14 minute read 16 May 2023

Digital asset ecosystem: US regulatory licensing and registration

Authors
John Boyle

Principal, Capital Markets Risk & Business Transformation, Ernst & Young LLP

Capital markets and risk transformation leader focused on process efficiency, cost optimization and advanced analytics. Family oriented. Avid traveler.

Mark Nichols

Principal, Capital Markets Strategy and Business Transformation, Ernst & Young LLP

Capital markets strategy advisor. Delivering digital transformation strategy for global investment banks. English native, Brooklyn resident. Husband. Travel enthusiast.

Michael Winter

EY US-West Region Financial Services Risk Management Lead, Ernst & Young LLP

Dedicated to solving complex business and regulatory challenges through innovation and transformation. Husband, father, passion for cooking.


Resources

  • Digital asset ecosystem: Licensing, regulatory relations and strategic considerations - a US perspective (pdf)

Established frameworks offer guidance for digital asset ecosystem participants.

In brief

  • The digital asset ecosystem is seeking regulatory clarity on the treatment of digital native activities.
  • Firms must weigh risk, compliance, security and scalable operations and technology principles before launching new products or services.
  • It is crucial to ensure the quality and completeness of documentation created and submitted in support of regulatory engagement.

The digital asset ecosystem within the United States (US) has continued to mature, grow and evolve in recent years. With several high-profile incidents across the globe, US regulators have brought enforcement actions and are taking a cautious stance toward regulatory approvals and non-objections. Both federal and state regulatory agencies remain focused on their primary objectives of maintaining the safety and soundness of the financial system and ensuring the adequacy of investor and consumer protections in any decision-making related to digital asset activity.

The digital asset ecosystem continues to seek regulatory clarity on treatment of digital native activities such as some crypto exchange activity, customer asset protection, staking and decentralized finance (DeFi). However, there are well-established regulatory frameworks across money transmission, banking, securities and derivatives to provide clarity on expectations or directional guidance in addressing the unique nuances of the digital asset risk and control environment. 

For the majority of non-bank digital asset companies, primary regulation of the digital asset ecosystem occurs at the state level. US state agencies have taken divergent paths to regulating digital assets, either incorporating many cryptocurrency activities under the existing money transmission regulatory framework or preferring to observe the market and develop their own digital asset regulatory frameworks.

For banks, broker dealers, swap dealers and other regulated financial services companies seeking to develop services or add exposure to digital assets, state and federal regulators have followed their time-tested process for reviewing associated products, associated risks and controls.

These frameworks can be leveraged by the digital asset ecosystem as it moves from engaging in conversations with regulators to applying for applicable licensing, registering with the appropriate authorities or seeking non-objection. The regulators have made clear statements about the permissibility of certain digital asset activity if the safety and soundness of both the institution providing the services and the wider financial system can be demonstrated.

For digital asset ecosystem participants, this elevates the need to demonstrate robust, scalable and sustainable business models and control environments to the regulatory bodies that apply stringent banking supervisory standards on the industry. For entities seeking licensing, registration or non-objection, failure to demonstrate maturity and the operational application of a suitable control environment will likely lead to regulatory enforcement actions and delay or even rejection of applications.

Meeting these expectations requires digital asset firms to embed risk, compliance, security and scalable operations and technology principles into the fundamental design and strategic planning prior to launching new products or services — in many cases prior to serving new client types. Including risk management principles in platform and product design signals to the regulatory bodies that a company is ready to appropriately manage the unique risks presented by digital assets, at speed and scale, enabling long-term value generation.

Application readiness and submissions

Over the past year, there has been a material increase in the number of digital asset companies and traditional financial services companies that have either submitted or are preparing to submit new license applications or non-objection letters. We anticipate the pace to accelerate as state and federal regulators continue to provide increased clarity of expectations through their rule-making, published guidance and enforcement actions.

While there are regulations currently in development, such as the implementation of the Basel Committee on Banking Supervision’s capital treatment for crypto-asset exposures, there are others that need to be developed and agreed across exchange activity, customer asset protection, staking and DeFi. There are clear guidelines that ecosystem participants can follow for many of the digital asset capabilities in operation or build phases today.

Digital asset players need to prepare their capabilities, policies, procedures and processes as they mature and develop readiness to submit applications; these will be heavily scrutinized in the review phase by the regulators. As firms embark on this journey, policies will need to be formalized and, in many cases, approved at the board level, as required by most regulatory regimes, and be supported by robust line of business procedure documentation.

These capabilities and processes should be developed and documented with consideration for how each will be operationalized and scaled to meet the changing demands of a growing business. These documents, along with a well-conceived business plan, comprise the majority of the elements necessary to submit a license application for a regulator’s review and approval.

Robust documentation underpins the risk and compliance programs that regulators will scrutinize during regulatory examinations following the launch of a product or service. Critically, firms must demonstrate operational application of these programs and continuously review and enhance them to adjust for evolving risk.

