With election day approaching in the U.S., the regulatory environment for digital assets continues to be shrouded in uncertainty. No matter the outcome, investors should brace for regulatory changes in 2025, says Beth Haddock.
As the U.S. edges closer to election day, its digital asset regulatory landscape remains mired in ambiguity. Regardless of who wins, 2025 will bring regulatory shifts that investors must prepare for.
The recent World Economic Forum (WEF) report on global approaches to crypto regulation highlights the U.S.’s reliance on enforcement rather than clear policy, complicating growth and innovation, especially as compared to the EU’s structured MiCA (Markets in Crypto-Assets) framework which gives investors a regional roadmap for engagement. Regulatory uncertainty is particularly critical for decentralized finance (DeFi), where the U.S.’s aggressive enforcement strategy has resulted in chilling effects on innovation. For example, the SEC’s recent closure of its probe into ConsenSys without filing charges, while a short-term win for Ethereum-based DeFi projects, underscores the lack of regulatory consistency.
This uncertainty is creating opportunity as well as risk, as traditional financial (TradFi) institutions ramp up their entry into digital assets. TradFi firms, with sophisticated regulatory strategies honed over decades of navigating complex compliance environments, are better positioned than smaller crypto-native companies. As major players launch products like Bitcoin ETFs and tokenized funds, innovators without regulatory expertise may be squeezed out unless they adapt to emerging frameworks such as those proposed by the Stablecoin Standard, which offers voluntary requirements for transparency, operational resilience, and reserve-backing. This model could offer a path for other innovators to meet compliance expectations and accelerate growth and adoption.
For institutional investors, a strategic approach is crucial. Using a “regulatory ladder” framework, similar to a fixed-income ladder, can balance risk and opportunity across different asset profiles:
1. New TradFi entrants: Bitcoin ETFs and tokenized funds that have demonstrated regulatory compliance.
2. Payment processing innovations: Consider regulated stablecoins or other payment-related projects with transparent reserves and governance as seen in New York’s regulated stablecoins like Paxos and GMO-Z.com Trust.
3. Innovators: Allocate to high-potential, early-stage blockchain projects that are equipped to navigate shifting compliance requirements.
With potential regulatory shifts on the horizon regardless of election outcomes, investors should prepare diversified crypto portfolios that include both TradFi and nimble innovators backed by thoughtful regulatory strategies. Ultimately, as the WEF highlights, the U.S. must eventually reconcile its enforcement-first approach or risk losing its competitiveness to more progressive regulatory regimes in the EU and Asia.
At Berkshire Hathaway’s recent annual meeting, renowned investor Warren Buffett remarked on the growth potential of AI, stating, “[I]f I was interested in investing in scamming, it’s going to be the growth industry of all time.” Buffett’s comment underscores the risks associated with utilizing AI that hasn’t undergone thorough safety vetting. For advisors to enhance productivity and competitiveness, it’s crucial to grasp the changing AI landscape. Here are three strategies to achieve this goal: understanding AI safety vetting, staying competitive, and increasing productivity.
1. There is history behind the hype
Generative AI applications are poised to revolutionize financial services, offering enhancements across various sectors, from personalized customer service through chatbots to improved order handling with the introduction of Dynamic MELO, the first AI-powered stock exchange order type.
While these innovations may seem groundbreaking, it’s essential to recognize that traditional AI applications, such as those powering recommendation engines on platforms like Amazon, have long been integrated into financial operations, including banking, to detect fraudulent activities like money laundering.
Likewise, many of the risk management, compliance, and governance controls used for other technology can be applied to AI. To ensure effective integration of generative AI into financial services, firms must prioritize several key principles:
1. Understanding Priorities: Identify which generative AI applications are essential for their business.
2. Vendor Due Diligence: Implement governance processes to vet and manage technology usage, including third-party vendors.
3. Compliance & Governance Programs: Maintain a focus on safeguarding firm and client assets by monitoring usage disclosures and restrictions, adjusting cybersecurity controls, enhancing data governance, and ensuring adherence to privacy regulations.
2. AI issues are fiduciary issues
Advisors have an obligation to act in the best interests of their clients which extends to use of technology including AI. Whether it’s ensuring accountability for AI-driven errors in order handling or avoiding AI-washing in marketing materials, firms must uphold fiduciary standards. Last year, the SEC proposed a new rule to regulate predictive data analytics, encompassing AI, highlighting the importance of aligning firm practices with evolving standards. While the proposed rule has not been finalized, the SEC has set the tone for standards with its speeches, press releases, and enforcement cases.
In short, that guidance covers familiar fiduciary standards that are also relevant to AI adoption. For instance, advisors must prioritize honesty, transparency, and prudent management of assets including data. Additionally, when implementing AI, advisors should manage risks by committing to implementation principles such as to
During AI vendor due diligence, it’s crucial to assess a potential vendor’s alignment with fiduciary duties and evolving AI standards. Advisors should understand if a vendor has committed to certain standards and whether it has a strategy to keep pace. For example, advisors can ask
These legislative and regulatory efforts should address ethical concerns, transparency, and accountability, promoting risk management. For instance, certain states have proposed regulations based on “automated decision-making systems” (ADM) that would require notice, opt-out, and redress for harm from mistakes or bias. Creating a new technology or AI forum will allow timely risk discussions about the trade-offs of using AI. Many of the proposed regulations and laws are tethered to a risk management approach where firms are expected to assess and address risks associated with AI by
1. Requiring human monitoring
2. Risk mapping
3. Disclosure of when AI is being used
4. Identification of unacceptable AI risks
Stay Informed
These insights into AI trends highlight the importance of balancing innovation with material risks. As AI continues to evolve, advisors must ensure they stay informed and adapt to AI product trends.
Below are the 5 takeaways from the SolarWinds case where a CISO was held personally liable for fraud…
1. Culture & a sub-certification process for government filings is important
The CISO at the time signed the sub-cert that SolarWinds’ executives relied on. The CISO was also the “approver” and accountable for the Security Statement on the public website. The Statement included claims about relying on a secure development lifecycle (SDL). The SEC alleges several employees knew about inadequate disclosures & misrepresentations in the filings and website and they willingly participated in the cover-up or failed to take action to fix the public statements.
2. Internal communications can make a case for regulators
The facts showed many communications re: concerns including one “Well, I just lied” about a failure to disclose issues to a client. The communications seemed to be mostly within the CISO’s department.
3. A disclosure committee can be helpful
The SEC alleged the risk disclosures were too generic & hypothetical especially because known risks were not disclosed. A disclosure committee can help avoid stale disclosures.
4. Gatekeepers have an important role
It appears as though the board & lawyers did not detect or prevent the failure to disclose/inadequate disclosures. With smart inquiry, I wonder if some of the issues could have been mitigated.
SolarWinds had government clients that were harmed. As a government contractor, adequate disclosure of security incidents should be a top issue because of anticipated enhanced scrutiny & the nature of SolarWinds’ business as an expert offering cybersecurity products.
There were several failures of security controls including non-compliance with the NIST Framework. Why wasn’t this discovered by third-party audits and/or internal audit tests of the Company’s cybersecurity program?
5. Insiders need to carefully consider when to exercise stock options
The SEC claims the failure to disclose was tied to the CISO’s self-interest in keeping SolarWinds’ stock price inflated.
So far 2022 has been one of the busiest regulatory years we have seen!
Here we leave you with three takeaways for traditional finance and blockchain compliance programs:
Follow Gensler & other top regulators on Twitter
Basics are important. Have an independent review of your program
Understand operational risks & build resiliency. Use technology for duty of loyalty (conflicts), transparency (performance & costs/expenses), and care (conduct standards, ESG)
Blockchain Highlights
A must-see is the debate on blockchain and DeFi regulatory approach. Click here to watch it!
The FTX Breach article is an important reminder about the duty to users/customers
2022 SEC Wrap Up
Here is an inventory to help you recap SEC priorities for the testing of your compliance program.
Building the governance, risk, and compliance bridge between finance and blockchain
Guidance and developments overweigh enforcement this month. Please reach out with questions: understanding evolving standards is increasingly needed to navigate risks.
The Enforcement Environment
Token Promotion
The promotion of tokens/shilling increases securities law risks. In both SEC vs. Balina and SEC vs. Kardashian, the promoters failed to disclose they received compensation for promoting the tokens.
Requirements: In 2019, the FTC, which makes rules around truth and transparency in advertising, published simple guidance for social media influencers & required disclosure of payments. Though the SEC has its own rules for this issue, they largely parallel the FTC’s. SEC Chair Gary Gensler posted a video to highlight its position.
Reminder: Many regulatory cases are paired with class action lawsuits. The Kardashian settlement may impact the pending class action suit too.
Are you Decentralized Enough?
The CFTC settled with bZeroX, LLC and its founders for allegedly acting as an unregistered futures commission merchant (FCM) and failing to adopt a customer identification program as part of a BSA compliance program required of FCMs. Simultaneously, the CFTC charged the successor entity to bZeroX, Ooki DAO, with violating the same laws.
The CFTC found:
Registration – Defendants failed to register as an FCM
Commodities – “Virtual currencies such as ETH, DAI, and others traded on the Ooki Protocol are ‘commodities’ under the Act.”
DAO was not decentralized – “The acts, omissions, and failures of the members of the Ooki DAO unincorporated association (i.e., the Ooki Token holders who voted their Ooki Tokens to govern the Ooki DAO by, for example, directing the operation of the Ooki Protocol), as well as of those authorized to work on behalf of the Ooki DAO, were done within the scope of their office, employment, or agency with the Ooki DAO.”
“While I do not condone individuals or entities blatantly violating the CEA or our rules, we cannot arbitrarily decide who is accountable for those violations based on an unsupported legal theory amounting to regulation by enforcement while federal and state policy is developing”.
The House Committee on Oversight and Reform has requested info from 4 Federal agencies and 5 crypto exchanges on their actions and mechanisms to combat fraud.
New EU Directive – The European Union has formally approved the Markets in Crypto-assets (MiCA) directive. (Europe.eu) The European Union released its 8th package of sanctions against Russia, which include a ban on “all crypto-asset wallets, accounts, and custody services, irrespective of the amount of the wallet.” (Europa.eu)
Data Security
Binance, the world’s largest cryptocurrency exchange, was hacked. Binance reports mitigated losses of under $100M.
Global Coordination
International securities law watchdog IOSCO (International Organization of Securities Commissions) is working to create ‘common standards’ for crypto.
As the Ethereum network transitions its system through a new upgrade called the Merge, many are wondering which startups within its ecosystem will be best positioned to thrive in a post-Merge world.
Overall, it seems like the post-Merge startups that will succeed are ones that provide accessibility to both Web 2.0 and web3 users, whether it be something like a financial product or infrastructure that could try to ease the onboarding to Ethereum. Most notably, many think liquid staking pool providers will take the reins. Given the Merge’s switch to proof-of-stake, this could make sense.
The efforts to lower the network’s carbon footprint by about 99% are also at the forefront of many market players’ minds as it moves away from mining, which would make mining pool-focused startups a thing of the past. Startups that align with ESG objectives will definitely take a big step forward as sustainability efforts continue to grow.
It’ll be interesting to see how this all plays out over the next couple of months (to years) as the Merge is built upon and other upgrades are implemented into the network.
To further our understanding, we asked a range of crypto market players — including the co-founders of layer-2 blockchains Polygon and StarkWare, partners at VC firms, developers, and researchers — their thoughts on the Merge and which Ethereum-based startups may hit the ground running. (Some responses have been edited for clarity and length.)
One big misconception about the Merge is that it’s going to lower gas fees on Ethereum. This isn’t the case — it will lower the network’s carbon footprint by nearly 100% but won’t get rid of the high gas fees that have been a big issue for the ecosystem.
With that, we’re continuing to bet on projects that will make web3 more accessible to everyday users. The Ethereum network’s high gas fees and slow network speeds will continue to create high barriers to entry. At Symbolic, we’re looking for projects that will help onboard the next 1 billion users into web3. These are projects that everyday people accustomed to the frictionless experience of Web 2.0 will be able to easily pick up and engage with. We’re betting on dApps and infrastructure projects that will make web3 more accessible.
Mihailo Bjelic, co-founder of Polygon
To be frank, adoption of web3 startups will mainly be driven and determined by the same factors as in the Web 2.0 world — product-market fit and commitment of the founders. That being said, with the Merge and introduction of fast and efficient development platforms built on top of Ethereum, web3 infrastructure is pretty much ready for mass adoption and will additionally boost the adoption for web3 startups in general.
First and foremost, it will be about embracing the new technologies (e.g., Polygon) that build on top of Ethereum and provide all the features required for mass adoption like fast transactions, low fees, and a great user experience. Then, it will be about educating their users about the actual benefits of web3: transparency, ownership, borderless economy, and communities. I am personally confident that these two things will usher in the new chapter of adoption.
Eli Ben-Sasson, StarkWare co-founder and president
The Merge makes me think of the moment the first solar fields went live. We saw it’s possible to reduce the environmental impact of producing electricity. People didn’t say, “That’s great, problem solved.” They said if we’re generating electricity with less pollution, it’s time to double down on efforts to use the power more sparingly. There was a boom in power-conserving devices.
The same goes for the Merge. The computing power of Ethereum will involve a far smaller carbon footprint. But it will remain a scarce resource. Innovations aimed at using this resource more efficiently will now thrive. That is exactly why [Ethereum co-founder] Vitalik Buterin talks about layer-2 scaling solutions and the Merge almost in the same breath — because they are complementary.
All sorts of companies building on layer-2, whether ours or others, are going to thrive. I’m bullish on projects that bring crypto into daily usage for simple things like buying coffee and important things like owning and controlling our own data. The Merge, and successive changes on Ethereum, will also change the face of gaming, and companies that enable people to play games peer-to-peer and reduce reliance on big servers are likely to enjoy success.
Lauren Stephanian, partner at Pantera Capital
The Merge creates an environment where infrastructure for both staking and accounting is more essential than ever. Businesses like Staked, Blockdaemon and Figment abstract away the complexity of staking by enabling users to delegate their ETH and other proof-of-stake (PoS) tokens to [help] them to stake. Staking is also considered income, which creates a need for software that can help investors track and report rewards over time.
Beth Haddock, adviser to automated market maker DeFi protocol Balancer
A reduction of energy consumption by 99% will arguably align with sustainable development goals (SDG) and ESG investment objectives. With the Merge, projects can combat the critics of crypto’s so-called dirty secret.
Startups that are purpose-driven, either by community interests or commitment to SDGs, have a tremendous opportunity to tell a compelling story and gain more momentum. This is an opportunity to promote that alignment and attract more capital from those looking to support ESG-focused efforts and avoid greenwashing.
Vance Spencer, co-founder of Framework Ventures
I think the most direct beneficiaries of Ethereum’s Merge will be at the application layer. Once ETH becomes a yield-bearing asset, it’s entirely possible that it supercharges the DeFi platforms in which it is deposited. Additionally, I think several of the decentralized staking platforms, which provide users with liquidity after they lock up their assets, could see increased attention and usage after it becomes more clear that the Merge has gone through without any significant hiccups.
Jagdeep Sidhu, president and lead developer of Syscoin
There are a bunch of opportunities in the modular blockchain tech stack in the post-Merge world. For example, anything that helps rollups, anything related to zero-knowledge proofs, or anything that helps the infrastructure related to data availability. Very soon, Ethereum will integrate proto-danksharding (EIP-4844) along with danksharding subsequently. This will transition the Ethereum blockchain to be a unified data availability layer (for censorship resistance) in a rollup-focused road map.
With that in mind, there is a pressing need for services to index both optimistic and zero-knowledge rollup-based data availability for users to be able to have censorship resistance mechanisms to exit back to the main chain, assuming sequencers of the rollups fail to sequence or update with the user’s exit request. I haven’t seen anyone take that one on and it can be a service that can take tokens for payments for each request.
There also needs to be a unification of experiences related to having multiple rollups and segregated financial systems running on the differing rollups. Think of a rollup as a separate chain; we need better views on liquidity and state across these systems. Perhaps some astute developers can create liquidity sharing across rollups in secure ways, have ways to move across these rollups quickly or just have wallet experiences that can show what rollups you are involved in to let you switch easily.
Finally, as we scale the blockchain industry up through modular design, we will open up tons of untapped opportunities that we never would have thought possible (NFT, DeFi, and metaverse are examples of such market segments). We need better wallet experiences that allow users to differentiate their experiences compared to how they will be interacting with dApps.
Jupiter Zheng, head of research at HashKey Capital
A few sectors may benefit immediately after the Merge, namely scalability solutions and liquidity staking services. In regard to liquidity staking, we predict that staking yield will rise (meaning validators will see increased transaction fees and maximal extractable value). This in turn may increase user participation and broaden the market potential for liquid staking services.
Scalability solutions may also go through an upheaval. Companies and startups building with the data availability layer in mind may perform better and essentially enjoy the next layer-2-like opportunities. These early adopters may attract plenty of capital and projects to build around it.
Baek Kim, partner at Hashed
Ethereum’s move to a PoS mechanism fundamentally changes the power dynamics in the crypto industry. Liquid staking pool providers will play bigger roles and on-chain governance will become the most intense category to see new experiments to carry on the innovation.
Feras Al Sadek, managing partner at Ghaf Capital Partners
A post-Merge world will better equip mass adoption to take place for the back-end developers and the front-end users of the Ethereum ecosystem. With the Merge provoking enhancement in security, scalability, and overall functionality, all segments of this industry shall be given a platform to reinvent themselves.
Not to mention the reduction in energy consumption that a PoS model will bring by slashing down Ethereum’s electricity usage by 99%, allowing crypto to finally be in alignment with a greener future that the world is trying to build.
However, blockchain gaming and infrastructure services shall be at the start of the line claiming their spot as the initial benefactors of this massive upgrade.
Alex Ye, head of research and economics at Republic Crypto
One non-trivial consideration for the post-Merge era is how long it will actually take to sort and settle the existing developers and users to the new chain. Once that eventually subsides, I’m confident we’ll see roll-up projects, particularly in the zero-knowledge category, compete at a breakneck pace, where we’ll be keen to track and back the best teams. This will be the Ethereum ecosystem’s opportunity to answer the app-chain craze as applications evaluate running their own chains via subnets, Cosmos, supernets, etc.
That said, we have to remember that the Merge is just the beginning of potentially much more to come, with the Surge, Verge, etc., though we should certainly keep our expectations tamed given the amount of delay we’ve seen leading up to the Merge.
James Key, CEO, and founder of Autonomy Network
Most people don’t realize that the Merge won’t actually increase the scalability (cheaper transaction fees) of Ethereum immediately — this is the first stage of many and the scalability will come in later upgrades.
One thing that will actually change with the Merge and its switch to PoS is ESG. Since PoS no longer uses massive amounts of electricity, and therefore carbon emissions, like proof-of-work (PoW) mining, Ethereum now becomes an ESG-friendly platform and asset. The dApps building on Ethereum will now also be ESG-friendly; therefore, ESG-focused startups will be the largest benefactors from the Merge.
This month we share a few articles about risk management and why it is important to consider emergent as well as current risks. We hope these thought pieces help you prepare for a busy fall and year-end.
The Environment
Tornado Cash Matter: Sanctioning Tornado and the development of smart risk-based controls in a DeFi environment.
Blockchain Compliance & Risk Practice Tips: We need more FOMO for risk. Check on your legal and risk framework.
DAO Risk Framework Announced: A White Hat approach to Management of DAO Risks.
The California state legislature passed the Digital Financial Assets Law, a bill requiring crypto businesses to be licensed. If signed by the governor, it will be a big change for many companies.
UAE Regulatory Authority announces new guidelines requiring factual accuracy in marketing virtual assets. Review your marketing against these standards.
FINRA sanctioned National Securities Corp. for failing to disclose material information and attempting to artificially influence the market by attempting to induce purchases in the aftermarket of offering.
Your Compliance & Risk Program
Code of Ethics are an important training topic: Review your training against the latest SEC Risk Alert Investment Adviser MNPI Compliance Issues.
What is certain? Death, taxes… and, IMO, regulatory efforts against crypto projects will not slow down. Although there is more uncertainty than certainty when it comes to what it means for DeFi and other crypto projects to show good faith adherence to applicable laws, two facts certain to me are 1) taxes and anti-fraud are important bellwether issues and 2) we are moving towards global alignment of expectations and enforcement.
If a project can develop and commit to a strategy that focuses on the knowns instead of the unknowns, they can avoid predictable surprises and mitigate risk and disruption.
What is known? If a project is fully and legally decentralized, they are operating with less regulatory risk. On the other hand, if a project aspires to become decentralized, they are in a risky posture. What I believe is also known, or certain, is that regulators will achieve their stated objectives indirectly if direct actions are not available or practical. For example, if regulators cannot rely on clear authority through laws, rules and regulations, as they have done in traditional finance, they will advocate standards through enforcement cases and informal guidance. This may be an unfair approach; however, there is precedent for this signaling strategy and it is not wholly unexpected after recent indications through speeches, proposed rules, investigations, and enforcement cases, particularly after Celsius and recent hacks that have been designated as national security and economic resiliency risks.
Rather than only lament about the need for a change or wait for regulatory authority to be certain, projects should also adopt smart risk-based controls to meet current expectations. Now is the time to consider which vendors can help you and how a project can collaborate and build its own risk program, so it can limit reliance on vendors and sharing information. It is important to call attention to overreaching and inappropriate regulation by enforcement, but it is also important to plan for the new normal until there is formal legal certainty.
So what does this specifically mean for projects trying to manage risks?
In addition to inventorying the knowns that are relevant for your project, I’d offer that you need:
To be agile, expect developments will continue.
To expect the pressure will increase, not go away.
Educate yourself and secure advisers that can help you build your own risk-based controls, like sanctions screening, that you’re comfortable with.
The Tornado Cash matter is not a total surprise for a number of reasons. In addition to regulation by enforcement, regulators target pressure points, such as mixers, in order to be efficient. Regardless of fairness or authority, in this case, they are sending a clear message that any entity that is facilitating fraud is fair game.
“While most virtual currency activity is licit, it can be used for illicit activity…”
They do not consider this action as simply banning and sanctioning open source code on the internet.
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks” — OFAC press release
Industry pushback on scope, approach and authority should not be the only focus. Projects should also focus on fixing any unintended consequences of the recent addition to the sanctions list. Use of sanctions vendors should be audited, adjusted to adhere to requirements and eliminate false red flags such as blocking a wallet that was victim to dusting.
How can projects adjust?
Consider these 4 takeaways:
Vendor help is only step 1: A vendor only provides info. Projects make the decisions about use of the tool. Projects should review and check vendor rules. Vendors make mistakes or use standards that don’t fit every project. Users should manage the vendors.
Investigate, instead of block, where possible: Projects can drift from blocking all wallets to investigating hits and only block wallets if it is blocked activity.
Calibrate the approach. Be risk-based: Projects can use de minimis thresholds, when appropriate, before blocking and plan to calibrate the tools.
Create an escalation and appeal process that quickly addresses false positives: When there is a new addition to a list or a new requirement, there will be implementation issues. If a beta or pilot isn’t possible, be prepared to address feedback.
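The four takeaways above, as an added example that is not the author's or any project's code: a small Python screening routine that treats the vendor hit list as data the project normalizes and checks, applies a de minimis threshold before blocking, distinguishes a dusting victim (unsolicited inbound dust) from a wallet that chose to send funds to a listed address, and routes anything non-obvious into a review/appeal queue instead of a hard block. All addresses, amounts, thresholds and the vendor list are constructed for the example.

```python
"""Risk-based sanctions screening with investigate-before-block and an appeal queue.

Added example; the vendor list, addresses, amounts and thresholds are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REVIEW = "review"   # investigate the hit; do not block yet
    BLOCK = "block"


@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    amount_usd: float


@dataclass
class Policy:
    listed: frozenset              # vendor hit list: an input, not the decision
    de_minimis_usd: float = 100.0  # outbound below this is reviewed, not blocked
    dust_usd: float = 5.0          # unsolicited inbound below this looks like dusting


def norm(addr: str) -> str:
    """Lowercase so checksum-cased vendor entries still match on-chain data."""
    return addr.strip().lower()


def load_vendor_list(raw_entries) -> frozenset:
    """The project re-checks vendor output rather than using it verbatim."""
    return frozenset(norm(a) for a in raw_entries)


def screen(wallet: str, history: list[Transfer], policy: Policy) -> tuple[Decision, list[str]]:
    """Classify one wallet from its transfer history against the policy."""
    w = norm(wallet)
    if w in policy.listed:
        return Decision.BLOCK, ["wallet itself appears on the list"]
    outbound = [t for t in history if norm(t.sender) == w and norm(t.receiver) in policy.listed]
    inbound = [t for t in history if norm(t.receiver) == w and norm(t.sender) in policy.listed]
    if outbound:  # the wallet chose to interact: blocked activity above de minimis
        total = sum(t.amount_usd for t in outbound)
        if total >= policy.de_minimis_usd:
            return Decision.BLOCK, [f"sent ${total:.2f} to listed address(es)"]
        return Decision.REVIEW, [f"sent ${total:.2f} to listed address(es), below de minimis"]
    if inbound:  # the wallet did not choose this; investigate instead of block
        if all(t.amount_usd < policy.dust_usd for t in inbound):
            return Decision.ALLOW, ["only unsolicited dust from a listed address; likely dusting victim"]
        total = sum(t.amount_usd for t in inbound)
        return Decision.REVIEW, [f"received ${total:.2f} from listed address(es); investigate first"]
    return Decision.ALLOW, ["no exposure to listed addresses"]


@dataclass
class Case:
    wallet: str
    initial: Decision
    reasons: list[str] = field(default_factory=list)
    final: Decision | None = None
    note: str = ""


class ReviewQueue:
    """Escalation/appeal queue so false positives get resolved, not left blocked."""

    def __init__(self) -> None:
        self.cases: dict[str, Case] = {}

    def open(self, wallet: str, decision: Decision, reasons: list[str]) -> None:
        if decision is not Decision.ALLOW:
            self.cases[norm(wallet)] = Case(norm(wallet), decision, list(reasons))

    def resolve(self, wallet: str, final: Decision, note: str) -> Case:
        case = self.cases[norm(wallet)]
        case.final, case.note = final, note
        return case

    def effective(self, wallet: str) -> Decision | None:
        case = self.cases.get(norm(wallet))
        if case is None:
            return None
        return case.final if case.final is not None else case.initial


# Constructed vendor list (mixed case on purpose) and sample histories.
POLICY = Policy(listed=load_vendor_list(["0xSANC1", "0xSanc2"]))
SAMPLE = {
    "0xdustvictim": [Transfer("0xsanc1", "0xdustvictim", 2.00)],
    "0xbigsender": [Transfer("0xbigsender", "0xSANC2", 500.00)],
    "0xsmallsender": [Transfer("0xsmallsender", "0xsanc2", 20.00)],
    "0xrecipient": [Transfer("0xsanc1", "0xrecipient", 300.00)],
    "0xclean": [Transfer("0xclean", "0xfriend", 75.00)],
}


def run_demo() -> dict[str, Decision]:
    """Screen every sample wallet and queue the non-allow outcomes for review."""
    queue = ReviewQueue()
    results = {}
    for wallet, history in SAMPLE.items():
        decision, reasons = screen(wallet, history, POLICY)
        queue.open(wallet, decision, reasons)
        results[wallet] = decision
    return results


if __name__ == "__main__":
    for wallet, decision in run_demo().items():
        print(f"{wallet:15} -> {decision.value}")
```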
To recap – the topic is complicated and elicits strong opinions and discourse. IMO projects should prioritize three next steps:
Decentralize further
Implement — Implement a governance, risk and compliance (GRC) program. Don’t wait for more certainty about explicit laws.
Commit to ‘Need to Know’ — Protect privacy of users, but don’t fight the current expectations to address sanctions and anti-fraud. There is a big gap between web2 data collection with use of data to grow a business and DeFi data collection of only data that is needed to reasonably protect contributors and follow applicable sanction laws. Limited collection and use still protects users’ privacy. We will need to smartly tackle how to address the practical implications of the conflict between protection of privacy and protection from fraud.
At the heart of most web3 projects is the assumption users will be better off with decentralization than with centralized control. But what if in an effort to innovate and disperse control, projects are putting users in a more vulnerable position?
Vulnerability can grow when risks are underestimated or ignored. We are seeing some of that pressure with Celsius, Three Arrows Capital, and most recently with the SEC action against Forsage. Risk management is more important than ever, yet many DeFi and web3 projects spend time and money creating a legal framework without carefully considering operational risks. A stress test of a project’s legal structure can help assess its resilience and indicate whether it is well-positioned to handle predictable surprises such as governance, compliance, and risk (GRC) events. In a time of growing concerns about the financial stability of crypto-assets, and a call for more regulation, this assessment exercise is needed to deftly adjust to the changing tides. (FSB July Statement)
“DAOs — decentralized autonomous organizations — are an essential tool in achieving the self-empowering benefits of web3, including more equitable ownership among stakeholders, reduced censorship and greater diversity” Jennings & Kerr framework
DAOs are a crucial counterbalance to centralized technology innovators, but to make open and decentralized alternatives sustainable, risk management needs to be prioritized. If it isn’t, users are exposed to unnecessary risk of loss of their data, investments, and other contributions.
In a previous post, I introduced a new GRC framework that can be used to score how well a project manages risk.
To start the assessment, consider two pivotal questions:
Are you positioned to engage with the community and get ahead of developing risks?
Are you agile enough to address inevitable GRC risks or does your legal structure increase operational friction and inefficiency?
How do you measure up?
Use the GRC Comparison Chart below as a check on your legal and risk framework. As you consider these questions, test your assumptions against 5 different priorities. These will inform your conclusion about whether you are positioned to handle GRC.
GRC Comparison Chart: observations about whether and how each organizational structure can help manage specific GRC risks within the GRC Principles & Pillars. The five priorities the chart scores are:
Incentives
Alignment
Sustainability
Personal Liability
Crisis Management
Managing GRC is more than just working on your initial legal structure. Reach out if you are interested in learning more about how to protect your project and users with GRC risk management. team@warburtonadvisers.com
Beth Haddock is an advisor to stablecoins, DeFi platforms, and fintech projects including the Balancer ecosystem and GYEN.
A bear market is a clear test of resiliency, and some blockchain projects are struggling to pass that stress test. Celsius halts withdrawals; Rari goodbye & nod to predatory tactics; Babel suspends redemptions & withdrawals. But we also see successful white hat hacks that raise the potential for more holistic resilience across web3 projects. DeFi Attack Averted. Surprisingly, these ethical hacks resemble risk and compliance controls in heavily regulated businesses, but they are more effective because of timing: the white hat acts while the exposure is live and before funds are lost, rather than reviewing after the fact. Instead of a centralized gatekeeper trying to cajole a team into committing to risk mitigation, the wide engagement a DAO allows makes behavioral incentives more intuitive and effective, with less resistance.
For sustainable growth in web3, let’s adopt a behavioral incentive approach for all governance, risk and compliance (GRC) matters, not just cyber security. Incentivizing self-reporting by aligning everyone with the interests of the community (a “white hat approach”) will, at a minimum, more clearly separate the bad actors from the innovators. A framework for DAOs is crucial in order to align behavioral incentives, so web3 projects do not repeat the inherent dysfunction of traditional GRC programs. Action is needed now to ensure the framework fits the new ethos and can refute increasing claims by regulators and litigants that a layer of traditional controls should be mandated for web3 projects. One recent example is the debate about how to regulate Tether. Let’s use decentralized consensus and collaboration to incentivize better business conduct.
II. Perils of Traditional GRC and Wait and See Strategy
Once business priorities and the legal entities to support them are decided, the next step is to decide whether a project will build a GRC program. After funding is secured, regardless of the size of a project or its potential treatment as a financial product, it’s time to understand threats to the project’s viability. Viability threats can be vast, from operational risks that cause errors or make it hard to recruit and retain talent, to regulatory and legal risks that determine whether the project could be halted or distracted by government inquiries. Yet most projects do not proactively address regulatory and operational risks after establishing their legal and business framework. With a bear market and increasing concerns about protection of users, many regulators and legislators are considering how to regulate web3, particularly how to retrofit traditional GRC requirements. SEC Chair Gensler speech; Sec. Yellen remarks; New EU-wide regulation; New crypto framework in Brazil; New Singapore crypto law
A Web3 project has at least two choices:
Wait and see whether government requirements apply and build a framework then, taking on all the material civil and criminal risks that come along with a wait and see strategy, or
Build a tailored framework that uses the same ethos as ethical hackers and permits the ecosystem to choose its priorities.
If the majority of web3 projects opt for the wait and see approach, web3 would arguably lose an opportunity to build a better GRC paradigm. Those projects would accept the heightened risk that they later need to retrofit a traditional GRC program into the DAO, and/or that they are not prepared for inevitable changes to tax, legal and regulatory requirements.
The traditional GRC framework has a mixed record on effectiveness. The Transparency International Corruption Perceptions Index (CPI) indicates that despite all the money and effort spent adhering to legal and regulatory requirements designed to fight fraud, traditional GRC programs are failing to eliminate it. With no meaningful improvement in the last decade and over 50% of countries receiving a failing CPI grade for fighting corruption and fraud, the centralized approach is not delivering an ROI. Transparency International CPI. Instead, many compliance officers struggle to align incentives and gain collective ownership to report and solve governance gaps. We continue to see corrupt corporate behavior at some of the world’s most successful companies. FCPA Violation 120 mil in fines; Retirement Account Fraud; Fraudulent Bond Sale
The new GRC paradigm is poised to leverage the power of decentralization and incentives. For example, compare white hat (ethical) hackers protecting against cyber threats to whistleblowers fighting corruption and theft. Whistleblower reporting channels are required, and reports rewarded, under several existing regulatory regimes in order to incentivize self-policing. EU Whistleblower Directive; SEC Whistleblower and Bounty Program; Anti-corruption Whistleblower Cases. However, whistleblower reporting within businesses is notoriously ineffective at preventing corruption before it occurs; in practice it is reserved for bringing the problem to the public after the fact. Facebook Whistleblower
There is a strong rationale for not waiting for new regulatory mandates and instead building a Web3 GRC framework that uses the same ethos as ethical hackers to proactively self-govern. This will allow the ecosystem to choose its own priorities and make its own decisions.
III. New GRC Framework
In order to maintain a sustainable peer-to-peer ecosystem, the members need to build trust and deliver on transparent governance. A sustainable GRC program will incentivize addressing conflicts and issues before they threaten the viability of the project. SushiSwap CTO Resigns; SushiSwap Feud
Guiding principles for sustainable governance are:
Agile & Iterative — Expect changes, build in flexibility and a modular approach that can be adjusted when new risks surface
Disclosures & Transparency — Assume conflicts and risks should be known, so users are informed
Anti-Fraud & Consumer Protection — Prioritize well-being of users and adopt a guardian lens
Caution & Escalate — Create the white hat approach, build in self-reporting incentives and avoid whistleblower pitfalls
A sustainable GRC program should adopt 5 pillars:
1. Know the environment and prepare
As with pen testing or a hackathon, expect inquiries from government authorities and litigants. Prepare with an advisory bench and a narrative of the project. The narrative should define which features are in and out of scope, so the project tells its own story before being asked to defend it to the government or litigants. Hire a “white hat” advisor to audit your performance against these pillars and guiding principles.
2. Create and manage a road map
Create a practical risk inventory based on current developments and maintain it. Assess the relevance of the risks to the project and prioritize drafting a project list to address the top risks. Use the inventory as a confidential road map with use cases and examples to size risks.
3. Create an escalation and questions forum
Create a private GRC Slack channel or Discord, team meetings and a Q&A. Make it easy to ask questions and escalate concerns. Consider building a path where reporting is anonymous to remove any hesitancy; if you promise anonymity, make sure the tooling actually withholds the reporter’s identity and metadata, since a channel that is anonymous in name only deters the reports you most need. Set a record retention policy so you retain the documents you need, and create a rational destruction schedule to balance data sharing against security risk. For instance, corporate documents should be retained for the life of the organization, whereas Slack and text messages may contain personal information and should have a short retention period to limit what is exposed if there is a data breach.
4. Have a public relations & communications strategy
Set standards for community, project and personal opinions. Set guidelines to avoid shilling and conflicts of interest and provide examples of balanced communications. Consider
creating an understandable risk mantra or disclosure for public communications, such as “Be informed & accept the risks”, “Consider before you act” or “Read our forum and blogs for more info”, and then creating an FAQ,
the experience of the target audience as you write,
citing a third-party source when making projections or promissory statements,
avoiding investment terms unless there’s an expectation of investment oversight from the government.
5. Develop protocols for managing GRC
Rather than creating protective traditional legal documents, create short, accessible standards for the team to follow. Be strategic about accepting certain risks, create a risk plan to address short, medium and longer-term issues.
Expect to change the GRC program and adopt 4 north star attributes:
Support and Affirm Alignment: Draft a Code of Conduct, Terms of Use and UI Disclosures
Global Approach: Adopt a borderless strategy, but focus on the jurisdiction of a concentration of users, prevent criminal liability & rely on jurisdictions with guidance — DOJ Criminal Division — Evaluation of a Compliance Program
Tech Company Policies: Orient your GRC efforts for a technology company. Draft a Sanctions, Privacy and Cookies policy and procedures
Anti-Fraud Efforts: Include an anti-fraud mindset within product development perhaps as part of user experience efforts. Mitigate risks with a consistent focus on serving the interests of users, community and ecosystem. Draft listing standards, implement user protection with bad actor blocking, focus on cyber security, follow a marketing/business development review process before content is posted on public forums.
IV. Conclusion
Resilience of a web3 project will not just entail fighting TradFi’s and the government’s perception of risks; it also means addressing concerns from within the community. “Most crypto projects are designed with extremely predatory tactics that hurt retail. Most crypto projects have 0 intention of doing anything besides dumping on retail.” Founder Rari Capital
Reach out if you are interested in a confidential GRC assessment. Warburton offers assessment services including advice on options and best practices and a set of template documents.