Yesterday, the Basel Committee on Banking Supervision (BCBS) published a paper exploring the risks associated with permissionless blockchains and how they can be addressed. Recently, the Basel Committee highlighted that it does not believe banks can adequately mitigate the risks associated with permissionless blockchains. As a result, crypto rules for banks make it very costly to hold assets on permissionless blockchains, including digital securities or tokenized versions of conventional securities. Digital securities issued on permissioned blockchains are treated more or less like conventional securities.
Most public blockchains are permissionless. However, the Basel Committee does not see a problem with the public aspect. It is the permissionless aspect that it finds most problematic.
The paper represents the views of its author, not necessarily those of the Basel Committee. It describes known issues, such as the risks of a blockchain hard fork and the lack of validator oversight. It explores KYC, AML, and CFT challenges and the lack of settlement finality on many DLTs.
This reminds us of a prediction made a few years ago by Caitlin Long of Custodia Bank: “Bitcoin is going to bring down a global systemically important bank (G-SIB) at some point because they don’t understand that the settlement risk is very different between bitcoin and traditional assets.”
One of the most difficult issues with many permissionless blockchains is low transaction throughput, which becomes a bigger problem in a crisis when everyone is heading for the exits simultaneously.
Managing Permissionless Blockchain Risks
While the steps to address permissionless blockchain risks are well known, this may be the first time anyone has documented them in a useful list. We think there is a good chance that the list will become more formal. As the Basel Committee becomes more comfortable with workarounds, it may relax the permissionless blockchain rule, but only if banks engage in assets and activities that qualify. From that perspective, this document could be important.
The first step is to plan for business continuity (BCP), for example by keeping an off-chain copy of asset ownership. The plan could also designate an alternative blockchain to which assets could be moved in the event of a crisis.
Many institutional tokens already use allowlisting, though denylisting is another option. Zero-knowledge proofs are mentioned as a path to privacy-preserving identity, though we favor truly decentralized identity.
Another commonly used de-risking strategy is to specify a token gatekeeper that can reverse fraudulent transactions and resolve other issues. This is a concept that crypto enthusiasts reject due to their “trust no one” philosophy. On the other hand, this same group has a strange willingness to park hundreds of millions, if not billions, of dollars with unregulated asset managers without independent oversight. For regulated institutions, the gatekeeper concept is a no-brainer.
In theory, privacy issues can be solved with privacy-preserving layer-2 permissioned chains. Alternatives include sidechains and various types of cryptography. Layer-2 chains can also solve congestion issues, but they still rely on layer-1 for final settlement.
Which public DLTs are already considered permissioned?
There are a number of permissioned public chains, although most of them do not have a large number of users. Among the most institutional ones are the IDB’s LACChain, Alastria in Spain, EBSI and the European Public Network.
Under the Basel Committee's definition, we believe that the Hedera public DLT qualifies as permissioned and has a reasonable user base. The 31 corporate board members control the nodes that write to the network. These members include Google, IBM, Shinhan Bank, Standard Bank, Worldpay, Nomura, and abrdn. Another advantage is that Hedera offers fast settlement finality. However, Hedera does not intend to remain permissioned indefinitely. Once the number of board members reaches 39, it aims to transition to a permissionless model.
Returning to the methods for mitigating the risks of permissionless blockchains, the paper concludes that “practices to mitigate these risks are in various stages of development and have generally not been pressure tested.”
Note: The author has no personal or financial interest in Hedera or associated tokens.