The Australian Prudential Regulation Authority (APRA) has set out in a letter its initial risk management expectations for all regulated entities that engage in activities associated with crypto-assets, and a policy roadmap for the period ahead.

APRA expects that all regulated entities will adopt a prudent approach if they are undertaking activities associated with crypto-assets, and ensure that any risks are well understood and well managed before launching material new initiatives.

In particular, APRA expects that all regulated entities will:

• Conduct appropriate due diligence and a comprehensive risk assessment before engaging in activities associated with crypto-assets, and ensure that they understand, and have actions in place to mitigate, any risks that they may be taking on in doing so;
• Consider the principles and requirements of Prudential Standard CPS 231 Outsourcing or Prudential Standard SPS 231 Outsourcing when relying on a third party in conducting activities involving crypto-assets; and
• Apply robust risk management controls, with clear accountabilities and relevant reporting to the Board on the key risks associated with new ventures.

The letter includes a high-level summary of the potential prudential risks to be considered for the following specific activities:

• Investments in crypto assets
• Lending activities linked with crypto assets
• Crypto assets issuance
• Services on crypto assets for customers
• Partnering with technology and other companies.

APRA says entities also need to ensure they comply with all conduct and disclosure regulation administered by ASIC. This will require robust conduct risk management and consideration of distribution practices and product design, as well as consideration of disclosure.

ASIC has provided specific guidance to help entities understand their existing obligations under the Corporations Act and ASIC Act in ASIC Information Sheet 225.

APRA plans to:

• consult on requirements for the prudential treatment of crypto-asset exposures in Australia for ADIs,
• release a draft prudential standard for consultation in mid-2022 on operational risk management which will be directly relevant to the management of operational risks associated with crypto-asset activities,
• consider possible approaches to the prudential regulation of payment stablecoins.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.