Why Basel Should Not Apply A Blanket Infrastructure Risk Add-On For Group 1 Cryptoassets

  • The Basel Committee has proposed an “infrastructure risk add-on” for Group 1 cryptoassets to capture “unforeseen risks” arising from the use of distributed ledger technologies (“DLT”).
  • Any potential risks arising from novel features associated with Group 1 cryptoassets will eventually be captured through existing mechanisms for controlling and mitigating financial and non-financial risks. We demonstrate with three use cases that these potential risks are captured by the established prudential capital requirements and mitigated by prudential regulation and supervision respectively.
  • As a result, the Basel Committee should not apply a blanket infrastructure risk add-on for Group 1 cryptoassets. Otherwise, the infrastructure risk add-on will act as a strong disincentive for responsible financial innovation, with prudentially regulated institutions being deterred from meeting increased institutional clients’ demand for Group 1 cryptoassets products/services. In addition, it would effectively make all DLT deployments uneconomic compared to other tech deployments.

What Is the Infrastructure Risk Add-On?

In its second public consultation on the prudential treatment of banks’ cryptoassets exposures, the Basel Committee on Banking Supervision (“the Basel Committee”) classifies cryptoassets into two groups, i.e., Group 1 cryptoassets–cryptoassets including tokenized traditional assets (Group 1a) and stablecoins with effective stabilization mechanisms (Group 1b) that meet 4 classification conditions[1]–and Group 2 cryptoassets.  Classification Condition #3 requires that “the functions of the cryptoasset and the network on which it operates, including the distributed ledger or similar technology on which it is based, are designed and operated to sufficiently mitigate and manage any material risks.”

Despite this seemingly stringent classification condition, the Basel Committee also proposed an “infrastructure risk add-on” charge that would apply to Group 1 cryptoassets, except those backed by the full faith and credit of a central bank or sovereign entity.[2]  The infrastructure risk add-on requires a bank to increase its total credit (or market) RWA by 2.5% of the total exposure value for Group 1 cryptoassets in the banking (or trading) book respectively.  The Basel Committee states that “as the technology that underlies cryptoassets matures, [it] will review whether the infrastructure risk add-on continues to be needed and modify its calibration as appropriate.”[3]

What Risks is the Infrastructure Risk Add-On Intended to Capture?

The Basel Committee envisages the infrastructure risk add-on as a way to capture “unforeseen risks” arising from “the technological infrastructure that underlies all cryptoassets, such as DLT” but without delineating what these unforeseen risks are.[4]  By contrast, the EU’s Market in Crypto Assets (“MiCA”) legislation requires any entity making a public offer of cryptoassets or seeking admission to trading to “publish an information document (‘a crypto-asset white paper’) containing mandatory disclosures” but does not expect “that the whitepaper will contain a description of risks which are unforeseeable and very unlikely to materialize.”[5]

At the time of writing, prudential and market regulators of several major jurisdictions, e.g., U.S. (FSOC[6], FRB[7], OCC[8], FDIC[9], and SEC[10]), United Kingdom (Bank of England[11], and PRA[12]), European Union (ECB[13], ESMA[14], and ESA[15]), Hong Kong SAR (HKMA[16]), Australia (APRA[17]) and Canada (OSFI[18]), have identified a set of risks posed by cryptoassets activities, including the use of cryptoassets in financial applications and their associated infrastructure.  These risks can be broadly classified into two categories: (1) financial risk, e.g., credit and market risk (including basis risk), liquidity risk, leverage, financial stability risk, and operational risk (e.g., outsourcing, fraud, cybersecurity), and (2) non-financial risk, e.g., market integrity, operational resilience, third-party risk management, anti-money laundering, and counter terrorism financing.

We understand that the Basel Committee is concerned that certain novel features associated with cryptoassets and the infrastructure they operate in may give rise to additional risks.  These novel features include pseudonymity (i.e., a self-custody wallet is linked to a public key but often not the identity of an individual or entity), consensus mechanisms manipulation (i.e., 51% or Sybil attacks), composability (i.e., smart contracts interact with each other with no intermediaries which can lead to flash sales or liquidation), and interoperability issues (i.e., inter-blockchain linkage and funds transfer).

