This week the European Banking Authority (EBA) issued a report covering the prudential risks and opportunities of Fintechs. The list of risks read a little like the legal blurb you find in a share listing document: a long bucket list, just in case there’s a legal issue. That’s probably the point.
The EBA document contains an entire section dedicated to Trade Finance distributed ledger technology (DLT). At the time of writing, trade finance projects were still in the Proof of Concept stage, whereas we.trade is now live.
The opportunities highlighted include efficiency gains, cost reduction, fewer errors, reduced duplication of financing, and fraud prevention. Banks could expand their customer base. For customers, there’s the potential for greater transparency, simplicity, speed, and shortening the time exposed to trade risk.
Risk Factors
Below is a summary of the salient risk points, as well as Ledger Insight’s (LI) commentary on each.
Legal
EBA: One of the issues raised is jurisdiction because different blockchain nodes will be in different locations. The laws in the two locations could conflict with each other, and digitally signed contracts might not be enforceable in one of them. And it’s also important to know in which jurisdiction a dispute would be resolved.
LI: Most standard contracts include jurisdiction. Surely a similar concept could be implemented? For example, the jurisdiction could always be the same as that of the bank providing the money or guarantee. Given these systems are all permissioned, when accessing the system, an end user client can accept binding Terms and Conditions. Where there are different regulators involved, that’s a tricky issue. But that must happen today in non-DLT transactions.
Lack of Central party
EBA: The report also pointed to the lack of a central party to provide governance and assume liability. The EBA listed issues such as who can participate and each participant’s role, what happens if someone loses their private key, and expelling non-compliant members.
LI: These would be issues for a public blockchain, but as the report noted, these systems are using private permissioned DLT. When interviewing participants in trade finance, many pointed to the need for a central jointly owned organization. In the case of we.trade, a joint venture company exists, so there is a governance mechanism in place to address many of these issues.
In other cases, perhaps Marco Polo, the client relationships are with a bank, as they are today.
Regarding losing private keys, for the banks they’re likely to have secure backups. For consumer users, for example we.trade, they have a regular web login. Enterprises are more likely to need private keys, and are less likely to lose them. But if they did, the advantage of a DLT is that the counterparties each have a copy of the records, though that’s neither hassle nor risk-free.
However, the liability issue is a much trickier one. These networks could become very large in terms of both members and financial volumes. Hence it would be prohibitive for one organization like we.trade to take on significant liabilities.
Money Laundering
EBA: The EU expressed concerns about Anti Money Laundering (AML) compliance because the technology allows for less physical examination of documents. They noted the potential for large fines and reputational damage.
LI: In discussions with the various trade finance projects it appears that banks plan to do normal AML before allowing clients to access any DLT platform. So until they start using blockchain-based AML, this should not be an issue. However, there could be the weakest link problem. i.e. if one bank has poor compliance, someone could slip through. But this is not related to DLT.
Dependence on Tech providers
EBA: The report pointed to increased dependence on third-party technology providers.
LI: For example, in the case of we.trade IBM is the technology provider. In the case of Marco Polo, R3 and TradeIX are the partners. Banks are fully aware of the risks, and getting several banks to agree on common rules when they all have very strong views on security is one of the hardest tasks.
Scale and concentration
EBA: The EBA is concerned about the potential risk of concentration or dependence on a single consortium or a single point of failure.
LI: On the one hand, the distribution of nodes should make a single source of failure less likely. Deploying software updates is challenging on a distributed network. And if there is a severe bug found post-deployment, it could impact the entire network. That could affect both the operation of the network and result in bad data throughout the network.
A target for fraudsters
EBA: The report stated that the sums involved could incentivize internal or external fraud including organized crime.
LI: On the one hand, blockchains tend to store encrypted data. But it’s hard to argue that these networks won’t be a target. Banks are always targets. The risk point is likely to be at the intersection between banking systems and the DLT.
Bitcoin ‘maximalists’ and those in the public blockchain arena believe that private permissioned blockchains will encounter Equifax types of hacks. Even though nobody’s managed to hack Bitcoin itself, numerous exchanges have suffered security breaches. Though these exchanges are startups, not banks.
Security risks
EBA: If someone steals a private key, it may be possible to forge a node. Even though data is encrypted, it may be possible to correlate transactions made with the same public key. Smart contracts rely on external services called oracles, for example for exchange rates. These oracles could be attacked or unavailable.
LI: This starts to get into a debate about the pros and cons of different DLTs. The ability to correlate transactions is most likely an Ethereum reference. In the case of Hyperledger Fabric, there’s the concept of channels which are similar to mini blockchains between particular parties to a sequence of transactions. With Corda, it only logs transactions for the relevant parties, and nobody else sees or stores them.
Oracles are a source of vulnerability. And in future separate blockchain networks are going to need to inter-operate which will be the most vulnerable point.
Conclusion
Banks are notoriously risk-averse and will have already addressed most of these issues to minimize the risks. That doesn’t mean the risks go away altogether.
One of the biggest threats is the potential liability of the central joint venture company. However, the likes of VISA and SWIFT are examples of companies that have endured.
Given the hurdles, it’s impressive that we.trade managed to launch the first enterprise joint venture blockchain.