
Blockchain risk management – Risk functions need to play an active role in shaping blockchain strategy

Is your organization prepared for the new risks posed by the introduction of a blockchain framework?

The successful adoption and operation of any new technology is dependent on the appropriate management of the risks associated with that technology. This is especially true when that technology is more than an application and is part of the organization’s core infrastructure, as is the case with Distributed Ledger Technologies (DLT). DLTs have the potential to be the backbone of many core platforms in the near future. DLT is a peer-to-peer (or machine-to-machine) value-transfer framework that provides Byzantine fault tolerance with distributed databases updated through a consensus mechanism. Every participant node has an exact copy of the data, and a consensus protocol synchronizes the updates across participant nodes. The blockchain protocol is a special case of DLT, where the consensus protocol creates a daisy-chained immutable ledger of all transactions that is shared across all participants. This framework allows for near real-time value transfer (e.g. assets, records, identity) between participants without the need for a central intermediary. Any transfer of value between two parties and the associated debits and credits are captured in the blockchain ledger for all parties to see. The cryptographic consensus protocol ensures immutability and irreversibility of all transactions posted on the ledger.

Risk practitioners across sectors are very excited about blockchain’s promise to help organizations minimize—and in some cases eliminate—the risks posed by current systems. Blockchain is being viewed as the foundational technology for the future of risk management. However, as the technology continues to mature and many theoretical use cases begin to get ready for commercialization, it behooves the industry to start focusing on a less discussed question: “Do blockchain-based business models expose the firm and market to new types of risk? If so, what should firms do to mitigate these risks?”

It’s critical for firms to understand that while blockchain promises to drive efficiency in business processes and mitigate certain existing risks, it poses new risks to the firm and market. Additionally, it’s important to understand the evolution of regulatory guidance and its implications. Earlier this year, the Financial Industry Regulatory Authority (FINRA) issued detailed guidance [1] on some of the operational and regulatory considerations for developing various use cases within capital markets. Firms need to ensure that these regulatory requirements are addressed in blockchain-based business models.
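The daisy-chained ledger and node synchronization described above, as an added example that is not part of the original paper: each block commits to the hash of the block before it, every participant node keeps its own copy, and two checks catch an altered copy. The first is per-copy hash verification; the second compares ledger tips across nodes, with a simple majority standing in for a real consensus protocol (an assumption of this example). Block layout, node names and the transactions are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS_PREV = "0" * 64  # back-link of the first block (constructed convention)


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: List[dict]
    block_hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so every node hashes identical bytes for identical content.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


def append_block(chain: List[Block], transactions: List[dict]) -> Block:
    """Seal a new block that commits to the previous block's hash."""
    prev_hash = chain[-1].block_hash if chain else GENESIS_PREV
    block = Block(len(chain), prev_hash, [dict(t) for t in transactions])
    block.block_hash = block.compute_hash()
    chain.append(block)
    return block


def verify_chain(chain: List[Block]) -> Optional[int]:
    """Per-copy check: None if every block's hash and back-link are intact,
    otherwise the index of the first block that fails."""
    expected_prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != expected_prev or block.block_hash != block.compute_hash():
            return block.index
        expected_prev = block.block_hash
    return None


def replica_of(chain: List[Block]) -> List[Block]:
    """Deep copy: each participant node holds its own copy of the ledger."""
    return [Block(b.index, b.prev_hash, [dict(t) for t in b.transactions], b.block_hash)
            for b in chain]


def reseal_from(chain: List[Block], start: int) -> None:
    """Recompute hashes from `start` onward. A copy altered and re-sealed this
    way passes verify_chain, which is why the cross-node check is also needed."""
    for i in range(start, len(chain)):
        chain[i].prev_hash = chain[i - 1].block_hash if i else GENESIS_PREV
        chain[i].block_hash = chain[i].compute_hash()


def divergent_nodes(replicas: Dict[str, List[Block]]) -> List[str]:
    """Cross-node check: nodes whose ledger tip disagrees with the majority tip.
    Majority-of-tips is a stand-in for a real consensus protocol (assumption)."""
    tips = {name: chain[-1].block_hash for name, chain in replicas.items()}
    counts = {h: list(tips.values()).count(h) for h in tips.values()}
    majority = max(counts, key=counts.get)
    return sorted(name for name, tip in tips.items() if tip != majority)


def demo() -> dict:
    # Constructed sample ledger: three blocks of toy transfers, three node copies.
    chain: List[Block] = []
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 10}])
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 4}])
    append_block(chain, [{"from": "carol", "to": "alice", "amount": 1}])
    replicas = {n: replica_of(chain) for n in ("node-a", "node-b", "node-c")}

    # Case 1: node-c edits a past amount in place; its own copy fails verification.
    replicas["node-c"][1].transactions[0]["amount"] = 400
    broken_at = verify_chain(replicas["node-c"])

    # Case 2: node-c re-seals its copy so it self-verifies; its tip hash now
    # differs from the other nodes and the divergence is still caught.
    reseal_from(replicas["node-c"], 1)
    return {
        "honest_ok": verify_chain(replicas["node-a"]) is None,
        "tamper_broken_at": broken_at,
        "resealed_self_verifies": verify_chain(replicas["node-c"]) is None,
        "divergent": divergent_nodes(replicas),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are complementary: hash verification tells a node whether its own copy is intact, and only comparison with the other participants' copies (what the consensus protocol does continuously) tells it whether its copy is the agreed history.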


Types of blockchains and inherent risks

Blockchains fall under two types: permissionless and permissioned chains. Permissionless blockchains allow any party without any vetting to participate in the network, while permissioned blockchains are formed by consortiums or an administrator who evaluate the participation of an entity on the blockchain framework.

Permissionless blockchains start out with a pool of crypto currency to pay service providers, or miners, to participate in the process. Miners are service providers who update the general ledger with transactions that occurred between participants. Anyone can participate as a miner as long as they meet certain technological requirements dictated by the network. No other entity checks, such as know your customer (KYC) or other background checks of the service provider, are possible in this framework. Anyone acquiring this crypto currency on the blockchain framework can transact with any entity on the blockchain. As such, there is increased risk of money laundering and theft of currency from a user’s blockchain account on that network. Additionally, permissionless blockchains have scalability and privacy issues that pose a significant risk to the use of this framework by financial institutions.

Permissioned blockchains do not have the crypto currency requirement, as the consortium network or the administrator can predefine the update process without the use of unvetted service providers. Usually, this involves a choice of a consensus algorithm that is deployed on the network to update the blockchain ledger. Additionally, scalability and privacy issues can be handled by the choice of infrastructure by the participants, and suspicious activity monitoring can be deployed across the network by the administrator or the consortium. Therefore, this framework is more suitable for institutions to use with a group of known and predetermined peers.

Regardless of the type of blockchain, the business logic is encoded using smart contracts. Smart contracts are self-executing code on the blockchain framework that enable straight-through processing, which means that manual intervention is not required to execute transactions. Smart contracts rely on data from outside entities referred to as “oracles,” and can act on data associated with any public address or with another smart contract on the blockchain. A smart contract can mimic a contract and can execute the contract automatically if the conditions required to consummate the contract have been met. Smart contracts are generally the most vulnerable points for cyberattack and technology failures. Like any other software code, smart contracts require robust testing and adequate controls to mitigate potential risks to blockchain-based business processes.

Firms across different industries are investing heavily in this new technology to build a variety of use cases on topics such as identity management, provenance, trade finance, clearing and settlement, cross-border payment, etc. While the blockchain technology promises to drive efficiency or reduce cost in each of the use cases, the blockchain, as well as the smart contracts encoding the business logic, have certain inherent risks. It’s imperative that firms understand the risks and the appropriate safeguards to reap the benefits of this technology. Failure to mitigate the risks posed by adopting the new technology might undermine all the benefits. These risks can be broadly classified under three categories: standard risks, value transfer risks, and smart contract risks.


Standard risk considerations

[Figure: standard risk considerations – Strategic, Reputational, Information security, Business continuity, Regulatory, Ops and IT, Contractual, Supplier]

Blockchain technologies expose institutions to risks that are similar to those associated with current business processes but introduce nuances for which entities need to account:

•• Strategic risk: First, firms need to evaluate whether they want to be at the leading edge of adoption or wait to adopt until the technology matures. Each of these options has varying levels of risk to business strategy. Second, given the peer-to-peer nature of this technology, it’s important for entities to determine the right network to participate in, as their business strategy could be impacted by the different entities participating on the chain. Third, the choice of the underlying platform could pose limitations in the services or products that can be delivered via this platform.

•• Business continuity risk: Blockchain technologies are generally resilient due to the redundancy resulting from the distributed nature of the technology. However, the business processes built on blockchains may be vulnerable to technology and operational failures as well as cyberattacks. Firms need to have a robust business continuity plan and governance framework to mitigate such risks. Additionally, blockchain solutions shorten the duration of many business processes, and business continuity plans should account for a shorter incident response and recovery time.

•• Reputational risk: Unlike fintech applications, blockchain technology is part of core infrastructure and will have to work seamlessly with legacy infrastructure. Failure to do so could result in poor client experience and regulatory issues.

•• Information security risk: While blockchain technology provides transaction security, it does not provide account/wallet security. The distributed database and the cryptographically sealed ledger prevent any corruption of data. However, value stored in any account is still susceptible to account takeover. Additionally, there are cyber security risks to the blockchain network if a malicious actor takes over 51 percent of the network nodes for a duration of time, especially in a closed permissioned framework.

•• Regulatory risk: Currently, across the globe there’s uncertainty around the regulatory requirements related to blockchain applications. Additionally, there may be regulatory risks associated with each use case, the type of participants in the network, and whether the framework allows domestic or cross-border transactions. This could also include cross-border regulations related to privacy and data protection. FINRA’s regulatory guidance [2] calls for broker-dealers to be cognizant of all applicable federal and state laws, rules, and regulations when exploring issuing and trading securities, facilitating automated actions, and maintaining transactions on a DLT network. In its guidance, FINRA highlights DLT’s potential to affect various aspects of the securities market, including market efficiency, transparency, post-trade processes, and operational risk.

•• Operational and IT risks: Existing policies and procedures will need to be updated to reflect new business processes. Additional technology concerns could include speed, scalability, and interface with legacy systems in implementing the technology.

•• Contractual risk: There will likely be several service-level agreements (SLAs) between participating nodes and the administrator of the network, in addition to SLAs with service providers, that will need to be monitored for compliance.

•• Supplier risks: Firms may be exposed to significant third-party risks since most of the technology might be sourced from external vendors.

Value transfer risk considerations

[Figure: value transfer risk considerations – Consensus protocol, Data confidentiality, Key management, Liquidity]

Blockchain enables peer-to-peer transfer of value without the need for a central intermediary. The value transferred could be assets, identity, or information. This new business model exposes the interacting parties to new risks which were previously managed by central intermediaries.

•• Consensus protocol risk: The transfer of value in a blockchain framework occurs by the use of a cryptographic protocol that arrives at a consensus among participant nodes to update the blockchain ledger. There are several such cryptographic protocols that are used to achieve consensus among participant nodes for updating the blockchain ledger. Each such protocol will have to be evaluated in the context of the framework, the use case, and network participant requirements. For example, the practical Byzantine fault tolerance algorithm requires parties to agree on the exact list of participants, and membership in the system is set by a central authority or closed negotiations. In a proof-of-stake consensus protocol, it’s possible for block generators to vote for multiple blockchain histories, which may lead to consensus never resolving and thus the ledger would not complete the transfer of value.

•• Key management risk: While the consensus protocol immutably seals a blockchain ledger and no corruption of past transactions is possible, it’s still susceptible to private key theft and the takeover of assets associated with public addresses. Digital assets could become irretrievable in the case of accidental loss or private key theft, especially given the lack of a single controller or a potential escalation point within the framework.

•• Data confidentiality risk: The consensus protocol requires that all participants in the framework can view transactions appended to the ledger. While the transactions in a permissioned network could be stored in a hashed format so as to not reveal the contents, certain metadata will always be available to network participants. Monitoring the metadata can reveal information on the type of activity and the volume associated with the activity of any public address on the blockchain framework to any participant node.

•• Liquidity risk: The Bank for International Settlements warned that the adoption of DLT, such as the blockchain, may introduce new liquidity risks [3]. In current business models, intermediaries typically take on the counterparty risks and help resolve disputes. Dispute resolution in a distributed trust environment is a requirement that will rely on preordained arrangements.
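The data confidentiality point above, as an added example that is not from the paper: a small permissioned ledger (constructed) stores only a SHA-256 digest of each transaction’s contents, yet the routing metadata every participant node sees is enough to profile each address’s activity volume, counterparties and active hours. The record layout and the addresses are assumptions; a risk function can run the same profiling over its own proposed ledger design to see what it would expose to other participants.

```python
import hashlib
import json
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Added example, not from the paper. Ledger layout is an assumption: each record
# carries clear-text routing metadata (from, to, timestamp) plus a SHA-256
# digest of the confidential payload, which itself never reaches the ledger.
METADATA_FIELDS = ("from", "to", "ts", "payload_hash")


def seal(sender: str, receiver: str, ts: str, payload: dict) -> dict:
    """Build the record a node would append: contents replaced by their digest."""
    digest = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()
    return {"from": sender, "to": receiver, "ts": ts, "payload_hash": digest}


# Constructed sample ledger, exactly as every participant node sees it.
LEDGER: List[dict] = [
    seal("0xA1", "0xB2", "2017-03-01T09:00:00Z", {"asset": "BOND-1", "qty": 100}),
    seal("0xA1", "0xB2", "2017-03-01T09:05:00Z", {"asset": "BOND-1", "qty": 250}),
    seal("0xA1", "0xC3", "2017-03-01T14:20:00Z", {"asset": "EQ-7", "qty": 10}),
    seal("0xB2", "0xA1", "2017-03-02T09:01:00Z", {"asset": "CASH", "amount": 5000}),
    seal("0xA1", "0xB2", "2017-03-02T09:03:00Z", {"asset": "BOND-1", "qty": 300}),
    seal("0xD4", "0xC3", "2017-03-02T16:45:00Z", {"asset": "EQ-7", "qty": 1}),
]


def leaks_cleartext_payload(ledger: List[dict]) -> bool:
    """Confidentiality control check: True if any record carries a field beyond
    the agreed metadata, i.e. payload contents have reached the ledger in clear."""
    return any(key not in METADATA_FIELDS for rec in ledger for key in rec)


def activity_profile(ledger: List[dict]) -> Dict[str, dict]:
    """What any node can derive from metadata alone, per public address:
    how much it transacts, with whom, and at what hour of the day."""
    profile = defaultdict(lambda: {"sent": 0, "received": 0,
                                   "counterparties": set(), "hours": Counter()})
    for rec in ledger:
        hour = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        profile[rec["from"]]["sent"] += 1
        profile[rec["from"]]["counterparties"].add(rec["to"])
        profile[rec["to"]]["received"] += 1
        profile[rec["to"]]["counterparties"].add(rec["from"])
        for addr in (rec["from"], rec["to"]):
            profile[addr]["hours"][hour] += 1
    return {addr: {"sent": p["sent"], "received": p["received"],
                   "counterparties": sorted(p["counterparties"]),
                   "busiest_hour": p["hours"].most_common(1)[0][0]}
            for addr, p in profile.items()}


def most_active_address(ledger: List[dict]) -> str:
    """The address with the highest transaction count, visible to every node."""
    prof = activity_profile(ledger)
    return max(prof, key=lambda a: prof[a]["sent"] + prof[a]["received"])


if __name__ == "__main__":
    print("clear-text payload present:", leaks_cleartext_payload(LEDGER))
    for addr, p in activity_profile(LEDGER).items():
        print(addr, p)
    print("most active:", most_active_address(LEDGER))
```

The digest hides what was traded, but the profile shows that 0xA1 is the dominant party, trades almost exclusively with 0xB2, and is active around 09:00; that is the kind of inference the passage says metadata will always permit, so the confidentiality assessment has to cover the metadata, not only the payload.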


Smart contract risk considerations

[Figure: smart contract risk considerations – Business and regulatory, Legal liability, Enforcement of contract, Information security]

Smart contracts can potentially encode complex business, financial, and legal arrangements on the blockchain, and could result in the risk associated with the one-to-one mapping of these arrangements from the physical to the digital framework. Additionally, cyber security risks increase as the smart contracts rely on outside oracles to trigger contract execution.

•• Business and regulatory risks: Smart contracts should accurately represent business, economic, and legal arrangements defined between parties in the framework. The smart contracts that are defined on a blockchain network will apply in a consistent manner to all participants across the network. Therefore, these smart contracts will have to be capable of exception handling, and the consequences of these exceptions, in the form of a programmatic output on the blockchain framework, will have to be tested across the universe of all other smart contracts within the network for adherence to business and legal arrangements and compliance with regulations.

•• Contract enforcement: Currently there is no legal precedent around the enforcement of a smart contract in lieu of a physical contract, and there are no regulations governing smart contracts. Also, as the data on a blockchain framework is immutable, care should be taken to amend smart contracts to avoid breaches of existing regulation by acting on data from the past on the blockchain that are not within the statutory legal limits for a financial arrangement.

•• Legal liability: In a permissioned network, the legal liability remains unclear for an improper, erroneous, or malicious administration of a smart contract resulting in a transaction with two or more entities on the network, causing assets to leave the network via those transacting entities.

•• Information security risks: Smart contracts may be susceptible to security breaches and improper administration. Participant entities or the network administrator will need a strong governance and change control process to deploy new or amend existing smart contracts. They will also need a robust incident management process to identify and respond to glitches in smart contract operations.

Oracles are entities that exist outside the blockchain framework but feed data to the network, which could trigger the execution of the smart contracts within the network. The biggest risk to a blockchain framework may lie within these oracles, as these could be subject to malicious attacks to corrupt the data being fed to the blockchain. This could cause a catastrophic domino effect across the entire network.
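The smart contract controls discussed above (exception handling that yields a programmatic output, not acting on stale data, and oracles as the biggest single risk), as an added example that is not the paper’s code: a simulated contract that settles a payment only on a quorum of fresh, authenticated oracle feeds, takes the median so that one corrupted feed cannot trigger it, and records every failure as an explicit outcome that other participants can see. Oracle names and keys, the quorum size, freshness window, strike price and all feed values are constructed; HMAC stands in for the digital signatures a real network would verify.

```python
import hashlib
import hmac
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not the paper's code. Oracle keys, quorum size, freshness
# window, strike price and all feeds are constructed for illustration; HMAC
# stands in for the digital signatures a real network would verify.
ORACLE_KEYS: Dict[str, bytes] = {          # registered at contract deployment
    "oracle-1": b"key-1-constructed",
    "oracle-2": b"key-2-constructed",
    "oracle-3": b"key-3-constructed",
}
QUORUM = 2              # valid feeds required before the contract may act
MAX_AGE_SECONDS = 300   # older feeds are "data from the past" and are rejected
STRIKE = 100.0          # contract pays out when the reference price >= STRIKE


@dataclass(frozen=True)
class Feed:
    oracle: str
    price: float
    observed_at: int    # unix seconds at which the oracle observed the price
    tag: str            # HMAC-SHA256 over "oracle|price|observed_at"


def _message(oracle: str, price: float, observed_at: int) -> bytes:
    return f"{oracle}|{price:.4f}|{observed_at}".encode()


def sign_feed(oracle: str, price: float, observed_at: int) -> Feed:
    """What a registered oracle publishes to the network."""
    tag = hmac.new(ORACLE_KEYS[oracle], _message(oracle, price, observed_at),
                   hashlib.sha256).hexdigest()
    return Feed(oracle, price, observed_at, tag)


def validate_feed(feed: Feed, now: int) -> Tuple[bool, str]:
    """Admit a feed only if it comes from a registered oracle, carries a
    correct tag, and is fresh relative to the block time `now`."""
    key = ORACLE_KEYS.get(feed.oracle)
    if key is None:
        return False, "unregistered oracle"
    expected = hmac.new(key, _message(feed.oracle, feed.price, feed.observed_at),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, feed.tag):
        return False, "bad authentication tag"
    if now - feed.observed_at > MAX_AGE_SECONDS:
        return False, "stale"
    return True, "ok"


def settle(feeds: List[Feed], now: int, payer: str, payee: str, amount: int) -> dict:
    """The contract's programmatic output for this block. Every failure path
    returns a recorded outcome rather than silently doing nothing."""
    valid: List[Feed] = []
    rejected: Dict[str, str] = {}
    for feed in feeds:
        ok, reason = validate_feed(feed, now)
        if ok:
            valid.append(feed)
        else:
            rejected[feed.oracle] = reason
    if len(valid) < QUORUM:
        return {"outcome": "exception", "reason": "oracle quorum not met",
                "valid_feeds": len(valid), "rejected": rejected}
    # Median: a single corrupted feed inside the quorum cannot move the result.
    reference = statistics.median(f.price for f in valid)
    if reference < STRIKE:
        return {"outcome": "no-op", "reference_price": reference, "rejected": rejected}
    return {"outcome": "transfer", "from": payer, "to": payee, "amount": amount,
            "reference_price": reference, "rejected": rejected}


def scenarios(now: int = 1_500_000_000) -> Dict[str, dict]:
    """Constructed situations the contract must handle without a silent failure."""
    fresh = now - 30
    healthy = [sign_feed("oracle-1", 101.0, fresh), sign_feed("oracle-2", 102.0, fresh),
               sign_feed("oracle-3", 100.0, fresh)]
    # oracle-3 is compromised and publishes an absurd price under a valid tag
    one_corrupted = [sign_feed("oracle-1", 95.0, fresh), sign_feed("oracle-2", 96.0, fresh),
                     sign_feed("oracle-3", 1000.0, fresh)]
    # two feeds are an hour old: on fresh data alone the quorum is not met
    stale = [sign_feed("oracle-1", 120.0, now - 3600), sign_feed("oracle-2", 121.0, now - 3600),
             sign_feed("oracle-3", 101.0, fresh)]
    # a feed injected without oracle-2's key is rejected; the honest quorum still decides
    forged = [healthy[0], Feed("oracle-2", 500.0, fresh, "0" * 64), healthy[2]]
    return {name: settle(f, now, "0xPAYER", "0xPAYEE", 1_000)
            for name, f in (("healthy", healthy), ("one_corrupted", one_corrupted),
                            ("stale", stale), ("forged", forged))}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, "->", result)
```

The `rejected` map is part of every output, including successful transfers, so a rejected or stale oracle shows up on the ledger as evidence for the incident management process the passage calls for, rather than disappearing inside the contract.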


Conclusion

The blockchain peer-to-peer framework offers the potential to transform current business processes by disintermediating central entities or processes, improving efficiencies, and creating an immutable audit trail of transactions. This provides the opportunity to lower costs, decrease interaction or settlement times, and improve transparency for all parties. This transformational framework could alter the way financial institutions conduct business, as many transactions are peer to peer in nature.

While the benefits are clear, there are myriad risks that may be imposed by this nascent technology. Understanding of the blockchain technology and its associated risks articulated in this paper may change and evolve as this technology continues to mature. It’s therefore imperative for all organizations to continue to monitor the development of this technology and its application to various use cases.

Blockchain technology will transform business models from a human-based trust model to an algorithm-based trust model, which might expose firms to risks that they have not encountered before. In order to respond to such risks, firms should consider establishing a robust risk management strategy, governance, and controls framework.

Components of an effective blockchain risk management framework

[Figure: risk management framework, with the following layers]

Business objectives: Improved time to market; Risk and compliance management; Growth / innovation; Client experience; Cost reduction

Core processes, supporting functions: Information technology; Human resources; Compliance; Finance; Other

Risk considerations:

•• Standard risk considerations: Business continuity; Strategic; Reputational; Security; Regulatory; Ops and IT; Contractual; Supplier

•• Value transfer risk considerations: Consensus protocol; Data confidentiality; Key management; Liquidity

•• Smart contract risk considerations: Business and regulatory; Legal liability; Enforcement of contract; Governance

Operating model components: Governance and oversight; Policies and standards; Management processes; Tools and technology; Risk metrics and reporting; Risk culture

1. Distributed Ledger Technology: Implications of Blockchain for the Securities Industry, January 2017: https://www.finra.org/sites/default/files/FINRA_Blockchain_Report.pdf

2. ibid.

3. Distributed Ledger Technology in payment, clearing and settlement, February 2017: http://www.bis.org/cpmi/publ/d157.pdf

Contacts

Authors

Prakash Santhana, Managing Director, Deloitte Risk and Financial Advisory, Deloitte and Touche LLP, 191 Peachtree Street, Suite 2000, Atlanta, GA 30303-1749, +1 404 631 2484

Yang Chu, Senior Manager, Deloitte Risk and Financial Advisory, Deloitte and Touche LLP, 555 Mission Street, San Francisco, CA 94105-0920, +1 415 783 4060

Swagatam Chakraborty, Senior Consultant, Deloitte Risk and Financial Advisory, Deloitte and Touche LLP, 100 Kimball Drive, Parsippany, NJ 07054, +1 973 602 6000

Livia Lima Fava, Senior Consultant, Deloitte Risk and Financial Advisory, Deloitte and Touche LLP, 30 Rockefeller Plaza, New York, NY 10112-0015, +1 212 492 4456

Contributors

Eric Piscini, Principal, Deloitte Consulting LLP, 30 Rockefeller Plaza, New York, NY 10112-0015, +1 212 436 7964

Abhishek Biswas, Senior Manager, Deloitte Risk and Financial Advisory, Deloitte and Touche LLP, 30 Rockefeller Plaza, New York, NY 10112-0015, +1 212 436 6398


This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms. Copyright © 2017 Deloitte Development LLC. All rights reserved.