Chair of the Supervisory Board of the European Central Bank: Several Trends in Future Cryptocurrency Financial Regulation

Compiled by: Andrea Enria

This article is a speech by Andrea Enria, Chair of the Supervisory Board of the European Central Bank, at the MiCAR and its Coordination Meeting on EU Financial Market Legislation, jointly organized by Ca' Foscari University of Venice and the Bank of Italy.

Introduction

I am very grateful to be invited to deliver the keynote address at this conference in Venice. This topic is highly topical and particularly timely, and I believe we will discuss many interesting aspects of financial innovation and the role of regulation today. It is worth noting that the EU is the first major jurisdiction in the world to introduce a regulatory framework for the cryptocurrency industry. The Markets in Crypto-Assets Regulation (MiCAR) came into effect at the end of June 2023 and will be fully applicable by the end of 2024. I will first discuss how recent developments in the crypto asset space have strengthened the case for direct regulation of crypto asset activities. Then, I will address some issues related to MiCAR and explain how the most advanced forms of decentralized finance (DeFi) pose fundamental challenges to the application of financial regulation. Finally, I will outline what I believe are the essential elements of a regulatory framework that sets the boundaries between the crypto industry and banking and regulates their interactions.

General Discussion on Crypto Asset Regulation

The technical characteristics of the crypto asset framework can be quite complex, but its basic building blocks are distributed ledger technology (DLT). In this environment, both financial and non-financial assets are encrypted (tokenized) in the form of digital tokens, and transactions and contracts are executed without the need for permission and with anonymous access, without any intervention from centralized entities (whether public or private) acting as intermediaries, custodians, or guarantors for final settlement. Native crypto assets like Bitcoin and other DLT-based assets, as well as DeFi, which has developed more broadly from this original concept, seem to provide an opportunity for a new market structure that could completely eliminate the need for financial intermediaries and public institutions. For many, these innovations evoke radical proposals such as free banking or the denationalization of money, which gained popularity after the severe disruptions caused by banking and regulatory failures that led to the 2007-08 financial crisis. Initially, I advocated for isolating the world of crypto assets (particularly cryptocurrencies) from the regulated financial sector to avoid direct regulation of crypto asset activities. At that time, I believed that prohibiting financial institutions, especially credit institutions, from purchasing, holding, or selling crypto assets could prevent risks from spilling over into the regulated financial sector and eliminate public concerns about highly speculative investments. Crypto assets would enjoy the same level of protection as traditional financial asset investments. At the same time, I strongly advocated for the comprehensive inclusion of crypto exchanges and crypto asset providers within the scope of anti-money laundering and counter-terrorism financing (AML/CFT) regulation. I believed it was indeed possible to allow new technologies and products to develop outside mainstream banking channels, characterized by "experimenting with cryptocurrencies in a closed environment." However, due to the turmoil experienced in the subsequent cryptocurrency market, including the emergence of unsustainable business models and shocking fraud, we have strong reasons to adopt a stricter regulatory approach. In fact, we have seen some crypto asset projects relying solely on the expectation of continuously rising prices and the ongoing influx of new investors (like a Ponzi scheme), with no intrinsic value, no ability to generate cash flow, and extremely volatile prices. For example, in the collapse of the stablecoin TerraUSD, we witnessed a clear case of business model flaws and misconduct. This revealed three extremely concerning aspects: the high vulnerability of lending protocols; the extensive interconnections among crypto asset participants; and the unreliability of algorithmic stabilization mechanisms. The same case revealed strong harmful associations between crypto assets (Luna, paired with TerraUSD) and crypto asset companies (Lido, Celsius), which had a profound impact on public confidence in the entire industry. The operational system and governance framework of the trading platform FTX also exhibited severe flaws, making it susceptible to conflicts of interest, fraud, and the misappropriation of customer assets to cover losses incurred by other group entities. In fact, the FTX case exposed all the issues related to opaque corporate structures and overly complex and vertically integrated crypto-related business models. I now believe that, given the ongoing expansion of crypto asset activities, the interest shown by banks and other traditional intermediaries in providing a mix of traditional financial services and crypto financial services, the harm caused to consumers by fraud, and the numerous risk management failures in the crypto asset space, the approach of "experimenting with cryptocurrencies in a closed environment" is no longer tenable. Furthermore, although the scale of the industry remains relatively small, further growth outside the regulatory scope could ultimately raise broader financial stability concerns, especially considering the increasing interconnections with the banking sector, as evidenced by the crisis involving some mid-sized banks in the U.S. earlier this year. I am also particularly concerned about potential criminal activities within the industry; if the world of crypto assets remains entirely outside the regulatory scope, the serious risks of money laundering and terrorist financing will intensify. Therefore, the decision by European legislators to regulate crypto asset issuance and crypto asset services is a correct decision made at the right time.