For established companies, public or private, and newly formed entities, the application process is the same. During the application phase, regulators will seek to scrutinize the financial health of the applicant and its affiliates, the personnel responsible for operating and overseeing the business (Chief Financial, Compliance, and Information Security Officers at a minimum), the viability of the proposed offering, and the design of the risk management program.

Taking the time to understand the application process and the common challenges, and to develop an application plan up front, is well worth it. This is especially true given the varying levels of clarity from the regulators regarding the permissibility of services and the increasing challenges for regulators to address the volume of applications while maintaining their normal supervisory activities.

We typically see the following four profiles in the application process:

  • Domestic digital natives moving to register new and existing products and services
  • International inbound digital natives registering existing products and services into the US markets
  • Traditional financial firms expanding their services into the digital asset ecosystem
  • Technology firms expanding their offerings to include financial services

For all these firm profiles, it is important to start with a strategic plan and develop a strong understanding of the products and services they wish to offer and the regulatory regimes in which they will fall. This can be a complex endeavor in the US based on the permissibility of the digital asset services, the target client base and the states in which the services will operate. In many cases, multiple regulators may have jurisdiction over all or parts of the product or service.

Figure 1 illustrates some of the regulatory authorities, regulatory licenses and the corresponding digital asset service capabilities in the current but evolving US market. There remains a need for clarity on the treatment and regulatory oversight of the digital native activities highlighted earlier; however, there is clarity on a broad set of capabilities that the digital asset ecosystem currently offers or wishes to offer.

It is also worth noting that in some cases, prior approval or non-objection may not be required for certain digital asset-related products and services. In these instances, firms typically seek legal counsel to provide a formal opinion to this effect. Once such an opinion is obtained, risk and compliance documentation should reference this to avoid any perception of skirting regulation. Firms should nonetheless follow robust new product and service review, risk assessment and approval processes; it is highly likely that such activities will be reviewed by regulators.

Engage with regulators collectively, early and often

Where there is clarity on jurisdiction, firms should identify relevant regulatory bodies and engage with them collectively, early and often. Many of the regulatory agencies will insist that firms engage with them prior to submitting an application. This is a feature of the process, not a bug. Particularly as related to digital asset offerings, early and continuous regulatory engagement is a process of education, as much as it is a process of regulatory review and approval.

The pace of evolution and variance in business models involving new and emerging technologies mandate that regulators take a cautious approach and gain a deeper understanding of new offerings. Expect many questions and be prepared to answer everything from wallet security and customer privacy to bank relationships and customer funds flows.

Through our experience guiding firms through applications, operating model design, new product launches or compliance program transformation, Ernst & Young LLP has identified numerous points of regulatory emphasis. Firms should consider the following priorities as they engage with regulators:

