A Web3 Risk Mitigation Checklist

Also Published in Law360 (Found Here).

This article provides a compliance check-list for financial firms seeking to engage in Web3 related activities. It is a follow-up to my article published yesterday entitled, A U.S. Financial Regulatory Web3 Awakening (And Not a Moment Too Soon), which discussed in vivid detail the recent slew of Web3-related financial regulatory pronouncements and initiatives.

Some Background

For so-called fintech professionals in particular, take heed. The U.S. Federal Deposit Insurance Corporation, U.S. Securities and Exchange Commission, U.S. Department of Labor and U.S. Comptroller of the Currency have officially kick-started a range of burdensome, weighty and powerful regulatory initiatives pertaining to digital assets -- and cryptocurrency is not their only target. Financial regulators have also begun to set their sights on decentralized finance; non-fungible tokens; and other purportedly game-changing Web3 variants. (You can read all about these regulatory initiatives here.)

Of course, my advice for financial firms wishing to enter the Web3 fray is: Don't.

But if you insist, to help survive the burgeoning Web3 U.S. financial regulatory awakening, this article provides some guidance, in the form of a Web3 financial regulatory and compliance checklist. The goal is for this checklist to prove critical for the challenging and trying road ahead for financial firms exploring, or already engaging in, Web3-related activities.

The Stark Reality

Whatever prompted the current Web3 regulatory awakening, it should come as no surprise. Given the growing laundry list of perilous Web3 externalities; dangerous Web3 societal costs; and potentially calamitous Web3 financial systemic consequences, the engagement of U.S. financial regulators was inevitable.

After all, Web3 oversight falls squarely within the critical missions of U.S. financial regulatory agencies, which are fortified in bedrock principles of protecting investors; ensuring the safety and soundness of financial institutions; and policing fraud, chicanery and deception.

Hence: 1) FDIC, SEC, DOL and OCC efforts to begin to construct a “crypto-firewall” around traditional financial institutions are likely the first of many steps regarding Web3 activities; and 2) financial firms engaged in Web3 initiatives should prepare for a regulatory paradigm shift from laissez faire and caveat emptor to robust audit, inspection, investigation, surveillance, etc.

A Checklist

Financial firms venturing into the Web3 morass, especially activities relating to cryptocurrency, should redouble and recalibrate their risk assessment and risk mitigation strategies in anticipation of federal regulatory scrutiny. Immediate action items include:

  1. Auditors. Consult with outside auditors to ensure that there exists a well-documented independent, expert and objective risk and security assessment of all Web3 operations;
  2. Counsel. Meet with outside counsel to prepare for federal and state regulatory inquiries, requests, inspections, examinations and other inquiries;
  3. Independent Review. Confirm, via an independent review, that all financial statements, records and disclosure items relating to Web3 activities remain a fair and accurate depiction of those activities and in line with SEC and other regulatory accounting requirements. Confirm that all communications regarding the review are properly preserved and archived for easy access;
  4. Web3 Risk Assessment Team. Form an internal Web3 risk assessment and compliance team to review all Web3 related activities in light of existing accounting policies, respective deadlines for compliance, additional disclosure for upcoming filings and to address generally the broad range of risk-related, disclosure and compliance responsibilities and obligations relating to any Web3 activities;
  5. Connect the Dots. Whether by regulation or perhaps even by contract, financial firms should focus on “connecting the dots” of potential technological, legal and regulatory risks and uncertainties related to all digital assets. For example, a financial firm should factor in potential loss events (e.g., theft, loss of the private key, loss of the crypto-asset, cybersecurity hacks), which could affect not just the value measurement and safeguarding of a digital asset, but also any overall existential risk to an enterprise or threat to its customers;
  6. Documentation and Communication. Document not only risk mitigation policies, practices and procedures but also ensure the proper communication, elevation and discussion of all reports, issues, problems, findings, etc. to the highest levels of the C-suite and to the board of directors;
  7. Financial Professionals. For any financial professional offering advice to invest in Web3, there should be meticulously prepared documentation and communications as to how they can square their actions with duties of prudence, loyalty, transparency, etc.;
  8. Preemptive Strike. Develop a plan for a preemptive strike, to engage with regulators (federal and state) early and often before engaging in Web3-related activities, which is a good rule of thumb for any innovative or controversial financial practice. Whatever the activity, regulators expect clear and convincing evidence that a financial firm can conduct all activities in a safe and sound manner. Cryptocurrency activities in particular present a material red flag that a financial firm’s safeness and soundness could be at risk. Thus, anticipate a laundry list of concerns and questions and an evolving regulatory approach that could hinder any Web3 business and operations. Even indirect investment in a fund with a small percentage of its assets in digital assets could be deemed to be unacceptably risky;
  9. Boards. Boards should consider engaging an outside and wholly independent audit firm (solely limiting their work to digital assets) to review Web3 activities and report directly to the board’s audit committee; and
  10. State Financial Firms. Financial firms should read all of the recent pronouncements as if they apply, even if outside of their jurisdiction. For instance, state banks generally may participate only in activities that are permissible for a national bank, whether engaging in crypto activities or otherwise. Hence, state banks should discuss with their federal regulator the applicability of all financial regulatory pronouncements before engaging in any crypto-related activities. Whether mandatory or “in spirit,” compliance responsibilities relating to Web3 make sense for every financial firm, and it may be unwise to limit compliance solely based on jurisdictional mandates.

Looking Ahead

To me, U.S. regulators have begun to understand that when it comes to Web3, The Emperor Has No Clothes, and as the regulators spring into action, fintech professionals better buckle up, and prepare themselves for the bumpy ride ahead. Hopefully, the checklist offered herein will make the journey a little less challenging, though I offer no guarantees.

Having worked at the SEC for 18+ yrs, the last 11 as Chief of the SEC Office of Internet Enforcement; having taught cyber law at Georgetown and Duke Law Schools for 20 yrs; having spent 5 yrs at Stroz Friedberg fighting cyber crime; and having written close to 150 articles addressing the juxtaposition of law, technology and business, one premise seems abundantly clear to me. The bulk of Web3 can be both scourge and scam, so fail not at your peril.


*John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke University Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of "The Cybersecurity Due Diligence Handbook."