Financial Regulation of the Crypto Industry

MiCAR is a significant legislative achievement that places the EU at the forefront of global developments. The advantage of MiCAR lies in its unified framework, which directly applies to all member states and regulates the issuance of crypto assets, particularly asset-referenced tokens (ART) and electronic money tokens (EMT), as well as the provision of crypto asset services. A fundamental aspect of MiCAR is the requirement for issuers of ART and EMT, as well as providers of crypto asset services, to ensure the segregation of their own assets from those of their clients. The lack of such a requirement was one of the main reasons for the chaos following the collapse of FTX. MiCAR does not cover crypto assets that have already been regulated as financial instruments or any other products that are already subject to existing EU legislation, such as bank deposits. Financial instruments are instead regulated under the DLT pilot regime. In fact, the tokenization of financial instruments is expected to make trading and post-trade processes more efficient. If combined with the tokenization of deposits as a means of settling financial transactions, the cost savings and reduction of operational risks could be substantial. Additionally, the tokenization of deposits could provide banks with a competitive tool to safeguard their funding base and achieve efficient credit intermediation processes. This is why it is crucial to have a regulatory framework for retail and wholesale tokenized deposits that is absolutely clear and eliminates any residual uncertainty. Furthermore, MiCAR explicitly excludes fully decentralized finance and native cryptocurrencies like Bitcoin from its scope (the rationale for this being what I call "structural" issues), as regulatory measures may lack an object and there is no issuer. Bitcoin will be subject to the rules for crypto asset service providers (e.g., trading on "institutional" exchanges), but the issuance (mining) of Bitcoin is not within the regulatory scope of MiCAR. Another aspect that complicates the implementation of financial regulation is what I refer to as the "non-territoriality" of financial services. Technological advancements have made it increasingly difficult to determine the jurisdiction in which a provider is located when services are offered remotely. As banking regulators, we are accustomed to dealing with cross-jurisdictional issues (with mixed results), but we now seem to face a new challenge where the provision of financial services is disconnected from the natural persons or legal entities physically located in a specific place. Nevertheless, to ensure financial stability, authorities must have a comprehensive understanding of the business of crypto asset participants. This is particularly challenging for DeFi, as it requires aggregating risk exposures and financial interconnections among "entities," which are not easily identifiable from a regulatory perspective. Centralized finance (CeFi) also faces the same challenges, as crypto assets are often traded off-chain even on more traditional trading platforms (like FTX), meaning they are traded in the exchange's ledger. In fact, crypto asset service providers often operate through networks of entities that are typically defined only as members of their "ecosystem." For particularly regulated entities, delineating the precise boundaries of FTX is not an easy task. Regardless of what names participants use for marketing purposes, it is crucial that interconnected entities are subject to accounting consolidation and comprehensive regulation.

Crypto Finance and Banking: Setting Boundaries and Regulatory Interaction

Now let me talk about the interaction between crypto finance and banking. For prudential regulators, it is essential to establish clear rules regarding the relationships between crypto asset participants and traditional financial intermediaries (especially credit institutions), as they serve as both deposit issuers and liquidity providers to other intermediaries within the financial system. In this regard, I believe that regulating the interaction between crypto assets and banking should at least include three fundamental elements: regulating the perimeter of banking; upgrading the prudential assessment of initial authorization applications to consider the crypto asset services and issuances provided by banking intermediaries; and prudentially regulating the financial interconnections between banks and the world of crypto assets.

