Our response to HM Treasury's regulatory framework for cryptoassets in the UK
TRM welcomes this consultation and call for evidence and appreciates the collaborative approach taken by the government to creating a sound and competitive regulatory framework for cryptoassets in the UK.
By taking this pragmatic and phased approach it is highly likely that the government will create a proportionate and competitive regulatory framework. In doing so, it is crucial that the integrity of that framework is ensured via robust controls and the minimisation of financial crime risk.
Thus our response focuses on the questions that directly relate to market integrity and to how risk can best be managed within the system. In addition, we have taken the opportunity to respond to the “Call for Evidence” on Decentralised Finance (DeFi). At TRM we work closely with several entities within the DeFi ecosystem to help them consider what effective risk management looks like. When considering a way ahead, it is essential to take a public-private approach which is centered around the support and development of tools such as blockchain intelligence and digital identity to achieve the desired regulatory outcomes.
We welcome any feedback on our response and would be happy to provide any further details.
Response to Consultation Questions
10. Do you agree with the assessment of the challenges and risks associated with vertically integrated business models? Should any additional challenges be considered?
TRM agrees that there are risks associated with vertically integrated business models but also believes that with appropriate guidance, governance standards and risk management it is possible to mitigate these risks.
At present, there is an insufficient suite of tools that could help firms control their risk across verticals, but these can be developed. Once they are, and when complemented by appropriate guidance (based on approaches taken in traditional markets but fine-tuned for the unique characteristics of digital assets), risks will be appropriately mitigated.
There are also considerable advantages for digital asset venues and supervisors in achieving the desired regulatory outcome by making use of more real-time monitoring of risks, which will allow them to respond faster to problems if they emerge. TRM agrees that placing the onus on venues to store trade and other information and making it available to supervisors on request is the more proportionate way of doing things. As technology and the regulatory framework develop, however, it may be possible to feed this data directly to the supervisor, allowing for real-time supervision.
15. Do you agree with the proposal for trading venues to be responsible for defining the detailed content requirements for admission and disclosure documents, as well as performing due diligence on the entity admitting the cryptoasset? If not, then what alternative would you suggest?
TRM believes it would be helpful to have some standardisation in what sort of information is required for admission and disclosure documents, as this will give both exchanges and consumers, who are assessing the risk associated with different assets, a framework in which they can compare assets. Regarding consumers, it will be necessary to provide some information on how to interpret these disclosure documents so that they are properly understood.
Having a more unified approach will also help blockchain analytics companies ingest this data and display it within their systems making it easier for entities to understand risk - this would be especially useful for entities using multiple vendors.
20. Do you have views on the key elements of the proposed cryptoassets trading regime including prudential, conduct, operational resilience and reporting requirements?
TRM agrees with the proposed cryptoasset trading regime. In regard to the reporting requirements, it will be important for the supervisor to provide clear guidance on these requirements which should support the use of blockchain analytics solutions to enhance this function. The expansion in reporting requirements presents an exciting opportunity for the supervisor to have access to a wide pool of data which will give unparalleled insights into what is happening in the UK’s cryptoasset market.
25. Do you agree with the assessment of the challenges of applying a market abuse regime to cryptoassets? Should any additional challenges be considered?
TRM agrees that the highly globalised, fragmented and borderless nature of the cryptoasset markets makes it more challenging to control market abuse within them. This is further exacerbated by a lack of global standards on how preventing market abuse should be approached. TRM has been involved in the work of IOSCO in trying to establish these standards and looks forward to the output of that work. At a high level, market abuse most often occurs “off-chain,” which presents challenges outside the realm of open immutable blockchains. Unlike on-chain data, off-chain data is opaque and harder to track, leading to more opportunities for market abuse. It is critical to marry on-chain data from blockchain analytics with off-chain data held by exchanges and other CASPs.
26. Do you agree that the scope of the market abuse regime should be cryptoassets that are requested to be admitted to trading on a cryptoasset trading venue (regardless of where the trading activity takes place)?
