Protecting Against Emerging Global Fintech Threats in Cyberspace and Cryptocurrencies
Originally posted by CFTC on Nov 30, 2022.
Keynote Remarks of Commissioner Christy Goldsmith Romero at the Futures Industry Association, Asia Derivatives Conference, Singapore
Remarks as Prepared for Delivery
It is a pleasure to be in Singapore today, a Fintech hub. I’m particularly excited to be here given that I sponsor the CFTC’s Technology Advisory Committee (TAC). Our world was already moving towards a more technology-driven way of life pre-pandemic. The pandemic accelerated our collective use of technology, at the same time, all around the world.
Changes in the way we work, communicate, and transact business bring efficiencies, greater connection and access, and remove geographical limitations. With those benefits come risks. Maybe it’s my law enforcement background that makes me naturally suspicious, to think that those with nefarious intent, whether driven by crime or greed, also gained those same benefits.
How to harness the best that technology offers, while protecting against emerging threats to critical infrastructure, financial systems, and consumers, is the challenge of our day. It is a challenge that is global. A challenge that is new and evolving. A challenge best met by like-minded nations working together cooperatively. The CFTC has a longstanding memorandum of understanding with the Monetary Authority of Singapore (MAS) for cooperation and coordination, and in 2018 we signed a cooperation arrangement to address emerging technology in financial markets.
Today, I will focus my remarks on cybersecurity and cryptocurrencies—two areas with emerging global fintech threats that are front and center for financial regulators and markets around the world. I will also briefly address uses of distributed ledger technology in agriculture and financial services.
Cyber-related vulnerabilities present what may be the most critical and persistent threat to financial markets. There is an urgent need to promote cybersecurity and cyber resilience to counter these threats.
The threat of a cyber-related shock to global financial markets is growing and taking on new and increasingly sophisticated forms. Global cyber criminals and state-sponsored efforts can create or leverage a serious disruption to markets and economies. Critical market infrastructure around the world, like exchanges and clearinghouses, already experiences cybersecurity incidents.
I join many financial regulators globally who have identified cybersecurity and cyber resilience as a critically important priority.
The convergence of a widespread move to the cloud, new fintech players, and growing use of cryptocurrency necessitates rethinking cybersecurity. Real-time information sharing benefits everyone. This month, Singapore and the United States conducted an inaugural bilateral Cyber Dialogue.
Today, I want to discuss three emerging global cyber threats: cyber threats related to third party service providers, zero-day vulnerabilities, and ransomware.
Cyber threat: Third party service providers
The move to remote work coupled with the rapid digitization of financial services during the pandemic has led to an increase in global cyber threats related to third-party service providers. Even if financial firms have strong cybersecurity systems, their cybersecurity is only as strong as their most vulnerable third-party service provider. The threat can compound where several firms use the same software or other provider.
Cyber threat: Zero-day vulnerabilities
A zero-day vulnerability is a vulnerability in a system or device that has become known but has not yet been patched or updated. Cyber criminals are increasingly exploiting zero-day vulnerabilities.
Cyber threat: Ransomware
In March 2022, FBI Director Christopher Wray said that last year, 14 of 16 critical U.S. infrastructure sectors saw ransomware incidents. This includes the Colonial Pipeline and JBS, the world’s largest meat supplier.
The world faced a 93% rise in ransomware attacks this year. Asia Pacific faced the highest number of organizations being attacked weekly compared to other regions around the globe. Japan, Singapore, and Indonesia experienced the sharpest increases in attack activity in APAC last year.
A 2022 survey of 130 global financial institutions found that 74% experienced at least one ransomware attack over the past year and 63% experienced an increase in destructive attacks designed to counter incident responses. Ransomware is no longer limited to sophisticated actors. Anyone can purchase and deploy a ransomware kit, auction off stolen data on the dark web, and obtain payment in cryptocurrency.
Many of the major incidents over the past year have elements of all three of these trends: for example, a zero-day vulnerability in a third-party provider’s software is exploited and used to deploy ransomware.
Promoting cyber resilience throughout the global financial markets
Promoting cyber resilience throughout global financial markets starts with a public-private partnership to share threat information and best practices. Financial service firms have a responsibility to shore up their cybersecurity to try to stay ahead of the threat, and that includes limiting vulnerable entry points. Key to cyber resilience is locking digital doors that can serve as vulnerable points of entry.
To protect against ransomware, the Financial Services Information Sharing and Analysis Center (FS-ISAC) recommends that firms safekeep critical data in an offline data vault that is not connected to main systems or backups. To protect against zero-day vulnerabilities, it recommends that firms patch and update external-facing devices quickly, which requires tracking each device, its location, and its software version, and that firms strengthen third-party provider risk management.