Scope of Regulating Authorized Banking Activities

According to the principle of "same activity, same risk, same regulation," whenever a cryptocurrency company begins to engage in activities exclusive to banking, they need to apply for a banking license and meet the legal requirements for granting such authorization. The key question is whether and when crypto asset-related activities truly cross the regulatory threshold. Given the lack of a genuinely unified regulatory framework for financial services in the EU, determining which financial services are actually provided and how they are provided can sometimes be a challenge for our regulators. As outlined in the European Securities and Markets Authority's 2019 report on crypto assets, there are significant differences among member states in the implementation of the rules regarding the definition of financial instruments under the Markets in Financial Instruments Directive (MiFID). Therefore, it is clear that a thorough analysis of the financial services provided in the DeFi space and how they map to the definitions of financial services in existing legislation, particularly those related to banking, is necessary. The example of stablecoins is particularly interesting, not only because they have performed prominently in some recent crises but also because, in the context of DeFi, stablecoins are primarily used for settling transactions involving other crypto assets. Any discussion should start from the premise that stablecoins may be viewed as a form of private money, sharing some similarities with bank demand deposits but lacking all the public safeguards of bank deposits. Given that stablecoins can potentially lose their peg to a reference currency (usually the U.S. dollar), they are susceptible to runs, just like bank deposits. This is why the U.S. President's Working Group on Financial Markets recommended in its 2021 report on stablecoins that the issuance of stablecoins should be reserved for companies authorized as deposit-taking institutions, i.e., banks. This regulatory recommendation has yet to be implemented by U.S. legislators. I believe that in this regard, MiCAR's approach to regulating EMTs (stablecoins pegged to a single official currency) is consistent with this practice, as it only allows credit institutions or electronic money institutions to issue EMTs. This will maintain the reliability of electronic money and its ability to function as money with all its essential characteristics. In the European Central Bank's banking supervision department, we are prepared to work with the European Banking Authority (EBA) and other competent authorities in the regulatory framework to oversee banks issuing EMTs and assess whether further regulatory reforms are needed in this area.

Preliminary Authorization for Banks Engaging in Crypto Activities

Another aspect is how to handle banking license applications when the business model involves providing crypto asset services. It is worth mentioning that the solution adopted by the EU regarding the activities allowed for banking license holders has been very close to an all-encompassing banking model. Under this solution, credit institutions can provide all financial services except for insurance services, which always require separate authorization and separate legal entities. Therefore, in the EU, credit institutions are generally able to provide investment services, payment services, etc., without needing separate specific authorizations. Clearly, they still need to comply with all sector-specific requirements for the types of services provided (e.g., MiFID's suitability requirements for investment advice) and be subject to the supervision of competent authorities (if different from prudential banking authorities). The fundamental principle behind this approach is that, given the essential economic functions performed by credit institutions, they have traditionally been the most strictly regulated financial intermediaries and can therefore provide all other financial services. Unsurprisingly, this is also the solution adopted by MiCAR, under which credit institutions do not need specific authorization to issue tokens or provide crypto services, but must also be subject to specific industry regulation in addition to the usual prudential oversight. In this regard, I believe that the assessment of initial authorization applications for credit institutions characterized by significant crypto asset activities will have some distinctive features. We do not yet have specific cases, but it is foreseeable that in the near future, some innovative companies engaged in substantial crypto asset activities will apply for authorization as credit institutions, partly due to the coming into effect of MiCAR. So far, we have only dealt with the crypto asset authorizations of German credit institutions, as providing crypto asset custody services and other crypto services requires formally expanding the banking license under German law. Our task is to issue authorizations to all credit institutions, whether they are significant credit institutions under our direct supervision or less significant ones. Therefore, we have gained some experience in handling authorizations for providing crypto asset services, and last year we published regulatory standards for licensing banks engaged in crypto asset activities. We explained that when assessing such applications, we would pay particular attention to the following aspects: the overall business model of the credit institution and its sustainability; the internal governance and risk management of the credit institution and its ability to assess specific crypto asset risks; and the suitability assessment, where we expect the board members and key function holders of the credit institution to have specific and in-depth knowledge of digital finance. We will also closely collaborate with anti-money laundering authorities to assess the bank's anti-money laundering/counter-terrorism financing risk profile. Looking ahead, I believe that the specific national competent authorities designated by MiCAR, whether newly established or existing regulatory bodies, will also become important partners in our assessment of banking license applications for crypto asset service providers.