We broadly agree that it makes sense for the scope of the regime to be applied primarily to cryptoasset trading venues, as these are the entities that have the necessary data to deploy such a regime. It must be noted, however, that the CAR should not extend to transactions where there is no clear UK nexus - any broadening of this scope will be very difficult for entities to implement and for the supervisors to supervise. Thus this could risk diluting the effectiveness of the regime. In addition, the regime could further fall into trouble if it covers all trading activity regardless of jurisdiction, as this would likely come into conflict with vying data protection regimes.
27. Do you agree that the prohibitions against market abuse should be broadly similar to those in MAR? Are there any abusive practices unique to cryptoassets that would not be captured by the offences in MAR?
Yes, we agree that the proposal is correct. It must be noted, however, that the ways in which cryptoassets are abused continue to evolve and are unlikely to remain static. At present we have not identified any market abuse practices that could not fit under the MAR offenses; however, this may change over time, and we are likely to get a better understanding of this once cryptoassets are placed under an abuse regime and there is more monitoring for such behaviour.
28. Does the proposed approach place an appropriate and proportionate level of responsibility on trading venues in addressing abusive behaviour?
At present, trading venues are the only entities that have full access to all the data necessary to conduct market surveillance in a meaningful way. By combining their internal order books with analysis of public blockchain data using blockchain intelligence, venues should be able to identify manipulation and abuse in the markets.
In placing the obligation on trading venues, it will be important to create a feedback loop to the supervisor so that venues can convey their experience of preventing market abuse in the sector. In doing so, the supervisor should consider establishing a specific information sharing mechanism for this purpose. Such a group could also be used to share learnings on how to optimise the technology stack used by firms to identify and combat market abuse. It will likely take time for firms to get this right and public private dialogue will be important for guiding firms during implementation of this regime.
It is right that the consultation acknowledges that the same regulatory outcomes cannot be achieved under this model and thus it is important that whilst the obligation is placed on the trading venues this is reviewed periodically to ensure that it remains appropriate for the venues and for the regulatory outcomes supervisors are seeking to achieve.
29. What steps can be taken to encourage the development of RegTech to prevent, detect and disrupt market abuse?
The creation of a cryptoasset market abuse regime would drive the development of RegTech solutions as it will mandate the use of these tools by firms. The more clearly supervisors can endorse the use of, and crucially experimentation with RegTech tools, the more likely they are to create an environment where effectiveness can be achieved.
This endorsement can be achieved by acknowledging in guidance that controls will evolve and adapt over time and thus should not remain static. In addition, providing feedback on reports from firms will improve the calibration of RegTech tools.
In 2018 five US regulators issued a joint statement on the use of new technology in the fight against financial crime that says, “The Agencies recognize that private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks identify and report money laundering, terrorist financing, and other illicit financial activity by enhancing the effectiveness and efficiency of banks’ BSA/AML compliance programs. To assist banks in this effort, the Agencies are committed to continued engagement with the private sector and other interested parties.” A similar statement tailored to the opportunities presented by cryptoasset firms to detect market abuse using new technology should be considered if a cryptoasset abuse regime was introduced.
Another example comes from the New York Department of Financial Services (NYDFS). In April 2022, NYDFS issued clear guidance to all licensed cryptocurrency businesses on the use of blockchain intelligence, emphasizing the importance of blockchain analytics in ensuring “effective policies, processes, and procedures, including, for example, those relating to customer due diligence, transaction monitoring, and sanctions screening.”
These statements are said to be useful in creating an innovative culture of compliance and should be explored if a cryptoasset abuse regime is established.
36. Do you agree with the assessment of the challenges of regulating DeFi? Are there any additional challenges HM Treasury should consider?
TRM agrees with the challenges identified by the consultation for regulating DeFi, especially the inherently global nature, inconsistency in definitions and the opacity of some governance frameworks. These challenges make taking a national approach difficult and so TRM would encourage the government to continue to support the work of FATF, the FSB and IOSCO in trying to establish global principles for DeFi regulation. These principles whilst responding to the challenges of DeFi must also capitalize on its opportunities not only for individuals but also for regulators.