In cyber space, knowledge is truly power. Global authorities should support sharing cyber intelligence and effective threat response with each other, and with industry. MAS and the U.S. Department of the Treasury recently announced an MoU for cyber intelligence sharing.
Regulators with access to threat intelligence can help the private sector. The disruption from the Colonial Pipeline attack would have lasted much longer had Colonial not called the FBI, which had been investigating the criminal group responsible for the hack and knew just what to do. Time is of the essence. For that reason, regulators, including the CFTC, are tightening cyber incident notification requirements. An immediate two-way flow of information between market participants and regulators will help counter and contain cyber threats. Together, we can combat cyber threats, safeguarding ourselves and our markets.
Distributed ledger technology
An area where I predict we will see explosive growth is blockchain, also known as distributed ledger technology, for use cases outside of cryptocurrency.
Distributed ledger technology holds great promise for commodities, particularly in the agricultural industry. It can be used to trace individual livestock from birth. It can limit food recalls to a specific farm rather than an entire crop. It can assist in seeing changes in consumer demand in real time, and enhancing supply chain efficiency and inventory management. Distributed ledger technology has the potential to prevent disease, keep food safe, limit waste, and save our agricultural industry time and money.
Blockchain for financial services holds the promise of increased trust and transparency. The potential for settlements, the tokenization of collateral, and risk management needs to be thought through in terms of opportunities and risk. The potential to have a single record of a transaction, rather than each firm recording the transaction and a third party reconciling them, can reduce duplicate data and mistakes, but only if the shared record itself is free of errors. Anti-money laundering and sanctions checks through blockchain can promote market integrity. Banks see these benefits. According to IBM, 91 percent of banks have invested in blockchain solutions.
To me, recent talk about blockchain solutions for financial services feels very similar to when people first started talking about the cloud. Widescale adoption will come down to whether service providers can actually provide the trust and transparency that blockchain promises, and without any significant tradeoffs.
For months I have been warning against growing risks in crypto assets—risks that parallel those seen in 2008. A few weeks ago, on October 26, 2022, I gave a speech where I said, “Just as regulators could not see the true exposures or risk in 2008 due to unregulated companies and products, we cannot see that today with unregulated crypto markets.” I also warned about novel risks of crypto assets, including cyber hacks, the lack of segregated customer assets, and conflicts of interest. On that last point, I warned, “Crypto-related companies may serve multiple functions that are separated into different entities in traditional finance….In an unregulated environment, the full extent of these conflicts may not be disclosed or resolved, which could lead to cascading losses and contagion risk.”
On the same day as my speech, MAS released its consultation paper that similarly warned about risks in crypto assets. We both warned customers about the risk of cryptocurrencies given their highly volatile and speculative nature. We both discussed concerns about hype, fear-of-missing-out (“FOMO”), and celebrity endorsements. We both warned that cryptocurrencies carry a higher risk of being misused for illicit purposes, scams and fraud, and cyber hacks and theft. We both warned that the opaque nature of crypto companies and assets increased risk.
Two weeks later, FTX imploded.
Recent events did not create risks; they revealed them, and how real people can be harmed. So, what can be done right now to protect customers, particularly household retail customers?
MAS considered whether to prohibit the offering of cryptocurrency to consumers entirely, but instead decided on targeted regulatory measures, including limiting consumer access and improving business conduct.
Today, I want to discuss two of my proposals to reduce threats to customers and markets.
Proposal 1: Protecting household retail investors starts with redefining who is a retail investor and developing targeted customer protections
As we are seeing a rise in retail investors in crypto, the CFTC should shift its approach. My concern is that if regulation fails to keep pace with technology, it’s going to be those most vulnerable who are going to be hurt. This is a market where there are a lot of retail customers who have exposure. Most are young (born after 1980), diverse, and make less than $50k a year. That is not the typical customer that the CFTC is used to seeing.
For financial inclusion and greater opportunities in our markets for households, and because of the global availability of cryptocurrencies, I do not propose that we halt access to crypto markets for retail customers. But we also should not let them be crushed, which will happen without meaningful and targeted customer protections.
I recently proposed that the CFTC redefine who is a retail customer. The CFTC’s current definition of retail is far too broad, covering regular household customers all the way up to millionaires and hedge funds.
I propose that the CFTC create two categories of retail customers, separating household retail from professional and high net worth individuals. While some customer protections will apply to both groups, the CFTC could target additional customer protections to each group.
President Biden’s Executive Order on Digital Assets discusses expanding access to safe and affordable financial services. What is safe and affordable for a millionaire or hedge fund is likely to be very different for regular people who want access to markets, but cannot afford to lose everything. I am seeking public input on what the test should be for a household retail customer. What types of customer protections would make sense for household customers? I initially think about easy-to-understand disclosures, limitations on leverage, and bankruptcy priority (which can be lost in a disintermediated model).
