Statement to the Financial Stability Oversight Council: Regulating digital assets
I was asked to give a statement to a Financial Stability Oversight Council discussion that stemmed from the Executive Order on Ensuring Responsible Development of Digital Assets. I was asked to specifically address: technological risks posed by digital assets, factors that would drive substantially greater adoption of digital assets, and actions that financial regulators could take to address financial stability risks and regulatory gaps associated with digital assets. I’ve reprinted that statement here.
I’m a software engineer and also an independent researcher of cryptocurrencies and public blockchain technologies more broadly. I mostly focus on hacks, scams, and the other devastating impacts of some of these projects on retail participants, as well as some of the risks we are facing if cryptocurrencies enjoy greater adoption and integration into both finance and society in general. I hold no cryptocurrency or positions in cryptocurrency companies, nor do I hold any long or short positions on crypto or related companies.
I would like to begin first by noting that my particular area of interest and research is cryptocurrencies, and so I will be focusing on those in my remarks today. However, the concept of “digital assets”, and even just “digital currencies”, is much broader. While I am quite critical of cryptocurrencies and skeptical of their potential to improve finance or society as a whole, I do remain cautiously optimistic about some digital asset use cases: namely, the eventual introduction of a non-cryptocurrency-based form of digital cash. I think it is important to recognize that cryptocurrencies and other blockchain-based tokens are only a subset of digital assets.
Some features of cryptocurrencies pose risks both to individual consumers and to the financial system in general.
One so-called feature of cryptocurrency is that transactions are irreversible: once a transaction has been recorded to the chain, there is no undoing it. If party A sends party B some crypto tokens, the closest thing to “undoing” that transaction is to convince party B to send the tokens back. This differs from traditional finance, where there is some consumer recourse in the case of fraudulent transactions or erroneous transfers. If a user transfers crypto to the wrong address, falls for a scam, or suffers a hack, that transaction is permanent.
Privacy and pseudonymity on a public ledger also poses some risks that don’t exist in much of traditional finance. With cryptocurrencies, it is as if everyone’s banking transactions were publicly visible, but each account name was replaced with a random string of characters. In some cases, even the exchange doesn’t know who controls the account associated with the string of characters. Some cryptocurrency exchanges and other projects implement varying degrees of know-your-customer and anti-money laundering protection, requiring their users to submit documentation, though even those that do often implement these restrictions in shoddy ways. Some don’t require this at all—particularly the decentralized exchanges and projects—and allow people to transact with no identity verification. This introduces additional difficulties for law enforcement when trying to address fraud and other crimes, and also carries risk around sanctioned individuals and groups.
For those who are technologically savvy, the pseudonymity can be a boon: they are able to operate without disclosing their identity to the public or to the services they choose to use, and they can maintain a degree of privacy. For criminals, it’s even more of a benefit—it’s much easier to get away with a crime when the profits of that crime can be transferred to an anonymous crypto wallet rather than a traditional bank account. Furthermore, there are a proliferation of tools—particularly cryptocurrency tumblers—which help users who know to use them to not only maintain their anonymity, but to launder stolen funds.
However, for average users, it can be challenging to maintain anonymity with crypto wallets, and users often inadvertantly “dox” themselves—making their entire transaction histories public. The consequences of this tend to be fairly minimal today (assuming the person is not engaging in criminal behavior). However, if cryptocurrency becomes more widely adopted and used more for goods and services in the real world, both the difficulty of properly maintaining privacy and the consequences of failing to do so will increase.
Finally, cryptocurrency projects are highly susceptible to a broad range of attacks. There are many reasons for this, including that financial systems running on a public blockchain, often with open-source code, lower the barrier to entry for attackers compared to more traditional financial systems. Crypto projects are also often “testing in production”: proving out not only untested code, but untested financial models, with real people’s money. The collapse of the Terra ecosystem in May is perhaps a good example of this—the financial model behind that “algorithmic stablecoin” turned out to not work in practice, and the project failed in a spectacular and tragic way. Software development standards tend to be low, particularly when compared to industries developing critical systems, and there tends to be little in the way of testing, auditing, or verification of code. There are also enormous incentives for attacks, and software developers are finding themselves trying to safeguard against state-sponsored threat actors.
The impact of both attacks and unintentional failures of cryptocurrency projects can be particularly enormous due to the highly-intertwined nature of many of these projects. As we’ve seen recently with projects and companies including Terra, Celsius, and Voyager, many crypto projects are deeply reliant on one another—both in software but also in terms of borrowing and lending—and the failure of a single token or ecosystem can have many times the impact one would expect due to exposure across the industry. As of yet we have not seen terribly much in the way of contagion to traditional finance, but as crypto continues to enter the mainstream, without proper regulation it will only be a matter of time.
Although adoption of crypto assets has increased in recent years, they still remain fairly niche. Some factors that are likely to speed adoption include: the emergence of more mature consumer apps that address the poor user experience of buying, trading, and selling cryptocurrencies; further adoption of cryptocurrencies into traditional finance (for example, via crypto ETFs, or the burgeoning trend of retirement funds embracing crypto); the adoption of cryptocurrency into more facets of society (for example, acceptance as payment at stores, as collateral for traditional loans); and government recognition and acceptance of cryptocurrencies.
When it comes to regulation, there must be a careful balance between protecting consumers while not exposing the financial system to systemic risk. Perhaps most importantly, the idea that we must take a light touch to regulation in order to not stifle innovation is overblown. The most impressive innovation we have seen with cryptocurrencies have been in separating average people from their money via new forms of financial fraud, or old forms of it that have been updated with a crypto token. Ransomware has flourished as a result of cryptocurrency, as have cybercriminals with various other specialties who have prospered thanks to this new industry of far too much money and bad code. Innovation in fraud and theft is still innovation, undeniably, but we must realize that not all innovation is societally good, nor does this kind of innovation call for light touch regulation, regulatory sandboxes, and the other kinds of favorable conditions that crypto firms and lobbying groups have been clamoring for.
When it comes to systemic risk, in my opinion we should be cautious in increasing the exposure of traditional finance to the regular failures of crypto projects. Stablecoins, for example, pose enormous risk to cryptocurrency as a whole, and some recent proposals to treat stablecoin issuers as banks concern me. The government should be extremely cautious in how it might put its backing behind tokens that are used almost exclusively to enable people to leverage up their crypto holdings in decentralized finance (defi) projects. I would point you to the excellent work of Professor Hilary Allen to provide much more detail on this point—in particular her statement on stablecoins to the U.S. Senate Committee on Banking, Housing, and Urban Affairs in December of 2021.
The same is true for aspects of cryptocurrencies beyond stablecoins. Fiduciaries should not be recommending crypto to their clients any more than they should be suggesting they diversify into scratch-off tickets, and I am horrified that retirement fund operators in particular are beginning to embrace the idea.
Clarity should be provided around the fact that cryptocurrencies are, broadly, securities, and they should be strictly regulated as such.
Much of the regulation should take place at crypto on- and off-ramps, such as the many crypto exchanges currently operating in the US. These are, in my opinion, the best place to impose limits on a somewhat challenging-to-regulate industry. No time should be wasted arguing over whether to try to “ban cryptocurrencies” as a whole, or regulate the software that people can write or execute—a ridiculous idea—instead, focus should be placed on where that software begins to do real harm to both individuals and the financial system, and that is where dollars are converted to crypto tokens and vice versa.
Thank you for your time and for inviting me to speak.
Disclosures for my work and writing pertaining to cryptocurrencies and web3 can be found here.