Regulators keep an eye on crypto

Regulators keep an eye on crypto

Australian and overseas regulators are keeping an eye on crypto, with Australian prudential supervisors writing an open letter to banks, insurers and superannuation companies on risk management associated with crypto assets.

While there are no new prudential standards at the moment, the open letter sets out expectations under the current prudential framework. Australia is currently also consulting on proposed regulation of crypto asset secondary service providers, namely digital asset exchanges and custody providers.

What does the APRA letter say about insurers?

The latest update is APRA’s open letter to the industry directly relating to crypto assets. Relevantly for insurance companies, the letter does not set out any specific risks or expectations relating to insurance of crypto assets. The one reference to insurers is in the context of insurers investing in crypto assets. APRA wants to make sure that insurers nonetheless hold a sufficient amount of regulatory capital.

The main risk for insurers at the moment arises due to the volatility of crypto assets and difficulties in valuation. Technological safeguards also play a key role and insurers generally undertake detailed due diligence prior to issuing a policy where insurance is in relation to custody of crypto assets.

Nonetheless, the open letter contains some interesting insights on APRA’s views in relation to prudential risks arising from crypto assets.

Proposed regulation of CASSPrs

Consultation is open until 27 May 2022 in relation to licensing of crypto asset secondary service providers (CASSPRs), namely digital currency exchanges and also custody requirements for crypto assets. 

The proposed licensing regime will apply to all secondary service providers such as brokers, dealers or those who operate and market for crypto assets, as well as secondary service providers who offer custodial services in relation to crypto assets.  The regime will not apply to decentralised platforms or protocols.

The regime proposes imposing obligations on CASSPrs similar to those obligations currently applying to AFSL holders.  These include the requirement to provide services efficiently, honestly and fairly, maintain adequate resources to provide the services, having appropriate dispute resolution arrangements in place, and ensuring directors and key persons are fit and proper people.

The regime also imposes minimum financial requirements, including capital requirements, on CASSPrs as well as client money obligations.  CASSPrs would also need to maintain adequate custody arrangements.


The proposal also involves mandatory minimum principle‑based custody obligations for private keys held or stored by CASSPrs on behalf of consumers.  The security of private keys to prevent unauthorised access to crypto assets is of critical importance.  Accordingly, Treasury is proposing that mandatory obligations should apply, including that the assets are held on trust for the consumer.  This is to ensure appropriate segregation of assets and that the custodian of the private keys has the required expertise and infrastructure, including having appropriate processes to minimise the risk of loss of unauthorised access, and processes for compensation in the event the crypto assets held in custody are lost.

Impact on Insurance?

Assuming these proposals become law, it will be interesting to see whether CCASPrs will seek to obtain insurance to assist with some of these obligations.  In particular, the processes for redress and compensation in the event the crypto assets held in custody are lost.

Insurance companies are no doubt watching this space closely, noting that very few insurance policies currently cover crypto. Where it is available, cover is generally limited to theft of private keys while in cold storage (ie. offline).

If CCASPrs are regulated, this may result in increased demand for insurance of private keys in custody.  Insurance can play a role to ensure there is the capacity to provide compensation in the event that private keys, for example, are lost due to negligence of the custody provider.

Want to hear more? You can subscribe to this blog for the latest updates and thoughts.

Tim Chan is an insurance & insurtech lawyer at global law firm Norton Rose Fulbright and Founder of The InsurTech Lawyer blog. He regularly advises insurers and startups on emerging legal issues affecting the industry. Follow Tim on Twitter: @timinsydney