Focus on blockchain's risks before the rewards

The digital ledger technology carries enormous transformative potential, but finance professionals must adapt their risk management practices to the legal and security concerns that accompany it.

Digital technology is transforming worldwide financial markets. Blockchain is part of this digital innovation.

Financial institutions and tech companies have invested in blockchain or consortia-based blockchain projects to transform payments, clearing, and settlements (PCS), including how funds are transferred and how securities, commodities, and derivatives are cleared and settled. One consortium, for example, consists of large banks and other financial institutions collaborating on blockchain for financial markets. Individually, tech giants, such as IBM and Microsoft, and several big banks are working on projects within their own internal think tanks.

Switching to blockchain could eliminate inefficient processes and unnecessary costs, but the digital transformation comes with risks that finance professionals will have to manage.

PCS is a complex set of systems and institutions. US PCS systems process about 600 million transactions valued at about $12.6 trillion daily.

Traditionally, businesses and consumers have relied on the central bank, clearinghouses, counterparties, and intermediaries to maintain custody and responsibility of all financial assets. As the 2008 worldwide financial meltdown showed, this comes with risks.

The arrival of blockchain offers choices for managing crypto assets by shifting custody and responsibility traditionally managed by third parties all the way to an organisation itself. There's also a spectrum in between, so the choice doesn't have to be one extreme or the other. It's imperative for finance professionals to invest in continuous blockchain education because of the complexity and emerging nature of the technology.

Elements of a transaction

A financial transaction has three essential elements: a network of participants, assets to be transferred, and a transfer protocol facilitated by financial institutions such as banks and other intermediaries that play a specific role in the process. The financial assets consist of securities, derivatives, commodities, and monetary instruments. Meanwhile, direct and indirect participants are constantly managing inherent legal, settlement, operational, and financial risk in PCS activities. This risk management framework has slowly adapted along with the evolution of the financial system. Now add in paradigm-altering blockchain technology.

Elements of blockchain

Blockchain is a database maintained and shared by nodes in a network. Blockchain characteristics include peer-to-peer networks, cryptography, distributed storage, a single shared ledger, algorithmic monetary supply and governance, programmable money, and permissionless or public blockchains versus permissioned or private blockchains that control the parties allowed to participate. It's important to understand that not all blockchains will be the same, that there won't be one solution, and that many blockchain implementations may work in tandem with one another, forming the new worldwide financial system. This is where the new blockchain risk spectrum emerges.

Legal risk

The legal framework supporting PCS has been customised to match the specific role of an intermediary or process. If an intermediary bears the legal risk for settlement and it could be eliminated with blockchain, then laws and regulations — which have a history of lagging behind innovation — may have to change accordingly. The legal and technological mismatch is one of the biggest factors affecting the speed and method of blockchain adoption.

Blockchain innovations are challenging the legal status quo. A shared public blockchain ledger becomes an auditable record that can be relied upon for assurances and enforceability of obligations. However, the legal risk is shifted from a known party in the old model to no particular party, such as a public blockchain. The immutability proposition of some blockchains creates a highly secure method for ownership where multiple parties share one version of the truth rather than each party maintaining its own version of events. Financial institutions may prefer private or permissioned blockchains because of the need for transaction privacy, but in either case the legal framework needs to adapt and clearly define legal liability.

Blockchain may use smart contracts, which are agreements that seek to enforce themselves by means of code rather than courts. If a weakness is exploited in the smart contract or the underlying code — for example, when a hacker in 2016 stole $55 million worth of cryptocurrency from a smart contract called the DAO, a decentralised autonomous organisation — both the legal liability and the ability to mitigate the loss become unclear. An exploit like this would have a major impact on worldwide financial markets.

In response to the 2016 hack, the developers chose to roll back the ledger by implementing a hard fork on the ethereum network, resulting in the blockchain's splitting into two versions. Conversely, a permissioned blockchain centralises control and the inherent ability to make transactional or other changes, which is more akin to the existing financial model. Blockchain can eliminate legacy risks, but new risks arise in the process.

Settlement risk

Settlement risk, the risk that a financial transaction does not complete as agreed, is a significant risk in PCS. There is a legally defined moment after which a transaction can be relied upon as irrevocable. Bitcoin transactions are grouped into blocks that are consecutively added to the blockchain in a process called mining. The finality of a transaction settlement approaches 100% after several successive blocks. For example, a bitcoin transaction is generally considered final after six blocks or confirmations, the point at which it becomes infeasible to rewrite the ledger. Private blockchains may present a larger challenge in defining settlement due to the aforementioned centralised control and ability to make changes, and the potential lack of a financial intermediary that may have mitigated risk in the old model. The legal framework will also have to adapt to new forms of settlement.
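The "six confirmations" rule of thumb above can be turned into a settlement policy. As an added example that is not part of the article, the following code applies the catch-up calculation from Section 11 of the Bitcoin whitepaper: given an attacker controlling a fraction q of the hash rate and a transaction buried under z blocks, it returns the probability that the attacker can still rewrite the ledger, and then the number of confirmations a treasury should wait for before treating a receipt as settled at a chosen risk tolerance. It assumes honest miners always extend the longest chain, as the whitepaper does.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-rate share q overtakes the
    honest chain after a transaction has received z confirmations.

    This is the Poisson-based calculation from the Bitcoin whitepaper:
        P = 1 - sum_{k=0}^{z} (lam^k e^-lam / k!) * (1 - (q/p)^(z-k))
    where p = 1 - q and lam = z * q / p.
    """
    if not 0.0 <= q < 0.5:
        raise ValueError("q must be in [0, 0.5); at 50% or more the attacker always catches up")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    lam = z * q / p  # expected attacker blocks while honest chain grows by z
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_required(q: float, max_risk: float, limit: int = 1000) -> int:
    """Smallest number of confirmations for which the rewrite probability
    falls to or below max_risk. 'limit' only guards against runaway loops."""
    for z in range(limit + 1):
        if attacker_success_probability(q, z) <= max_risk:
            return z
    raise RuntimeError("risk target not reachable within confirmation limit")


def settlement_policy(max_risk: float, shares=(0.05, 0.1, 0.2, 0.3)) -> dict:
    """Confirmations to require per assumed attacker hash-rate share."""
    return {q: confirmations_required(q, max_risk) for q in shares}


if __name__ == "__main__":
    # Constructed scenario: a treasury willing to accept a 0.1% rewrite risk.
    for q, z in settlement_policy(0.001).items():
        print(f"attacker share {q:.0%}: wait {z} confirmations "
              f"(risk {attacker_success_probability(q, z):.6f})")
```

The table shows why "six confirmations" is a convention rather than a guarantee: it is adequate only against a modest attacker share, and the required wait grows quickly as the assumed share rises.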

Financial risk

Financial intermediaries traditionally manage financial risk — the risk that a counterparty in the transaction can't fulfil its obligations — by assuming the risk on their behalf through settlement guarantees and other tools such as collateral posting requirements. Blockchain will enable real-time or near real-time transaction settlement, which reduces credit exposure and frees up liquidity that may be otherwise tied up as collateral. The net change to credit and liquidity will ultimately depend on the blockchain implementation, how smart contracts are deployed, and the behaviour of the parties involved.

Operational risk

Any system failure in the PCS process that undermines a successful settlement is an operational risk. Safety and integrity are paramount to financial systems and are the reason for regulation in the current centralised model.

Operational risks include system outages, security, resiliency, and capacity. Blockchain can provide a superior solution to those risk factors because information and security are spread among many participants rather than concentrated with a single player. Defences to a centralised point of attack have proved ineffective against breaches like those that occurred with Equifax or the US National Security Agency, where databases with millions of customer records reside in a single gigantic attack vector. Risk gets shifted to end points in a blockchain model where the end users are responsible for managing their own digital assets. One giant attack vector of millions of data points in the old model becomes millions of attack vectors, making it far less profitable to hack end users one at a time.

A new realm of risks

The blockchain risk spectrum encompasses the major aforementioned risks along with a new set of considerations and four additional risks distinguished below.

Key management risk

Private key management, which safeguards the ability to produce a digital signature, is the method for managing digital assets on blockchains. In this context, ownership of assets is defined by ownership of private keys. End users can now choose complete responsibility and custody of digital assets or someplace in between, a choice that never existed before. In the traditional financial model, third-party financial institutions maintain responsibility and custody of assets on behalf of owners. Therefore, key management risk is the risk that an end user fails to manage his or her keys, resulting in a total and irreversible loss of those assets.

Different kinds of wallets — the software used to store digital assets — are either hot wallets or cold wallets, which are typically referred to as cold storage. Hot wallets are connected to the internet and cold wallets are not; therefore, hot wallets are at a higher risk of being hacked and should be used to store lower-value digital assets. Cold storage, the more secure method, should be used to store high-value digital assets for a longer-term holding period and less frequent transactions. Every wallet has a private key, but the method for securing it is different. Hot wallets can be a simple app, and cold storage can be achieved with a specialised hardware device.

Mismanaging private keys and resulting hacks usually come from a failure to back up the keys and store them in a safe or other appropriate method. In other cases, an inside job is the culprit, so bad actors within an organisation are a threat to security. Private key management may be the most important concept for finance professionals to understand, practise, and develop.

Code and cryptography risk

Every new technology should be tested, regardless of the degree of confidence in it, to gain assurance that the systems are working as intended. The proper level of assurance requires a high degree of technical expertise that is currently in short supply. Blockchain projects need to check their own code for bugs before, during, and after implementation. Using a weak method of encryption, or one without a proper amount of randomness to create the expected level of security, can result in an exploitation, and the underlying code may not be properly audited by developers. As the DAO hack showed, failure to test the code and a rush to implement can result in significant loss of funds.

There's also a risk that current cryptographic methods can be broken with more sophisticated technology, like quantum computing, or that those methods can't be improved and implemented in time to thwart an attack. Some blockchain projects have already developed a provable quantum-resistant ledger, but overestimating the level of security achieved creates a hidden vulnerability. Technical assurance is one of the biggest challenges for finance professionals and risk practitioners.

Forks and chain-split risks

Blockchain developers make software upgrades by implementing hard forks or soft forks, usually requiring an agreement among a majority of nodes for successful implementation. In some cases, a minority of nodes may prefer and continue to support the old chain, which may result in the original chain's permanently splitting into two chains with two respective coins. For example, ethereum (ETH) split into ethereum classic (ETC), and both chains exist today. Sometimes wallet software has to be upgraded, or coin-splitting tools are created to support separating the coins into different wallets. During this period of uncertainty, an organisation's liquidity could be impacted, especially if a significant portion of its assets are tied up in a particular coin. Forking and chain-split risk may adversely affect the assets, liquidity, creditworthiness, and solvency of participants because of the time and resources it takes to work through the change. Finance professionals must anticipate and hedge the new realm of risks that arise with blockchains.

Consensus and governance risks

Consensus is a process of agreeing on one continuous version of a blockchain ledger. Governance is the process of ongoing protocol maintenance and enacting code changes. Consensus and governance work hand in hand, and they can result from a combination of people and code execution. Consensus and governance risks are the risks that developers or other responsible stakeholders can't agree on a timely change to a protocol or that a protocol change is enacted that adversely affects a party similarly to blockchain forks. It also encompasses the risk that settlement can't be relied upon as a legally defined moment because of the possibility that a transaction, block of transactions, or the blockchain ledger is eventually rewritten.

A blockchain reorganisation happens when a client finds a new, longer blockchain than the one it was working on, and switching to the longer chain orphans the blocks of transactions on the abandoned branch. This can happen for a variety of reasons, but it's also a natural temporary phenomenon that happens daily as transactions propagate across a global distributed network. For example, bitcoin miners will stay on or revert to the longest chain to stay in consensus as designed by the protocol. The blockchain history and the order of blocks and transactions may be rewritten only over the course of minutes or hours, but this nonetheless obscures the legally defined moment of settlement in a proof-of-work model like bitcoin. This wouldn't happen with every kind of distributed ledger; not every distributed ledger is the same, and each kind may have a unique set of risks to consider.

PCS risks have been managed for a long time in the traditional financial world with a strong legal framework. Blockchain introduces new risks, creating a gap in the legal framework and a new set of security considerations that must be closed for successful adoption of blockchain technology and realisation of all its promises. Finance professionals need continuous education to stay ahead of this quickly emerging technology and to take advantage of all the opportunities.

Kirk Phillips, CPA, CGMA, is the author of The Ultimate Bitcoin Business Guide, a reference for entrepreneurs and business advisers. He is an initial coin offering, blockchain, and cryptocurrency adviser and has substantial cryptocurrency investments. To comment on this article or to suggest an idea for another article, contact Sabine Vollmer, an FM magazine senior editor, at Sabine.Vollmer@aicpa-cima.com.