CAI0075

Written evidence submitted by Imperial College London, Centre for Financial Technology, Quantstamp

 

1.0 Introduction

We would like to submit a co-authored piece of evidence to the Parliamentary Treasury Select Committee, bringing together the leading academic understanding of Blockchain technology at Imperial College Business School’s Centre for Financial Technology and Quantstamp’s leading understanding of Blockchain cyber security, with a focus on potential Blockchain regulation. This piece of evidence first inspects current regulatory and enforcement weaknesses, then proposes areas where further development is needed, and culminates in a targeted regulatory proposal led by Quantstamp. It is our belief that, through the effective and rapid development of technically literate and adaptive legislation and enforcement, the UK could take a leading role in an industry with significant positive implications both economically and socially.

 

1.1 Respondents 

Imperial College Business School’s Centre for Financial Technology was established to act as a hub for the interdisciplinary research that is needed to develop innovations, reveal insights and answer questions, by bringing together the activities of academics, start-up companies, and established industry and governmental organisations. It has been taking an increased focus on the implications and applications of decentralised technologies such as Blockchain, looking at how their benefits can be maximised while their costs are minimised. This focus was well represented at our recent conference ‘DeFi and the Metaverse: what does a decentralised future look like?’, a summary of which is available. The Centre benefits from Imperial College London’s leading position in science and technology and Imperial College Business School’s outstanding finance department, while taking full advantage of London’s unique position as a global financial centre.

 

Quantstamp is an industry leader in Blockchain security, having performed over 500 audits and secured over $200 billion in value. Its mission is to facilitate the mainstream adoption of Blockchain technology through its security and risk assessment services. Quantstamp’s services include securing Layer 1 Blockchains such as Ethereum 2.0 and Solana, securing Layer 2 Blockchains such as Boba Network and OMG Plasma, securing smart contract powered NFTs and DeFi applications such as OpenSea smart contracts and MakerDAO, and developing financial primitives for Layer 1 Blockchain ecosystems. Quantstamp also works with enterprise companies including Visa, Toyota and Siemens, who trust it to secure their Blockchain implementations.

 

Chainproof, a subsidiary of Quantstamp, is the world's first regulated cyber-insurance carrier for non-custodial smart contracts. It is backed by Japan’s second largest insurer, Sompo, and is reinsured by the world’s largest reinsurer, Munich Re. It offers insurance policies to institutional investors who are end-users of decentralized applications (dApps) such as Decentralized Finance (DeFi) platforms, NFTs, and many other systems based on smart contracts. The insurance policy is bundled with a real-time monitoring and incident response service. This means the policyholder is notified of how to react in case of a hack, so that the loss can be minimized.

 

 

2.0 Current state of consumer protection for crypto and digital assets: recognising the risks

 

Whilst a cryptocurrency economy promises many positive financial innovations, it is essential that changes do not sacrifice the integrity and security of the UK’s financial infrastructure, particularly as the financial sector is recognised by the UK Government as one of the nation’s critical national infrastructure assets which, if compromised, would lead to serious systemic damage to the lives of UK citizens.

 

Given the extant issues related to large-scale money laundering activities and their links to the UK’s financial systems, we submit that this should be a key risk area needing attention when considering developments involving cryptocurrencies and associated technology innovations. Following the report published in June 2014 by the Financial Action Task Force (FATF), the areas of concern regarding cryptocurrencies from an anti-money laundering (AML) perspective include:

 

i. High degree of anonymity

ii. Cross-border transactions

iii. Lack of central oversight

 

Recognising these risks, many governments, including the UK, have tightened regulation on the growing population of crypto and digital assets to prevent them from becoming an emergent weak spot for illicit financial activity. In the UK, newly introduced bills such as the Economic Crime Bill and the Financial Services and Markets Bill help outline legal jurisdictions but lack well thought-out methods of enforcement. As such, closer focus needs to be given to:

 

i. The capacity and technical knowledge of current law enforcement.

ii. The need for closer ties with research institutions and practitioners who have the capability to support enforcement.

iii. Publication of investigations, for accountability and for reference in other investigations and research.

iv. Better understanding and oversight of dark trades that are not done on centralised platforms.

v. A strategy for regulating and policing decentralised finance (DeFi), as traditional methods of regulating intermediaries will not be possible. This could be done by regulating from the design stage of the infrastructure of the DeFi system.

vi. A clear definition of what front running means in a DeFi context, e.g. even though it uses public information, does it need to be regulated? This is currently what a lot of crypto hedge funds are optimising for.