We wish to highlight that the existing Basel capital, liquidity and supervisory framework seeks to capture known financial and non-financial risk, as well as unknown risks through the imposition of buffers and other charges, such as the G-SIB capital surcharge, capital conservation buffer, and TLAC.  In addition, prudentially regulated institutions complement these buffers with additional management buffers to cushion the impact of loss from unforeseen risks/events and avoid triggering any negative regulatory or market penalty for failure to maintain these requirements.

Below, we demonstrate through real-life use cases involving commercial banks that any potential risks arising from these novel features will eventually crystalize through either financial risks or non-financial risks channel which are captured by the established prudential capital requirements and mitigated by prudential regulation and supervision respectively, especially for certain Group 1 cryptoassets.  In addition, to date, several central banks have experimented with DLT applications (e.g., Project Dunbar[19] and Project mBridge,sup>[20] involving central bank digital currencies (“CBDCs”), and other use cases involving cryptoassets, e.g., custody[21]) to take advantage of the benefits offered by DLT while adequately managing and mitigating any material risks associated with it.

Three Use Cases Involving DLT Technology and Group 1 Cryptoassets

In the U.S., prior to engaging in any new line of business including cryptoassets, prudentially regulated institutions go through a rigorous internal new business initiative approval process and signed off by all relevant senior stakeholders, and must either receive approval or non-objection from its primary prudential regulator and subject to extensive prudential regulation and supervision.  For instance, Federal Reserve Board expects supervised institutions “must ensure such activity is legally permissible and determine whether any filings are required under applicable federal or state laws.  A supervised banking organization should, prior to engaging in these activities, have in place adequate systems, risk management, and controls to conduct such activities in a safe and sound manner and consistent with all applicable laws, including applicable consumer protection statutes and regulations.”[22]  The Office of the Comptroller of the Currency sets out similar requirements in its Interpretive Letter #1179 released in November 2021.[23]

Below, we highlight three existing use cases involving DLT technology and Group 1 cryptoassets that illustrate all of the supervisory and risk controls that banks have prior to engaging with the use of this technology: (1) JPM Coin (not a cryptoasset but a fiat deposit whose ownership is recorded on DLT), (2) intraday repo, and (3) EIB Digital Bond.[24]

Use Case 1: JPM Coin System – a permissioned private blockchain system for recording deposit account balances and making instant payments
In 2020, JPMorgan Chase launched the JPM Coin System.  The system consists of the blockchain ledger, the deposit accounts recorded on the blockchain ledger (Blockchain Deposit Accounts), and certain technical components allowing clients to send instructions to the bank regarding their accounts.  The blockchain ledger used in the system is private and permissioned and the bank is the single entity that is the central authority determines who can participate and/or transact on the blockchain ledger.  The Blockchain Deposit Accounts are the official record and evidence of the deposit balance that the bank owes to each participating client under current applicable U.S. banking laws and regulations.  And are subject to existing prudential capital and liquidity requirements as well as other prudential regulation and supervision intended to control systemic and other risks associated with deposit taking activities.

Use Case 2: Intraday Repo – a permissioned tokenized traditional asset in a private blockchain
This is a private permissioned DLT system whereby settlement of repo transactions is carried out in concert with existing market platforms underpinned by existing legal and regulatory frameworks.  Repo transactions (that have traditionally taken minutes or hours) are executed in seconds, and the process for settlement front-loads the operational steps and prevents fails, partials, or other incomplete settlements.  Thereby, significantly reduces counterparty credit risk.  The private permissioned DLT platform controls and mitigates non-financial risks by following standard and rigorous processes for application development as mandated in operational risk requirements (including the identification and remediation of software vulnerabilities, segregation of duties regarding the production environment, hardware resiliency standards and testing, and cyber and wider technology control protections).   

Use Case 3: EIB Digital Bond – a permissioned tokenized traditional asset in a public blockchain
In April 2021, the European Investment Bank (EIB) issued its first digitally native bond tokens using

Ethereum blockchain.[25]  The bond tokens were legally characterized under French Law as MiFID2 financial instruments.  And were clearly defined in the issuance documentation as bonds in dematerialized form, issued in fully registered form in a public blockchain, conferring the same legal rights to bondholders as bonds issued in book-entry.  Fitch Ratings notes “that as per the terms and conditions, the legal classification of the security tokens registered on the DLT will be ‘titres de créances’ (debt financial instrument) under French law, i.e., the same as traditional bond issuances” and that “the use of a blockchain technology to register the notes does not bring additional credit risk compared with a traditional bond issuance”[26] suggesting that the use of DLT doesn’t introduce additional financial risks.

