TRM Weekly Roundup | July 18, 2024

In this week’s edition of The Weekly Roundup, Ari Redbord , Isabella Chase , and Angela Ang give us the rundown on this week’s decentralization, stablecoin, ransomware, and regulatory happenings around the world. Here are the headlines:

• France and Denmark publish papers on decentralization
• Hong Kong finalizes stablecoin regulations
• Korea’s Virtual Asset User Protection Act goes live
• Atlantic Council updates Cryptocurrency Regulation Tracker for 60 countries
• Ransomware attacks are heating up this summer—but so has the global response
• US Treasury Secretary is “very attentive to use of cryptocurrencies” by Russia

Read up on these top stories below ??

???Deciding on DeFi: France and Denmark publish papers on decentralization

Last week, the Autorité des marchés financiers (AMF) – France – France published their Summary Response to last year’s discussion paper on “Decentralised Finance (DeFi): Trading, Protocols and Governance Issues.” This publication followed a paper from the Danish Financial Supervisory Authority titled “Principles for the Assessment of Decentralisation in the Markets for Crypto-assets,” released at the end of June.

Both papers dive into the importance of actual decentralization when it comes to regulation. And both papers acknowledge that the level of centralization impacts whether or not a project falls within the regulatory perimeter. For example, if a DeFi project’s infrastructure layer is truly decentralized, then regulation may not be necessary or appropriate. Additionally, both papers acknowledge that decentralization exists on a sliding scale and evolves over time—however, they diverge on the need to certify smart contracts, a primary position of the AMF.

What’s next? Both papers will contribute to the broader EU discussion on how MICA impacts the DeFi space, with a report from the EU Commission expected by the end of the year.

?????Hong Kong finalizes stablecoin regulations

This week, the Hong Kong Monetary Authority (HKMA) and the Financial Services and the Treasury Bureau (FSTB) released the conclusion to their December 2023 consultation on the stablecoin regulatory framework.

The proposal brings all stablecoin issuers who issue or actively market the issuance of their fiat-referenced stablecoins (FRS) in Hong Kong under the oversight of the HKMA. Requirements are broadly in line with the Financial Stability Board (FSB) 's recommendations for global stablecoin arrangements and other leading jurisdictions. In order to access Hong Kong retail investors, stablecoins must be regulated under this framework.

The final rules largely stick to the proposal, but provide more clarity on the scope of regulated activity and regulatory expectations.

HKMA also announced three successful applicants for its stablecoin sandbox. The sandbox was launched in March to align regulatory expectations between the HKMA and would-be issuers. Explaining its assessment, the HKMA said these applicants “demonstrate[d] genuine interest in developing a stablecoin issuance business in Hong Kong with a reasonable business plan.”

Next, the HKMA and FSTB will prepare a draft bill for legislative approval later this year, which means we could see stablecoin regulation come into force by 2025.

?????Korea’s Virtual Asset User Protection Act goes live

Over in South Korea, the Virtual Asset User Protection Act is set to go live this Friday (July 19). The Act, which was passed in June 2023, is Korea’s first omnibus digital asset legislation and has a heavy focus on detecting and disrupting market abuse, as well as protecting consumers.

Regulators have been gearing up for implementation. Here’s a look back at some of the key milestones since the Act was passed :

• The Financial Services Commission/Korea Financial Intelligence Unit (FSC) consulted on and finalized detailed rules. These include segregation of customer and proprietary assets, 80% cold wallet storage requirement for customer crypto, and monitoring systems to detect unfair trading practices.
• Meanwhile, its sister agency, the Financial Supervisory Service (FSS), which will be responsible for ongoing supervision of licensed virtual asset businesses, worked closely with major Korean exchanges to ensure they were ready to comply with the Act. The FSS provided VASPs with a checklist as well as a consultation process to align implementation expectations. During the process, the FSS generally found that structures and resources were in place to comply with the Act. However, it identified certain deficiencies in areas such as customer asset segregation and cold wallet management.
• The FSS also established IT systems for detecting, monitoring, and reporting of virtual asset activities, especially market manipulation and unfair trading practices. These include a system for transmission of data on unusual transactions between the FSS and its regulated exchanges.

The coming months will test the resilience of crypto exchanges in Korea. A number of exchanges have shuttered in the past year, due to “worsening business conditions.” Seven VASPs in Korea have ceased business since May 2023, with three more suspending business for between five to eight months. The FSC noted last month that the number of VASP closures may increase further due to heightened regulatory compliance burdens with the Act coming into force.