The opportunities of DeFi stem from the characteristics of the blockchain where data is Transparent, Traceable, Public, and Programmable — and can allow anyone – from regulators to financial integrity professionals, average citizens to law enforcement – to more readily manage risks in the DeFi system.
Data is Transparent
The nature of public blockchains as open and distributed ledgers means that each transaction is verified and logged in a shared, immutable record, along with the timestamp of the transaction and the blockchain addresses involved. This data from the public blockchain is transparent, enabling the financial industry and government agencies to monitor trends in financial crime, market abuse, and financial stability in real-time and conduct more effective sectoral risk assessments.
Data is Traceable
Because blockchains provide an immutable audit trail of every transaction, understanding the ultimate source and destination of funds, particularly across jurisdictions, is substantially easier, faster, and more reliable compared to tracing funds through traditional financing mechanisms. For example, in the May 7, 2021, ransomware attack on Colonial Pipeline, law enforcement used blockchain intelligence to track, trace, and investigate the movement of the Bitcoin ransom payment. Through the use of the blockchain and excellent police work, law enforcement was ultimately able to identify the destination of funds and seize the majority of the ransom payment. That recovery was only possible because of the blockchain technology that DeFi relies upon.
Data is Public
Unlike transaction and customer data held by companies or financial institutions, public blockchains are distributed and not managed by a central authority. Thus, anyone — including law enforcement officials and regulators — can, with the appropriate tools, access, identify, and trace blockchain transactions, as the information is free and publicly accessible, independent of a third party.
Data is Programmable
Blockchain provides a new opportunity to increase access to the financial system by reducing the cost of providing financial services and programming key outcomes into smart contracts.
The promise for DeFi policy is the technology itself. To date the conversations around DeFi and regulation have been about how to jam crypto into the current regulatory paradigms. The native qualities of public blockchains and the DeFi ecosystem call for a different regulatory paradigm that can make use of such exciting opportunities whilst aspiring to the same regulatory outcomes of traditional finance.
37. How can the size of the “UK market” for DeFi be evaluated? How many UK-based individuals engage in DeFi protocols? What is the approximate total value locked from UK-based individuals?
Evaluating the size of the DeFi market in the UK is challenging, especially when compared with the centralised (CeFi) cryptoasset market.
When estimating UK flows within the CeFi market we can anchor analysis around entities that either have a geographic presence in the UK or directly market to UK customers. Using this data as a starting point we can then use proprietary blockchain intelligence methods to establish the flows of cryptoassets in and out of the UK. TRM Labs is happy to share exactly how it does this with the UK government in a private setting.
When we approach measuring the size of the UK’s DeFi market a different approach is needed. Unlike CeFi, most DeFi projects do not have a geographic center around which data can be collected - often governance and users are spread across the globe making it difficult to determine one ‘hub’ and few have registered legal entities. In addition, the data will be impacted by the way that users interact with the “project.” For example, are users engaging at the protocol or the front end? Furthermore, are users using a Virtual Private Network to interact with the project? TRM, through the use of proprietary blockchain intelligence, is able to glean jurisdictional insights from the way users interact with DeFi, but it is, admittedly, more difficult than in the CeFi space. Again, TRM Labs is happy to discuss these limitations and challenges with the UK government in a private setting.
To understand TVL, there are several free services, such as DeFi Llama, that provide this information on individual DeFi projects. To understand the TVL of UK DeFi projects, the government would need to determine which of these projects are based in the UK - which, as mentioned above, has its limits.
38. Do you agree with HM Treasury's overall approach in seeking the same regulatory outcomes across comparable "DeFi" and "CeFi" activities, but likely through a different set of regulatory tools, and different timelines?