 

2.1 Defining digital assets

 

The act of defining digital assets as legal property is an important one, as it will enable already existing laws to be used in the Blockchain space to protect customers. Important steps have already been taken by the Law Commission; however, there are still significant weak points that require further analysis:

 

i. Clarification of whether an intangible or digital representation can be recognised in law as an object of property rights. This would ensure a well-defined application of legal rules to transactions involving digital assets. Over time, as the volume of digital transactions increases, it can further be established whether a separate regime should be constructed for digital assets altogether, to combat ambiguity and ensure higher consistency.

a. One of the largest crypto exchanges in Japan is an example of ambiguity in legislation. It considered that Bitcoins were “things” capable of ownership under Japanese law as per Article 85 of the Japanese Civil Code. In that article, things are defined as tangible, and the right of ownership of intangible things is restricted. The regulator finally established that Bitcoin did not qualify as a “thing” under the Civil Code definition, but also had to recognise that exceptions do exist in property law.

ii. Intangible digital assets being defined under legislation as “data objects” for clarification purposes, as previously advocated by the Law Commission.

a. If this is not regulated, it should be clearly acknowledged that, in fact, only utility tokens and exchange tokens fall under this definition, so as to prevent consumers from holding the misleading belief that they are protected when holding any other digital asset.

iii. Legal acknowledgement of ownership of an asset on the ledger, and of the changes required to said asset to transfer value among the users of the system.

iv. Extension to cover the unique properties of each digital asset.

a. As mentioned before, innovation in technology occurs more quickly than legislation. This creates a gap in the specific terms legislation uses for each kind of digital asset. Current digital asset and cryptocurrency technology should be reviewed, and legislation adapted, more regularly, at the rate the market develops.

 

2.2 Money laundering 

 

As of the 10th of January 2020, UK crypto-asset businesses need to comply with the MLR (the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017). This was coupled with the requirement to be registered with the FCA for supervision of anti-money laundering (AML) and counter-terrorist financing controls.

 

Regulation and enforcement are not keeping up with the speed at which the crypto industry is developing. This is resulting in significant weak points in AML. Moreover, the FATF has reported that this is in fact a global issue, with gaps in the global implementation of the FATF standards as well as high variability of regulation between jurisdictions. Given the UK’s significant position in the global financial system and its role in policing ML, it could play a significant role as a standard setter in this space. One of the biggest concerns is that the absence of international digital identity standards is creating a barrier to fully adopting regulated Blockchain technology, since it makes the tasks of tracking users across different systems and of confidently validating who they are impossible. This leads to immense problems when it comes to abiding by AML rules and data protection standards. An interesting technology that may offer a solution to the data sharing and validation problem of identification is zero knowledge proofs, which enable a user to be validated without needing to give away personal data.

 

It would be fair to say that the current stance of the FCA in the crypto space is not universally seen as positive, as it lacks the speed to keep up with the industry and the technical knowledge to fully understand it. This is acting as a major limiting factor on the UK’s ability to become the crypto hub the Treasury has announced. Approximately 88% of the applications made by crypto businesses have been rejected by the FCA. Furthermore, approximately 90% of firms that have been assessed have withdrawn their applications for registration. The two business areas caught by the registration requirements are crypto-asset exchange providers and custodian wallet providers.

 

Of the applications approved by the FCA, none were for crypto ATMs, which are prevalent in many other European countries. One concern raised by the FCA was that, due to the lack of background checks, the money laundering risk was higher: most crypto ATMs do not follow the uniform KYC rules that banks use. This means that all crypto ATMs are currently illegal in the UK. The conclusion is that there is major concern in the industry that the current AML registration regime is encouraging firms to set up abroad, due to the very high bar set for firms looking to register with the FCA; these crypto companies are still able to target consumers in the UK, and this encourages cross-border transactions which are onerous to monitor.

