliance through closed gardens is commonly used with services that are provided on a closed digital platform which requires the user to provide specific information to log-in and participate.
This approach enables service providers to have granular control of users' actions on their platform and place limitations on possible actions. The service providers of these closed platforms can implement compliance requirements as directed by regulations.
Compliance through on-chain methods is commonly used with services which interact with permissionless blockchain networks. Blockchain (on-chain) analytics enables compliance and risk management through analyzing the history of transactions and address activity. Because permissionless blockchains, like Bitcoin and Ethereum, provide a permanent, tamper-proof history of all transactions to all network participants, on-chain analytics enables those interacting with digital assets and DeFi DApps to perform monitoring, analysis and surveillance of transaction activity. Of note, according to Chainalysis, a leading blockchain analytics firm, less than 1% of all transactions were related to illicit activity in 2020./4
Another emerging on-chain method for compliance with laws and regulations is by using oracles. Oracles (described in question 13) can provide information from regulators which is then automatically executed by the smart contracts in the DApps. NCUA should examine how on-chain methods such as blockchain analytics and oracles can be used to maintain continued compliance for DLT and DeFi DApps.
Likewise, consumer protection can likely be achieved in various manners. Because the digital asset space is evolving at an exponential pace, member education and disclosure provision are some of the key elements to best ensure consumers are aware of the potential risks associated with DLT and
Supervision and Activities Questions (#21-22)
21. Are there any unique aspects the NCUA should consider from a supervisory perspective?
Market structure of digital assets and
On-chain monitoring involves the analysis of transactional data produced by entities using blockchain and/or DLT networks and smart contracts executing applications. Different blockchain and DLT networks may produce vastly different data types depending on network design. For any off-chain transactions, NCUA cannot rely on blockchain analytics and must work with the centralized FICU entity to understand how funds are handled internally and how the FICU is interacting and delivering the respective product or service.
22. Are there any areas in which the NCUA should clarify or expand existing supervisory guidance to address these activities?
* Engage FICUs to gauge interest in using or offering
* Examine DeFi as a potential new backend infrastructure for FICUs
* Potentially clarify or expand supervisory guidance to address FICUs' use of
Stablecoins - NCUA should consider the following actions:
* Engage FICUs to gauge interest in using or offering stablecoin products/services
* Examine the different models of stablecoins which are being issued by private entities
* Examine how these stablecoins are used in the market across various use cases
* Potentially clarify or expand supervisory guidance related to FICUs' stablecoin activity and potential product/service offerings if appropriate
Custody - NCUA should consider the following actions:
* Engage FICUs to gauge interest in using or offering custody services
* Examine the multiple custody models that exist for enabling asset owners to interact with their digital assets and DeFi DApps
* Examine the best practices of custodial risk management frameworks for the different models of custody under different use cases
* Investigate how digital asset custodians segregate individual account funds across different blockchain networks
* Potentially clarify or expand supervisory guidance to address FICUs' custody offerings if appropriate
24. Are there any steps the NCUA should consider to ensure FICU members can distinguish between uninsured digital asset products and insured shares?
The complexity and marketing of digital asset products could make it difficult for customers to clearly distinguish between uninsured products and insured shares. There are multiple methods which could be used to help customers distinguish between the different types of products and insured shares: directly on-chain and off-chain via financial institution disclosures, account structuring or other tagging mechanisms.
Prioritizing member education and increasing financial literacy around digital asset and
25. Are there distinctions or similarities between stablecoins (cryptocurrencies that are backed by a currency like the
Certain fiat-backed stablecoins might have similarities to stored value products in that one can purchase stablecoins, hold them in a digital wallet and transact with them for different products/services. Because there are various models for fiat-backed stablecoins, the NCUA should examine the various fiat-backed stablecoin models and potentially produce guidance regarding underlying collateral transparency, usage and proof of reserves.
Additional Considerations
We applaud the NCUA for establishing the
View figures at: https://downloads.regulations.gov/NCUA-2021-0102-0023/attachment_1.pdf
* * *
Footnotes:
1/ https://www.accenture.com/us-en/insights/us-federal-government/future-digital-currency
4/ https://blog.chainalysis.com/reports/2021-crypto-crime-report-intro-ransomware-scams-darknet-markets
* * *
The notice can be viewed at: https://www.regulations.gov/document/NCUA-2021-0102-0001