Top 10 questions every board should ask about cryptocurrencies


Cryptocurrencies tend to polarise opinion between sceptics and strong proponents, and to date, there has been little middle ground. However, this is quickly changing. Indeed, financial services firms in South Africa and globally are seeing increasing demand from their customers for access to bitcoin and other cryptocurrency-related products, and the capital markets are also confronting a broad set of crypto-related developments. As the field continues to develop, other organisations are exploring whether to get involved, and where to begin.

Given the dynamic nature of the market, the evolving legal and regulatory climate, and the sheer volatility of crypto assets (a term often preferred to cryptocurrencies), it can be a daunting task to define the space or even understand the strategic rationale of introducing a cryptocurrency into an organisation. This is especially true for directors and executives who may not be well versed in cryptocurrencies, their limitations, or even the underlying technology – not to mention the regulatory, risk, accounting, data security, and tax considerations that arise when dealing with a new asset class or service offering.

Boards and management teams are, or will soon be, compelled to consider the implications of the direct impact of cryptocurrencies on their businesses, and the potential indirect impact from several angles. In addition, there is considerable potential for new business models, which are starting to emerge in many areas. We unpack some key issues below.

As the role of the board is to discuss, review, and ultimately approve overall strategy, how can the board engage in constructive conversations about the potential strategic fit of cryptocurrencies? Some questions to discuss with management include:

  • What are the realistic use cases for our organisation?

Boards of financial services firms should start by asking management if the organisation can harness cryptocurrencies to increase the value of existing products or services. Firms within the commerce ecosystem, such as payments companies and merchants, may seek an increase in transaction volume or new customer interest in cryptocurrency. The business case for doing this must be offset by the volatility risk in cryptocurrencies. The boards of these firms should also ensure that management has explored the likelihood that cryptocurrency will be used for payments rather than as an asset, where it is largely used today.

Other opportunities, due in part to the development of a derivatives market, enable financial services firms to participate in the crypto ecosystem. What’s more, financial services firms can quickly serve new customer interest in crypto exposure. Here, the use case may be well-defined, with a quantifiable ROI.

Any conversation about crypto assets should take this practical approach to understanding the nature of the business opportunities and risks involved rather than seeing it as a technology project for business units to manage. Since there are many different cryptocurrencies, many with their own unique purposes and uses, it is important for senior management to define the appropriate use cases and how they fit into the overall strategy. As management develops the strategy – and decides whether crypto assets fit into this strategy – the board can then discuss the potential and strategic fit with management.


  • Are there new cryptocurrency-driven offerings that we could provide?

The introduction of cash-settled bitcoin futures products by the two largest US futures exchanges, the Chicago Board of Exchange (CBOE) and Chicago Mercantile Exchange (CME), has provided clearer opportunities for institutions such as banks and broker dealers in the US. Several brokerage firms now allow clients to trade bitcoin futures, and additional cryptocurrency financial products could emerge. In South Africa, some asset managers have announced crypto related products, and institutional trading is on the horizon, while areas such as custodial services are greenfield. The institutional ecosystem is currently forming, and custodial pricing for cryptocurrencies is at a material premium to vanilla asset classes.

Beyond the “market-established” cryptocurrencies, management should assess the different types of crypto assets—as some are true cryptocurrencies, while others are tokens—and they may also want to explore whether a company can or should harness its own cryptocurrency, which may enable the company to offer new products or enter new markets. This technology enables new business models based on the characteristics of blockchain and the ability to create crypto driven ecosystems, which is an exciting space. Although this could be an innovative opportunity in certain instances, it does require a thorough assessment of the risk-reward considerations.


  • How will extreme changes in valuations or volumes (5x-10x) impact the strategy?

Cryptocurrencies such as bitcoin (BTC), ether (ETH), and ripple (XRP) have seen significant increases in trading volume and interest from retail and institutional investors. The building blocks for an emerging ecosystem are now forming, providing market benchmarks (daily trading volume, customer demand) to help forecast and build a business case for a new product or service. For example, towards the end of 2017, the number of customers for a leading cryptocurrency platform overtook that of the largest US retail brokerages, at roughly 13 million.[1] The global volumes for BTC trading now rival those for widely-traded products such as S&P 500 futures (SPY) and far exceed those for the leading gold ETF (GLD) or high-yield corporate bond ETF (HYG).

Boards should expect management teams to develop market-validated assumptions around addressable markets, volumes and the growth potential for any crypto-based business case. Given the volatility of cryptocurrencies, boards should ask about market sensitivities and scenario assumptions if inputs were to go up or down by a factor of 5x-10x.

  • Does management have an effective system in place to model, manage, and balance risks and opportunity cost?

