The accelerating pace of technological innovation is creating a new set of challenges for regulation. Innovation to financial services and changing consumer needs are making it difficult for regulations to keep up. Historically, regulation could focus on known risks to safety and soundness as well as consumer financial protection. However, the growing role of technology in financial services is changing the nature of the risks that need to be regulated.
Cryptocurrency (crypto) is an emerging technological innovation that has raised a wide range of regulatory questions. It was developed as an application of the underlying technology of blockchain. In its origins, crypto was unregulated because it did not fall under any sovereign jurisdiction. This contributed to the use of crypto in illegal activities. But as it matures and grows in its adoption, the need for a regulatory framework is increasing. Many expect regulatory policy to provide guardrails that prevent abuse.
While all new technologies pose regulatory challenges, the appropriate regulation of cryptocurrency is a particularly hard problem to solve and continues to be debated. Opinions about cryptocurrency tend to be polarized and discussions about regulation difficult, because some view it as a major innovation while others view it as a scam. Some early proponents of crypto see it as an important alternative to government-based systems of money, which favors a “light touch” for regulation. Others point to regulation as a necessary component for building a bridge between crypto and traditional finance. Regulators must determine how the under-regulated crypto space will interact with the highly regulated requirements of traditional financial institutions.
The credit union industry is evaluating how it may need to adapt to this emerging technology. Young and diverse individuals in local communities are among the “crypto curious” who want to explore it as an investment. Credit unions that want to engage with this demographic need to address the growing interest in digital assets, but there are numerous risks to consider when offering crypto to members. Even if credit unions are not taking financial risk with their own balance sheet, the operational and reputational risks associated with cryptocurrency are important to manage.
A number of credit unions began their crypto journey in 2022 and more are beginning to explore it in 2023. This is an evolving technology with changing use cases and the regulations will need to evolve along with the applications. In this article, we first reflect on current practices and the regulatory guidance issued so far, which we hope will help credit unions discuss best practices among their peers. Next, we consider where these trends are headed in the future. Given the interest of members and the potential of crypto and related technologies, credit unions must plan ahead. The best strategy is one that prepares and positions credit unions to be ready to adapt.
Last year was the year of credit unions starting to leverage fintech partnerships so their members could invest in bitcoin as an asset. These arrangements were a first step toward connecting members with the cryptocurrency ecosystem. Much of this was driven by internal analysis of ACH transactions, which showed members transferring funds out of the credit union and into crypto exchanges like Coinbase. Many credit unions asked themselves, “If our members are already buying crypto, why not try to internalize that service?” This led to the formation of partnerships with fintechs functioning as a third-party vendor for the crypto investment.
In this approach, crypto acts as an asset for member investment, which is why discussion has often shifted toward the term “digital assets” rather than “cryptocurrency.” The bitcoin account is linked to the member share account and the member decides when to transfer funds into and out of the bitcoin account. It is a closed system, so the funds move back and forth between the two accounts like a toggle switch with no other source or use of the funds.
Regulation has followed this development with guidance around appropriate use of digital assets. Regulators such as the National Credit Union Administration (NCUA) started a steady drip of guidance based on distributed ledger technology (DLT). Under the incidental powers provision credit unions can partner and refer members to third-party providers that allow members to buy, sell and hold uninsured cryptocurrency as long as they are careful not to create an agency or brokerage relationship. Key takeaways from their initial guidance include a focus on vendor due diligence, risk management, and member advertising.
Credit union’s vendor due diligence process should include questions specific to crypto. Contractual agreements are a critical part of due diligence for any new partner, but particularly those related to crypto. NCUA provided guidance outlining the need for each contract to clearly specify the responsibilities of each party, include strong indemnification protections and termination provisions. Indemnification language addressing fraud losses and privacy provisions related to member information are just a couple of the contractual items credit unions should review with their counsel.
Effective risk management involves all levels of the organization, including discussions with the board to set appropriate risk tolerance levels, which should be documented in board minutes. Reputational risk should be considered given crypto’s popularity in the news. Identifying, assessing and mitigating additional risks unique to crypto and any partner the credit union selects will be needed to move forward. Credit unions will also want to ensure audit functions and internal controls are validating the accuracy of the risk mitigation assumptions over time through consistent monitoring.
How credit unions communicate and educate members about services is paramount. Without careful marketing practices it is easy to run into an Unfair Deceptive Abusive Acts and Practices (UDAAP) issue related to crypto. The NCUA has identified a few items such as explaining the assets are not federally insured and investing in crypto may not allow member recourse that are important to state in communications.
While the focus was on vendor management in 2022, the approach to cryptocurrency and digital assets will continue to evolve in 2023 and beyond. The current practice is to partner with a third-party fintech to provide members the ability to buy, sell, and hold digital assets (primarily bitcoin). Credit unions that choose this path must invest in third-party due diligence measures. However, the use cases and associated regulation for crypto will continue to expand. With the current arrangement, digital identity is verified through the member share account before member funds are transferred into cryptocurrency. There is no other entry point, so there is no further need for identity verification.