 

2.3 Advertising to the Consumer

 

A quick and relatively easy win for regulators in developing consumer protection would be the enforcement of already existing rules in the advertising space. There are regular stories of social media influencers peddling a new cryptocurrency or NFT. This has sometimes resulted in a significant inflow of capital to the project, with the project token then turning out to be a front for a scam, leading to a fast and coordinated outflow of capital to a small number of parties with privileged information (a.k.a. a ‘rug pull’), and the average consumer losing a substantial part of their investment. This is one of the most common “crimes” in the crypto industry, often a legal one, and it significantly undermines trust in the system. There needs to be greater enforcement of already existing rules on fraudulent advertising.

 

In 2022 the UK announced plans to strengthen current regulations on various forms of crypto assets, with the aim of protecting consumers from misleading claims by bringing them into regulation with the FCA, although this will not take effect until 2023. It is critical to note that NFTs are not included in the proposed future regime, because they fall under the umbrella class of “collectibles”, despite their increasing popularity and high daily trading volume. For now, it is understood that all unregulated crypto assets will continue to be subject to the Advertising Code, with the Advertising Standards Authority (ASA) having executive oversight over all forms of cryptocurrency advertising.

 

2.4 Auditing Projects

 

More than 2 billion GBP have been lost in DeFi hacks in the first half of 2022 alone.[1] More than 60% of the hacked projects were unaudited before they launched, and many of the remaining 40% had not fixed all the vulnerabilities and issues that their auditors found. To make matters worse, scams have been the most common attack on consumers over the past decade.

 

Scammers are successful because it is still common in the crypto space for founders or whole project teams to be pseudonymous. Oddly enough, some of the most famous crypto projects are run by anonymous teams, e.g. Yearn Finance, SushiSwap and Algodex.

 

While the cryptographic protocols that underlie the Blockchain ecosystem are practically unbreakable (with current technological capabilities), the code that interfaces with them is not. In essence, the biggest risks projects face are vulnerabilities in the software and mistakes in the understanding of underlying monetary and economic concepts. For example, there have been cases where unaudited Solidity code led to monumental hacks, such as the Beanstalk Farms, Ronin Network and Poly Network exploits, where hackers diverted north of $1.4b in total. Furthermore, when it comes to previously unknown, or “zero-day”, exploits, they are unfortunately impossible to prevent, and focus should therefore lie on mitigation. In contrast to the exploits of vulnerable code, one example of dubious tokenomics is the DYDX protocol, where liquidity providers are observed to be periodically selling their token rewards at the end of the month, implying a constant and significant selling pressure on the token which could turn ugly quickly for the average retail investor if it were to be exacerbated by institutional selling.


3.0 An approach to crypto regulation

Ensuring Cybersecurity Standards

 

As covered, there are significant gaps in the regulatory structure that Blockchain projects can take advantage of. As such there needs to be a way of validating that they are not out to harm consumers either on purpose or unintentionally. Currently, there is no government entity or regulator that can hold project owners/teams accountable for their actions. This means unaudited projects can be launched, and even audited projects can ignore or just acknowledge any vulnerabilities found during the audit and launch without fixing identified issues.

 

3.1 A crypto focused regulator 

There needs to be a more informed and adaptive regulatory process for Blockchain regulation. One solution we would propose is the creation of a dedicated technically literate team (“CryptoReg”) that would have cryptocurrency, smart contracts and decentralized finance regulation in their scope. This can be either a separate organisation or a group that has teams embedded in already existing regulators. CryptoReg would:

i. Leverage the existing crypto infrastructure and companies already in place to scale easily without needing to hire an unreasonable number of people.

ii. Create and offer a curated and public list of crypto projects (“Curated Project List”) that are safe for end consumers to use.

iii. Maintain a list of trusted third-party auditing companies (“Auditor List”) as well as a public database containing general “dos and do nots” for writing secure Solidity and Rust.

iv. Publish a set of criteria to be fulfilled by projects who wish to apply to the Curated Project List. Such criteria may include:

a. Strict KYC of project/company owners, who would be held accountable if something goes wrong and their consumers are affected. It would be the responsibility of project owners to KYC the rest of their team, so that there is no situation where a malicious developer remains anonymous and steals the money.