The EIB bond tokens were structured in accordance with the Compliant Architecture for Security Tokens (CAST) security tokens framework which facilitates risk management and compliance in line with traditional securities market practices.  Transactions on the bond tokens are based on permissioned services by SG-FORGE (EIB’s agent, a regulated subsidiary of Societe Generale) enabled on Ethereum blockchain.  SG-FORGE is whitelisted to prevent non-identified actors from intervening on the transactions.  The smart contract of the bond tokens included a function requiring that any transfer of financial securities between the issuer and investors and between two investors be validated by SG-FORGE based on banking-grade KYC/AML, and sanctions and embargoes controls.  This ex-ante validation of any transaction on the public blockchain makes it feasible to verify that the future owner of the bond tokens is duly identified and checked before the completion of the transaction.  In addition, SG-FORGE has, according to French Law, put in place a business continuity plan to always keep an ‘off-chain’ monitoring of the EIB bonds holders’ positions and mitigate any potential technological issues.  Thus, non-financial risks are captured by the established prudential regulation and supervision.

In summary, as demonstrated by the well-established internal approval, and regulatory approval and  notification processes that U.S. prudentially regulated institutions must follow and above real-life use cases, we believe the established prudential regulation and supervision are adequate and rigorous for prudentially regulated institutions’ Group 1 cryptoassets activities based on permission-based systems and related API interfaces operated by one or more prudentially regulated institutions, or a financial market utility due to the presence of embedded access, governance, and risk management controls.

Why Basel Should Not Apply A Blanket Infrastructure Risk Add-On For Group 1 Cryptoassets?

As a gating matter, the Classification Condition #1 prescribed by the Basel Committee requires Group 1a cryptoassets to “pose the same level of credit and market risk as the traditional (non-tokenized) form of the asset”, and Classification Condition #3 requires sufficient mitigation and management of “any material risks that could impair the transferability, settlement finality or redeemability of the [Group 1] cryptoassets”.[27]  In addition, given the risk management requirements prescribed in the proposed standards (e.g., technology risk, cyber risk, legal risk, and AML/CFT), existing prudential guidance for technological innovation including the Basel Committee’ March 2021 principles for operational resilience[28], and existing guidance for the prudent use of third-party service providers, any additional material risks–financial or non-financial–arising from the novel features associated with cryptoassets and the infrastructure they operate in are adequately mitigated by prudentially regulated institutions.  As a result, Group 1 cryptoassets will pose same level of credit and market risk as the traditional non-tokenized form of the asset.

Given the significant infrastructure build costs associated with Group 1 cryptoassets activities and the meaningful further increase in minimum capital requirements[29] under Basel 3 endgame package which will come into effect as of January 1, 2025 as planned in several major jurisdictions (e.g., EU), an additional capital charge of 2.5% of exposure value, though appear modest, would strongly discourage prudentially regulated institutions from meeting surging clients’ demand for Group 1 cryptoassets products/services.  Therefore, we believe the Basel Committee should not apply a blanket infrastructure risk add-on to Group 1 cryptoassets.  By not applying the add-on charge, the Basel Committee would be supporting the ongoing work of the BIS Innovation Hub, as well as various central banks and commercial banks, on DLT for traditional payment and tokenized asset use cases; it would also facilitate the work of various financial market utilities on enhancements to post trade settlement processes.  Moreover, this treatment would be more consistent with the approach to cryptoasset regulation and supervision being taken in several major jurisdictions, including the European Union[30] and the UK[31].


DLT will be crucial to the ongoing capital market and financial system innovations, particularly in the areas of securities tokenization and increased processing automation.  It is vital that prudentially regulated institutions remain central to innovation in this area in order for their benefits to be fully realized by a broad range of market participants and end-users.  Introduction of the infrastructure risk add-on for Group 1 cryptoassets will deter the uptake of this technology by prudentially regulated institutions and limit the beneficial impact of DLT.  Moreover, as we have shown in this blog, the application of an infrastructure risk add-on is unnecessary; any novel risks associated with this new technology are already captured by other regulatory and supervisory requirements (including capital requirements).  As such, the Basel Committee should not, in our view, apply a blanket infrastructure risk add-on to Group 1 cryptoassets.


