[00:00:00] Seamus: Welcome to METACO Talks, episode 28 and the last of 2021. It’s been a great year and we’ve talked to some amazing people in the world of decentralized finance. Our discussion today on managing risk in the digital asset economy, we’ll have an equally interesting discussion. We have a guest who literally wrote the rulebook on risk compliance and best practice for digital assets.
Julian Sevillano, who is the Managing Director of Promontory, is joining us. Julian leads the Promontory’s FinTech and digital asset practice and advises financial institutions, FinTech, digital asset firms, and regulatory agencies on incrementing risk and compliance strategies. He’s got over 20 years in international banking and payments experience. Prior to Promontory he held various senior leadership positions in risk management, finance strategy, and treasury visa, and has extensive experience with US and international regulatory agencies. When it comes to regs, what he doesn’t know is probably not worth knowing. Julian, it’s great to have your thanks for joining.
[00:01:06] Julian: Thanks Seamus. Nice to see you again. It’s a pleasure.
[00:01:09] Seamus: Likewise. One issue I think we’re going to have is, there’s a lot to talk about. I think your experience is pretty unique, and unfortunately have 30 minutes. Why don’t we kick it off? When we talk about you writing legislation, I think that’s actually a fact, right? You were very involved in crafting the Wyoming Legislation. You worked very closely with some of the largest institutions in this market. It’d be great to hear a bit about your background and what you’ve done in this space.
[00:01:33] Julian: Sure. Thanks, Seamus. We’ve been very fortunate at Promontory. I’ve been very fortunate to lead a really great team of people that over the last couple of years, we’ve been head down thinking about regulation and supervision in the context of banking for digital assets activities. We’ve done some really amazing work and some great projects, and we’ve got a lot ahead of us to.
As you alluded to, we wrote the supervisory guidance for the division of banking in Wyoming. Those of us that are in the crypto space know that Wyoming was the first state in the US to basically approve a crypto banking license. Their speedy banks are allowed to custody, digital assets. They’re allowed to facilitate trading, they’re allowed to facilitate staking, lending and all other manner of activities, in addition to deposit taking. They’re not allowed to lend actually, they’re 100% reserve banks.
The division of banking issued an RFP, which we were fortunate enough to win. The nature of that RFP was to help them write supervisory guidance, so that their bank examiners could go into these institutions and understand the nature of the activities that they’re performing. In a traditional bank, an examiner will go in, look at our bank’s loan portfolio, understand how they are underwriting those activities and determine, they’re managing these in a safe and sound. In this case, you’d have to go in there and say, “How are you managing the private keys? How are you onboarding customers? What due diligence are you doing on them? How are you monitoring transactions?” As we all know, there’s very heightened AML risks, heightened information security risks, heightened operational risks whenever you’re supporting digital assets custody and other related activities.
We had to spend a lot of time. We wrote, I want to say, 750+ pages of very prescriptive and detailed supervisory guidelines on how to comply with AML and sanctions requirements in the context of digital assets custody, what are best practices for managing keys, and what are the different models? As we all know there’s many different models for managing keys. How to meet fiduciary requirements, when you’re performing as a fiduciary on behalf of your customer. Digital assets activities present heightened risk as it relates to fiduciary responsibilities, more so than a traditional activity would, because there’s more discretion that generally you apply. For example, when you’re facilitating a trade of a digital asset on behalf of a customer, versus when you’re facilitating a trade for a traditional office security.
That led us to working extensively with the large banks in the US and internationally that are all lining up to issue to support digital assets custody. But in the context of that, there’s a brand new activity, it’s a great opportunity for them. But these are very large banks that have very well-established risk and compliance programs, and they need to think about: how do I manage these activities in a safe and sound manner? How do I build risk and compliance programs that my regulators are going to be comfortable with?
Outside of Wyoming there’s been a little bit of work that’s been done by the OCC in the US, and we’ll talk about that in terms of the permissibility, but there’s not a lot of supervisory guidance to tell banks how they meet or what the safety and soundness standards are. That’s been a fascinating piece of work for us.
The third piece of work that we’ve been doing is we’ve been working a lot with the digital asset custodians in the US, the large institutional custodians, helping them become basically banks. We’ve been working closely with Anchorage since the beginning of the year, and we’ve got several other customers. Anchorage is the first US chartered national trust bank, and the only one operating right now. We have several others that we’re supporting at the state and federal levels as well. It’s a fascinating amount of work. Really interesting. I’m happy to talk more about our experiences and what we’re seeing.
