The collapse of FTX, which among other things showed that emoji approvals in a chat channel are not an internal control, validates the need for internal controls and audit.
The recent boom of digital activities and, in particular, the introduction of new cryptocurrencies, has brought with it a rise in digital risk, compounded by a lack of visibility. In the world of fintech, so often, it’s hard to see beyond the curtain, and this opacity creates an environment ripe for fraud.
Case in point: the FTX collapse, in which at least $1 billion in client funds has been lost through poor (and arguably criminal) governance, hidden from view by a lack of transparency and accountability.
But, truthfully, FTX is just the tip of the iceberg. Throughout fintech and across crypto markets, others are potentially obscuring poor governance practices and serious digital risks, with very real implications for consumers as well as the industry at large. Get up to speed on the risks of crypto, why recent events point to a need for stronger risk management practices across fintech, and what lies ahead for crypto as an unregulated space.
What Makes the Crypto Space So Risky?
Crypto comes with a number of risks, including little to no regulatory oversight, immature or non-existent risk management practices, and limited transparency, which creates both the opportunity and the incentive for fraud. Yet even though the crypto industry has been operating for well over a decade, US banking regulators only acknowledged the risky nature of these enterprises in a January 2023 interagency joint statement.
To date, there are no regulatory controls in place to standardize how crypto companies approach enterprise risk management. As a result, governance and risk management practices vary significantly from firm to firm. And unlike regulated financial institutions, privately held crypto companies are not required to make public disclosures or undergo third-party audits.
This lack of transparency means there is no way for investors or consumers to know what internal controls are in place at crypto firms. They simply have to trust that these organizations are doing their due diligence to mitigate risk, and they only find out otherwise when something goes wrong. They cannot know whether client and company digital assets are kept segregated, how the private keys that control custodial wallets are secured, or whether, as in the case of FTX, there is unchecked fraud, mismanagement of funds, and a founder who is not even trying to manage risk, leading to the collapse of an entire exchange.
And FTX isn’t the only example of poor risk management and internal audit in crypto. Just look at Celsius, which declared bankruptcy in July 2022. Despite claiming the business was “built on trust” and “transparency,” Celsius operated in a completely different manner behind the scenes. The company’s revenue generation ultimately failed to keep pace with its growth and, with an inadequate risk management function, the company lacked the culture, personnel, and controls to responsibly manage its complex and growing business. As a result, the company faced a liquidity crisis. Now, Celsius does not have enough funds to fully repay the $4.2 billion in deposits held by customers when the company filed for bankruptcy.
Why Stronger Risk Management Practices and Federal Regulations Are Needed in Fintech
Without standardized risk management controls and federal regulations governing the crypto industry, the next FTX or Celsius collapse could be waiting around the corner. Investors and consumers will always have to assume that risk.
In fact, we’re really seeing history repeat itself with crypto. After the stock market crash of 1929, Congress enacted the Glass-Steagall Act in 1933 to separate commercial banking from investment banking and “provide for the safer and more effective use of the assets of banks, to regulate interbank control, to prevent the undue diversion of funds into speculative operations, and for other purposes.” The Act was unwound in 1999 by the Gramm-Leach-Bliley Act, and the commingling of banking businesses has since proved unwise. The young bucks leading crypto firms are not yet experienced enough to appreciate the need to separate investment activities from lending activities.
To safely and soundly operate crypto exchanges and crypto lending/depository institutions, structural regulations, such as Glass-Steagall, are imperative. In addition, crypto firms need to have disclosure rules in place to audit and report financial information properly. This requires a formal governance structure that, we know in hindsight, FTX should have had.
On the risk management side, crypto firms must have better internal processes and procedures, including regular audits and stress testing as well as strong cybersecurity, data privacy, and fraud protection measures. Otherwise, we will continue to see bankruptcy after bankruptcy in the crypto space, and consumers and investors will be forced to pay the price.
What’s Ahead for Crypto?
A rocky road lies ahead for the crypto industry. As 2023 progresses, we will begin to see an escalating number of crypto firms seeking bankruptcy protection — the ripple effects of which will be felt across the fintech space.
As the courts rule on civil and potential criminal activities in the cases of FTX, Celsius and others, perhaps setting new legal precedents along the way, the need to regulate the industry will become increasingly undeniable. In fact, although the US government has been relatively hands-off with crypto until now, regulators have finally started to crack down: New York regulators recently ordered Paxos to stop issuing BUSD, the world’s third-largest stablecoin, and the SEC reached a $30 million settlement with Kraken to end its crypto staking program. We can expect Congress to step into the fray as well, with crypto regulation likely to become a hot election-year issue in 2024.
In the meantime, while crypto remains an unregulated and highly risky space — buyer beware!
John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture. Connect with John on LinkedIn.