In response to this, and following a multitude of reviews in this space, on 21 March 2022 Treasury released a Consultation Paper outlining the Government's proposed regulatory and licensing framework for crypto asset secondary service providers (CASSPrs) and proposed custody obligations to safeguard private keys.
The Consultation Paper broadly endorses the recommendations set out in the Senate's Final Report of Select Committee on Australia as a Technology and Financial Centre and aims to create a framework that gives consumers greater confidence in their dealings with CASSPrs, while recognising the growing importance of the crypto asset ecosystem to both the Australian and global economy.
As noted by Treasury, the existing regulatory framework is governed by an assortment of piecemeal principles-based obligations drawn from the Corporations Act 2001 (Cth), Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and the Australian Securities and Investments Commission Act 2001 (Cth). In the absence of a uniform framework that regulates crypto assets and the associated CASSPrs, Treasury has identified the following actual and perceived regulatory gaps:
- challenges classifying crypto assets as financial products or non-financial products due to the variety of different features and rights, and the broad range of novel use cases, attached to each crypto asset;
- counterparty risks associated with using crypto as a store of value or investment, which expose consumers to potential loss of their crypto assets or balance with limited recourse in the event of operational, cybersecurity or financial failures of CASSPrs;
- perception that CASSPrs provide similar services to financial services licensees. However, CASSPrs are not subject to similar regulatory oversight; and
- while certain existing digital currency exchanges are subject to AUSTRAC registration and Australian AML/CTF compliance, owners, directors and managers of CASSPrs are not subject to fit and proper person tests.
The regulatory and licensing regime outlined in the Consultation Paper proposes to regulate CASSPrs who provide retail consumers access to non-financial product crypto assets, provide custody of all crypto assets on behalf of consumers and who are Virtual Asset Service Providers (as defined by the Financial Action Task Force) for AML/CTF reasons. However, this regime is not intended to apply to decentralised platforms or protocols.
Crypto asset secondary service providers
The Consultation Paper recognises the importance of implementing appropriate and effective regulatory safeguards to improve the reputation and credibility of the crypto asset ecosystem without discouraging future innovation, growth and competition. CASSPrs have been identified in the Consultation Paper as being the most appropriate subject of such regulation. This is on the basis that CASSPRs interact with consumers and provide a range of services to allow such consumers and businesses to access and use crypto assets; thereby exposing consumers to significant operational, custodial and financial risks.
Treasury relevantly defines CASSPrs as:
"Any natural or legal person who, as a business, conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
- exchange between crypto assets and fiat currencies;
- exchange between one or more forms of crypto assets;
- transfer of crypto assets;
- safekeeping and/or administration of virtual assets or instruments enabling control over crypto assets; and
- participation in and provision of financial services related to an issuer's offer and/or sale of a crypto asset."
For the purposes of this definition, and in line with ASIC's definition in ASIC Consultation Paper 343: Crypto-assets as underlying assets for ETPs and other investment products, "crypto assets" is defined as:
"…a digital representation of value or contractual rights that can be transferred, stored or traded electronically, and whose ownership is either determined or otherwise substantially affected by cryptographic proof."
The proposed definition of crypto assets is intended to be applied across all Australian regulatory frameworks. On this basis, Treasury is seeking feedback on the proposed definitions and whether the proposed licensing regime should carve out certain types of crypto assets (eg. NFTs).
Proposed CASSPrs licensing regime
CASSPrs are required to comply with existing regulatory regimes where services provided in respect of crypto assets meets the definition of a financial product under the Corporations Act. However, to ensure a simple, consistent and efficient regulatory approach is maintained, Treasury proposes a single licensing regime, which is to apply to all CASSPrs with graduating obligations that are dependent on the number and types of services offered. Notably, the proposed licensing regime is intended to be separate from the Australian financial services licensing and the Australian markets licensing regimes (although one of the alternatives that is canvassed, and upon which submissions are sought, is that CASSPrs be regulated under the existing financial services regime – see below).