[00:05:33] Seamus: It’s a fascinating position, because I think most advisories are really about compliant with rules. But you’ve started with a blank slate and helped them define what that should be. How do you come up with what should be best practice? What are some of those when you’re looking at risk and compliance programs?
[00:05:46] Julian: If you think about it, what we did when we started this work was we scoured the world for any and all supervisory guidance, any and all industry white papers, any and all best practices. We tried to reach out to the ecosystem of digital assets custodians, digital asset service providers. We built pretty strong relationships with a lot of the market surveillance companies with the transaction monitoring firms, which we still have today. The idea was to understand, what are you doing today? A lot of these digital asset custodians they are, and I’m speaking to you, you’re an information security company in your DNA. This is what you do. You manage risk in that way. How do we do that in the context of banking and in the context of digital? That’s something that is a translation that needs to occur.
Then a layer on top of that, how do we think financial crimes compliance in the context of digital assets? A lot of it was very iterative, and it was working directly with the industry and working directly with the regulators. Interestingly, people always think about risk appetite in the context of, in the industry participants they decide what risk appetite they want to accept. Regulators also decide what risk appetite they want to apply. They’ll either going to hold a very high bar, or they’re going to set the bar somewhere in the middle that hopefully will enable some form of innovation while also managing risks and keeping the bad guys out as to the extent that you can.
When you think about that, we think about a few key areas of risk that we have to think through. You have to think about the AML and sanctions compliance piece. You have to think about custody operations. You have to think about fiduciary compliance. You have to think about third-party risk management. The crypto world is an ecosystem of service providers that plug and play into each other. Not many of them are used to working with banks. The bar is so much higher for vendors for banks, that you have to think about that as well, and think about how you set that bar and think about the obligations that banks should have for doing third-party risk management on their vendors.
You’ve got to think about information security, not only in the context of key management, but in the context of the overall program as it is and how it fits within the different regulatory standards for traditional information security, understanding that there really isn’t a standard at a global level for something like key management. There are lots of better best practices, but there’s no regulatory prescription that tells you how you should do it. That’s a few things.
The last thing I’ll point out is payment system risks. A lot of people have been talking a lot about stable points lately. They talk about, how do we think about regulation and how do we think about supervision? There are very well-established payment system risk principles internationally by the CPSs, financial market infrastructures, domestically in the US and in several other countries as well. Those principles perfectly can be applied to stable coin networks, in terms of how they’re managed, how they’re designed, the risks that you control around them. As part of the work that we did in Wyoming, we also wrote a payment system risk manual, specific to stable coins and specific to e-money tokens. Really fascinating stuff.
[00:09:18] Seamus: Very much so. I was ready to start, there’s too much to dive into. Maybe to pick a couple of things. I’d like to follow up this risk tolerance approach that you mentioned the regulators need to take on. I think that’s super interesting and will inform us when we’re talking about different gradations of that globally.
I’d be curious to know, when you’re engaging with the regulators, who leads who? How do you connect and communicate with the regulators when there isn’t any regulation on these issues on the best practice?
[00:09:50] Julian: That’s a great question. Maybe I’ll use an example. When we work with a client that is applying for some form of registration or some form of a license, be it a national bank license or a state license or crypto registry, there are certain requirements. The good news is that at Promontory, we have a lot of experience helping even traditional firms achieve banking licenses. When we got the opportunity to work with crypto firms, it was really an extension of what we already have in our DNA. It’s very much a collaborative process, where in the case of crypto or digital assets, you have to over-communicate.
Typically, when you’re applying for some form of license, you create a business plan. As part of that business plan, you tell the regulators, here’s what I plan on doing for the next three years, these are the types of clients that I’m going to have, this is the type of services that I’m going to provide, this is the technology that I’m going to rely on, these are the risk and compliance programs that I’m going to establish to support these activities, this is the type of corporate governance that I’m going to have, and these are the financials. This is how much capital I’m going to allocate to this business, so that even if things go bad I’ve got enough capital to support this business – at least over what they call Denovo period, which is typically about three years.