???Atlantic Council updates Cryptocurrency Regulation Tracker for 60 countries

The TRM policy team is always looking for great resources on policy and regulation… which is why we were excited to see the Atlantic Council (AC) release a major update to their Cryptocurrency Regulation Tracker. According to the AC's insanely interactive tracker:

• Among the 60 countries studied, cryptocurrency is legal in 33, partially banned in 17, and generally banned in ten.
• Of the countries reviewed, 70% are in the process of making substantial changes to their regulatory framework.
• Both emerging-market and advanced economies still lag on regulatory frameworks and oversight. Only 19 of the 60 countries studied have regulations in place on taxation, AML/CTF, consumer protection, and licensing.
• Stablecoins are the next frontier of cryptocurrency regulation. With the implementation of MiCA in the EU, half of the G7 countries now have stablecoin regulations in place.
• Over 90% of the countries studied have active CBDC projects, indicating that countries adapt and update crypto regulation as they explore CBDCs.

Come for the great insights, stay for the cool global heat map and interactive country list here.

?? Ransomware summer?

This summer, we’ve seen a spate of ransomware attacks on a diverse set of businesses.

In June, CDK Global—a major provider of software solutions for automotive dealerships—suffered two significant ransomware attacks attributed to the BlackSuit ransomware gang. This double attack affected thousands of car dealerships across North America, impacting their ability to conduct normal operations such as vehicle servicing, sales, inventory management, and financing applications. TRM’s Head of Global Investigations Chris Janczewski confirmed to CNN that on June 21, about 387 bitcoin—then the equivalent of roughly USD 25 million—was sent to a cryptocurrency account controlled by hackers affiliated with a type of ransomware called BlackSuit. Mr. Janczewski did not identify who sent the payment, but, according to CNN, three other sources closely tracking the incident confirmed that a roughly USD 25 million payment had been made to BlackSuit affiliates and that CDK was very likely the source of that payment.

Then, just last week, AT&T disclosed that hackers had stolen the call records for tens of millions of customers—and the company paid a member of the hacking team more than USD 300,000 to delete the data and provide a video demonstrating proof of deletion.

According to reporting by Wired, the hacker him or herself—part of the notorious ShinyHunters hacking group—provided the cryptocurrency addresses that sent and received the ransom payment to Wired. TRM’s Mr. Janczewski confirmed to Wired that a transaction occurred in the amount of about 5.72 bitcoin (the equivalent of USD 373,646 at the time of the transaction), and that the money was then laundered through several cryptocurrency exchanges and wallets, but said there was no indication of who controlled the wallets.

While we have seen some major actions against ransomware groups this year (see LockBit), it is clear that attacks will continue to proliferate.

For more, check out TRM’s new blog post on recent ransomware attacks, tracing ransom payments, and how international law enforcement and regulators are attempting to fight back.

?? US Treasury Secretary is “very attentive to use of cryptocurrencies” by Russia

Last week, US Treasury Secretary Janet Yellen testified before the House Financial Services Committee. When asked about the Russian Central Bank’s recent statement urging the use of crypto to evade sanctions, Secretary Yellen responded, “We are very attentive to the use of cryptocurrencies and stablecoins. We don’t think it’s a very substantial thing that Russia is doing but as our sanctions bite more and more, it becomes a concern.”

As we shared last week, the Bank of Russia recently?advised?businesses to use cryptocurrencies and stablecoins to mitigate the impact of Western sanctions in the wake of Russia’s invasion of Ukraine. Russian Central Bank Governor Elvira Nabiullina acknowledged that payment issues are critical for the Russian economy and that “new financial technology creates opportunities for schemes which did not exist before. This is why we softened our stance on the use of cryptocurrencies in international payments, allowing the use of digital assets in such payments.”

• ????Join Kraken’s Crystal Noe , Zodia Custody’s Sophie Bowler , and TRM Labs’ Isabella Chase and Thomas A. for a webinar about sanctions and compliance, July 30 or 31. They’ll discuss how the regulatory landscape is changing for crypto businesses, talk about common sanctions evasion techniques (and how to overcome them), and share actionable guidance for building stronger sanctions programs. Get registered here.
• ?????Drew & Napier LLC and TRM Labs are teaming up for a panel discussion about the legal and compliance perspective on Web3 in Singapore on August 1. Request your invitation to join in on the learning, conversation, and networking here.