How to pass the time on a 24-hour flight

Two recent white papers on crypto assets and cyber securitiy by the ISSA will make excellent reading material for readers making the long-haul flight to SIBOS 2018 in Sydney next week.

With the advent of SIBOS, ISSA has found a solution to the long boring hours of flight out to Sydney. It has produced an outstanding and relevant newsletter which is well worth downloading. For European travellers, I recommend the paper on crypto assets for the outbound flight to Singapore, Bangkok or Hong Kong. Cyber security is an excellent palliative to the ennui of the final leg to Sydney. And the regulatory development piece will ensure that attendees are up to date with events in a fast-changing world.

Having been an advisor and consultant for over a decade now, I am amazed at how much more professional and demanding the industry has become since the days when, if I look at relative fees and cost structures, I had a licence to print money as the global head of a securities services business. As a past director of ISSA with over 18 years of board experience, I am amazed at how it has evolved into a genuine think tank, but has managed to retain its pragmatic edge by seeking solutions and not baulking at the difficult challenges.

As one who was introduced to the industry in its Neolithic paper-based age, my experience of crypto assets has been superficial. But the ISSA paper explains the broad field of this emerging asset class and tackles some of its issues. Satoshi Nakamoto argued for crypto assets to self-police. Indeed, he said “the main benefits are lost if a trusted third party is required”. But he approached, perhaps, the issue from a historic year 2000 risk management perspective and not one where safety of assets is an intermediated rather than investor risk.

I remain to be convinced, despite the ISSA paper, that infrastructure needs to become a trusted intermediary in this space; I question if well capitalised financial institutions could not have a role.  But the ISSA paper correctly points out that crypto assets, whether a currency, asset backed or traditional assets with their inherent stored value, tend to be traded and operated over blockchain or similar distributed ledger environments. These environments tend to have their own rules and live outside or partially on the cusp of regulatory, legal and fiscal ecosystems.

The main challenge, according to ISSA and in sensible contradiction to the views of Nakamoto, lies in the need for trust and sound governance. Although sound governance is not fully defined it has surely to embrace the safety of assets, resolve the question of the regulatory status of the DLT environment used and identify the capital backing to any commitments made to holders. Crypto assets are estimated at $214 billion, although the volatility, partly due to absent liquidity as the ISSA paper shows, may mean these changes dramatically by the time of SIBOS; but any extrapolation of past growth trends indicates we could easily be talking of a trillion-dollar market in a decade or so.

The second ISSA paper, recommended for the Asia to Sydney route, relates to cyber security. I am surprised how the millennials are much more alert to this risk at a personal level, using VPNs over hotel internets as just one example. Conversely, management at top level know it is an issue because they can be fired as a result of a breach, but they are amazingly ignorant of the subject. Thus, the ISSA paper is an excellent document for them to read.

Quite rightly it advises that “theft of securities may be considered less appealing to cyber attackers than a payment”. But this should not give false comfort to the industry for theft of cash may be more complex than theft of securities in poorly shielded environments; thus, increasing the appeal of the more complex asset thefts. And the paper, quite rightly points out, that our industry holds three core attractive values for criminals, namely traded assets, cash and data. And a cyber attack causes disruption. And, if we are moving into an era of cyber warfare, the major targets will be the infrastructure and access could be through their weakest link among suppliers and users. The comments around cybersecurity due diligence and internal controls in the paper is an excellent starting point. As in the standard KYC industry package, we need to institutionalise those ideas. This will be less simple than the standard due diligence approach as the border between cyber due diligence and protection of the integrity of one’s controls is indeed a fine line.

The final paper in the ISSA newsletter related to regulatory developments. It is very readable and informative. Although it will bring no surprises to many major firms, or at least those who read their internal briefings, it does provide a valuable tour d ’horizon of the regulatory environment and the added responsibilities of management in the business. The section on taxation of digital services was opportune given the work being undertaken by many governments to ensure they achieve parity between the e world and the physically located one.  Reading the paper, and so relevant to SIBOS, I could not fail to notice the demand for data, the need for logical and comparable data pools or lakes or seas.  And, just as cybersecurity requires due diligence on one’s broader environment including suppliers and clients, the liability of intermediaries, which is highlighted far beyond the section on asset safety in the ISSA paper, makes such regulatory due diligence an imperative as well.

And in case of delays at the airport there is also a useful article on a segment of the market where ISSA has become the expert voice, namely financial crime compliance. As I have memories of flying out to SIBOS 2008 and getting embroiled in the trauma of Lehman the night after I landed, I hope SIBOS Sydney is associated with meaningful debate on these critical issues and not a crisis due to industry failings in the control process.