Similar to CeFi, we would welcome a consistent international approach to DeFi that reduces the risk of regulatory arbitrage while, at the same time, encourages innovation. While there are indeed DeFi projects that are, in essence, operating like CeFi projects, as we move toward a more truly decentralized space, it is important that we have regulation that harnesses the native properties of blockchains in order to regulate in new and innovative ways. The purpose of regulation is to mitigate risk, while at the same time enabling lawful users of the technology and allowing an ecosystem – predicated on peer-to-peer cross border value transfer at unprecedented speed and scale – to flourish. This is why we believe HM Treasury’s approach of taking a different set of regulatory tools and timelines is appropriate.
40. Which parts of the DeFi value chain are most suitable for establishing "regulatory hooks" (in addition to those already surfaced through the FCA-hosted cryptoasset sprint in May 2022)?
TRM agrees that regulating DeFi protocols themselves could create several challenges and would be impossible for pre-existing, immutable protocols. It is, however, possible to consider how regulatory outcomes could be coded into future protocols enabling embedded supervision - this should be considered in more depth as the sector develops, perhaps in a future consultation.
As described by the consultation, regulating DeFi ‘front ends’ is another possibility and as discussed below can go some way in achieving regulatory objectives - especially in relation to combating financial crime. If this was pursued however, it should be considered how we could apply regulatory expectations to frontends but with sufficient room for experimentation so that compliance could be achieved but without incurring the host of legacy issues that we see in traditional finance (bloated compliance functions, false positives, derisking etc.). If regulatory hooks were established here, the government should support the development of supervisory tools and the use of new tools throughout the ecosystem for effective risk management.
As the government explores this area, it should consider how it can leverage other government work such as that on Digital Identity and the revisions of AML supervision when creating a new paradigm for regulatory effectiveness in DeFi.
This new paradigm should be informed by the self-regulatory activities already undertaken in DeFi. These include the effective screening of wallets interacting with DeFi frontends for financial crime risk, the due diligence of liquidity pools and NFTs and the ability to use blockchain intelligence to establish illicit finance typologies in DeFi. The government should establish a dialogue with the sector to understand these and their outcomes.
41. What other approaches could be used to establish a regulatory framework for DeFi, beyond those referenced in this paper?
TRM supports the government’s stated aim to “[look] for a proportionate, innovation-friendly approach, which recognises distinct opportunities offered by new business models and encourages a thriving and well-regulated UK DeFi industry.” To achieve this, TRM encourages the government to take a steady approach, one that is cognizant of market developments and that reflects international standards.
42. What other best practices exist today within DeFi organisations and infrastructures that should be formalised into industry standards or regulatory obligations?
At present, several entities within the DeFi ecosystem have pursued a self regulatory approach to risk management. In the case of anti-financial crime we see firms developing their own good practices on how to counter illicit finance risk in DeFi. TRM works with several ‘frontends’ to provide tools for sanctions screening and for the screening of other money laundering and terrorist financing risk. For users of DeFi we also offer tools that can assess the risk of liquidity pools, smart contracts and NFTs. These self regulatory efforts are creating useful examples of how anti-financial crime objectives can be achieved in DeFi using the latest technology.
It must be noted that the greatest risk faced by the DeFi ecosystem today is from hacks and code exploits, and this is where the sector must prioritise best practice creation. In 2022 alone, over $3.7 billion was hacked and stolen from the cryptoasset ecosystem with $3bn coming from DeFi projects and bridges alone. Nearly 90% of the $3.7 billion stolen last year was through infrastructure attacks and code exploits.
These hacks undermine the integrity of the system and deter wide-scale adoption. To counter this problem, DeFi projects must have strong cybersecurity, undertake code audits before publishing their code, and explore the use of bug bounties. To ensure the quality of code audits, we must create some form of standardisation for them so that they are robust. The recent hack of the Euler Finance project showed that despite having eight audits it is still possible for a project to be attacked. Here, the government should consider how it could leverage cybersecurity learnings from other industries such as traditional banking to help domestic DeFi projects pursue more secure practices.