Yesterday the Hong Kong Monetary Authority (HKMA) provided guidance to banks on their use of distributed ledger technology (DLT). It provided risk assessment topics but said each solution needs to be specifically considered. While the Hong Kong regulator is willing to allow banks to use public blockchains, in some cases it says they should not be the first choice. In all situations, banks must take steps to compensate for heightened risks.
For example, one of the considerations is using the ‘right’ DLT network. “Permissionless networks may not be a natural first choice for applications involving the transfer of sensitive data,” the HKMA says. That’s because it deems the networks as more accessible to malicious actors. However, it says it would not rule out an open network if appropriate steps are taken to manage the risks. For example, a solution could use zero knowledge proofs to prevent access to sensitive data, or the application can store the sensitive elements off-chain.
Similarly, some of the validators might be pseudonymous and insufficiently trustworthy on public blockchains. Again, the HKMA didn’t rule out their usage, but banks must take compensating risk management steps. Perhaps one approach is if a bank contractually allows itself to revert some transactions. They also need to provide contingency planning for situations such as forks, 51% attacks, network congestion or if the network goes offline temporarily or permanently.
While Hong Kong is taking a pragmatic approach to permissionless blockchains, the Basel Committee wants to consider all bank usage of public blockchains as high risk. The resultant balance sheet treatment will make it unattractive for banks and industry bodies are pushing back.
Tokenized deposits
In its guidance, the HKMA mentioned tokenized deposits more than once. It recently launched the wholesale central bank digital currency (CBDC) Project Ensemble, where a major aim is to support tokenized deposits.
On the topic of interoperability and compatibility, it explicitly mentioned it had seen tokenized deposit projects limited to the bank’s internal networks. Its view is that the value added benefits to customers are far greater if tokenized deposits can move between banks. So, it wants to see interoperability between different DLT systems and traditional infrastructures to prevent fragmentation.
Hong Kong’s ten DLT risk assessment areas:
- Governance – including tech risk management, business continuity planning, outsourcing and staffing expertise
- The right DLT network
- Smart contracts must be fit for purpose
- Understand and mitigate legal risks
- Manage third party risks
- Interoperability and compatibility
- Cybersecurity
- Private key safeguards
- Data and privacy protection
- Contingency planning and testing