Who decides what is safe and affordable for any particular customer? I support suitability determinations to ensure that products and terms are safe and affordable based on a customer’s risk profile. In traditional finance, that’s typically a broker’s role. With customers increasingly seeking direct access to markets, through a phone app, often without a broker, it is important for regulators to assess risk to customers.
I caution against market structures that remove a broker’s duties to retail customers without a full assessment of what will be lost. I am not in favor of using a disintermediated model without undergoing a full assessment of risks to customers.
Proposal 2: Heightened Supervision of Crypto Exchanges
Today, I am calling publicly for the first time for the CFTC to invoke heightened supervision of crypto exchanges—something I have called for internally within the CFTC for months. It is well within our existing authority for derivatives exchanges.
At a minimum, heightened supervision would include frequent examinations and a heightened focus on cybersecurity, conflicts of interest, and a safety-and-soundness financial review. Despite my multiple requests, the CFTC has not implemented heightened supervision. My proposal should take on urgency in light of recent events. Cryptocurrencies present significant and novel threats of cyber attacks. Cyber hacks are at an all-time high, with more than $3 billion stolen this year alone. According to Chainalysis, “In past years, hackers focused their efforts on attacking crypto exchanges, but those companies have since strengthened their security.” These days, cybercriminals are targeting “cross-chain bridges,” which allow investors to transfer digital assets and data among different blockchains.
Heightened supervision would also include a heightened focus on conflicts of interest and contagion threats, particularly from unregulated affiliates. The Commission should explore the full measure of its existing authorities in all areas related to crypto, including unregulated affiliates. We should be able to demand information, perform risk-based reviews, and limit risks, as necessary, related to unregulated affiliates where there is inter-affiliate contagion risk or a conflict of interest.
To the extent that the CFTC is limited in its access to affiliate information, the Commission should explore all options to increase access. In my review of any crypto company applications before the CFTC, I will continue to be focused on conflicts of interest and the potential for inter-affiliate contagion risk that could hurt customers and financial stability.
Future U.S. legislation is at its best when it stands the test of time
I hope that Congress acts to provide a comprehensive regulatory framework that brings a whole of government approach and does not create regulatory arbitrage. Although this will undoubtedly take time, what is most important is that Congress gets it right, and that the legislation can stand the test of time. Congress should close existing loopholes and regulatory gaps, and mitigate currently known risks.
For any legislation that Congress considers, I urge them to ban commingling of customer funds with company funds—one of the most pressing known threats—and to provide all customers bankruptcy priority. There is not enough awareness or attention on this critical threat to customers. Customers are often unaware of their lack of protections.
Unfortunately, the use of omnibus accounts that include customer and exchange funds is a commonly used business model of crypto exchanges—a model that could present serious risk of loss to customers. User agreements posted online for Coinbase and Kraken, two of the largest digital asset exchanges in the world, appear to authorize the commingling of customer and exchange assets. This suggests that commingling is widespread throughout the unregulated crypto markets.
Commingling of customer and company funds presents a significant threat to customers. That is why in my conversations with Congress and others, I have stressed the importance of a complete ban on commingling as the single most important customer protection needed to counter the threat of misuse of customer funds. Congress could require it, regulators could require it where they have authority, and the private sector can demand it.
I also join Commissioner Caroline Pham’s call for a new Office of Retail Investor Advocate. That office has long existed at the SEC, where I used to work. It is important for retail customers to have an advocate so that their voices are heard on Commission action.
Global regulators are stronger when we act together to protect against emerging global fintech threats in cyberspace and cryptocurrencies. The United States and other jurisdictions must resist the siren song of a race to the bottom or regulatory arbitrage. There will always be a temptation and an incentive for firms to seek delays in implementing new laws or to call for weakening standards or bespoke treatment. As regulators, we must resist.
There was significant work after the 2008 financial crisis to strengthen the financial stability of global markets. When it comes to emerging technology, we must resist the chorus of voices that will seek exemptions, exclusions, and bespoke treatment. We do not know the full consequences of straying from effective post-crisis regulatory frameworks—frameworks that work well. As we consider emerging Fintech, existing regulatory frameworks that have strong customer protections and market guardrails should be our guide.
Notes
CFTC-MAS Arrangement on Financial Technology Innovation.
See, e.g., CFTC Commissioner Christy Goldsmith Romero, Statement on Proposed Rule on Cybersecurity Incident Reporting (Nov. 10, 2022).