Prudential Regulation of the Links Between Banking and Crypto Finance

The third and final issue I want to address is how to supervise and regulate the direct financial links between credit institutions and crypto finance. This involves two aspects. The first aspect relates to the liabilities side of the bank's balance sheet, which has become more pronounced this year due to the crisis involving some mid-sized U.S. banks closely linked to the tech sector and crypto asset providers. The second aspect pertains to the assets side of the bank's balance sheet and the crypto assets it holds. Regarding the first aspect, systemic risks may arise from the high correlation of deposits held by different crypto companies at the same bank or across different banks. In particular, deposits from crypto asset issuers may exhibit significant volatility and be prone to runs. Furthermore, when such deposits constitute a large portion of the bank's funding, they may hinder or impair the bank's resolution strategies and necessitate extraordinary measures to prevent contagion. In this regard, it is noteworthy that MiCAR requires that at least 60% of the reserves for significant asset-referenced tokens be held in the form of bank deposits. While this is understandable as a measure for investor protection, it may have unintended consequences from a financial stability perspective. Some banks are likely to engage specifically in banking activities related to stablecoin issuers. However, it is particularly important that credit institutions monitor the diversification of their deposit base (not only in terms of individual counterparties but also across industries) and should not rely on volatile deposits that exceed their prudentially set risk tolerance levels, especially deposits from crypto asset participants. As regulators, we will also closely assess the concentration risks in the deposit base industry. In this regard, it is crucial that the relevant technical standards mandated by MiCAR include prudent calibrations for single-name concentration limits and require issuers to determine credit risk tolerance levels for their banking counterparts. Equally important is the obligation for issuers, especially significant issuers, to maintain effective risk management functions. Issuers primarily face financial and operational risks, and sound management of these risks requires adequate human and technical resources. The second aspect concerns the direct risk exposure of credit institutions to crypto assets. Here, we, as banking regulators, are in a more familiar territory, at least in terms of dealing with credit and market risks. The typical response of banking regulation to borrower default risk has been to impose capital requirements and risk limits. At the end of last year, the Basel Committee on Banking Supervision (BCBS) issued capital requirement standards for banks' direct investments in crypto assets. These standards are not yet legally binding and need to be transposed into EU law by January 1, 2025, but we already anticipate that banks will incorporate them into their business and capital planning. The standards categorize crypto assets into two groups. The first group consists of tokenized traditional assets and stablecoins with effective stabilization mechanisms that meet strict classification criteria, which will absorb an amount of own funds equal to their reserve assets or referenced assets and may be subject to additional charges from regulators. The second group consists of the riskiest forms of crypto assets, with a risk weight of 1250%, which essentially means that banks must maintain capital resources equal to the total value of their risk exposure. Holding limits also apply to the second group of assets. One aspect we are currently concerned about is the potential for evasion of the upcoming prudential regulatory framework. In fact, if crypto asset service providers controlled by banks are not within their prudential consolidation scope, the BCBS standards, particularly the risk limits, may become ineffective. It is worth recalling that we apply prudential requirements on a consolidated basis, and other financial companies also fall within the scope of the banking group's consolidation. Their risk exposures contribute to determining the consolidated capital requirements that credit institutions need to meet. From the current situation, we believe it is very challenging to include subsidiaries of credit institutions established by crypto asset service providers (CASP) within the prudential consolidation scope. This is due to the requirements set forth in the Capital Requirements Regulation (CRR) regarding the financial institutions that must be included in the prudential consolidation scope. Modifying the definition of financial institutions to include CASP within the prudential consolidation of banking groups needs to be prioritized. I believe that in the coming years, regulators will face a steep learning curve on how best to handle the interactions between credit institutions and crypto assets. This learning process will be challenging, as attracting enough staff with the necessary technical skills is not easy.

Conclusion

I firmly believe that the fundamental characteristics of modern financial markets need to be preserved, in which credit institutions play a key role due to their central position in the money creation process. I see no reason why the key features of this institutional framework should hinder the benefits of the latest technological advancements. I do not subscribe to the view that innovation can only thrive outside the realm of regulation and supervision, and that we should create a testing space for innovative companies outside the official financial sector without adhering to basic prudential, conduct, and anti-money laundering/counter-terrorism financing requirements. When a company's core function is to handle other people's money, especially when its services mimic key banking products such as deposits and payments, there is a need for robust protection of business security as well as the stability and integrity of the market. This is an area that requires our particular attention so that we can provide appropriate regulatory and supervisory solutions. For example, hybrid activity groups operating cross-border and covering millions of customers (groups providing financial and commercial services) may raise concerns about a level playing field and pose a threat to overall financial stability. Regulation often lags behind, sometimes arriving too late to repair the damage already done. This bears a striking resemblance to Hegel's description of philosophy: philosophy comes too late to provide "indications of how the world ought to be." This is because philosophy only uses its analytical tools after reality has undergone its formative process and has reached a "completed state": like Minerva's owl, philosophy "only begins to fly when dusk arrives." However, we cannot adopt policies that are too late or too lenient out of fear of stifling innovation or harming competition in financial markets. While we will always be in catch-up mode, it is crucial that the regulation and supervision of crypto finance begin earlier than "at dusk"; in fact, it has already begun. Thank you very much for your attention.