Financial services firms evaluating whether or not to enter the market should first take a stance on regulatory and reputational risk. Regulatory uncertainty or the inability to accurately calculate the fair value of a cryptocurrency may prove to be a challenge and will influence decisions whether to proceed.

Management should also establish scenario assessments for pricing, volatility and revenue, as well as the impact on existing processes, legal documentation and capital. Given that the regulated exchanges are reliant on trade flow and transaction details from a variety of sources for pricing (some unregulated), individual risk management considerations will vary. Boards should press management teams to consider whether adjusting existing risk management systems is adequate or whether new frameworks are needed.

As with other disruptive innovation, boards should also inquire about the opportunity cost of not participating. A full competitive assessment will be a dynamic exercise, as some of the Tier One market participants are taking a wait-and-see approach, while other nontraditional companies are aggressively entering the arena.

  • Is internal audit equipped to offer independent assurance of the technology, policies and controls?

Cryptocurrencies will ultimately introduce exposure to distributed ledger technology (DLT), which presents challenges to the traditional audit approach. The underlying concept of DLT is a peer-to-peer network where everyone on the network can see and verify that a transaction has occurred and been recorded properly. As such, the distributed ledger provides an accurate, real-time and shared record of all transactions without the need of a centralised certifying authority. Regardless of the promise of the technology, internal audit, risk or legal teams will still need to test and verify the systems and controls to adequately provide confidence to all stakeholders.

Boards should press management not just on policies and controls surrounding the new technology, but also on whether internal audit teams are properly suited and have the right expertise to perform their jobs. For DLT specifically, the technology is still new and audit teams may not have the understanding or comfort with systems that verify transactions through cryptographic concepts. Further, distinct DLT protocols may have different governance, organisational or technological approaches, which may necessitate a redesign of controls.

In addition, importantly, the audit itself will change. The challenge with DLT from an audit perspective is the premise that transaction records are irrefutable – 100% accuracy of all transactions diminishes the need for a point-in-time audit analysis. Instead, a process that confirms the validity of the transaction in real-time, as opposed to sampling, may be developed. Regardless of the different uses of crypto assets, the need for independent assurance of the underlying technology, controls and policies is a key part of the evaluation process.

  • What are the legal and regulatory guidelines, and how will the organisation monitor emerging regulatory considerations?

The inconsistency and early stage of regulation globally is arguably one of the greatest challenges to how a board or management should think about participation in these markets. As regulators begin to find their footing, the basics may matter the most – the crypto product, its use, who is using it, and where – to identify the potential regulatory regime.

In the US, cryptocurrency can be a commodity, a security, or neither, although regulators are clarifying that it is not a fiat currency (e.g. dollars, euro, yen). The Commodity Futures Trading Commission (CFTC) has become one of the more active agencies after declaring certain cryptocurrencies to be commodities in 2014,[2] and the recent self-certification of bitcoin futures by exchanges has brought these products further within its purview. The Securities and Exchange Commission (SEC) has so far had a wary stance with several cautionary statements regarding the treatment of tokens as securities, including the discouragement of select applications for bitcoin ETFs in 2017.[3]

Capital raising activities via initial coin offerings (ICOs) raise questions such as the legal nature of an ICO, token function and definition and tax considerations. In early 2018, the SEC issued subpoenas relating to ICOs to about 80 businesses. Primary concerns for new products focus on sufficient transparency of data (trade, price, volume) on the underlying crypto asset to adequately determine valuation of the ETF. Both agencies, along with other federal and state regulators and criminal authorities, have recently taken steps to reiterate their enforcement priorities to deter and prosecute fraud and abuse.[4] Globally, jurisdictions have taken different approaches, with some supportive (Switzerland, Hong Kong) and others more wary (EU).

Early approaches from regulators tend either toward clarifying how existing regulations apply to the crypto space, or to providing new rules to deal with crypto assets. Other standards-setting organisations (e.g. the Financial Accounting Standards Board) are earlier in the process and are starting to assess new cryptocurrency guidelines or rules.

In South Africa, there has been no clear guidance on virtual currencies from a regulatory perspective and the positions of important regulators such as the South African Reserve Bank (SARB) and the South African Revenue Service (SARS) remain unclear.

In December 2014, the SARB issued a Position Paper on Virtual Currencies stating that a virtual currency “can be digitally traded and functions as a medium of exchange, a unit of account and/or a store of value, but does not have legal tender status”.

The Position Paper highlighted the risks posed by virtual currencies but did not provide a clear position or clarify the status of virtual currency in South Africa. The Paper further pointed out the SARB does not oversee, supervise or regulate the virtual currency landscape, emphasizing that all activity related to virtual currency is at the risk of the user/trader with no recourse to the SARB. More recently, in February 2018, the SARB announced that it is reviewing its position on private cryptocurrencies to form an appropriate policy framework and regulatory regime. It is also experimenting with distributed ledger technologies.[6]

  • Has management given proper consideration to the global nature of cryptocurrencies?