U.S. Department of State, The Inaugural U.S.-Singapore Cyber Dialogue (Nov. 3, 2022) (Singapore and the United States share deep mutual interest in enhancing cyber and digital security cooperation, particularly as cybersecurity has become a key enabler for both countries to leverage the benefits of digitalization to grow their economies and improve the lives of their people.)
Financial Services Information Sharing and Analysis Center, Navigating Cyber 2022: Annual Cyber Threat Review and Predictions (Q1 2022).
Christopher Wray, Director, Federal Bureau of Investigation, FBI Partnering with the Private Sector to Counter the Cyber Threat, Detroit, MI (Mar. 22, 2022).
Colonial was responsible for transporting almost half of the fuel to the eastern United States. After being hit by a ransomware attack from a group called DarkSide, Colonial shut down its pipeline. Panic ensued, leading to a run on gas stations. The Colonial attack followed numerous other cyber incidents that year, including incidents at JBS, the New York City transportation system, and health care facilities. See, e.g., Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure, Hearing before the Committee on Homeland Security, House of Representatives, 107th Congress, First Session (June 9, 2021).
Financial Services Information Sharing and Analysis Center, Cyber Trends and Threats in Asia Pacific, Guidance for 2022, FS-ISAC_APAC_CyberTrends_02 (fsisac.com).
VMware, Modern Bank Heists 5.0: The Escalation: From Heist to Hijack, From Dwell to Destruction (April 26, 2022).
Blockchain for financial services | IBM.
See CFTC's Goldsmith Romero warns of similarities between crypto today and banks in 2008, MarketWatch (June 14, 2022); CFTC Commissioner Christy Goldsmith Romero, Financial Stability Risks of Crypto Assets: Remarks before the International Swaps and Derivatives Association’s Crypto Forum 2022, New York (Oct. 26, 2022) (The vulnerabilities seen during this beginning of what some call the “Crypto Winter” warn of growing intra-market risks, with parallel themes seen in 2008. Opaque, complex, leveraged, and unregulated products. Underappreciated risk. A lack of confidence that underlying assets were stable or of high quality. Lots of connections between market participants. A market vulnerable to contagion risk, run risk, risk of defaults, cascading losses and a liquidity crisis. Customers, including many retail investors, saw redemptions halted and a significant loss of wealth as their assets were frozen, tied up or lost.)
See CFTC Commissioner Christy Goldsmith Romero, Financial Stability Risks of Crypto Assets: Remarks before the International Swaps and Derivatives Association’s Crypto Forum 2022, New York (Oct. 26, 2022). In addition to warning about conflicts of interest risks, I stated, “Cyber hacks and thefts pose significant risk…The Lack of Segregated Customer Assets: Segregation of customer assets from a company’s operating funds is a foundational customer protection in regulated entities that is not common for unregulated digital assets, nor is bankruptcy priority. There is not enough awareness or attention on this critical area where customer protections dovetail with financial stability risks. Customers may be left in a musical chairs’ dilemma. This increases run risk at the first sign of a company’s or counterparty’s weakness. In my conversations with Congressional members, their staff, and market participants, I remain focused on the need to segregate customer assets for purposes of financial stability and customer protection.”
Monetary Authority of Singapore, Consultation-Paper-on-Proposed-Regulatory-Measures-for-Digital-Payment-Token-Services-v2.pdf (mas.gov.sg) (Oct. 26, 2022).
Id. at 2.9-2.11.
Hackers have stolen record $3 billion in cryptocurrency this year, CBS News (Oct. 13, 2022).
See Id.; see, e.g., Chainalysis, Vulnerabilities in Cross-chain Bridge Protocols Emerge as Top Security Risk (Aug. 2, 2022) (estimating that “$2 billion in cryptocurrency has been stolen across 13 separate cross-chain bridge hacks, the majority of which was stolen this year,” and noting that bridges are a top target for North Korea-linked hackers that have stolen approximately $1 billion this year).
Omnibus Accounts. In order to more securely and effectively custody assets, Coinbase may use shared blockchain addresses, controlled by Coinbase, to hold Supported Digital Assets for Digital Asset Wallets on behalf of customers and/or held on behalf of Coinbase. Although we maintain separate ledgers for users’ Coinbase Accounts and Coinbase accounts held by Coinbase for its own benefit, Coinbase shall have no obligation to create a segregated blockchain address for your Supported Digital Assets. Coinbase, Coinbase User Agreement (last updated Nov. 10, 2022).
Omnibus Accounts. In order to more securely and effectively custody assets, Payward may use shared blockchain addresses, controlled by Payward, to hold Digital Assets on behalf of users and/or held on behalf of Payward. We maintain separate ledgers for users’ Kraken Accounts and Payward accounts held by Payward for its own benefit. Kraken, Terms of Service (last updated Oct. 10, 2022).