To comply with the proposed regime, the Consultation Paper outlines a number of obligations that CASSPr licensees must adhere to:
- do all things necessary to ensure that the services covered by the licence are provided efficiently, honestly and fairly; and any market for crypto assets is operated in a fair, transparent and orderly manner;
- maintain adequate technological, and financial resources to provide services and manage risks, including by complying with the custody standards proposed in the Consultation Paper;
- have adequate dispute resolution arrangements in place, including internal and external dispute resolution arrangements;
- ensure directors and key persons responsible for operations are fit and proper persons and are clearly identified;
- maintain minimum financial requirements including capital requirements;
- comply with client money obligations;
- comply with all relevant Australian laws;
- take reasonable steps to ensure that the crypto assets it provides access to are "true to label" e.g. that a product is not falsely described as a crypto asset, or that crypto assets are not misrepresented or described in a way that is intended to mislead;
- respond in a timely manner to ensure scams are not sold through their platform;
- not hawk specific crypto assets;
- be regularly audited by independent auditors;
- comply with AML/CTF provisions (including a breach of these provisions being grounds for a licence cancellation); and
- maintain adequate custody arrangements.
Relevantly, a number of these obligations imposed on CASSPrs mirror those obligations which apply to Australian financial services licence holders to ensure minimum standards of conduct and operational resilience. In this regard, CASSPrs are also expected to meet certain financial requirements specified by ASIC, which would reflect the services provided and the volume of transactions.
Treasury has also proposed the following alternative regulatory options and are seeking advice on these options:
- Regulating CASSPRs under the financial services regime: this would involve applying the existing financial services regime to CASSPrs by defining crypto assets as financial products under section 764A of the Corporations Act and providing carve outs for certain crypto assets to achieve the appropriate outcomes. Under this option, CASSPrs that provide a trading venue would also be subject to the Australian market licensing regime; and
- Self-regulation by the crypto industry: this option would involve industry developing a code of conduct for crypto asset services, which could be approved by a regulator and meet minimum regulatory policy goals. Noting that the existing regime for AML/CTF obligations would continue to apply.
Existing AML/CTF obligations
Treasury confirms in the Consultation Paper that AUSTRAC will remain the AML/CTF supervisor for CASSPrs that provide designated services under the AML/CTF Act. However, consideration will be given to how the existing AUSTRAC registration requirements may be integrated with the proposed regulatory regime to ensure regulatory efficiencies are met and duplication is minimised.
Proposed custody obligations
The Consultation Paper also outlines proposed mandatory minimum, principles-based custody obligations for private-keys that are held or stored by CASSPrs on behalf of consumers. Treasury acknowledges that consumers are exposed to custody risks that their service providers face and are not well-placed to assess the resilience of their service providers' custody arrangements. This proposal intends to mitigate the custodial risks faced by consumers and aims to increase consumer confidence in providers of custody services.
CASSPrs who maintain custody (either themselves or via third parties) of crypto assets on behalf of consumers will be required to comply with the following proposed obligations, which are designed to afford customers necessary custodial protections without restricting custodians to specific technology or prescribed requirements that evolve over time:
- holding assets on trust for the consumer;
- ensuring that consumers' assets are appropriately segregated;
- maintain minimum financial requirements including capital requirements;
- ensuring that the custodian of private keys has the requisite expertise and infrastructure;
- private keys used to access the consumer's crypto assets must be generated and stored in a way that minimises the risk of loss and unauthorised access;
- adopt signing approaches that minimise "single point of failure" risk;
- robust cyber and physical security practices;
- independent verification of cybersecurity practices;
- processes for redress and compensation in the event that crypto assets held in custody are lost;
- when a third-party custodian is used, that CASSPrs have the appropriate competencies to assess the custodian's compliance necessary requirements; and
- any third-party custodians have robust systems and practices for the receipt, validation, review, reporting and execution of instructions from the CASSPr.
Treasury has also proposed, and is seeking advice on, an alternative option for industry to self-regulate and maintain minimum standards and expectations that are used by crypto custodians. Under this proposal, crypto asset custodians would work collaboratively and self-regulate in accordance to codes or standards that are created by industry.
The Consultation Paper seeks feedback on the various types of crypto assets to inform the token mapping exercise, which is slated to be completed by the end of 2022. It is noted that further consultation on the token mapping exercise will follow.
Treasury has outlined a number of questions and considerations for industry in the Consultation Paper. The closing date for submissions and input on the Consultation Paper is 27 May 2022.
Thanks to Louise Yuen for her contribution to this article.