Now, in a digital assets firm, you have to over-communicate. You can’t just say, I’m going to support digital assets custody. Well, how are you going to do that? What technology will you use? How is it structured? How does it meet certain standards of fiduciary compliance? There’s a tremendous amount of documentation that needs to go in into place.
What we do with our customers is, before we even start examinations or pre-application examinations, we schedule several working sessions with the regulators, which are between an hour and two hours for different subject matter experts, to literally walk them through: this is how we do digital assets custody, this is how we facilitate trading, this is how our customer onboarding works, this is how our withdrawal processes work. Literally walking them through, helping them understand in layman’s terms, how does a digital asset custodian process a request to withdraw all Bitcoins, and how do you do that? What are the humans doing, and who’s involved and what controls are in place? Then what’s the technology doing? How does the technology work with each other to make sure that if that withdrawal request comes in, that it’s authenticated, it comes from the right person, we have confidence that it does, and that then it’s processed within the bank in a way that isn’t going to create any errors and also isn’t going to lead to any nefarious activity? Those are the types of things that we have to walk them through.
If I shift over to the other area of huge focus where we spend a tremendous of time with regulators, it’s financial crimes compliance. There, we have to explain to them why is it that we’ve built for our clients a financial crimes program that is bespoke and addresses the specific risks that these activities present? As we know in the digital assets world, there’s nothing generic about digital assets custody. Every model is different. Every application, every installation is different. Every instance that every client wants a slightly different bell and whistle, the client base is different. The customers are different. The risks are different. The transactions are different. The geographic footprint is different. Institutional versus retail, or both, something in the middle. We have to explain to them and over explain to them, how is it that we’ve done that? We typically start by building a risk assessment so that a regulator can see and understand first the risks. then how am I managing those risks, and how does that meet the safety and standards or how do we expect that it should meet the safety and soundness standards of what regulators are?
It’s very much an iterative process. You never want to be teaching a regulator. That’s not something that you want to do or that they appreciate. But you definitely have to help them with education on this new technology and how it applies in the traditional bank world.
[00:14:37] Seamus: Sounds like a fine balance. Don’t teach but educate.
Were there any specific challenges? Getting a banking charter, as you mentioned, you’ve done it for Anchorage and you’re working with others. Any specific challenges around going through that process, beyond what you’ve just described in terms of the over-educating?
[00:14:59] Julian: A tremendous amount of challenges. I’ll say that my friends at Anchorage are true pioneers. They’re wonderful people to work with. I think they very early on understood the benefits of aspiring to the highest level of supervision, in the US at least. They understood that if they want to work with large institutions, that’s something that you want to aspire to. For them, it’s been a massive investment in time and effort. There’s been a lot of challenges. I think that the challenges have been in, again, going back to work with the regulators in a collaborative way. I will say that, in this case the OCC, which was the entity that has the office of the currency of the controller in the US, it’s granted them the license, they have a tremendous group of career examiners. They’re tremendous professionals. They took a very keen interest early on. They worked really hard to quickly get up to speed and learn the technology.
There were some challenges. One example was, and I was talking about withdrawals in the context of fiduciary compliance. In the US, for example, you have rules which require you to have two human beings to approve a withdrawal. In some cases, that doesn’t fit within the context of how digital assets custody works, because you have very strong logical controls. We had to work with those regulators, to help them understand how logical controls in some ways can be stronger than human controls, because they’re hard-coded and because it’s not just two humans. It’s probably a quorum of at least five humans on the backend that controls the logic that goes into those controls. That was one example.
A couple of other examples are helping them understand how it is that in some cases you have more information and can do a lot more due diligence, when you’re doing a KYC and enhanced due diligence for digital assets custody, when you’re actually monitoring transactions. The blockchain gives you a lot more information, depending on the asset that you’re looking at, than other traditional assets. You can gather more information. There was a little bit of that.
The other thing to understand is, whenever we’re doing one of these bank licensing engagements – it’s not just specific to digital assets – you have to reach a balance with the regulator to determine what is the appropriate level of staffing of size of capital to support the activities of this specific institution? Everybody wants more capital. Everybody wants more resources in order to support that, but you really need to come up to the equilibrium. What’s the right level? What’s something that is always a dialogue with a regulator, and it’s always a conversation.
We had to build a lot in a very short period of time, but I think overall we’re very satisfied with the work that we did there. We were very privileged to get the opportunity to work with them and with the regulators on some very groundbreaking stuff. That hopefully sets the standard for those to come.
