1. Market Risk: Price Volatility

The risk of getting caught in a speculative bubble or market-driven price cash depends on how speculative the activity is in a digital currency. Stablecoins, which are pegged to fiat-currency values and hold underlying collateral (in the peg currency, or more often in highly liquid assets, such as treasuries), are often marketed as being relatively risk free. But even stablecoins can be volatile, especially when the collateral is inadequate (for example, using yet another stablecoin as collateral), insufficient (not fully backed), or algorithmic (stabilized by automatic balance against another stablecoin or underlying collateral pool).

Another issue is the relative lack of market controls that traditionally protect participants from extreme volatility and from borderline-illegal market swings (such as pump-and-dump schemes). In the realm of digital currency, market controls are still catching up, and this can become problematic when a firm is offering clients near real-time exchange for fiat payment purposes. For example, having a wallet that holds bitcoin, and converts to fiat at the point of purchase, can lead to challenges in terms of liquidity management, internal trading pools, and customer expectations. These challenges might result in constraining the offering of some services to a subset of digital currencies, or taking other mitigation measures (described later).

2. Counterparty Risk: Default from Other Participants

The intrinsic characteristics of digital currencies make them akin to a non-transparent illiquid asset. Moreover, while in principle they are decentralized by design, liquidity is channeled via a rather constrained set of market participants (most notably, digital-currency exchanges) that for all intents and purposes have been subject themselves to significant challenges. The challenges for exchanges range from ineffective internal controls to issues mostly related to proprietary-trading-style failures (in some cases, driving these exchanges to bankruptcy). If either these exchanges or some holders of a digital currency cannot meet their obligations, or appear to be likely to default, the value of the digital currency can drop rapidly. As with derivatives markets, losses from counterparty risk can spread rapidly across a digital-currency ecosystem, creating a high level of volatility that affects other asset classes as well. This poses a difficult conundrum for financial institutions from a customer-protection perspective: customers are essentially holding an asset that is perceived to operate as a currency (with market fluctuations akin to those in the foreign-exchange market), but they are exposed to a rather different risk profile, driven by the intrinsic nature of the digital currency and the operating quality of the ecosystem that supports it.

3. Illicit-Finance Risk: Questionable Actors

One common concern about digital currencies is the extent to which fraud, money laundering, price manipulation, and deceptive activity are prevalent. While in absolute terms, the share of fraud related to crypto globally is not large, it can still be material: according to the Financial Times, cryptocurrency scams increased by more than 41% in England and Wales (and presumably elsewhere) between 2021 and 2022. The risk of illicit finance challenges the core banking services of value custody and fraud protection.

Practices like “rug pulls”—where promoters withdraw transactions from a digital-currency offering after selling it, thereby diluting its value—are like conventional pump-and-dump schemes. The digital-currency market, in part because of its cross-jurisdictional nature, does not have the same level of protections and controls in place that have evolved over hundreds of years in the financial services industry. But even if all these controls were in place, digital currencies are designed to support person-to-person transactions, without banks or other oversight groups as intermediaries. This exposes clients to the risk of fraud.

4. Regulatory Risk: Continuously Evolving Local Government Thinking

Governments around the world are developing new rules for digital currencies. The SEC, for example, in its June 2023 lawsuit against Bitcoin and Coinbase, named 19 cryptocurrencies as securities, thereby setting the stage for potential regulatory changes. The uncertainties around this case will require attention, and add incremental costs in the servicing of digital currencies. More generally, the constantly evolving nature of digital-currency regulations means that compliance professionals are paying close attention to shifts in direction, “skating to where the puck is headed.”

Banks and other financial institutions have played a relatively limited role thus far in helping to shape regulatory efforts. With digital currencies, where offerings tend to cross multiple regulatory jurisdictions, they may have a larger role to play in the future. (See the sidebar “The Call for Digital-Currency Regulation.”)