Bitcoin is arguably the first monetary vehicle that can efficiently be transacted and settled on a global basis without an intermediary. As mentioned above, companies need to see that the proper responsibility is defined internally to oversee the various global jurisdictions where the company may face exposure.

With the decentralised technology underpinnings of cryptocurrencies, there is no centralised or regulated oversight of the currency itself. User identification and verification are not native and, as such, management will need to consider proper know-your-customer and anti-money laundering (KYC/AML) compliance. Companies also need to consider how various national regulatory regimes are weighing different standards and rules to deal with cryptocurrencies and the surrounding ecosystem, which increases overall regulatory uncertainty.

  • Is management aware of the tax framework and implications?

Members of the management team may not have the necessary tax background, but boards should probe whether appropriate responsibility will be or has been delegated. Exposure to cryptocurrencies or related financial products will raise complex tax considerations that are unique to the cryptocurrency ecosystem, and for which there is currently little definitive guidance.

From a tax perspective, it is important to differentiate ‘currency’ from an asset in the context of virtual currency, as the tax consequences differ significantly.

With respect to what guidance there is, SARS made an announcement in January 2018 that it is “treating cryptocurrencies under Capital Gains Tax (CGT)”, i.e. as any other capital asset that is subject to tax on sale. SARS has, however, mentioned that this is an area that they need to explore and that they are “looking at the implications of virtual currency on its tax base” and are engaging in “exploratory discussions with other jurisdictions”.

Further, in the 2018 annual budget, National Treasury proposed to update income tax and VAT legislation to address uncertainties posed by potential administrative difficulties associated with virtual currencies.

Each organisation’s exposure to this new asset class will vary significantly depending on the specific role and use case taken. The complexities of the tax treatment should be considered prior to exposure to ensure that the right processes and reviews are in place for emerging or changing tax considerations.

  • Is the company prepared for unforeseen exposure to cryptocurrencies?

Board members should ask if management is considering whether the internal treasury is ready for cryptocurrencies. The decentralised and cross-border nature of cryptocurrency is different from other conventional asset classes, as is the conversion process to fiat currency. Select standard payment services now accept cryptocurrencies, meaning payment intermediaries, financial services firms and retailers – depending on the process of converting between cryptocurrency and fiat currency – may face unforeseen balance sheet exposure to these currencies (largely bitcoin, as it is one of the few true liquidity options for fiat conversion). Organisations need a control, risk, and operational framework for how to deal with cash and treasury management functions, even if the exposure is unanticipated.

In addition, institutions may have invested in, or may be considering investment in, companies whose business model involves cryptocurrency. Existing portfolio companies may well also be considering crypto based business opportunities that may create exposure.

  • Has management considered the technology and security concerns for cryptocurrencies?

Boards should ask probing questions about the security of cryptocurrency keys. The storage and retrieval of cryptocurrencies is critical and, much like any cybersecurity role, largely thankless work. Boards should ask management teams what role their organisations want to take with formal security programmes and secure storage of cryptocurrencies, and to quantify risk-reward.

Organisations should also consider whether to focus on in-house development or work with one of the emerging third parties that are dealing with insurance around cyber breaches and working with regulators. After all, the crypto or DLT technology is not at fault for most of the crypto thefts. Rather, it is the broader set of systems including identity management, credentials control and storage approaches that present risk.

A company’s specific cyber-risk plan should also be updated for cryptocurrency. For example, how will existing software upgrades and patching processes be handled when crypto assets are involved? Many of the same best practices and proper security hygiene apply (properly managing credentials, multi-factor authentication, remediation plan, etc.), and updating these processes and educating internal and external individuals are effective steps in the prevention of security issues or lost keys.

The security topic is much broader than our discussion here. The mainstream media has, for example, covered the risks associated with various unregulated exchanges. The higher level of security that can potentially be offered by DLT is a wide-ranging conversation that we cover separately.

The cryptocurrency market will undoubtedly provide new opportunities for financial services organisations of all sizes and types. When it comes to developing a strategy, however, there is no one answer or way to approach all the issues that must be considered. Rather than getting distracted by the hype or by how other organisations are responding, each institution needs to evaluate the opportunity based on its own unique strengths, market position, regulatory circumstance and growth strategy.

In the case of cryptocurrencies, the right questions span many parts of the organisation. With our comprehensive viewpoint, which leverages insight and capabilities across the full spectrum of PwC services, board members can help the organisation understand how cryptocurrency may fit within the overall strategy.


About Author

Leave A Reply