What if credit union members could send and receive cryptocurrency? Bitcoin was designed to be “peer-to-peer electronic cash” and the whole crypto ecosystem is built on the idea of transferring value on the internet as digital cash. The leading fintech vendors in this space do not offer this service, but this is the originally intended direction because it shifts the industry toward adopting crypto functionality.
Consider the current tools for peer-to-peer transfers like Venmo and Zelle. These tools are built on the older technology of card networks like Visa and Mastercard and require a significant amount of intermediation to function. Cryptocurrency uses the efficiency of blockchain to allow users to transfer funds from one address to another with ease and speed. Even if members are reluctant to transfer bitcoin due to its volatility, stablecoins use the technology of cryptocurrency while being pegged to the value of the dollar. Credit unions could facilitate peer-to-peer transfer of funds on blockchain by providing digital wallet services and allowing their members to send and receive crypto including stablecoins.
The regulatory challenge is the compliance around receiving cryptocurrency funds into a member’s credit union account. As a reminder, today’s crypto accounts at credit unions are closed systems — the only entry and exit point is the member’s share account. But what if the member can receive crypto into their crypto account from an external source? Suppose two friends go out for dinner and one person pays the bill while the other person sends the friend some money. The technology commonly used for this type of funds transfer today is Venmo or Zelle — but if the person who paid the bill is a credit union member who has a crypto account with a blockchain address, the friend could simply transfer crypto (e.g., stablecoins) into that person’s account. The technology to do this already exists, but the compliance requirements are less clear.
What would it take for a credit union member to receive crypto into their crypto account? This external source of funds raises the question of “know your member.” Today the focus is on managing vendor relationships. Yet this example of an evolving use case requires tackling additional compliance requirements as the next regulatory evolution.
The Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) provisions require a credit union to “form the reasonable belief the person is who they say they are” at account opening and to understand the transactions of the account to support suspicious activity detection. In addition to possible updates or clarifications regarding authorized custodial powers, person-to-person transactions from a credit union-supported account would likely require a change in BSA, AML and OFAC related requirements or guidance. While it is uncertain what approach regulators will take, credit unions should focus education on the following key compliance areas as they prepare for evolving crypto use cases: Know Your Member, Suspicious Activity Reports, and OFAC Screening.
Know Your Member (KYM) requirements will likely spur a need for additional detailed questions specific to members’ anticipated crypto activity. This also applies to risk-based guidance for identifying when a member or a type of crypto transaction is high risk, which would trigger enhanced due diligence. Risk assessments and enhanced due diligence screening will become even more of a priority to properly identify high risk accounts associated with crypto. One possibility is that credit union staff could be trained to monitor transactions via blockchain instead of more traditional forms such as ACH.
For Suspicious Activity Reports (SAR) reporting, critical and noncritical fields may be a challenge to complete with the available information in the blockchain. The SAR fields may need to be adapted in the future to more easily allow for fields that are relevant to crypto. This implies that transaction monitoring and corresponding regulations may look different in the future, requiring systems that can identify IP addresses, beneficiary exchanges and other underlying transactional data. Recognizing when a crypto transaction is suspicious and identifying the source of funds could require an adjustment in not only the regulatory reporting requirements, but also in staff training for new methods of screening for suspicious activity.
Office of Foreign Assets Control (OFAC) screening will be essential to internal controls around cryptocurrency transactions. OFAC requires a credit union to screen all activity for foreign assets. FinCEN may need to expand on existing procedures to include identifying blockchain addresses, IP addresses and any other relevant information. There should be processes in place to flag geographic keywords and block IP addresses attempting to access crypto products and/or services in sanctioned jurisdictions. Data points within transaction monitoring and OFAC screening are needed to meet both SAR and OFAC reporting requirements.
Regulatory adjustments are likely on their way as use cases for cryptocurrency and blockchain connected to financial services continue to develop. The lack of consumer protections and federal insurance for crypto funds that a traditional savings account supports will be ongoing discussions for regulators such as the Consumer Financial Protection Bureau (CFPB) and NCUA. For example, the Electronic Fund Transfers Act (Regulation E) does not cover crypto transactions but adopting some level of consumer protection against fraud may be desired as it interacts with traditional financial solutions.
While the future for the regulatory framework is unclear, the significant potential for cryptocurrency and blockchain technology remains. As credit unions work to understand the current landscape and potential future, consider additional education for your board members on these topics. Without education on the underlying technology, board members and staff will be unable to align future opportunities with the credit union’s strategic plan and member needs.
Last year was about members investing in digital assets, but the future will likely involve new and more complex use cases. Credit unions can prepare for these possible scenarios by educating themselves on the emerging technology and relevant areas of compliance.
Article by Lamont Black, Professor at DePaul University and Erin O’Hern, ViClarity Vice President of Strategic Initiatives. ViClarity is a Leagues company and a benefit of Leagues membership. Article was originally published on ViClarity.com on July 17, 2023.