[00:18:15] Seamus: Imagine you’re in the forefront of all this change. One more question for that US experience, Brian Brooks was running the OCC for a while and had a huge, I wouldn’t say bias, but it was very open to embracing this industry. We see that now with his congressional testimony yesterday, which is strongest components of the industry on an ongoing basis. To what degree is some of the regulations in the US or regulators, a bit personality driven? Or, how far into the fabric has acceptance of digital assets now reached from a regulator’s perspective?
[00:18:54] Julian: I do think it’s a little bit personality driven. I think unfortunately, it’s become slightly political right now. As with unfortunately everything in the US and maybe different parts of the world also, the different parties tend to pick sides. Because one party picked one side, the other one just automatically picks the other side. That’s not necessarily correct or true. I’ve been a little disappointed with the recent stance that the OCC has had in particular, on fostering and facilitating innovation. Chairman Suz made some comments that digital assets firms, if they want to become banks, they now have to also apply to become a bank holding company and also apply for FTSE insurance.
Frankly, there’s no legal basis for that in any law. It’s not something that you can actually just say, do it. You have to change laws in Congress to do that, if you’d like. To me, it’s a tactic to discourage digital asset firms from becoming banks. I don’t believe that he’s speaking unilaterally. They’ve had this sprint with all the federal agencies in the US, and they’ve come up with certain position points. I think that he’s speaking on behalf of more broadly the federal bank regulators specifically. I think that is unfortunate, because it slows down innovation.
What it will do defacto, is it says digital asset firms are technology service providers, and are not going to be regulated entities anymore. The banks are going to be the regulated entities that perform that activity, and will contract with the digital asset firms. For some firms, that’s their business plan. That’s what they want to do. That’s great. But for some other firms, I think it inhibits competition. That’s not something that anybody wants. But it’s unfortunate that that is the net result of what’s happening. I don’t really think that we’ll see any more approvals at the federal level for digital asset firms anytime soon, because meeting bank holding company requirements is an impossible standard for digital asset firms. Impossible first of all, because it’s not legal. Even if they wanted to apply, they wouldn’t be able to.
To me, it’s disappointing. I didn’t get a chance to see Brian’s commentary yesterday, but I can only imagine. I know how disappointed he is. Unfortunately, I think that many people, not just in the digital assets industry, but also in supervision and regulation, are disappointed as well. But hopefully those stances changed. I think that what happens, maybe use another example of federal guidance, the President’s Working Group Guidance On Stable Coins that came out a few weeks ago, I would give that a C minus in terms of a grade. I don’t think it was done well. I thought it was done a bit hastily. It wasn’t as comprehensive as it should be. It conflated a little bit of the technology in terms how you build stable coin networks. As I mentioned before, there’s pretty well established risk guidance on payment systems, and it’s not that difficult to apply that to stable point networks.
A better approach might have been to consult the agencies that have written supervisory guidance on stable coin networks. If you look at the sources, who they spoke to, they didn’t speak to New York State. New York state is supervising several very large stable point networks right now. They didn’t speak to Wyoming. Wyoming has written a book on stable coin regulation. Disappointing from the federal agencies, hopefully that changes. There are several senators, including Senator Lummis from Wyoming, who is very outspoken in terms of being an advocate for the industry, for digital assets. She and Senator Sinema have been very vocal; they’ve set up the financial innovation caucus of the US Senate Banking Committee. The idea is to educate their fellow lawmakers on the benefits of blockchain and on the benefits of responsible innovation and responsible regulation. Hopefully those efforts bear fruit and move forward. But I’ve just been disappointed over the last couple of months, and I know many people in the industry have, unfortunately.
[00:23:01] Seamus: I’ve been of the same opinion. I was, let’s say positively impressed yesterday with some of the congressional discussions, because for once it seemed to be a non-partisan issue. Both sides were coming out much more supportive of potentially things like stable coins. They could potentially become a proponent for the continued strength of US dollar dominance, the US dollar as opposed to a something that’s usurping it. I think there’s some positive signs there anyway, on what looked like a dark horizon.
But maybe to step back for a second, talk about that risk-based approach regulator are taking potentially other jurisdictions. We did see last week, I think even Australia; the treasury speech talked about coming legislation around payments related to cryptocurrency. They’re very much embracing that, as what you’ve described. We’ve seen other jurisdictions where we operate places like Singapore, Switzerland, Germany, all allowing innovation to move ahead. We’ve seen the banks embrace that and moving ahead quite aggressively with initiatives.