b. Mandatory security audits by at least two trusted third-party auditors on the Auditor List.

i. Security audits must be completed with all issues fixed or adequately addressed before the project launches in production. CryptoReg would communicate directly with the auditor to determine whether this criterion is met.

ii. Software development practices must be held to high standards similar to those in the banking industry. This includes but is not limited to:

1. Peer review of pull requests for each feature.

2. Pull requests for new features should always be accompanied by tests.

3. The test suite should always pass, and branch coverage should always be higher than 90%.

4. A high number of assertions should be present in test cases to check for the effects and side effects of each state-changing function call.

c. Security monitoring of the project’s smart contracts and web front-end in place at the time of launch.

d. A bug bounty programme in place for at least 5% of the Total Value Locked (TVL) in the project at all times. If the TVL grows, then the bounty needs to be increased. A private database of the zero-days identified by white hat hackers through the programme should then be maintained at all times.

v. Publish a set of criteria to be fulfilled by auditing companies wishing to apply to the Auditor List. Such criteria may include:

a. Strict KYC of company owners, who would be pulled in for questioning in case something goes wrong and their customers are hacked.

b. Detailed profile of each employed auditor, including credentials that indicate the skills needed to audit code.

c. (Optional) Track record of audits performed and customer references.

d. (Optional) Portfolio of tools built by the company.

e. Portfolio of tools used by the company.

vi. To reduce the burden on CryptoReg of checking all the criteria for the Curated Project List, it can leverage the work of regulated smart contract insurance companies such as Chainproof Digital Asset Insurance Ltd (Bermuda). Such insurance providers already check all of these criteria when considering whether to offer insurance for a particular protocol, except for the strict KYC of the project owner and the development team.

 

3.2 Other solutions and targets

 

This section covers other areas we believe would lead to the promotion of a healthier crypto market:

  1. JMLIT (the Joint Money Laundering Intelligence Taskforce, a partnership between law enforcement and the financial sector to exchange information on economic threats and ML) should be expanded further to develop projects in less-researched areas such as DeFi, NFTs and DAOs.
  2. Creating a link between the public and private sectors to assist with policy, developing appropriate measures for an environment that harnesses development while reducing the crime that inevitably accompanies it:
    1. The public sector benefits from newly adopted technology.
    2. The private sector can benefit from the shared security concerns and objectives.
  3. Acknowledging and reducing the gap between knowledge of traditional financial markets and of crypto asset markets, including further familiarisation with crypto assets among the FCA assessors.
  4. Working closely with cryptocurrency companies to bring them up to the MLR standard, and
    1. A more project-specific approach to applications, taking the type of digital asset into consideration, rather than strict uniform guidelines for all digital assets.
  5. Combating the issues around advertising:
    1. Clarity on regulation standards and setting more discrete regulations.
    2. More widespread information on the volatility of crypto. Although there are restrictions on the material that citizens are exposed to, there is little financial knowledge about digital assets in general. Knowledge about crypto should be spread as widely as knowledge about stocks, crypto should be treated similarly as a financial investment, and it should receive as much publication as traditional financial investments. In situations where there is no consumer protection, such as in DeFi and when you hold assets with a third party, knowledge is the easiest preventative measure.
    3. Social media regulation of crypto. The FCA has conducted research and found that 40% of new investors started investing in cryptocurrency after seeing an advert on social media. This could be addressed by placing a greater onus on influencers to do due diligence on the projects they partner with.
    4. The government working more closely with social media providers, or pressing them to attach cautionary messages to cryptocurrency adverts.

 

4.0 Summary and solutions

In this document, we have provided the context of the current state of cryptocurrency and DeFi and emphasised the problem of billions of pounds in lost funds due to scams and bad security practices of crypto projects. We have also proposed a solution to this problem through a regulatory body that would collaborate with existing cryptocurrency and DeFi security providers such as auditors, bug bounties and insurance providers. We believe that leveraging the work of such cryptocurrency and DeFi security providers will allow the regulator to scale up their operations without incurring a high cost of (human) resources.

 

 

September 2022


[1] Chainalysis (2022). 2022 DeFi Hacks. Retrieved from https://blog.chainalysis.com/reports/2022-defi-hacks/