Dr. Guowei Zhang is Managing Director and Head of Capital Policy SIFMA, Dr. Peter Ryan Managing Director and Head of International Capital Markets and Strategic Initiatives SIFMA, and Mr. Carter McDowell is Managing Director and Associate General Counsel SIFMA

[1] The Committee specifies 4 classification conditions.  Classification Condition 1: The cryptoassets is either: (i) a tokenized traditional asset, or (ii) has a stabilization mechanism that is effective at all times in linking its value to a traditional asset of a pool of traditional assets (i.e., reference assets).  Classification Condition 2: All rights, obligations and interests arising from the cryptoassets arrangements are clearly defined and legally enforceable in all the jurisdictions where the asset is issued and redeemed.  In addition, the applicable legal framework(s) ensure(s) settlement finality.  Banks are required to conduct a legal review of the cryptoassets arrangement to ensure this condition is met, and make the review available to their supervisors upon request.  Classification Condition 3: The functions of the cryptoasset and the network on which it operates, including the distributed ledger or similar technology on which it is based, are designed and operated to sufficiently mitigate and manage any material risks.  Classification Condition 4: Entities that execute redemptions, transfers, storage or settlement finality of the cryptoasset, or manage or invest reserve assets, are regulated and supervised, or subject to appropriate risk management standards.

[2] The Basel Committee on Banking Supervision, “Prudential treatment of cryptoassets exposures – second consultation”, June 30, 2022. https://www.bis.org/bcbs/publ/d533.htm

[3] See Endnote 2.

[4] The Basel Committee on Banking Supervision, “Prudential treatment of cryptoassets exposures – second consultation”, June 30, 2022. https://www.bis.org/bcbs/publ/d533.htm

[5] Council of the European Union, “Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 (MiCA)”, October 5, 2022. https://data.consilium.europa.eu/doc/document/ST-13198-2022-INIT/en/pdf

[6] Financial Stability Oversight Council, “The Financial Stability Oversight Council’s Report on Digital Asset Financial Stability Risks and Regulation”, October 3, 2022. https://home.treasury.gov/system/files/261/Fact-Sheet-Report-on-Digital-Asset-Financial-Stability-Risks-and-Regulation.pdf

[7] Federal Reserve Board, “Engagement in Crypto-Asset-Related Activities by Federal Reserve-Supervised Banking Organizations”, August 16, 2022. https://www.federalreserve.gov/supervisionreg/srletters/SR2206.htm

[8] The Office of the Comptroller of the Currency, “OCC Clarifies Bank Authority to Engage in Certain Cryptocurrency Activities and Authority of OCC to Charter National Trust Banks”, November 23, 2021. https://www.occ.gov/news-issuances/news-releases/2021/nr-occ-2021-121.html

[9] Federal Deposit Insurance Corporation, “Advisory to FDIC – Insured Institution Regarding Deposit Insurance and Dealings with Crypto Companies”, July 29, 2022. https://www.fdic.gov/news/financial-institution-letters/2022/fil22035.html#:~:text=The%20FDIC%20does%20not%20insure,including%20those%20with%20crypto%20companies

[10] Securities and Exchange Commission, Staff Accounting Bulletin 121, March 31, 2022. https://www.sec.gov/oca/staff-accounting-bulletin-121

[11] Bank of England, “Financial Stability in Focus: Cryptoassets and decentralised finance”, March 24, 2022. https://www.bankofengland.co.uk/financial-stability-in-focus/2022/march-2022?utm_source=Bank+of+England+updates&utm_campaign=b72220ed0c-EMAIL_CAMPAIGN_2022_03_24_10_45&utm_medium=email&utm_term=0_556dbefcdc-b72220ed0c-113508009

[12] Sam Woods, “Dear CEO letter”, March 24, 2022. https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/letter/2022/march/existing-or-planned-exposure-to-cryptoassets.pdf

[13] European Central Bank, “Decrypting financial stability risks in crypto-asset markets”, May 2022. https://www.ecb.europa.eu/pub/financial-stability/fsr/special/html/ecb.fsrart202205_02~1cc6b111b4.en.html

[14] European Securities and Markets Authority, “Crypto-assets and their risks for financial stability”, October 4, 2022. https://www.esma.europa.eu/sites/default/files/library/esma50-165-2251_crypto_assets_and_financial_stability.pdf

