What is cryptocurrency risk appetite and why is it crucial? Establishing a risk appetite statement is critical in any business that has a possible exposure to cryptocurrency financial crime risks. There are several considerations to consider when setting this statement, and it should be tailored to your business’ specific risk tolerance level. The cryptocurrency risk appetite statement will define everything that comes in the future.
Cryptocurrency Risk Appetite
The risk appetite statement is the level of tolerance an organization declares to have for financial crime-related risks. It allows for clear guidelines on what a firm considers acceptable and unacceptable risks. This statement can be used to determine whether a customer, a business activity, or the issuance of a new product or service is within your risk appetite or not.
Regarding cryptocurrencies, the risk statement would factor in the specific acceptable and unacceptable risks an organization is willing to assume regarding engaging in cryptocurrencies. The cryptocurrency risk appetite statement should align with the overall risk appetite statement.
When setting the cryptocurrency risk appetite statement, ask yourself the following five questions:
- First, what are the advantages of the risk that comes from engaging in cryptocurrencies for your business?
- Second, what are the advantages of taking on some risk with your business?
- Third, what are the dangers of taking risks with your business?
- Fourth, what things are you uncomfortable with?
- Lastly, under what circumstances does your company reject or mitigate that risk?
Defining a risk appetite statement for engaging in cryptocurrencies aligns perfectly with the risk-based approach, which involves focusing your organization’s resources where the biggest impact might occur.
If your organization is particularly susceptible to a specific type of risk, then you would focus more resources on that risk to ensure that very large risks that could impact your business are mitigated correctly. However, if the risk to your company is super low, it might not make sense to spend all of your time and effort mitigating that very tiny risk.
Risk appetite statements can formulate the firm’s tolerance for different and relevant risks. They are, therefore, an essential aspect of your wider framework and the risk-based approach.
You might commonly encounter a question: Why shouldn’t you aim for zero risk?
If you are in cryptocurrency, you will be very familiar with some challenges of just obtaining banking services or basic access to certain types of financial services. However, many organizations, particularly financial institutions, focus on keeping as much distance as possible or avoiding any risk regarding cryptocurrencies. Maybe this was on the premise that cryptocurrencies were just a passing trend that would eventually go away. However, there are several indications that this might not be the case.
Suppose you’re a bank, a fintech, or a payment processor. In that case, you unquestionably have customers who, even if they cannot access cryptocurrencies via your platform, may access the external and withdraw funds from your platform to buy them. In addition, the fund sources might even be cryptocurrencies, or they may derive their wealth from engaging in cryptocurrencies in whatever way. It is possible that some of those people either could be criminals or might act with someone who is a criminal.
Maintaining a zero-risk tolerance to any exposure to cryptocurrency-related financial crime risk isn’t practical. No matter what the organization’s posture is regarding cryptocurrencies, you’re almost inevitably going to touch some funds that have exposure to cryptocurrencies. It’s more constructive to think about where you draw the line and some of the more contextual indicators of risk you can look at to make informed decisions about the types of cryptocurrency risks you want to avoid by focussing your resources on.
Under the assumption that you are convinced to define an actual cryptocurrency risk appetite statement, let’s look at how to do just that.
First of all, traceability is something you should be thinking of when defining your tolerance level for certain types of cryptocurrency risk. For more popular cryptocurrencies like Bitcoin, the fund flow to and from their ultimate source and destination can be traced, making it easier for a company to make specific risk appetite statements. For example, a company might suggest that it will only allow its customer base to be 20% high risk at any time or 30% medium risk.
If you’re then thinking about whether to deal with another business that engages in cryptocurrency activity, you should consider how much of their overall flow of funds over a given month might involve illicit activity. It’s extremely important to think specifically about cryptocurrencies as you formulate these statements.
The risk appetite statement should be a formal written document. Ideally, it would help if you had a change log on this document, an owner, a list of editors, and stakeholders with access to them. This information should then be written down in a format that is accessible and easy to manage.
Alongside the risk appetite statement, you might want to introduce Key Risk Indicators or KRIs. KRIs will help you measure the fulfillment of your previously defined risk appetite statement. Therefore, the statement should be quantifiable and measurable. Within your risk appetite statement, you may say, “We have no tolerance for deposits over 500 US-Dollar within 24 hours”.
You would then want to look at the systems that might help you measure this. If your organization is a financial institution, this might be your transaction monitoring system for customers to check out their deposits. If you have something like an onboarding questionnaire, you want to look at the answers that your customers have submitted.
Suppose you’re a bank, and you decide that you only want a small percentage of our customer base in your cryptocurrency business area. In that case, you might want to look at your customers’ management information to ensure you are within your predefined tolerance.
Another key indicator is your Suspicious Activity Reports. Internationally, there are several methods used to report suspicious activity. These can be useful in gauging your risk appetite and understanding whether you’re operating within that spectrum.
Not to forget, here is that your cryptocurrency risk appetite statement should be reviewed and updated. You should ensure that the risk appetite statements reflect your business and are in harmony with your business at all times. As a rule of thumb, reviewing and eventually updating your cryptocurrency risk appetite statement should occur annually.
What to do if you’ve breached your risk appetite?
You can deal with a breach of your company’s risk appetite in three ways. It’s all dependent on your business and, within that risk appetite statement, how you have articulated that you will deal with breaches.
- Firstly, you might need to escalate it to a board-level to highlight that you are outside your risk appetite, which is quite common.
- Secondly, investigate why you have breached your cryptocurrency risk appetite statement. It might be that the calculation of your threshold is incorrect, or it could be a genuine breach, which then means that you will need to work out your systems of controls and ensure that it’s kept under control.
- Lastly, you can update and reassess these appetite statements.
Top 8 recommendations on defining your cryptocurrency risk appetite statement:
- First of all, set risk appetites early in your journey. Especially in the crypto world, everything is very quick and high-tech, so probably sitting and writing a document isn’t one of your top priorities, but this needs to be done in the early day to help you along the way.
- Secondly, work with your senior management team to get the statement done and to set the appetites and the limits.
- Thirdly, link the risk appetites to your risk assessment, which means you need to understand where your risks are and then collate that back to your risk appetite statement and vice versa.
- Fourth, make sure you can quantify your risk appetite statement. Don’t just make an “I want to catch it all” statement that you can’t quantify.
- Fifth, understand how you will practically implement your risk appetite statement and how it affects your wider business.
- Sixth, communicate your risk appetite statement correctly within the business so that everyone understands what your appetite is, what’s acceptable, and what isn’t.
- Seventh, assess and escalate scenarios outside your risk appetite statement and deal with them appropriately.
- Finally, Ttack the deviations from the risk appetite statements as part of your regular Management Information. Ensure that you record that you have been outside of that risk appetite statement. That is a valuable piece of management information that you can use in the future.
The financial system is at risk and vulnerable because there is no central governing authority, controlling body, or issuing authority with sufficient capital buffers and risk management systems, such as a bank, licensed non-bank, or any regulated intermediary in administering cryptocurrency. As a result, imposing self-regulation to make every user responsible for the storage and safety of their funds within the wallet is the essence of a cryptocurrency operational modicum.