How would you look at the different countries in terms of the risk-based approach to balancing this regulation and innovation?
[00:24:05] Julian: Switzerland has clearly been a leader for several years now. They’ve fostered innovation in the industry. They’ve built clear rules, and they’ve got bank charters. They’ve chartered a couple of banks already. Certainty is really what they’re looking for, regulatory certainty. Hopefully some reasonable rules as well, but in the end just give us any rules. Give us the rules and let’s figure out how to do this. We don’t want to have the rug pulled out from under us after we’ve invested in building a business, then all of a sudden you change the rules at the 11th hour and I can’t launch my business anymore, or I can’t support my business anymore.
Really clear rules. I think the Finma and MAS in Singapore, as you mentioned, they’ve got clear registration requirements, they have clear information requests, they have clear permissibility standards. Some of them are a little bit more restrictive than others. People would argue MAS are a little bit more risk averse, and Switzerland will allow a little bit more. All that is the dynamic in any and every day. If I think about, what are some of the areas contribute to the risk appetite of these activities of digital assets custody solutions, in some ways it is the design and the controls, because that’s the foundation. But the other piece is, what assets do you support, and which ones don’t you support? There’s thousands and thousands of tokens out there, and those tokens have very different attributes in terms of whether they lend themselves to the appropriate level of financial crimes compliance, what the governance structures are, whether they should be considered a security or not, are they a fraud or not a fraud?
In supporting custody or trading or lending of those activities, you are scaling up or scaling down your risk appetite. That’s an area that I think regulators are beginning to understand. One of the things that the federal regulators asked us about very early on is, how do you make a decision on which token you’re going to support and which ones you’re not going to support? That I think will be a really interesting evolving process.
[00:26:21] Seamus: Clearly, that’s still a challenge. How do you think firms are going to look at going one step beyond that and looking at DeFi, or even as far as DAOs? Is there a framework they can start thinking about it that could get them involved?
[00:26:33] Julian: I think it’s very interesting. DeFi is very interesting, because going back to coin due diligence, it’s a token. You have to dissect the different parts of that token. How is it established? What is the underlying activity? What is the governance behind it? Does that give you a certain level of comfort that these activities can be performed in some way?
I think that the idea that DeFi or DAOs are somehow going to live outside of the regulatory, as long as they’re performing activities that are otherwise supervised or regulated, that’s not going to happen in any level of scale. If you’re facilitating trading, eventually you will have to apply to be a broker dealer or to have some other form of registration, because you’re performing those activities. There’s certain level of consumer protections that need to be in place in that sense as well.
In terms of DAOs, the Wyoming law is a really interesting one. It allows DAOs to become LLCs. I think the constitution that got it on everybody’s front page, is how people raised $40 million in six days and came within a dollar of probably the execution with best. It’s an illustration of the power of that technology. I think what’s interesting about where they’re looking at is, where were the faults that may have been in the governance? That’s the centralized part of the DAO that I think you’re never going to lose if you’re operating in a regulated space, because there needs to be a throat to choke. There needs to be someone to keep accountable for maintaining these standards. There has to be some basic level of centralization within the DAO, even if most of the activities are performed in a decentralized way.
[00:28:21] Seamus: Absolutely, we’ve had the same discussions here. Do you see other states or other jurisdictions embracing similar regulations around DAOs that Wyoming has?
[00:28:29] Julian: I hope so. I hope that we see something like that at the federal level soon.
[00:28:36] Seamus: That would be exciting. As I expected, we’re out of time. We will have to have your back and dive in a lot of these subjects more deeply, because I think we’ve only scratched the surface. But Julian, it’s been a real pleasure having you here. Thanks for your time. Anything else you’d like to wrap up with before we finish?
[00:28:50] Julian: No. Thank you very much for your time, Seamus. It was a pleasure as always, and I look forward to talking again soon.
[00:28:57] Seamus: Thanks Julian. Unfortunately, this was the last episode of 2021. The good news is we’ll be back in 2022. On behalf of everyone at METACO, thank you for joining us. Thanks for your support this year, and all the best for the holidays. Thank you. Bye.
[00:29:14] Julian: Thank you. Bye.