Luxembourg regulator CSSF issues checklist for blockchain risks

Yesterday Luxembourg’s primary financial regulator, Commission de Surveillance du Secteur Financier (CSSF), published a whitepaper about blockchain. The document covered more than the risks, but this was the focus.

Consider that regulators don’t have an easy job as they grapple with a raft of innovations, not least blockchain and cryptocurrencies. The CSSF acknowledged that blockchain “like any other innovation, can bring advantages and opportunities to the financial sector.” However, it noted that these sorts of “evolving technology-based innovation” present a challenge for regulators.

The CSSF emphasized that it was not endorsing the use of blockchain but outlined three examples of use cases. These include KYC, where one provider can verify a person’s identity and share that verification with other organizations via blockchain. This avoids the need for individuals to go through verification multiple times. 

Another application example is to reduce the intermediaries involved in cross-border payments. And the third use case provided is blockchain for fund distribution. This involves tokenizing funds as digital assets, which helps with automation, reduces intermediation costs, and enables the sector to mutualize the costs of the platform. Notably, Luxembourg has a high-profile example here, FundsDLT, which was initiated by a subsidiary of the Luxembourg Stock Exchange and has attracted backing from Clearstream, Credit Suisse and Natixis.

Blockchain, DLT risks

The CSSF did a decent job of creating a checklist for risk assessment. It divided the areas into governance, DLT-specific technology risks and traditional ICT risks. However, how the technology risks are managed might also be considered as governance.

Unsurprisingly, some risks are quite different depending on whether a permissioned or permissionless network is chosen. From a regulator’s perspective, an enterprise blockchain provides more control.

When it comes to DLT-specific technology, the CSSF sees five risk areas: the blockchain’s design, node management, smart contracts, key management, and privacy issues.

To highlight a handful of the issues raised: in terms of DLT design, one needs to look to the future, specifically at how to prevent an entity from monopolizing consensus and how to increase performance as adoption grows.

The strongest wording was reserved for key management. The loss of a private key “is a very high-risk unknown in the conventional financial sector.” The CSSF recommends duplicating hardware wallets and using multi-signature wallets to prevent being locked out. Separately, it raised the issue of what happens to assets when someone dies if those assets are held on a public blockchain. If nobody has access to the key, the assets will remain in limbo.

On the topic of blockchain security, the Cloud Security Alliance has published assessments for multiple enterprise blockchains, including Corda and Hyperledger Fabric. And in 2020, the DTCC published a DLT security whitepaper.