5. Security Risk: Vulnerability to Theft, Loss, and Attack

If not properly secured, digital currencies are vulnerable to theft, loss, and cyberattack. (According to Chainalysis, a large blockchain-analysis firm, $3.8 billion were stolen from digital-currency businesses in 2022, especially from DeFi protocols. Overall, illicit addresses sent nearly $23.8 billion worth of cryptocurrency in 2022, a 68% increase over 2021.) Intruders can steal or deplete digital-currency holdings, and they may also capture private keys (the cryptographic codes used to gain access to holdings). If private keys, passwords, or wallets are stolen or lost, their value may be unrecoverable. Many of the blockchain-intelligence and anti-money-laundering methods described later, in the risk-mitigation section, have evolved to manage security risk.

Intrinsically, the custodian model for digital currencies is different from custody for any other asset class. In other asset classes, a bank has a single omnibus structure to manage the aggregate exposure to the market (this is typically done with retail securities holdings, for example).

With digital currencies, at the most basic level, banks provide custody to safeguard the key to the holdings. At a more nuanced level, banks can provide customers with an ongoing view of the digital currency’s exposure to market risk. Beyond that, banks have limited recourse to support customers, making deposit insurance costs potentially higher. A model similar to other asset classes, recognizing the customer’s full level of market exposure, might be preferable. Forthcoming evolutions of digital currencies essentially aim at a higher level of “self custody” as a precondition for peer-to-peer transactions. This, in principle, could reduce transaction costs and offer a jurisdictional payment rail at the potential expense of transferring custody risk to customers.

6. Operational Risk: Complexity, Smart Contracts, and New Technologies

Digital currencies have more underlying complexity than other types of value storage and transfer mechanisms. Typically, they are supported by founding companies (arguably, with the notable exception of bitcoin), with complex and somewhat opaque governance structures (such as decentralized autonomous organizations). Also, they often involve novel technologies and behavioral patterns. As a result, it’s possible to lose track of all the ramifications of how the value of the currency should evolve, along with the consequences of any given trade that supports or underpins digital currencies. Some digital-currency investors may have been caught unaware by this complexity.

Consider forking, which takes place when some participants choose not to follow or recognize the original consensus protocol. Instead, they spin out a competing record of transactions, as if creating an alternate timeline. Each path may have its own transaction record, controlled by its own community. In some cases, this is done deliberately—to create new currencies, for example. Nonetheless, the paths share a common history and often assets. This produces a risk of losing value or control.

Another operational risk is an error in a smart contract, a core tenet of many digital-currency and other blockchain-related applications. In simple terms, a smart contract represents the intention to codify automatic execution and provide the code some sort of power of attorney. For example, a smart contract might specify that an automatic sale of digital currencies will take place under pre-established conditions (like a complex standing order). In general, derivative contracts can be linked directly to digital-currency investments so that options can be executed directly and automatically. A mistake in the drafting and coding of that contract could lead to an automatic transaction that was not intentional—and that could lead to substantial accidental losses. Once executed, there is essentially no recourse.

7. Reputational Risk: Damage to the Public Image

Big losses and major missteps in digital currency tend to be widely reported events. With digital currencies, losses result from exposure to the ecosystem, and unlike fiat currencies, their perceived stability is unrelated to how a country or government performs. Reputational damage may result from the sudden collapse of a vendor or exchange, the exposure of a mining scam or Ponzi scheme, a malware outbreak, the rapid decline of utility tokens, or backlash against a fraudulent initial coin offering or wallet service. Although some threats to a bank’s image may come from public misperception, much reputational risk reflects decisions made by employees at every level of the hierarchy.

How to Mitigate Risks

Banks can mitigate the risks of digital currencies at two levels at once: specific to each investment (“bottom up”) and overall (“top down”), with organization-wide capabilities. Exhibit 2 shows risk-mitigation strategies that can be deployed. Typically, these measures are table stakes, and it is unusual to see a bank or other financial services institution adopt more comprehensive measures and do so consistently. By putting a comprehensive set of complementary mitigations in place, financial institutions can ensure that digital currencies are offered and leveraged effectively.