What Kraken’s New CCO Needs to Know (and So Do You)

The SEC’s decision to fine crypto exchange Kraken $30 million for failing to register its cryptocurrency staking program is just the latest example of how decentralized digital-asset businesses are increasingly beholden to compliance standards as their practices become more mainstream. In cryptocurrency markets, decentralization and potential for innovation exist side by side with big risk, market volatility and scant — but growing — regulatory controls.

GRC practices exist to prevent potentially detrimental oversight and protect against fraudulent practices that could devastate an industry, as with the collapse of crypto exchange FTX late last year. Failures of this magnitude are typically unheard of in businesses that are aligned to applicable risk management and compliance standards and regulations.  

With increased regulatory scrutiny, there is optimism: Kraken is in the process of fixing its compliance controls under the leadership of a new chief compliance officer, who began in the role just before the SEC settlement was announced. The company has also agreed to invest in its compliance technology and training. 

This is a start, but only adding training and controls is not enough. Compliance leaders must keep in mind that all risk is connected, across business units and vendors. Adherence to GRC best practices will ensure that the company stays on top of regulations and avoids future settlements.

Decentralized businesses are here to stay

Despite the current scrutiny on crypto and the metaverse, digital currencies and the decentralized financial ecosystem are here to stay. The industry may feel a short-term impact following the events at Kraken and FTX — each highlighting, in their own way, the absence of corporate governance — but digital assets are likely to come back stronger within a regulated environment that offers the checks and balances required for stability.

Leaders must remember that it is possible to innovate while still maintaining an operative model of governance, risk and compliance. As the acceleration of regulation increases to match the pace of disruption, choosing to implement a solid GRC program ensures businesses are not only up to speed with accepted practices and standards but that they’re establishing a level of visibility and trustworthiness that will lead to success in the long term.

Learning from past financial crises

As with any rapidly evolving technology, regulation of the digital-asset markets is still catching up with day-to-day transacting as various government bodies determine the best path forward. In the meantime, the task of governance falls on individual business leaders, who must come together to grow responsibly.

What’s happening now with crypto is not the first time we’ve seen crises in the financial industry promote increased oversight and regulation. The Dodd-Frank Act was passed in 2010 in response to the financial crisis of 2008, establishing unprecedented regulatory measures in the financial services industry. Dodd-Frank was designed to keep consumers and the economy safe from risky investment behaviors by insurance companies and banks.

This is a lesson to others in this industry as well: We must learn from history to spot potential financial disasters (and scams) before they blot balance sheets and compromise customer relations. We cannot allow the fear of missing big returns to drive investments, especially when we recognize they lack clear checks and balances. Twelve years after the passage of Dodd-Frank, the collapse of Silicon Valley Bank and Signature Bank in March — within a week of each other — suggests there are still lessons to be learned here.

Risk

Risky Business: Important Lessons From SVB’s Demise

by Atul Vashistha

March 28, 2023

When all is said and done, it’s likely that Silicon Valley Bank’s failure will be traced back to one serious flaw — shoddy risk management.

Read more

Remember that risks are interconnected

The past few years have taught us that unregulated industries, however flashy, sow considerable risks — just look at the diversity and scale of financial losses. Kraken’s SEC fine may have been avoidable with the right measures in place. That $30 million loss doesn’t include interconnected losses by partners, investors and other parties.

Businesses venturing into new markets should be aggressive at investing in the tenets of a secure, viable and robust risk and compliance program. All risks — cyber, operational, regulatory, third party — can arise from interlinks between digital currencies and the wider financial system.

A connected governance, risk and compliance strategy supports a holistic, integrated approach to risk management and is critical to achieving resilience in difficult times. By ensuring collaboration between teams, businesses are better enabled to assess, manage and mitigate strategic risks, leading to more informed decisions.

Continually update controls as regulation evolves

As cryptocurrency is decentralized by design, local and federal regulators may not have jurisdiction or enforcement capabilities based on current regulations. However, there are steps being taken by regulatory bodies that suggest the industry is heading in a stabilizing direction. With crypto-related cybercrime expected to reach $30 billion by 2025, regulatory agencies have been working to enforce both existing anti-fraud measures and new regulations with cryptocurrency providers.

In the U.S., the Infrastructure Investment and Jobs Act, signed into law by President Joe Biden in November 2021, extends information-reporting requirements to digital assets. The FDIC in 2022 declared that FDIC–supervised institutions that engage or intend to engage in crypto-related activities should notify the agency and provide information that will allow it to “assess the safety and soundness, consumer protection, and financial stability implications of such activities.” Similarly, Commodity Futures Trading Commission (CFTC) Commissioner Christy Goldsmith Romero has affirmed that regulation by the agency is the answer for dealing with the risk associated with crypto as more traditional financial institutions show an interest in digital currencies.

European regulatory authorities are drafting crypto rules not just for ensuring consumer protection and preventing financial crime but also to reduce the carbon footprint of cryptocurrencies. Meanwhile, the Bank of England earlier this year published a response to the potential risks of crypto assets to UK financial stability, saying, “Where crypto technology is performing an equivalent economic function to one performed in the traditional financial sector, the [Financial Policy Committee] judges this should take place within existing regulatory arrangement, and that the regulatory perimeter be adapted as necessary to ensure an equivalent regulatory outcome.” Likewise, regulatory authorities in Canada, Singapore, Japan, India and other countries have issued updates on their work to develop crypto-focused regulations and frameworks. 

For decentralized businesses, this means that compliance must be a priority — not just a box-ticking exercise. Business leaders like Rinaldi and others would do well to remember that meeting the standards of compliance is just the first step in an effective GRC strategy. Once standards are met, leaders must continually monitor for changes in policy and regulation like the above, and then adjust strategies and risk controls to keep steering the organization toward a successful future.