APRA details crypto-asset expectations – Lexology

In its April 21 letter to all APRA-regulated entities, APRA set out its risk management expectations and policy roadmap for entities engaged in activities associated with crypto-assets. This includes its intention to develop a new framework dedicated to the prudential regulation of crypto-assets.

This letter outlines the first set of details on APRA’s intention to set expectations and standards for crypto-assets and related activities.

It concerns all APRA-regulated entities and their administrators, financial service providers that engage in activities associated with crypto-assets. It is also relevant for current and future “responsible persons” under the Banking Executives Liability Regime (BEAR) and the Financial Responsibility Regime (FAR).

Some notable expectations of APRA are:

  • Authorized Depository Institutions (ADIs) and Insurers: Investments in crypto-assets will need to comply with requirements to hold an appropriate level of regulatory capital, and any exposure must be taken into account in the institution’s internal assessment process. capital adequacy (ICAAP) and stress tests where applicable.
  • CSR Licensees: Licensees considering investing in crypto-assets as part of their investment strategy should ensure that they can demonstrate how the investment complies with the obligation to act in the best financial interests of the beneficiaries, respects the clauses of the investment strategy and respects the existing prudential standards. investment governance requirements.
  • BEAR regulations and future FAR regulations: responsibilities for crypto-asset activities should be assigned to BEAR responsible persons, with adjustments to the statements of responsibility. We believe that this expectation will also apply to the implementation of FAR, as discussed below.
  • Crypto-Related Loans: The principal, funding and liquidity treatment of loans secured by crypto-assets will need to be confirmed by APRA.
  • Allocation of superannuation funds: mentioning compliance with prudential standard SPS 231 Outsourcing (SPS 231), APRA highlights its likely strict application of the existing policy position in SPS 231. This has significant flux on the consequence for super funds delegating to an investment manager and in custodial agreements for crypto-assets. This will impact, and likely slow, the speed at which super funds are allocated to this emerging asset class.

Two important areas of prudential regulation are flagged for 2022 and 2023. APRA intends to consult on:

  • mid-2022: a prudential standard for the management of operational risks related to crypto-asset activities, relating to the effectiveness of controls, business continuity and the management of service providers; and
  • 2023: Prudential treatment of crypto-asset exposures in Australia for ADIs, and prudential regulation of payment stablecoins and large stored-value facilities.

What are APRA’s expectations for crypto asset risk management?

APRA generally expects entities to take a cautious approach and ensure that all risks are well understood and well managed before engaging in crypto-asset activities. Specifically, APRA expects regulated entities to:

  • Perform appropriate due diligence and comprehensive risk assessment before engaging in crypto-asset activities and ensure that they understand and adopt measures to mitigate the risks associated with their crypto-asset activities.
  • Comply with the prudential standards governing outsourcing (Prudential Standard CPS 231 Outsourcingor SPS 231 for CSR licensees) when engaging third parties to assist with their crypto-asset business.
    • It is important to note that for ADIs, APRA expects that responsibilities for crypto-asset activities will be assigned to those responsible for BEAR, with adjustments to their accountability statements as appropriate, and that APRA-regulated entities should also consider the impact of any new products on their operational risk. profile, and implement the necessary chances for internal controls.
    • Given the similarities between BEAR and the proposed FAR, we believe that APRA-regulated entities preparing for FAR should reflect this expectation of BEAR in planning for FAR.
  • Comply with all conduct and disclosure regulations administered by ASIC and consult with APRA and ASIC if uncertain about prudential, conduct or disclosure requirements and expectations when conducting activities of crypto-assets.

What activities do the APRA expectations apply to?

APRA’s risk management expectations apply to all APRA-regulated entities engaged in direct and indirect activities associated with crypto-assets as follows:

Crypto-asset activity

Expectations of APRA on risk management

Invest in crypto-assets

  • Appropriate capital management
  • CSR licensees must demonstrate consistency with best financial interests, commitments and investment governance requirements
  • Identify and manage operational risks such as fraud, cybercrime, conduct, financial crime and technology risks
  • Consider liquidity risks and disclosure requirements

Asset-Linked Crypto Lending

  • Manage credit risk for crypto collateral due to potential price volatility and illiquidity
  • Identify and manage operational risks as above (e.g. conduct risk) and risks associated with reliance on third parties, such as custodians, crypto infrastructure providers, exchanges and vendors portfolio
  • Confirm capital, funding and liquidity treatment with APRA for loans secured by crypto-assets

Issuance of crypto-assets

  • Identify and manage operational risks as above (e.g. conduct risk), as well as the need for robust systems for data collection, storage and backup, and a robust redemption process
    • Conduct risks here include design and distribution obligations.
    • Other risks to consider include governance and liability risks (particularly where there is reliance on third parties), custodial arrangements and safeguarding of funds, capital and liquidity, and implications for recovery and resolution planning

Provide services associated with crypto-assets

  • Specific consideration of fraud and asset security risks
  • Other key risks include cybercrime, financial crime, technology and driving requirements

Investments in entities directly or indirectly trading crypto-assets

  • Investments must comply with existing prudential requirements

Partnering with technology or other businesses to provide crypto-related offerings

  • Outsourcing of significant business activities must comply with prudential requirements

APRA political roadmap

The APRA letter notes that they are developing a long-term prudential framework for the regulation of crypto-assets. This should be developed in consultation with international regulators to ensure consistency of approach.

APRA expects international minimum standards for the prudential treatment of banking exposures to crypto-assets, once approved by the Basel Committee on Banking Supervision, to be the starting point for setting its own standards. prudential. In the coming period, APRA intends to take the following actions:


Expected publication date for consultation

Should come into force

Consultation on the prudential standard for the management of operational risks related to crypto-asset activities, covering the effectiveness of controls, business continuity and the management of service providers.



Consultation on the requirements for the prudential treatment of crypto-asset exposures in Australia for ADIs.



Consult on possible approaches to the prudential regulation of payment stablecoins, including the potential incorporation of such regulation into the proposed regulatory framework for large stored-value (SVF) facilities given their similarity to stablecoins .



*following the conclusion of the Basel Committee consultation

In addition, APRA foreshadows the possibility of broader regulatory developments relating to crypto-assets. This is in light of a similar focus on crypto-assets by ASIC, the Treasury and various parliamentary bodies.

APRA will continue to monitor industry trends and emerging risks, collaborate with other regulators and provide updated guidance as needed.

Comments are closed.