This article is from our magazine Building Blocks. In this article, Dr. Günther Dobrauz, Benjamin Bürgi, Sebastian Ahrens, & Markus Perdrizat, working with the teams at the PwC Legal Practice in Switzerland, present the regulatory developments in the digital asset world and give an auditor’s view of the important criteria for a crypto storage solution.
If this introduction is of interest, learn more about the storage infrastructure solutions from Crypto Storage AG here.
After the initial novelty and complexity of blockchain, cryptocurrencies, and the initial coin offerings (ICOs) that largely caused perplexity among legislators and supervisory authorities, the majority of jurisdictions today realise the potential and the strategic relevance of these developments. Following a recent downturn in prices (the so-called “Crypto Winter”), not only have the markets had time to mature, but legislators and supervisory authorities now also have a clearer perception of the technology’s implications. Guidelines provide guidance to market participants, and new legislation addresses legal uncertainties.
In Switzerland, the Swiss Federal Council published a report on the legal framework for blockchain and decentralised ledger technology (DLT) in the financial sector in December 2018. Based on this report, it initiated consultation on adaptations to Swiss federal law to address developments in DLT. Notably, the report proposes the introduction of so-called DLT rights that will make it easier to tokenise shares and other financial instruments. The report also proposes a new form of regulated trading venue (DLT trading system) where aspects of settlement and admission to trading are fitted to the specifics of DLT. Lastly, the report proposes adjustments to insolvency law, providing clarification regarding the treatment of crypto assets in case of the insolvency of a custodian. The consultation period for the report ended in June 2019. The proposed amendments have the potential to close relevant gaps in the Swiss legal framework and create more legal certainty for crypto assets.
New regulation not specifically aimed at blockchain and DLT might impact crypto assets in Switzerland as well, notably regarding so-called security tokens. The upcoming Financial Services Act (FinSA) sets out harmonised prospectus requirements also applicable to security tokens. Issuers of such tokens are thereby obligated to provide qualified information to investors. Furthermore, organising ICOs and providing certain services regarding crypto assets could be subject to FinSA’s rules for the provision of financial services. The new rules are expected to come into effect in January 2020.
With the “Blockchain Act”, Liechtenstein introduces a dedicated framework to create optimal conditions for the token economy. This new law aims at providing secure base infrastructure and legal institutions to foster digital business models based on DLT. The law recently passed the first hearing in the Liechtenstein parliament. Other smaller jurisdictions such as Malta and Gibraltar are following a similar but more selective concept with their dedicated legal frameworks. Bigger players such as the US and the EU have been more defensive by following a less differentiated approach so far. Nonetheless, internationally, there seems to be a general tendency to distinguish crypto assets according to their functions, i.e. payment, utility, or investment. The handling, however, still varies greatly. International standard setters or task forces are working on recommendations and rules for a common approach to tackle certain problematic areas. Notable is the Financial Action Task Force (FATF) and their recent efforts to introduce rules for anti-money laundering and combating the financing of terrorism (AML/CFT) for blockchain transactions. Furthermore, the announcement of Facebook’s own cryptocurrency, Libra, is raising new concerns about systemic relevance, startling supervisory bodies, and will likely lead to further international regulatory tightening.
The ability to audit crypto assets is key to building trust
As an audit firm, our mission is to provide trust in new emerging technologies and to help our clients navigate the respective challenges. With an increasing demand for financial audits from our clients, we had to find a way to solve two main challenges: establishing the ownership of assets in the crypto space and producing the equivalent of a bank statement from the public blockchain.
Proof of sole ownership in particular is a very difficult task in the blockchain world. As long as access to funds is based on knowledge of a secret key, it is impossible to prove that only the legitimate “owner” of the key has that knowledge and that it was never shared with anyone else. The only way to solve this dilemma is to ensure there are processes and technology solutions in place that convert knowledge into possession: if the key is stored securely on a hardware security module (HSM) or even a smartcard, the owner of the key actually does not know the key. This approach reduces the problem to testing the controls governing access to the device that stores the key. This is standard practice when assessing who has access to any other mission-critical IT system.
