Blockchain Control Principles in Financial Services
Which control principles are essential for blockchain adoption on a global scale?
- 1. Best Practice
- 2. Interoperability and System Integration Controls
- 3. Audit Rules
- 4. Cybersecurity Controls
- 5. Enhacement of Traditional ICT Protocols
1. Best Practice – Standard for Blockchain Development
Since its mention by Satoshi Nakamoto in the 2008 white paper ‘Bitcoin: A Peer-to-Peer Electronic Cash System’, blockchain technology, also called Distributed Ledger Technology (DLT), has attracted significant attention among the global financial services community. Researchers and investors are increasingly interested in the transformative and disruptive ability of this technology to:
- Facilitate an exchange of value
- Enable the safe storage of value
- Achieve operational efficiencies
- Secure cost savings
- Increase industry transparency
- Enhance customer experiences
In this paper, we consider three macro factors which we consider essential to the widespread adoption of private DLTs within the financial community in the long term. These macro factors are:
- Legal and Regulation
Although this paper discusses each factor in isolation, financial institutions should view all three as interdependent and complementary when considering DLT adoption.
2. Interoperability and System Integration Controls
When introducing DLT into the enterprise, it is essential that the DLT system is capable of integrating and interoperating with other systems, including other blockchain solutions or technologies. Even within individual DLT implementations, the blockchain component is likely to be a single part of a larger whole, with additional data stores, messaging systems, interfaces and touch points to both internal and external systems. Institutions therefore need to ensure that all systems are capable of interconnecting and communicating with one another.
3. Audit Rules
Will Bible, partner at Deloitte, argues that it is only a matter of time before clients start moving portions of their businesses on to a blockchain-based infrastructure.22 The existence of DLTs will impact how financial audits are conducted. Blockchains will not automate audits entirely and will not make the role of the auditor obsolete, but rather it will change some of the processes. Financial and technical auditors will play a fundamental role in assessing the transactional data on the DLT platform, as is the case for auditing financial statements and systems today. Although financial data is stored on an online repository, off-chain records upstream and downstream from the on-chain transactions will also need to be audited. In 2017, Deloitte released the findings of their investigation into applying professional auditing and assurance standards to private blockchain protocols and applications, to enhance the trust of DLTs amongst their wide client base. The conclusion was that a blockchain platform is unlikely to provide a complete representation of financial statements, and auditors will still need to consider evidence and information beyond the blockchain.
4. Cybersecurity Controls
DLT is intrinsically linked with cybersecurity considerations. The foundation of blockchain technology is private and public key cryptography, digital signing and cryptographic hashes. The ability to write to a blockchain usually requires ownership of a private key that is either in possession of the cryptocurrency tokens or is in an access control list within the platform’s smart contracts. Access may also involve ownership of the decryption key required to read information stored on the blockchain.
Blockchain solutions restrict access to owners of certain cryptographic keys which are used to sign interactions digitally, encrypt and decrypt data, and send or receive tokens representing an asset. The security of keys is critical. The ENISA paper ‘Distributed Ledger Technology & Cybersecurity’ states that: “Stringent policies and procedures must be followed when managing keys, including people, processes and technology”.
Breaches involving theft or unauthorised control of these keys can have severe ramifications for a platform using DLT. In 2014, a Verizon Breach Report highlighted that only 15% of breaches are discovered within a day, 69% take more than a day to discover and 35% take weeks or even longer.27 Later in this chapter, we shall consider potential threats to private blockchains, but first we need to look at the general cybersecurity challenges facing organisations implementing a blockchain solution.
5. Enhancement of Traditional ICT Protocols
Information and Communication Technology (ICT) encompasses automated means of originating, processing, storing and communicating information, and covers recording devices, communications networks, computer systems and other electronic devices. Management of this infrastructure calls for a specific set of procedures to guarantee that risks related to technology can be identified, measured, monitored and controlled.
In the HKMA Supervisory Policy Manual on General Principles for Technology Risk Management, ICT controls can be broken down into five different categories: security management; system development and change management; information processing; communications networks; and management of technology service providers.
The decentralised nature of DLT calls for a differing approach to the management of these controls.
6. Business Continuity Planning and Blockchain
Business continuity planning (BCP) is a subset of risk management. It deals with the risk of an event such as the loss of critical infrastructure negatively impacting operations. Disruption of services could lead to lost revenues, additional expenses and reduced profits, in addition to potential reputational damage and loss of client confidence.
With regard to DLT, BCP covers the potential loss of data and processing capability due to loss of servers or connectivity, and risks such as cyber-crime. A typical DLT implementation of BCP might encompass a wide range of complex technical areas, from key storage and key regeneration in the event of catastrophic data loss to creating new keys when a cyber-crime incident compromises data security.