  • Strategic vision – Clearly defining the vision, strategic rationale and business case for the launch of digital asset products and services.
  • Product and delivery model – Outline details on what the product is, how it operates and clients that will be served; and understand integration between internal and external systems.
  • Financial and non-financial risk appetite – Development or enhancement of enterprise risk management framework, with a focus on identification of the incremental risks of the digital asset products and services, including how the services align with the enterprise risk appetite.
    • Regulatory leading practice is to require that a risk assessment methodology exists and has been appropriately executed to evaluate the inherent and residual risk of new digital asset offerings.
    • The need to thoroughly and comprehensively understand the unique risks that digital assets bring to an enterprise and how these will be mitigated cannot be overstated.
  • End-to-end controls – Clearly demonstrating how the identified risks will be mitigated in a robust, scalable and sustainable manner is critical. Identification of how the risks and associated controls will be actively monitored is also an area of focus.
    • Some critical control examples include:
      • Robust client and business acceptance framework.
      • Uplift to ongoing monitoring and testing at client and product level.
      • Protocol, token diligence and monitoring framework; demonstrating an understanding and implementation of appropriate tools and technology is critical.
      • Exchange, custodian and token platform due diligence.
      • Ability to meet regulatory reporting standards.
      • Transaction signing, key management and physical security controls.
      • Business continuity and resiliency.
      • For traditional financial institutions, their approach to updating the liquidity and capital management plan.
  • Governance – The backbone of a risk management program, and a point of particular emphasis for the regulators, is a firm’s ability to demonstrate a robust understanding of applicable risks to its business and the governance over how it will manage, monitor and report on its ability to mitigate such risks. The board must define the firm’s risk appetite, foster a culture of compliance and provide oversight of risk management programs. Management is responsible for implementing proper governance through well-documented policies and procedures that are reviewed and tested for adherence and effectiveness, with consistent tracking, monitoring and reporting of key performance and risk indicators.
  • Third party risk management (TPRM) – Introduction of third parties into the company’s funds flow or operational processes, while helpful to relieve operational burden, is an additional layer of risk and complexity to be closely managed. Regulators expect to see a TPRM program designed to mitigate the incremental risks associated with the introduction of third parties into a company’s operations. As it relates to digital assets, firms should demonstrate enhancements to the TPRM program designed to consider the unique risks of the offering, ensuring resiliency can be achieved in the third-party relationship.
  • Consumer protections – The protection of consumers within their respective jurisdictions is a primary focus of state and federal regulators. Demonstration of the ability to protect and monitor client assets and data and the existence of related disclosures is key.
  • Financial crimes – Financial crimes, including fraud, pose a high risk to the digital asset ecosystem. Demonstrating a robust understanding of the risks and how to mitigate them is critical to a successful regulatory relationship. Firms should be prepared to demonstrate how the company intends to mitigate financial crime risks, which is particularly complex in the digital assets space where anonymity of transactions and counterparties as well as ultra-sophisticated fraud schemes continue to impact the industry. Upgraded capabilities and infrastructure to support Know-your-Virtual Asset Service Provider (VASP), enhanced sanctions screening, negative news search and transaction monitoring are core areas of focus, among others.
  • Financial impact – It is expected that applicants can demonstrate a thorough understanding of the impact to the financial performance and ratios of the organization along with the mitigating limits, concentrations and management approach across balance sheet, capital, liquidity and profitability, demonstrating safety and soundness will not be compromised. If affiliated with a larger parent company, the regulator will want to understand to what extent and how the parent will backstop any losses for the applicant. For certain types of business, the regulators will further want to understand how sufficient capital and liquidity will be maintained to protect customer funds through periods of stress.
  • Cyber and information security – The digital asset ecosystem is underpinned by controls to protect data and information. Confidence in the cybersecurity and protection of customer information is vital to the success of the industry. To that end, the regulators will dive deep to understand how transaction, personal and financial data is protected; what controls are in place to prevent and detect potential threats; and what response protocols are in place to address a cybersecurity event upon occurrence. Alongside financial crime, cyber and information security are at the forefront of regulators’ minds when considering new applications or an expansion of an existing license to cover new products and services.
  • Ongoing sustainability – While the preparation and submission of the initial licensing application(s) can seem like a significant undertaking, the real work occurs after receiving regulatory approval to conduct the offering. Given the complexity and variety of unique challenges posed by digital assets, ensuring the right talent and skill sets are hired and retained to implement and scale the operational and risk management processes is a persistent challenge. Regulators will want to vet the management team, including compliance, cyber and risk management personnel, for relevant experience and qualifications, as well as the staffing plan for a company’s initial scale-up. The adequacy of headcount, both in number and quality, will be an ongoing point of feedback during regulatory examinations.
  • Resolution planning – An emerging theme across significant players in the digital asset ecosystem is the focus on the development of recovery and resolution planning. Leading firms are developing detailed plans akin to those adopted by large, regulated banking institutions to provide detailed planning and roadmaps for how businesses may be unwound in an orderly manner. This leading practice is an indication of an emerging regulatory expectation around appropriate planning and risk mitigation that can be leveraged to further enhance product design and capabilities.

Regulatory application expectations

State and federal regulators generally require firms to provide similar documentation and information when submitting applications for digital asset-related offerings; however, the level of scrutiny and areas of priority may vary. For activities overseen by state regulatory authorities, expect an emphasis on business resiliency, consumer protection, financial crime prevention and cybersecurity. Firms overseen by federal banking and other regulators can expect a thorough review of end-to-end controls, particularly related to the safety and soundness of the institution, with additional focus on consumer protection and financial crime prevention.

Firms engaging in digital asset offerings, regardless of regulatory regime, ultimately need to demonstrate they have robust, scalable and operationally sustainable controls that are commensurate with the risk. Importantly, firms should consider real and environmental factors when benchmarking whether a control framework is commensurate with the risk, and whether offerings can be provided in a safe and sound manner.

For firms that are already regulated today and are looking to expand their product offerings to cover digital assets or add new digital asset offerings, the focus of the regulatory engagement and application process should be on the incremental risks and controls of the additional services.

Chart description: A table noting the common components of regulatory application that can be filtered to highlight regulatory application by component; notably Financial and legal, Supervision, Compliance, Risk management and Operational readiness.

For applicants across the various regimes in both traditional financial services and in digital assets specifically, it is important to ensure the quality and completeness of the submitted documentation across the above categories. Some of the above components are product- or regulator-specific. However, many are common across regimes and firms can leverage the investments in the baseline infrastructure as they expand their product sets and come under the purview of the different regimes.

Mike Winter, Andrew Abdalla, Sam Holt and Seha Islam also contributed to this article.

Summary

Firms engaging in digital asset-related activity can leverage existing regulatory frameworks for a wide variety of activities, while there continues to be a need for clarity around some key areas. Explore the leading practices around licensing, registration, and regulatory relations across digital assets.