Once the appropriate processes around the key management are in place, we now have the methodology and the tools to provide audit and other assurance services to clients holding or transacting in cryptocurrency, thus leading the way among the Big Four firms. In the last 12 months, we brought together our leading assurance professionals, software developers, and blockchain experts to develop an assurance solution to support this complex, emerging area. The tool allows us to provide independent, substantive evidence of the “private key and public address pairing”, one of the pieces needed to establish ownership of cryptocurrency. Secondly, it also allows us to securely interrogate the blockchain to independently and reliably gather corroborating information about blockchain transactions and balances.
State-of-the-art IT and crypto storage – the auditor’s view
In this new digital world, sole ownership of crypto assets is determined by whoever has access to the private keys. The involvement of third parties that traditionally keep record of ownership on paper falls away. When large sums are mistakenly sent abroad, it is no longer possible to reverse the transaction within a couple of days by calling the correspondent bank or SWIFT. Instead, transactions on the blockchain are final as soon as they are executed. As the recipient of the transaction is typically not known, it is impossible to claim back funds that are sent mistakenly or stolen by hackers.
The new role of the crypto storage provider as the trusted custodian of private keys comes with new challenges that require proven IT infrastructure, cutting-edge operations and cyber security processes to safeguard the private keys. Managing digital assets on blockchain networks introduces new threats to confidentiality, integrity, and availability. Privacy also needs to be addressed. To adequately manage these risks, custody providers take an integrated approach where IT and controls are fully aligned to strengthen each other.
Building and maintaining a controlled environment, and reporting on its effectiveness, is an extensive process that requires attention from management, IT, and business employees. During the process, policies and implementation of secure hardware should be aligned with the custody strategy. Advanced monitoring tools enable custodians to monitor suspicious transactions and to report continuously on the security of the infrastructure.
Frequently, banks, asset managers, and also crypto-related companies decide to outsource the management of crypto assets to crypto storage providers. However, because accountability for the crypto assets cannot be outsourced to service providers, the outsourcing company needs to understand how the crypto storage provider addresses risks with their solution, and to closely monitor the security and availability of their crypto assets. Either they directly audit the storage solution or they rely on standardised control reports provided by the storage provider. The ISAE 3000 and ISAE 3402 audit standards are used to report to stakeholders on relevant threats and risks and on control effectiveness, and they can be combined with the SOC 2 trust principles with a focus on information security processes. These audit reports have a proven track record and are widely accepted in industry. Our demonstrated approach helps build trust for all stakeholders, and our audit reports are based on acknowledged and established audit standards. Reporting on control effectiveness not only creates transparency over critical business processes, but can also be used as a competitive advantage. With the growing impact of crypto assets on daily life and in financial systems, the use of these audit reports will open up new partnerships and boost future business development.
About the authors
Dr. Günther Dobrauz is a partner at PwC in Zurich, leader of PwC Legal Switzerland, member of PwC’s global legal leadership team, and the firm’s Global LegalTech Leader. Günther is considered to be one of the leading European banking and investment law specialists and is the author of 10 books with a focus on investment law and regulation, including “Making Money out of Technology” (2003), “Uptake Revisited: How Innovative Products Succeed in International Markets” (2007), and “New Suits. Appetite for Disruption in the Legal World” (2019). His passion is innovation and entrepreneurship, and his focus is on the unfolding dynamic of exponential technologies.
Benjamin Bürgi is part of PwC Legal Switzerland’s Banking Legal & Regulatory Team, advising start-ups and established financial institutions on fintech and blockchain matters. Previously, he worked for the Financial Market Authority of Liechtenstein as a FinTech Specialist and for UBS in Wealth Management. Benjamin holds a Master’s degree in Law and Economics from the University of St. Gallen (HSG).
Sebastian Ahrens leads PwC’s global blockchain audit technology development. As the PwC Europe Forensic Innovation Lead, he also evaluates cutting edge technologies in AI and cognitive computing for regulatory matters. Before joining PwC, Sebastian led the computer forensics team in the German Federal Cartel Office (BKartA), and he advised major banks in financial crime technology matters.
Markus Perdrizat leads PwC’s Blockchain Risk Assurance team, and has more than 15 years of experience in IT, audit, and advisory roles for global financial institutions. He combines his background as an IT systems developer and open source contributor with deep expertise in technology risk, controls, and regulatory requirements to help companies build audit-ready emerging technology solutions.