[15] EBA, ESMA and EIOPA, “EU financial regulators warn consumers on the risks of crypto-assets”, March 17, 2022. https://www.esma.europa.eu/press-news/esma-news/eu-financial-regulators-warn-consumers-risks-crypto-assets

[16] Hong Kong Monetary Authority, “Regulatory approaches to Authorized Institutions’ interface with Virtual Assets and Virtual Asset Service Providers”, January 22, 2022. https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2022/20220128e3.pdf

[17] The Australian Prudential Regulatory Authority, “Crypto-assets: Risk management expectations and policy roadmap”, April 21, 2022. https://www.apra.gov.au/crypto-assets-risk-management-expectations-and-policy-roadmap

[18] The Office of the Superintendent of Financial Institutions, “Interim arrangements for the regulatory capital and liquidity treatment of cryptoasset exposures”, August 18, 2022. https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/adv-prv/Pages/crypto22.aspx

[19] The Bank for International Settlements, “Project Dunbar – International settlements using multi-CBDCs”, March 22, 2022. https://www.bis.org/publ/othp47.htm

[20] The Bank for International Settlements, “Project mBridge: Connecting economies through CBDC”, October 26, 2022. https://www.bis.org/publ/othp59.htm

[21] BNY Mellon, “BNY Mellon Launches New Digital Asset Custody Platform”, October 11, 2022. https://www.bnymellon.com/us/en/about-us/newsroom/press-release/bny-mellon-launches-new-digital-asset-custody-platform-130305.html

[22] Federal Reserve Board, “SR 22-6/CA 22-6: Engagement in Crypto-Asset-Related Activities by Federal Reserve-Supervised Banking Organizations”, August 16, 2022. https://www.federalreserve.gov/supervisionreg/srletters/SR2206.htm

[23] The Office of the Comptroller of the Currency, “OCC Clarifies Bank Authority to Engage in Certain Cryptocurrency Activities and Authority of OCC to Charter National Trust Banks”, November 23, 2021.  https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2021/int1179.pdf

[24] SIFMA, “Second Consultation on the Prudential Treatment of Cryptoasset Exposures”, October 4, 2022.  https://www.sifma.org/resources/submissions/second-consultation-on-the-prudential-treatment-of-cryptoasset-exposures/

[25] European Investment Bank, “EIB issues its first ever digital bond no a public blockchiain”, April 28, 2021. https://www.eib.org/en/press/all/2021-141-european-investment-bank-eib-issues-its-first-ever-digital-bond-on-a-public-blockchain

[26] Fitch Ratings, “Fitch Assigns European Investment Bank’s Proposed Digital Bond Issuance ‘AAA’ Rating”, April 28, 2021. https://www.fitchratings.com/research/sovereigns/fitch-assigns-european-investment-bank-proposed-digital-bond-issuance-aaa-rating-28-04-2021

[27] See Endnote 2.

[28] The Basel Committee on Banking Supervision, “Principles for operational resilience”, March 31, 2021. https://www.bis.org/bcbs/publ/d516.htm

[29] BCBS, “Basel III Monitoring Report”, February 21, 2022.  https://www.bis.org/bcbs/publ/d531.htm

[30] The European Union’s DLT Pilot Regime “allow[s] for certain DLT market infrastructures to be temporarily exempted from some of the specific requirements of Union financial services legislation that could otherwise prevent operators from developing solutions for the trading and settlement of transactions in crypto-assets that qualify as financial instruments, without weakening any existing requirements or safeguards applied to traditional market infrastructures.” See European Union, “Regulation (EU) 2022/858 of the European Parliament and of the Council”, May 30, 2022. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R0858&from=EN

[31] The UK Financial Services and Markets Bill 2022 grants HM Treasury the power to create a regulatory sandbox for financial market infrastructures (FMI sandbox). See UK Parliament, “Financial Services and Markets Bill”, July 20, 2022. https://bills.parliament.uk/bills/3326/publications. It is envisaged that the FMI sandbox will enable firms designated to participate in it to test and adopt new technologies and practices, e.g., DLT, by temporarily disapplying, modifying or even applying certain legislation for specific purposes. It appears that the first FMI sandbox can be created in the second half of 2023, in light of the launch of the EU Pilot Regime on 23 March 2023. See Clifford Chance, “Innovation in the UK Capital Markets – The FMI sandbox takes shape”, September 12, 2022. https://www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2022/09/innovation-in-the-uk-capital-markets—the-fmi-sandbox-takes-sha.html