Blockchain for Banking News

Correction: Basel bank crypto rules updated. Permissionless blockchain treated as high risk


Today the Basel Committee on Banking Supervision published updates to crypto-asset rules for bank compliance. It also released the final disclosure framework. In the latest consultation, the Committee threatened to treat stablecoins and traditional digital securities on public blockchains as having the same risk as cryptocurrencies. This would block banks from participating in significant tokenization initiatives on public blockchains because doing so would be prohibitively expensive.

We previously reported that the Basel Committee seemed to have dropped this proposal, but we were wrong. Currently the Committee does not believe that banks can address the risks of permissionless blockchains. Hence, any stablecoins or digital securities issued on permissionless blockchains are in the high risk Group 2 category along with cryptocurrencies. Private or consortium blockchain tokens are the only ones that have the potential to qualify in the lower risk categories.

This week’s announcement made no mention of permissionless blockchains. Plus, there are no changes in the rules regarding permissionless blockchains. However, the Committee’s views that banks cannot mitigate the risks were expressed during the December 2023 consultation and still stand.

The Basel Committee's views on permissionless blockchains

Below is the relevant excerpt from the December 2023 consultation:

“An additional topic that the Committee announced it would review in December 2022 was whether the risks posed by cryptoassets that use permissionless blockchains can be sufficiently mitigated to allow for their inclusion in Group 1. The Committee has completed this review and concluded that the use of permissionless blockchains gives rise to a number of unique risks, some of which cannot be sufficiently mitigated at present. Some of the most significant risks stem from the networks’ reliance on third parties to carry out basic operations. Banks have limited ability to conduct due diligence and oversight over those third parties or prevent potential disruptions to the network. Similar analysis applies to political, policy, and legal risks, AML/CFT risks, and risks around settlement finality, privacy, and liquidity. The Committee acknowledges that technical solutions to many of these issues may develop rapidly in the future and would welcome ongoing feedback from industry participants on the risks of permissionless systems and the development of mitigants. At this point, however, the Committee does not propose any adjustments to the cryptoasset standard to allow for the inclusion of cryptoassets that use permissionless blockchains in Group 1.”

In order to be treated in the lower risk Group 1 categories, any crypto-asset must also comply with clauses SCO60.8 to SCO60.20.

The Committee is not changing the rules. However, before the above December 2023 statement, people interpreted the rules as meaning that the risks of permissionless blockchains were manageable.

Only the following unchanged clause mentions permissionless blockchains:

60.125 Risks that banks need to consider in their risk management of cryptoassets activities include, but are not limited to, the following:

(1) Cryptoasset technology risk: Banks must closely monitor the risks inherent to the supporting technology, whether cryptoasset activities are conducted directly or through third parties, including but not limited to:

(a) Stability of the DLT or similar technology network: The reliability of the source code, governance around protocols and integrity of the technology are among key factors related to stability of the network. Key considerations include capacity constraints, whether self-imposed or due to insufficient computing resources; digital storage considerations; scalability of the underlying ledger technology; whether the underlying technology has been tested and had time to mature in a market environment; and robust governance around changes to the terms and conditions of the distributed ledger or cryptoassets (eg so-called ‘forks’ that change the underlying ‘rules’ of a protocol). In addition, the type of consensus mechanism (ie for a transaction to be processed and validated) is an important consideration as it relates to the security of the network and whether it is safe to accept a transaction as ‘final’.

(b) Validating design of the DLT, permissionless or permissioned: Cryptoassets may rely on a public (‘permissionless’) ledger, whereby the validation of transactions can be done by any participating agent, or distributed among several agents or intermediaries, which could be unknown to the users. In contrast, a private (‘permissioned’) ledger restricts and pre-defines the scope of validators, with the validating entities known to the users. On a permissionless ledger, there may be less control of technology and on a permissioned ledger there may be a small group of validators with greater control. Risks related to the validating design of the DLT include the accuracy of the transaction records, settlement failure, security vulnerabilities, privacy/confidentiality, and the speed and cost of transaction processing.

(c) Service accessibility: One of the distinguishing features of cryptoassets is its accessibility to holders of these assets. A holder of cryptoassets is assigned a set of unique cryptographic keys, which allow that party to transfer the cryptoassets to another party. If those keys are lost, a holder will generally be unable to access the cryptoassets. This increases the possibility of fraudulent activities such as a third-party gaining access to cryptographic keys and using the keys to transfer the cryptoasset to themselves or another unauthorised entity. Furthermore, the risk of a large-scale cyber-attack could leave banks’ customers unable to access or recover cryptoasset funds.

(d) Trustworthiness of node operators and operator diversity: Since the underlying technology and node operators facilitate the transfer of cryptoassets and keep records of transactions that take place across the network, their role is essential in designating and sizing the amounts that are held by the holder. Whether nodes are run by a single operator or are distributed among many operators and whether the operators are trustworthy (eg whether the nodes are run by public/private institutions or individuals) are relevant considerations in third-party risk management.


Other stablecoin changes


Two other proposed amendments regarding stablecoins were watered down. But these are somewhat moot given the position on permissionless blockchains. The consultation suggested all stablecoin reserves have to be bankruptcy remote relative to the issuer and stablecoin custodian. The final standard states that banks that only provide custody services to a stablecoin are not required to keep cash balances separate from other bank deposits. Hence, provided the bank isn’t the stablecoin issuer, this allows bank accounts to be used for stablecoin reserves. The EU’s MiCA regulation mandates a high proportion of reserves to be held at banks (30-60%).

The Basel Committee also considered banning the use of securities finance transactions, such as reverse repurchase agreements (reverse repos), in stablecoin reserves. This involves stablecoin issuers lending their cash reserves to banks and receiving collateral as security. The new rules allow very short term reverse repo agreements provided they are overcollateralized by high quality marketable securities. For example, Circle’s USDC lends around 60% of its reserves to banks in this way overnight.

However, the marketable securities have to be of the highest quality. A footnote to the Tether stablecoin reserves shows it has overnight reverse repos representing over 10% of its assets. We believe the quality falls short of the Basel requirements because Tether’s lending is secured by collateral of A2 credit rating, which is only upper-medium in quality. By contrast, USDC’s collateral is A1. Tether also wouldn’t qualify as low risk for banks because at least 16% of the assets it holds don’t match Basel requirements.

While high quality reverse repo is okay, repo is not, because the Committee considers it as expanding the balance sheet of the stablecoin issuer: repo involves the issuer lending securities and receiving cash. Likewise, Basel bans securities received from collateral swaps, because they could temporarily lower the quality of securities held. With some limitations, a national regulator can allow repo and collateral swaps.

Other changes

The original Basel rules allowed for some limited hedging of cryptocurrencies for certain assets. Cryptos qualify as eligible for hedging if there’s an exchange traded ETF or ETN for that coin. Until recently that mainly meant Bitcoin and Ether, but the range of ETNs has expanded, particularly in Europe. However, the Basel updates tighten the criteria: the ETF/ETN must also be centrally cleared.

Stablecoins now have more detailed rules on attestations and audits. There must be a third-party verification at least twice a year and an external audit annually.

Meanwhile, the Committee previously postponed the implementation of the rules to January 2026.

Update: Early versions of this article concluded that permissionless blockchains were not treated as high risk automatically. This was incorrect.

