


Article
Conceptualizing an Institutional Framework to Mitigate
Crypto-Assets’ Operational Risk
Deepankar Roy 1, Ashutosh Dubey 2 and Daitri Tiwary 3,*

1 Department of Information Technology, National Institute of Bank Management, Pune 411048, India;
d_roy@nibmindia.org
2 National Payments Corporation of India, Mumbai 400051, India; adashutosh@gmail.com
3 Birla Institute of Management Technology, Greater Noida 201306, India
* Correspondence: daitri.tiwary@gmail.com; Tel.: +91-8076327694

Abstract: Extant ecosystems of crypto financial assets (crypto-assets) lack parity and coherence across the globe. This asymmetry is further heightened by a knowledge gap in operational risk management, wherein the global landscape of crypto-assets is characterized by unprecedented external risks and internal vulnerabilities. In this study, we present a critical examination and comprehensive analysis of current crypto-asset operational guidelines across geographies. We benchmark these guidelines to the Basel Committee for Banking Supervision (BCBS) risk classification framework for crypto-assets, identifying gaps in the operations across organizations. We, hence, conceptualize a novel institutional framework which may help in understanding and mitigating the gaps in operational risks’ regulation of crypto-assets. Our proposed Crypto-asset Operational Risk Management (CORM) framework determines how operational risk associated with crypto-assets of financial institutions can be mitigated to respond to the increasing demand for crypto-assets, cross border payments, electronic money, and cryptocurrencies, across countries. Applicable to firms irrespective of their size and scale of operations, CORM aligns with global regulatory initiatives, facilitating compliance and fostering trust among stakeholders. Strengthening our argument of CORM’s applicability, we present its efficacy in the form of alternate hypothetical outcomes in two distinct real-life cases wherein crypto-asset exchanges succumbed to either external risks, such as hacking, or internal vulnerabilities. It paves the way for future regulatory response with a structured approach to addressing the unique operational risks associated with crypto-assets. The framework advocates for collaborative efforts among industry stakeholders, ensuring its adaptability to the rapidly evolving crypto landscape. It further contributes to the establishment of a more resilient and regulated financial ecosystem, inclusive of crypto-assets. By implementing CORM, institutions can navigate the complexities of crypto-assets while safeguarding their interests and promoting sustainable growth in the digital asset market.

Keywords: crypto-assets; operational risk; operational risk management; risk classification framework for crypto-assets

Citation: Roy, Deepankar, Ashutosh Dubey, and Daitri Tiwary. 2024. Conceptualizing an Institutional Framework to Mitigate Crypto-Assets’ Operational Risk. Journal of Risk and Financial Management 17: 550. https://doi.org/10.3390/jrfm17120550

Academic Editors: Ramona Rupeika-Apoga, Cristian Tiu and Ole Jakob Bergfjord

Received: 28 October 2024
Revised: 22 November 2024
Accepted: 29 November 2024
Published: 9 December 2024

Copyright: © 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

1. Introduction
In recent years, cryptocurrencies have become one of the most intriguing investment opportunities. A growing number of wealth managers and institutional investors are getting ready to make cryptocurrency investments in the upcoming years as prices continue to rise. The global crypto-asset management market is anticipated to grow at a compound annual growth rate (CAGR) of 25.50% from 2022 to 2029, reaching USD 2801.87 million (Data Bridge Market Research 2022). The market for crypto-assets is shown in Figure 1 as a percentage of market value.

J. Risk Financial Manag. 2024, 17, 550. https://doi.org/10.3390/jrfm17120550 https://www.mdpi.com/journal/jrfm


J.J. Risk
Risk Financial
FinancialManag.
Manag.2024,
2024,17,
17,550
x FOR PEER REVIEW 2 of 29
2 of 31

Figure 1. Market capitalization of cryptocurrencies, including stablecoins and tokens. Source: Authors’ Creation.

Following the FTX scandal in 2022, cryptocurrencies went through a bubble akin to the dotcom bubble of the twenty-first century (KPMG 2022b). Similar to how euphoric speculation caused dotcom company valuations to soar before plummeting, the unexpected surge in interest in cryptocurrencies and other crypto-assets has made them a regular feature in news stories worldwide. Based on blockchain technology, a variety of crypto-assets, including cryptocurrencies, fungible tokens, non-fungible tokens, and central bank digital currencies (CBDCs), have been created and embraced globally. The majority of the analysis is still abstract; however, 90% of central banks worldwide are currently assessing the benefits and hazards of issuing CBDC (RBI 2022). Central bankers must consider a number of potentially destabilizing concerns before deciding to engage in the digital currency race. It is true that there is a race to determine the future of money, currency, and payments and that authorities from all over the world must be clear and consistent. CBDCs provide a distinctive substitute for cryptocurrencies. Central banks issue, oversee, and support CBDCs, in contrast to the decentralized nature of cryptocurrencies. This indicates that they provide an extra degree of protection and trust and are supported by the government. CBDCs are a possibly more effective and economical alternative to cryptocurrencies since they can also be used to enable payments and transactions between banks. Additionally, by increasing transaction transparency and trackability, CBDCs can give governments greater insight into financial activity. In the end, if created on a blockchain, CBDCs can be categorized as crypto-assets. They provide a safe and regulated substitute for cryptocurrencies and give central banks a new avenue to communicate with their citizens.

As we commence with mapping of existing regulations for crypto-assets across the USA, Europe, Saudi Arabia, China, and India, we identify gaps in terms of risk mitigation mechanisms. This gap is persistent in terms of operational risks, i.e., the risk of loss caused by weak processes, people, or systems. It is further magnified by systemic risks associated with financial institutions, including legal risks and information technology risks. Though actual and potential operational risk events are assessed for their reputational, regulatory, and operational impacts, we underscore the need for a framework which may be adopted for managing operational risk, similar to a commercial bank’s risk management program (KPMG 2022a). While we draw similarities between the operational risk of crypto-assets and the operational risk built into all banking products, activities, processes, and systems, we conceptualize a framework to determine how the operational risk can be mitigated in response to the increasing demand for crypto-assets, cross border payments, electronic money, and cryptocurrencies. In this process, we analyzed the development and evolution of associated operational risk types relevant to crypto-assets.

Timeline of Risk Management Failures in Crypto-Assets


We observe that the biggest risk from an operational standpoint is storage loss. Cryptographic keys, not coins, are what control a cryptocurrency address. If the keys are revealed or control is briefly lost, the money linked to a specific address may be lost entirely. Two specific incidents in the recent history of crypto-assets are used to illustrate this operational risk. For example, when Mt. Gox fell in January 2014, 850,000 bitcoins were destroyed (Trust 2024). Since Ethereum’s 2016 introduction, additional platforms have been able to develop their own coins and use smart contracts. Cardano, Tezos, and Neo adopted this model in 2016. In January 2018, Coincheck, a cryptocurrency exchange based in Tokyo, was robbed of $530 million. The thieves exposed Coincheck’s security by stealing money from it via a “hot wallet” (Buck 2018). In August 2021, more than $600 million was taken from Poly’s decentralized finance platform (Gagliardoni 2021). Additionally, a tweet urged the project’s developers to donate $33 million in Tether. In December 2021, BitMart was compromised (Thurman 2021); security companies reported that its addresses were drained and that $96 million worth of cryptocurrency was moved via the Binance Smart Chain to an address Etherscan labelled “BitMart Hacker”. Also in December 2021, a front-end attack on the Badger DAO (Decentralized Autonomous Organization) led to a $120 million Bitcoin and Ethereum theft by permitting an Externally Owned Account (EOA) to have infinite approvals. After discovering that user addresses were being drained, Badger suspended its smart contracts. The fraudulent transactions failed after two hours and twenty minutes. One effective security technique is the use of specialist key-storing hardware, such as hardware wallets and hardware security modules (HSMs). However, hardware solutions are not perfect. Security measures also include compartmentalizing funds and using multi-signature wallets.
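The Badger DAO incident above turned on token allowances rather than on stolen keys: a compromised front end led users to grant an externally owned account (EOA) an unlimited approval, after which the spender could move balances until the contracts were paused. The following Python is an added example, not code from the paper or from any project it cites, showing the defensive side of that failure mode: it replays ERC-20 Approval(owner, spender, value) events in chain order, keeps only the allowance currently in force for each (token, owner, spender) pair, and flags allowances that are effectively unlimited or that point at a plain EOA. The token and account addresses, amounts and block numbers are constructed placeholders, the 2**128 "effectively unlimited" threshold is an assumption, and the spender_is_contract flag is supplied with the sample data where a live tool would derive it from an eth_getCode lookup.

```python
"""Audit live ERC-20 allowances for unlimited grants and grants to EOAs.

Added example for the storage-loss / infinite-approval discussion; not the
paper's code. All addresses and values below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

UINT256_MAX = 2**256 - 1
# Allowances at or above this are treated as "effectively unlimited".
# Many dApps request UINT256_MAX; the 2**128 cut-off is a defensive assumption.
UNLIMITED_THRESHOLD = 2**128


@dataclass(frozen=True)
class Approval:
    """One decoded ERC-20 Approval(owner, spender, value) event.

    spender_is_contract would normally come from eth_getCode (non-empty
    bytecode => contract); here it is part of the constructed sample data.
    """
    token: str
    owner: str
    spender: str
    value: int                # allowance in the token's smallest unit
    spender_is_contract: bool
    block: int
    log_index: int


@dataclass(frozen=True)
class Finding:
    severity: str             # "high" or "medium"
    token: str
    owner: str
    spender: str
    reason: str


def current_allowances(events: List[Approval]) -> Dict[Tuple[str, str, str], Approval]:
    """Replay events in chain order. Each Approval overwrites the previous
    allowance for (token, owner, spender), so a later approve(spender, 0)
    revokes an earlier unlimited grant and must not be reported."""
    latest: Dict[Tuple[str, str, str], Approval] = {}
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        latest[(ev.token, ev.owner, ev.spender)] = ev
    return latest


def audit_approvals(events: List[Approval]) -> List[Finding]:
    """Flag allowances that widen the blast radius of a compromised front end
    or spender: any grant to an EOA, and unlimited grants to contracts."""
    findings: List[Finding] = []
    for ev in current_allowances(events).values():
        if ev.value == 0:
            continue                                  # revoked; nothing to spend
        unlimited = ev.value >= UNLIMITED_THRESHOLD
        if not ev.spender_is_contract:
            what = "unlimited allowance" if unlimited else "allowance"
            findings.append(Finding("high", ev.token, ev.owner, ev.spender,
                                    f"{what} granted to an EOA"))
        elif unlimited:
            findings.append(Finding("medium", ev.token, ev.owner, ev.spender,
                                    "unlimited allowance granted to a contract"))
    # Highest severity first, then a deterministic order for reporting.
    return sorted(findings, key=lambda f: (f.severity != "high", f.owner, f.token))


# Constructed sample events (placeholder addresses, not real chain data).
SAMPLE_EVENTS = [
    # Bounded approval to a known router contract: normal usage, no finding.
    Approval("0xTOKEN_A", "0xUSER_1", "0xROUTER", 1_000 * 10**18, True, 100, 0),
    # Unlimited approval to an EOA, the pattern seen in the Badger DAO case: high.
    Approval("0xTOKEN_A", "0xUSER_1", "0xEOA_SPENDER", UINT256_MAX, False, 101, 3),
    # Same grant by another user, later revoked with approve(spender, 0): no finding.
    Approval("0xTOKEN_A", "0xUSER_2", "0xEOA_SPENDER", UINT256_MAX, False, 102, 1),
    Approval("0xTOKEN_A", "0xUSER_2", "0xEOA_SPENDER", 0, False, 103, 0),
    # Unlimited approval to a vault contract: common, but worth tracking: medium.
    Approval("0xTOKEN_B", "0xUSER_3", "0xVAULT", UINT256_MAX, True, 104, 2),
]

if __name__ == "__main__":
    for f in audit_approvals(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.owner} -> {f.spender} on {f.token}: {f.reason}")
```

Run against the constructed events, the audit reports two findings: the live unlimited grant from 0xUSER_1 to the EOA (high) and the unlimited grant from 0xUSER_3 to the vault contract (medium); 0xUSER_2 is silent because the revocation is the latest event for that pair. The replay step is the part worth keeping in a real monitor: flagging raw Approval events without netting out later revocations produces stale alerts, and an approve(spender, 0) is exactly the remediation a user or custodian issues after an incident like Badger's.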
Mining-power centralization presents a systemic risk in addition to the operational risk of storage loss since it may result in blockchain and currency manipulation. In October 2022, for example, Binance was hacked for $570 million, which is considered to be one of the largest attacks in the history of cryptocurrencies. A hack of the Binance Smart Chain network resulted in the withdrawal of 2 million Binance Coins (BNB) and the creation of additional Binance Coins (Livni 2022). Binance, a cryptocurrency exchange, has its own token, BNB. The incident stemmed from a smart contract flaw, underscoring that blockchain security needs to be strengthened. The ramifications of crypto-assets for policy are hotly debated. We further probe and map the operational risks to arrive at mitigation strategies and the conceptualized framework.
Our research is presented in the following Section 2, commencing with a review of
existing literature on operational risk in crypto-assets. In Section 3, we map the evolution of
crypto-assets’ regulatory ecosystem. Thereafter, in Section 4, we describe recent incidents
that have exploited operational risks of crypto-assets. In Section 5, we discuss global
initiatives to manage risks and associated risks that have been observed. In Section 6, we
propose a framework for managing operational risks associated with crypto-assets. Finally,
we discuss the application, limitations, and scope of our framework.

2. Review of Literature
As financial markets become more complex, inter-linked, and sophisticated, we refer to extant research on risks associated with financial assets to unravel its antecedents, relevant theories, and implications. Seminal literature defines risk to be an “exposure to a proposition of which one is uncertain”, thus requiring both exposure and uncertainty of outcomes (Holton 2004). Broadly classified into the categories of systematic risk and unsystematic risk, the scope, impact, and mitigation strategies widely vary. The focus of empirical models in assessing risks is dependent on probabilistic and quantitative estimation of externalities. This includes the probabilistic approach of Knight (1921), Markowitz’s (1976) theory of portfolio selection, and the market-benchmarked capital asset pricing model of Fama and French (1993). Present research on crypto-assets, specifically cryptocurrencies, has adopted similar approaches, with quantitative models of risks and returns, hedges, spreads, and network effects with other asset classes like gold, crude, etc. (Chan and Nadarajah 2020; Almeida et al. 2022; Almeida and Gonçalves 2022). There remains an evident gap in understanding the business-specific risks for crypto-assets. This is pertinent since measures of portfolio efficiency of traditional financial assets have been empirically proven to be inefficient in the case of crypto-assets (Juskaite et al. 2024).

Seminal research by Lintner and Fama has, however, reduced unsystematic risks, i.e., risks unique to a business or industry and pertaining to factors within the asset class, to residuals of asset-pricing models, explaining them to be uncorrelated with returns (Beja 1972). This has been addressed in the previous decades, wherein unsystematic risks have included compliance risk, reputational risk, security risk, competition risk, governance risk, strategic risk, technological risk, and operational risk (Blackman 2014; Boitnott 2022; Christiansen 2021). The literature suggests that these are risks which can be mitigated, thus paving the way for business resilience. We note that while market risks of crypto-assets have gained attention, operational risks, i.e., “uncertainty related to losses resulting from inadequate systems or controls, human error or management” (Moosa 2007), emerge as a persistent problem for crypto-assets, resulting in massive losses, as discussed in Section 1. We refer to the Copernican shift in perception and estimation of operational risks for financial assets due to the reforms of Basel II while probing in the context of crypto-assets (Power 2005).
As the definition of operational risk continues to be nebulous, the Commonwealth Bank of Australia (1999) defined it as “all risks other than credit and market risk, which could cause volatility of revenues, expenses and the value of the Bank’s business”. In another contemporary definition by the Reserve Bank of New York (Shepheard-Walwyn and Litterman 1998), operational risk is defined as “a general term that applies to all the risk failures that influence the volatility of the firm’s cost structure as opposed to its revenue structure”. We therefore note that operational risks may affect both the revenue and the cost incurred in a business. Drawing parallels to the financial asset class, operational risks, such as loss of storage, security threats, compliance and tax issues, cyber threats, etc., have been affecting crypto-asset classes. However, empirical models and mitigation strategies are insufficiently researched in the context of crypto-assets.
Peters et al. (2016) had one of the earliest discussions on operational risks in the
domain of cryptocurrencies. Referring to the Basel II and III banking regulations applicable
to virtual and cryptographic assets, the authors stated that operational risks are “not
incidental” but “fundamental” for crypto-assets, especially when they are accepted and
commence interacting with banking channels and financial networks. Citing the definition
of operational risk as “the risk of loss resulting from inadequate or failed internal processes,
people, and systems or from external events”, as stated in Basel II, Peters et al. (2016) claim
that the risk will be accentuated as crypto-assets become more active. Tetiana et al. (2022)
substantiate this by stating that operational risks have been influenced and heightened
by “bull runs” of crypto-assets. This presents a significant void in the literature since the
crypto-assets market has experienced exponential growth (see Figure 1), but there is a
dearth of insights on the extent and potency of its operational risks (CoinMarketCap 2024).
Citing recent research by Juskaite et al. (2024), we underscore that lack of knowledge
pertaining to operational risks has led the investor to underestimate the risk. While
empirical studies have applied portfolio optimization on the risk and return of crypto-
assets, the research shows that the results may not conform to traditional financial assets
(Juskaite et al. 2024). As explained by Mueller et al. (2023), this may be due to idiosyncratic
levels of operational risk associated with crypto-assets and their diverse interactions with
financial institutions.
Though technological infrastructure, security assumptions of cryptographic software, open-source governance, digital asset custody, digital asset valuation, and code maintenance have been cited as sources of operational risks, the lack of regulatory auditing and the nascent stage of cloud forensics remain insufficiently explored in the scientific literature (Zhao and Duncan 2018; Ikeno et al. 2022; Ward 2023). Theoretically, while operational risk is well researched, its antecedents, measures, and implications for crypto-assets are insufficiently covered in the literature. We address this research gap by mapping the operational risks of crypto-assets and conceptualizing an institutional mitigation framework based on uncertainty theory (Liu 2009). Unlike probability theory (Kolmogorov 1963), which dwells in finite outcomes, uncertainty theory, applied in the context of operational risks in crypto-assets, posits that there may be infinite outcomes with respect to the prevailing diverse risks. In a novel approach to explore uncertainty theory beyond mathematical representations, we propose a framework which is able to address the lack of information about crypto-assets’ operational risks by (i) defining uncertain variables in terms of operational risks unique to crypto-assets, (ii) mapping the potentially impacted party, (iii) mapping the operational risk pillar as per Basel Operational Risk (Loss Category 1), (iv) indicating loss effect as per the Basel Framework, and (v) proposing a mitigation approach.

3. Crypto-Asset Ecosystem and Its Evolution


A crypto-asset can be considered as “a digital portrayal of value, which may be provided by a financial institution or a central bank, or any private entity or a decentralized software driven network, which is secured and transacted using cryptographic means” (Lam and Lee 2015). Such crypto-assets may be used in certain situations in place of lawfully offered funds. It could also be physically depicted through things like metal objects with engravings or paper printouts. A form of anonymous cryptographic electronic money was first proposed by American cryptographer David Chaum in a conference paper published in 1983. It was envisioned that a currency could be transmitted untraceably and without the involvement of centralized entities (such as banks). Chaum developed Digicash as a prototype cryptocurrency in 1995 based on his early ideas. A white paper describing the functioning of the Bitcoin blockchain network was published by Satoshi Nakamoto on 31 October 2008. On 22 May 2010, cryptocurrency was used to purchase something tangible for the first time, a day now known as “Bitcoin Pizza Day”. A fork of Bitcoin, Litecoin, appeared in October 2011 and was soon the second-largest cryptocurrency by market capitalization. Digital currency is highly attractive to criminals because of its anonymity and lack of centralized control. China banned transactions using crypto-currency in 2019 and started pilots of the Chinese central bank digital currency (CBDC) e-yuan in the country from 2020 (Felix and Baker 2023).

A legal tender system for Bitcoin was introduced in El Salvador (PwC 2022) in September 2021. A variety of financial services activities are being executed using smart contracts that are based on blockchain technology. Decentralized finance (DeFi) has been attracting the attention of technology developers, investors, and financial institutions. A number of new crypto-asset markets have already been enabled by DeFi protocols on public blockchains, including borrowing and lending, as well as decentralized exchanges. The technology could facilitate transactions in real-world assets such as stocks, currencies, and bonds. Real-world assets will need to be represented digitally, or via tokens, so that they can be added to the blockchain. DeFi protocols may provide issuers, investors, and financial institutions with significant cost savings and new business opportunities for tokenizing real-world assets for transacting through them.

Figure 2 and Table 1 provide a list of participants in the crypto-asset ecosystem, with examples identified by platform, institution, or service names (Roy et al. 2023).

Figure 2. Crypto-asset ecosystem. Source: Authors’ Creation.

Table 1. Crypto-asset ecosystem. (Adapted from: Dubey et al. (2022)).

Settlement Layer
Description: The settlement layer of a network consists of network hardware, blockchain-based software, and data management mechanisms, including the Internet and connected devices. This layer serves as the foundation for all the subsequent layers. In this layer of the protocol, different consensus mechanisms, such as proof of work and proof of stake, are used to ensure the security of the blockchain.
Examples: Ethereum, Binance, Bitcoin, Hyperledger, R3 Corda, etc.

Asset Layer
Description: This layer includes the creation of different assets over the blockchain layer. Some of them are:
- Cryptocurrency (Fungible token): A crypto token functions as a method to support governance, access, and non-monetary transaction.
- Stablecoin: Tokens that are predominantly a payment settlement asset and intended to sustain a steady value of exchange.
- Central Bank Digital Currency: A payment settlement token, or digital equivalent of physical bank notes and coins, that is issued by a central bank and turns out to be the third form of public money in conjunction with central bank reserves and cash.
- Non-Fungible Tokens: A variation in tokenization of securities, securities tokens are types of investment assets that only exist, including the proof of ownership, in the blockchain or Distributed Ledger Technology (DLT) ledger.
- Native token: A token backed by assets may represent fiat currency; expensive gems; precious metals like gold, silver, and platinum; baskets of assets; or even interest as cashflow in real estate. Some represent a right to claim an asset, while others are digital representations of specific assets.
Examples: Dogecoin, USDC, Digital Rupee, Non Fungible Token (NFT) for Arts

Protocol Layer
Description: A smart contract is a program stored on a blockchain that is executed when certain conditions are met. With the growth of a blockchain, the number of transactions will increase. We need scalable solutions to support the increased number of transactions. It is common for off-chain solutions to be implemented in order to resolve issues related to the protocol’s first layer. The features of the first layer are not diminished by these solutions, but rather, they are enhanced.
Examples: Polygon, Polkadot

Application Layer
Description: This layer includes over-the-top customization to facilitate the financial services over blockchain protocol.
Examples: Uniswap, dYdX, AAVE

Aggregation Layer
Description: These are user interfaces which enable interaction with DeFi or blockchain application with the help of wallets or service provider applications.
Examples: Wallets like Coinbase, Metamask

Additional Services
Description: There are value-added services which are required to run the blockchain platform with required compliance, guidelines, and regulations.
Examples: Oracle services like Bloomberg

3.1. Global Initiatives to Manage Risk Associated with Crypto-Assets

The regulatory focus on digital assets has significantly increased in the last few years, and this trend is expected to continue. Market capitalization and volatility rose quickly as institutional and retail adoption grew. Consumer trust has been damaged by recent high-profile cryptocurrency company failures, fraud, scams, and improper handling of client assets. Because of this, regulators have come into sharper focus. Figure 3 below (Thomson Reuters 2022) depicts the status of crypto-asset regulations globally:

Figure 3. Global regulations for crypto-assets. Source: Thomson Reuters. Cryptos Report Compendium 2022.

To guarantee improved consumer protection, a prompt and comprehensive global regulatory policy approach and supervisory structure are required. There are two primary categories into which the regulations fall:

3.1.1. Category 1: New Regulations for Holding Crypto-Assets by Regulated Entities

To determine whether a bank’s exposure to a crypto-asset will be allocated, the Basel Committee on Banking Supervision (BCBS) established criteria in its second consultation on the prudential treatment of crypto-asset exposures in December 2022 (Basel Committee on Banking Supervision 2022). Every right and duty associated with the cryptocurrency asset is well defined and enforceable by law. Whether it is a tokenized traditional asset or has a strong stabilizing mechanism that ties its value to a traditional asset, this also involves settlement finality. According to the standard, crypto-assets shall be continuously categorized into two groups. Group 1 crypto-assets comprise Group 1a crypto-assets, which include tokenized traditional assets, and Group 1b crypto-assets, which have effective stabilizing mechanisms. Group 1 crypto-assets are subject to Basel Framework capital requirements, which are determined by the risk weights of the exposures in the portfolio. Group 2 comprises unbacked crypto-assets. Hedging-recognition criteria are used to identify which Group 2 crypto-assets (Group 2a) can be hedged and which (Group 2b) cannot. Table 2 below lists the financial and non-financial risks related to crypto-assets that were noted in the December 2019 (Basel Committee on Banking Supervision 2022) discussion paper published by BCBS.

Table 2. Basel Committee for Banking Supervision (BCBS) risk classification framework for crypto-assets (Roy et al. 2023; KPMG 2020).

Category | Risk | Description
Financial Risks | Liquidity risk | Market liquidity risk develops if cryptocurrency assets cannot be sold for little to no loss of value. Banks that issue and/or accept deposits in cryptocurrency assets may also be vulnerable during difficult times because of a lack of financial liquidity.
Financial Risks | Market risk | The valuation and pricing of crypto-assets display a high degree of volatility, and disjointed trading platforms may hinder price discovery.
Financial Risks | Credit and counterparty credit risk | Crypto-assets that are legally binding generate counterparty credit and credit risks in the same manner as traditional assets. It points out that banks find it challenging to estimate the risk of lending to crypto-asset businesses due to the lack of historical data on these assets.
Non-Financial Risks | Cyber and operational risk | Since crypto-assets are digital and not supported by tangible assets, operational and cyber risks are evident concerns. The technologies behind crypto-assets expose financial organizations to a whole new set of vulnerabilities from a governance and cybersecurity standpoint.
Non-Financial Risks | Legal and regulatory risk | For businesses without a strong regulatory framework, crypto-assets present new legal and regulatory dangers. Because cryptocurrency assets are not subject to central regulation, regulatory arbitrage may occur. Furthermore, as blockchain technology facilitates value movement, financial institutions will need to develop creative methods to adhere to KYC, AML, and terrorist financing requirements.
Non-Financial Risks | Reputational risk | Using cutting-edge coin offerings and crypto-asset management technology carries reputational hazards. Since cryptocurrency assets are distributed, unlike traditional assets, any unfavorable opinion or behavior by one party could have an adverse effect on the ecosystem as a whole.
Non-Financial Risks | Third party risk | The majority of crypto-assets are operated by unregulated third parties with community-driven software. To improve their product offerings, financial institutions could also look for outside developers, partners, or solution suppliers. All of these factors contribute to an increase in third-party risk for a financial institution.
Non-Financial Risks | Implementation risk | Internal policies and procedures must be created from the beginning and throughout the lifecycle of a crypto-asset. A crypto-asset cannot be implemented until an accounting treatment, operational method, and other frameworks are in place.

Cryptocurrency assets are also expected to adequately reduce material risks, including those
of their operating networks. It is necessary to control and oversee organizations and processes
that handle and process cryptocurrency assets or to subject them to suitable risk management
protocols. “A risk-based approach to virtual assets and virtual asset providers was published
by the Financial Action Task Force (FATF) in October 2021” (FATF 2021). Virtual Asset Service
Providers (VASPs) can use this document to better understand and fulfill their anti-money
laundering (AML) and counter-terrorism financing (CTF) obligations, as well as to assist
authorities in creating regulatory and supervisory standards for virtual asset operations.
The German government was one of the first to grant legal certainty to financial
institutions, allowing them to retain bitcoin assets (Federal Financial Supervisory Authority
(BaFin) 2024). As per the regulations, only authorized exchanges and custodians are
permitted to purchase or trade cryptocurrency assets. The German Federal Financial
Supervisory Authority (BaFin) requires licenses for such companies. In the UK, the Cryptoassets
Taskforce is composed of the Financial Conduct Authority (FCA), the Bank of England,
and HM Treasury (Cryptoassets Taskforce 2018). Regulations created especially for crypto-
assets by the FCA address CFT, AML, and know your customer (KYC). Restrictions have
also been put in place to protect VASPs, but care has been taken to avoid limiting innovation.
Cryptocurrency exchanges need to register with the FCA if they have not already filed
for an e-money license. Cryptocurrencies are subject to activity-based taxes and are not
considered legal tender. The FCA has banned the trading of bitcoin derivatives.

3.1.2. Category 2: Classifying Crypto-Assets to Be Financial Products That Are Currently
Regulated and Expanding That Regulation to Include Other Ecosystem Components
“Cryptocurrency is a security covered by Israel’s securities laws, according to a ruling
by the Israeli Securities Authority” (Israel Securities Authority 2018). The agency has issued
warnings to the public about the risks of cryptocurrency. FATF’s position on AML/CFT
rules is comparable to that of the Israel Money Laundering and Terror Financing Prohibition
Authority. Cryptocurrencies are considered assets by the Israel Tax Authority, which also
mandates a 25% capital gains tax.
A warning “against dealing or investing in Crypto Assets including cryptocurrencies
as they are not recognised by legal entities in the kingdom” has been issued by the Saudi
Arabian Monetary Authority (SAMA) and its Ministry of Finance of Government of Saudi
Arabia (2019). They are outside the scope of the regulatory system and are not traded by
regional financial institutions.
The regulatory landscape surrounding cryptocurrencies in the US is evolving, despite
agency overlap and differing viewpoints. Divergent interpretations and guidelines have
been issued by the Financial Crimes Enforcement Network (FinCEN), the Securities and
Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and
the Federal Reserve Board, which are all considered to be the most powerful regulatory
agencies. The SEC consistently views cryptocurrencies as securities; “the Treasury calls
bitcoin a currency, and the CFTC calls it a commodity” (Commodity Futures Trading
Commission 2020). The Internal Revenue Service (IRS) defines cryptocurrency as “a digital
representation of value that serves as a medium of exchange, a unit of account, and/or a
store of value” and has published tax guidance accordingly.
Cryptocurrencies are governed by the Monetary Authority of Singapore (MAS 2020).
Both traditional and cryptocurrency payments and exchanges are governed by the Payment
Services Act of 2019. The Securities and Futures Act also governs the issuance of digital
tokens.
The Indian legislative council adopted the taxation laws on virtual digital assets
(VDAs), often known as the crypto tax, as suggested in the Budget 2022–2023 by approving
the Finance Bill 2022. The tax rate on cryptocurrency assets is 30%. A bill is now being
drafted by the Indian government. At the G20 summit in 2023, which India hosted, this
problem was a key topic of discussion. The draft bill on “Banning of Cryptocurrency &
Regulation of Official Digital Currency Bill 2019” (Press Information Bureau 2019), forbids
cryptocurrencies as legal cash or currency. Furthermore, it is forbidden to mine, keep,
sell, deal in, issue, dispose of, or utilize cryptocurrencies (Press Information Bureau 2019).
Creating cryptocurrencies and/or verifying buyer–seller cryptocurrency transactions are
the goals of mining.
4. Associated Risks with Crypto-Assets

The Basel committee has identified some types of operational risk events, as shown in
Table 3, which have the potential to result in substantial losses. The current risk manage-
ment practices for financial institutions with reference to virtual assets and cryptocurrency
asset management have been examined in this article. It is critical to recognize that oper-
ational risk addresses outside variables like unforeseen circumstances and human error.
Global risk classification and an understanding of the workings of crypto-asset and ser-
vice providers are crucial. Table 4 illustrates the key risk pillars that define crypto-assets
(Roy et al. 2023). This table provides a comprehensive summary of the operational risk
pillars associated with crypto-assets, detailing various risks that financial institutions may
encounter in this domain. The table categorizes risks into seven distinct pillars: Business
Model, Technology, Custody and Security, Market Access and Data, Confidentiality and
Privacy, Compliance and Tax, and Centralization. Each risk is described in terms of its
implications, such as unauthorized transactions, system errors, and the need for robust
security measures throughout the lifecycle of private keys. The benefits of this table are
manifold; it enhances clarity and structure in understanding the complex landscape of op-
erational risks, raises awareness among stakeholders, and serves as a guide for developing
targeted risk mitigation strategies. Furthermore, it facilitates compliance with regulatory
requirements and supports informed decision-making by helping institutions prioritize
their risk management efforts. Overall, Table 4 acts as a vital resource for financial institu-
tions navigating the operational risks inherent in the crypto-asset ecosystem, promoting
effective risk management practices and fostering a safer operational environment.

Table 3. Basel Committee Operational Risk events loss classification (Adapted from RBI 2024; BIS 2001).

Operational Risk Pillar 1 | Operational Risk Pillar 2 | Description | Illustrated Event
Internal fraud | 1. Theft and forgery; 2. Market manipulation; 3. Improper transaction capture, execution, and maintenance | This means that at least one internal party may collude with other internal or external parties in order to deliberately cause loss to the organization. There are numerous reasons behind internal fraud. For example, an internal party may deliberately want to misappropriate property owned by the company. In other cases, they can merely be taking more risks by trying to by-pass the systems which have been built. | Manipulation of prices of crypto-assets due to centralization of information. Account take-over or impersonation on crypto-asset wallets.
External fraud | 1. Hacks associated with theft and forgery; 2. System security | Firms have to deal with a wide variety of third parties. It is likely that some of these third parties may not have the intent of having a rational and candid deal with the enterprise. Instead, they may intend to cheat the firm by swindling money from them or by getting the firm to break the law. In such circumstances, there are no internal parties involved in the deceitful activity. | Distributed denial of service attack on crypto exchange.
Employment Practices and Workplace Safety | 1. Unauthorized data access; 2. Consuming external investment for non-business areas; 3. Unauthorized activity in systems; 4. Discrimination with employees | Office lawsuits such as those based on non-observance of laws regarding gender or cultural diversity can be put in this group. The firm may not have pardoned the conduct of its erring worker. However, it will be held accountable and may have to pay monetary compensations. Enterprises may also have operational risks arising from non-compliance with policies concerning the well-being and safety of workers. As a result, they may have to pay compensations to the wounded or otherwise distressed employee. | Stealing of user information, wallet keys, and tokens.
Improper Clients, Products, and Business Practices | 1. Defects in product; 2. Improper advisory services; 3. Wrong information sharing in market among clients and customers | A company may suffer operational risk because of the customers it selects to work with. For example, crypto companies like FTX were punished for fraud when their staff were found to have mismanaged crypto-assets. Likewise, a company may have to face operational risk because of non-compliance with its obligations towards the customer. | AML, KYC, regulatory breach, and non-compliance regarding management of crypto-assets in the geography. Insider trading of crypto-assets.
Losses to Physical Assets | 1. Failure of hardware; 2. Theft of physical servers hosting services | Organizations all over the globe spend a lot of money on building physical assets. Companies have to spend money in order to construct factories, purchase machinery, vehicles, or other assets that may be required by their business. Yet, these assets may get ruined in unrests, terrorist attacks, or even acts of God. | Servers hosting crypto-asset services became damaged due to system failure or improper business continuity plan.
Business Disruption | 1. Damages due to environmental, civic, political, and other disruptions in the business | If a company faces any outage or data robbery that arises because of the incorrect working of its business systems, it could face extreme losses. These losses could be connected to lost business income. Nevertheless, they could also be related to lawsuits that may arise because of the data which have been compromised. | Servers hosting crypto-asset service got damaged due to act of God. Outage of network or electricity stops the crypto-asset system.
Delivery and Process Management | 1. Promises on delivery of service; 2. Improper regulatory reporting; 3. Third party causing failure or fraud in the system; 4. Improper client intake and documentation; 5. Customer/client A/c mismanagement | Enterprises may also face operational risks because they may not be able to follow through on the assurances that they have made in their contracts. | Crypto-asset portfolio returns offered to customers are not meeting the expectations. Client consent and permissions not collected. Data entry error in the event of systemic failure.

Table 4. Summary of operational risk pillars associated with crypto-assets. (Adapted from PwC 2023; BIS 2019).

S. No. | Risk | Description
1 | Business model | Direct investing, futures trading, and staking assets to make money are only a few of the operational hazards associated with various digital asset investment strategies and business structures. Operational hazards include, but are not limited to, unauthorised transactions, incomplete or erroneous books and records, and digital asset holdings that do not balance with the custodian or blockchain.
2 | Technology | Technology risks include the possibility of unintentional or unauthorised logical and physical access to vital systems, the possibility of system mistakes and reporting as a result of change management operations, and the potential for an inefficient reaction to harsh market conditions.
3 | Custody and security | Strong controls should be in place at every stage of the private key life cycle, including generation, distribution, storage, security, and usage, as well as private key rotation and destruction, when offering services involving crypto-asset custody functions like onboarding, deposits/withdrawals, and reconciliation.
4 | Market access and data | Market data service providers have put controls in place to preserve market data and liquidity. The primary risk involved in this choice is whether the service user will use an infrastructure provider to aggregate and offer a single solution for all services, or will they connect to each decentralized exchange and blockchain independently?
5 | Confidentiality and privacy | Confidentiality and privacy must be preserved in order to foster trust and satisfy stakeholder expectations. Data leaks and transaction data loss pose the biggest risks.
6 | Compliance and tax | Providers of crypto-asset services are required to exhibit adherence to financial sector norms and laws, such as those pertaining to tax reporting, know your customer (KYC) requirements, and anti-money laundering (AML).
7 | Centralization | Without any maker–checker governance, a small group of people—mostly owners—control the business model, technology choices, operations, and market decisions.

5. Crypto-Assets Operational Risk Mitigation Framework (CORM)

A thorough analysis has led to a unified framework for managing crypto-asset op-
erational risk with a mitigation approach. The framework has been named Crypto-asset
Operational Risk Management (CORM). It has been represented in Figure 4. It will be
used to determine how the operational risk management associated with crypto-assets of
financial institutions can be mitigated in reaction to the increasing demand for crypto-assets,
cross border payments, electronic money, and cryptocurrencies.
This framework is comprehensive and combines qualitative and quantitative analyses
to assess risks systematically while providing guidance for mitigation. The components
of the CORM framework have been classified into three broad categories—qualitative,
quantitative, and derived. Each category has been associated with the factors which help
in identification, classification, detailing, assignment, and mitigation of operational risk
associated with crypto-assets. Together, these components provide a structured approach
to analyzing, quantifying, and mitigating risks in the context of digital assets. The quali-
tative component and quantitative component provide the foundational analysis of risks,
considering both subjective (qualitative) and objective (quantitative) factors. The derived
component consolidates insights from the other two components into actionable risk point-
ers. Each risk is assessed in terms of its nature (uniqueness), affected parties, and mitigation
strategies and is then quantified to evaluate its potential impact.
Qualitative components focus on the descriptive aspects of the framework, empha-
sizing the nature of risks and the context in which they occur. Operational risk with
crypto-assets identifies the specific operational risks that are unique to crypto-assets, such
as risks related to market risk, internal fraud, hard fork, storage, transaction processing,
regulatory compliance, etc. Uniqueness to crypto-assets indicates whether the identified
risks are specific to crypto-assets or if they are applicable to all financial instruments. Im-
pacted party outlines the stakeholders affected by the operational risks, which include
financial institutions, customers, and regulators. Mitigation approach outlines the strate-
gies and measures that can be implemented to mitigate identified operational risks. It
includes creation of a detailed plan with the best practices for risk management, such as
robust security protocols, compliance measures, and incident response plans. The CORM
framework serves as a comprehensive guide for financial institutions to navigate the
complexities of operational risks associated with crypto-assets, ensuring that they can effec-
tively manage these risks while complying with regulatory requirements and maintaining
stakeholder trust.
[Figure 4 (diagram): CORM Framework. Qualitative component: operational risks with
crypto-assets (market risk, internal fraud, unauthorized access, hard forks, others);
uniqueness (yes/no); impacted party (government institution, financial institution, end
users); mitigation approach (detailed plan). Quantitative component: loss effect under the
Basel framework. Derived component: Basel operational risk pillar; identified risk pillar (as
per Table 4), associated with the operational risks.]

Figure 4. CORM framework. Source: Created by the Authors.

Quantitative components involve measurable aspects of the framework, focusing on the
assessment and evaluation of risks. Loss effect as per the Basel framework describes the
potential impact of the identified risks, aligning them with the loss categories defined by the
Basel framework. This can be computed in terms of potential value loss for the institution
if risk is not mitigated. Thus, it can assist senior management to understand the potential
of risk and take decisions accordingly to mitigate said risk. Under the Basel framework,
financial institutions assess loss effects through quantitative and qualitative methods,
such as Basic Indicator Approach (BIA), where operational risk capital is calculated as a
fixed percentage of the institution’s annual gross income; Standardized Approach (SA),
where operational risk capital is determined by dividing business lines and applying
specific risk factors; and Advanced Measurement Approach (AMA), where institutions use
internal data, risk control indicators, and loss event models to estimate potential losses.
Institutions also use historical data and risk assessments to identify and mitigate potential
loss events proactively. The loss effect ultimately serves as a key metric for calculating the
capital reserves required to cover operational risks, ensuring institutions maintain financial
stability and resilience against potential disruptions.
Derived components are the outcomes or strategies derived from the existing global
regulatory frameworks like Basel, Financial Stability Board (FSB), etc., which act as reference
for building mitigation and management solutions. This classification helps in
understanding the CORM framework’s structure and its approach to managing operational
risks associated with crypto-assets, facilitating a comprehensive risk management strategy
for financial institutions. Basel Operational Loss Pillar refers to the categorization of risks
based on established frameworks, such as the Basel Operational Risk framework, which
helps in identifying and classifying the types of operational risks. The identified risk pillar
associated with crypto-asset emphasizes linking the operational risk identified for crypto-
assets with the risk pillar provided by global regulators associated with the crypto-assets.
This linkage is critical to map the definitions of risk with current regulatory guidelines,
which is crucial in the rapidly evolving landscape of crypto-assets.
Appendix A illustrates the applicability of the CORM framework to the current crypto-
asset ecosystem and its participants. CORM analyzes emerging risks, maps them to the
established BASEL risk framework, and provides mitigation strategies. Mitigation ap-
proaches like this will increase trust, compliance, and stability of crypto-asset management
in financial institutions that use it as a tool for payment, investment, asset allocation, and
portfolio management. CORM is tailored to identify and assess unique risks tied specifically
to crypto-assets, such as key management vulnerabilities, blockchain disruptions, and trans-
action irreversibility. Risk management frameworks like Basel III, designed for traditional
assets, do not fully address these areas. CORM provides crypto-focused risk mitigation
techniques like multi-signature wallets, decentralized governance for decision-making, and
specific key management policies. Risk management frameworks like Basel III’s mitigation
strategies lack specificity for decentralized and cryptographic asset environments. With
CORM, institutions obtain guidance on implementing advanced security practices, such
as hardware-based cryptographic key storage, which is crucial for securing digital assets.
Risk management frameworks like Basel III lack these measures, as they assume centralized
asset control. CORM also accommodates the decentralized and rapidly evolving nature
of the crypto landscape by allowing flexibility in managing crypto-related risks like hard
forks or software vulnerabilities. Risk management frameworks like Basel III are more
rigid, focusing on structured financial risks in regulated settings. CORM includes com-
pliance and regulatory practices adapted to crypto-assets, helping institutions navigate
legal ambiguities, tax compliance, and KYC/AML in a mostly unregulated market. Risk
management frameworks like Basel III assume a regulated environment, making them less
applicable in the crypto space. The CORM framework thus helps financial institutions by
offering a tailored approach to managing the heightened risks of crypto-assets, facilitating
compliance, safeguarding asset integrity, and fostering institutional resilience against cyber,
privacy, and fraud risks in this emerging asset class.
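As an added illustration (not code from the paper or from any CORM implementation) of the custody controls named in Table 4 (private key life cycle, maker-checker governance) and the multi-signature mitigation described above, the following model enforces an M-of-N withdrawal approval in which the maker can never be a checker and signatures from rotated or destroyed keys are rejected. HMAC secrets stand in for hardware-held private keys, and every name, threshold and request value is constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

ACTIVE, ROTATED, DESTROYED = "active", "rotated", "destroyed"


@dataclass
class SignerKey:
    signer: str
    secret: bytes          # stand-in for a private key held in an HSM (assumption)
    state: str = ACTIVE    # life-cycle state: active -> rotated / destroyed


def canonical(request: dict) -> bytes:
    """Deterministic encoding so every checker signs exactly the same bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


class CustodyPolicy:
    """M-of-N withdrawal approval with maker-checker separation."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.keys: dict[str, list[SignerKey]] = {}  # signer -> key history

    # --- private key life cycle: generation, rotation, destruction ---
    def generate_key(self, signer: str) -> SignerKey:
        key = SignerKey(signer, secrets.token_bytes(32))
        self.keys.setdefault(signer, []).append(key)
        return key

    def rotate_key(self, signer: str) -> SignerKey:
        """Retire the current key; signatures made with it stop verifying."""
        for key in self.keys.get(signer, []):
            if key.state == ACTIVE:
                key.state = ROTATED
        return self.generate_key(signer)

    def destroy_key(self, signer: str) -> None:
        """Offboarding: the signer can no longer take part in approvals."""
        for key in self.keys.get(signer, []):
            key.state = DESTROYED

    def active_key(self, signer: str) -> SignerKey | None:
        return next((k for k in self.keys.get(signer, []) if k.state == ACTIVE), None)

    # --- signing and checking ---
    @staticmethod
    def sign(key: SignerKey, request: dict) -> str:
        return hmac.new(key.secret, canonical(request), hashlib.sha256).hexdigest()

    def approve(self, request: dict, maker: str,
                approvals: dict[str, str]) -> tuple[bool, str]:
        """approvals maps checker name -> signature over the request."""
        if maker in approvals:                      # maker-checker separation
            return False, "maker cannot check own request"
        verified: set[str] = set()
        for signer, sig in approvals.items():
            key = self.active_key(signer)           # only ACTIVE keys count
            if key is None:
                return False, f"no active key for {signer}"
            if not hmac.compare_digest(sig, self.sign(key, request)):
                return False, f"bad signature from {signer}"
            verified.add(signer)
        if len(verified) < self.threshold:          # distinct checkers only
            return False, f"{len(verified)} of {self.threshold} approvals"
        return True, "approved"


def demo() -> dict[str, tuple[bool, str]]:
    """Walk a constructed withdrawal request through each control case."""
    policy = CustodyPolicy(threshold=2)
    for name in ("maker", "checker1", "checker2"):
        policy.generate_key(name)
    # Constructed request; amount is a string so the canonical encoding is exact.
    request = {"asset": "BTC", "amount": "1.5", "to": "addr-constructed", "nonce": 7}
    good = {c: policy.sign(policy.active_key(c), request) for c in ("checker1", "checker2")}
    results = {"two_checkers": policy.approve(request, "maker", good)}
    self_sig = {"maker": policy.sign(policy.active_key("maker"), request), **good}
    results["maker_self"] = policy.approve(request, "maker", self_sig)
    results["tampered"] = policy.approve(dict(request, amount="15"), "maker", good)
    results["one_checker"] = policy.approve(request, "maker", {"checker1": good["checker1"]})
    policy.rotate_key("checker2")                   # old checker2 signature is now stale
    results["stale_key"] = policy.approve(request, "maker", good)
    good["checker2"] = policy.sign(policy.active_key("checker2"), request)
    results["resigned"] = policy.approve(request, "maker", good)
    policy.destroy_key("checker1")                  # checker1 offboarded
    results["destroyed"] = policy.approve(request, "maker", good)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>12}: {outcome}")
```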
The CORM framework provides a distinct and more comprehensive approach to
managing operational risks associated with crypto-assets, in contrast to the existing global
crypto-asset regulations. The global regulatory landscape and published guidelines specially
promoted by the Bank for International Settlements (BIS), the Financial Stability Board
(FSB), the United States, China, India, and the European Union primarily focus on establishing
the legal status of crypto-assets, implementing taxation frameworks and enforcing
anti-money laundering (AML) and know-your-customer (KYC) requirements. For instance,
countries like Singapore, UAE, and Israel have classified cryptocurrencies as securities,
subject to their securities laws, while Saudi Arabia has warned against dealing in virtual
currencies. Similarly, the FSB and G20 committee have proposed a comprehensive regulatory
framework to address financial stability risks, consumer protection, and market integrity
concerns related to crypto-asset activities. In contrast, the CORM framework delves deeper
into the specific operational risk pillars that financial institutions and crypto-asset service
providers face. It systematically identifies and maps these risks, including internal fraud,
external fraud, technology failures, and compliance issues, to the established Basel Opera-
tional Risk framework. This level of granularity and alignment with industry-recognized
standards sets the CORM framework apart from the broader regulatory initiatives. Fur-
thermore, the CORM framework adopts a proactive and institution-driven approach,
empowering financial institutions to take ownership of their operational risk management
practices. It provides a structured methodology for risk assessment, policy development,
implementation, and continuous monitoring, enabling these organizations to enhance their
operational resilience and adaptability to the rapidly evolving crypto-asset ecosystem. For
example, the CORM framework suggests implementing robust key management systems,
conducting regular audits, and establishing governance structures to mitigate the risks
of internal fraud and unauthorized access. By offering a more specialized and practi-
cal approach to managing operational risks, the CORM framework serves as a valuable
complement to the existing crypto-asset regulations, providing financial institutions and
crypto-asset service providers with a comprehensive tool to navigate the complexities of
the crypto-asset ecosystem while also addressing the broader regulatory concerns around
financial stability, consumer protection, and market integrity.

6. Application of CORM Framework

Crypto operational risks can affect various types of institutions operating in the
cryptocurrency industry. Some of these institutions include (i) cryptocurrency exchanges:
these platforms facilitate the buying and selling of cryptocurrencies and are exposed to risks
such as hacking, theft, fraud, and operational errors; (ii) wallet providers: cryptocurrency
wallets are used to store and manage digital assets and are exposed to risks such as hacking,
theft, and loss of private keys; (iii) payment processors: these companies enable merchants
to accept payments in cryptocurrencies and are exposed to risks such as fraud, errors, and
hacking; (iv) investment funds: cryptocurrency investment funds are exposed to risks such
as market volatility, liquidity risks, and regulatory risks; (v) ICO/STO issuers: Companies
that issue initial coin offerings (ICOs) or security token offerings (STOs) are exposed to risks
such as fraud, regulatory compliance, and market volatility; (vi) blockchain development
companies: these firms are involved in the development and maintenance of blockchain
technology or provider of services like Metaverse and Decentralized Finance (DeFi) and are
exposed to crypto-asset management along with risks such as software bugs, cyber-attacks,
and data breaches; (vii) financial institutions: traditional financial institutions such as banks
and investment firms are increasingly investing in cryptocurrencies and are exposed to
risks such as market volatility, regulatory risks, and cyber-attacks.
Following are the examples of applying the CORM framework to various actors in
the cryptocurrency space. The CORM framework serves as a comprehensive tool for these
actors, promoting effective risk management practices that enhance operational stability,
regulatory compliance, and stakeholder confidence in the rapidly evolving cryptocurrency
landscape. The CORM framework is designed to assist various actors in the cryptocur-
rency ecosystem, including cryptocurrency exchanges, wallet providers, crypto payment
processors, investment funds, and ICO/STO issuers, by providing a structured approach to
identifying, assessing, and mitigating operational risks associated with crypto-assets. For
cryptocurrency exchanges, the CORM framework helps in managing risks such as hacking,
theft, fraud, and operational errors by establishing robust policies and procedures for risk
mitigation, incident response, and business continuity planning. This is crucial for main-
taining user trust and ensuring compliance with regulatory requirements. Wallet providers
benefit from the CORM framework by implementing secure key management practices
and safeguarding against risks like hacking and loss of private keys. The framework
emphasizes the importance of regular audits and the establishment of secure environments
for managing cryptographic keys, which are vital for protecting users’ assets. Crypto
payment processors can utilize the CORM framework to address risks related to fraud,
errors, and hacking. By developing comprehensive risk assessment processes and incident
response strategies, these entities can enhance their operational resilience and ensure secure
transactions for their clients. Investment funds that engage in cryptocurrency investments
can leverage the CORM framework to navigate market volatility, liquidity risks, and regu-
latory uncertainties. The framework provides a systematic approach to risk assessment
and mitigation, enabling funds to make informed investment decisions while managing
potential operational risks. For ICO/STO issuers, the CORM framework aids in ensuring
compliance with regulatory requirements and managing risks associated with fraud and
market volatility. By establishing clear operational guidelines and communication plans,
issuers can enhance transparency and build trust with investors.
Overall, any organization that operates in the cryptocurrency industry, whether di-
rectly or indirectly, is exposed to crypto operational risks and must have effective risk
management strategies in place to mitigate them. CORM is applicable to these institutions.
Implementing the CORM framework for the above institutions involves six steps:
Step 1. Identify the institution’s objectives: Define the institution’s goals and objectives
and ensure that the crypto-asset operational risk management framework aligns with these
objectives.
Step 2. Assess risks: Conduct a comprehensive risk assessment to identify potential
crypto-asset operational risks that the institution may face. This includes assessing risks
related to the technology, regulatory compliance, security, and other relevant areas.
Step 3. Develop policies and procedures: Develop policies and procedures to man-
age the identified risks. These policies and procedures should cover areas such as risk
mitigation, incident response, business continuity planning, and employee training.
Step 4. Implement the CORM framework: Implement the crypto-asset operational
risk management framework across the institution. This may involve appointing a risk
manager or team to oversee the framework’s implementation and ensure that the policies
and procedures are followed.
Step 5. Monitor and evaluate crypto risks: Continuously monitor and evaluate the
framework’s effectiveness and adjust it as necessary. This may involve regularly reviewing
risk assessments, conducting audits, and gathering feedback from stakeholders.
Step 6. Communication by the operational risk team: Communicate the framework’s
implementation to relevant stakeholders, including employees, customers, and regulators.
This helps to ensure that everyone understands the risks associated with crypto-asset
operations and how the institution is managing these risks.
In order for the framework to be effective, it must be aligned with the institution’s
objectives and continuously evaluated. The coverage of different departments in an institu-
tion’s CORM framework will depend on the size and complexity of the institution, as well
as the nature and scope of its crypto-asset operations. Here are some of the departments
that may be involved in the framework: (i) Risk Management: The risk management depart-
ment should play a central role in the crypto-asset operational risk management framework.
They are responsible for identifying, assessing, and monitoring crypto-asset-related risks
across the institution. They may also develop and oversee policies and procedures related
to risk mitigation and incident response. (ii) IT/Technology: The IT department is responsi-
ble for ensuring that the institution’s technology infrastructure is secure and up-to-date. In
the context of crypto-assets, they may be responsible for implementing and maintaining the
institution’s crypto-asset wallet systems, exchanges, and other platforms. They may also
be responsible for ensuring that the institution’s systems comply with relevant regulatory
requirements. (iii) Legal/Compliance: The legal and compliance departments are responsi-
ble for ensuring that the institution’s crypto-asset operations comply with relevant laws
and regulations. They may develop and oversee policies and procedures related to com-
pliance with anti-money laundering (AML) and know-your-customer (KYC) regulations.
(iv) Finance/Accounting: The finance and accounting departments are responsible for
managing the institution’s financial risks related to crypto-assets. They may be responsible
for developing and implementing controls around the accounting and reporting of crypto-
asset-related transactions. (v) Operations: The operations department is responsible for
managing the day-to-day activities related to the institution’s crypto-asset operations. They
may be responsible for executing crypto-asset transactions, managing custodial arrange-
ments, and ensuring the safe storage of crypto-assets. (vi) Human Resources: The human
resources department is responsible for ensuring that employees are trained and aware of
the institution’s crypto-asset operational risk management framework. They may also be
responsible for conducting background checks and monitoring employees for compliance
with relevant policies and procedures.
These are just a few examples of the departments that may be involved in an institu-
tion’s CORM framework. The key is to ensure that all relevant departments are involved
in the framework and that there is clear communication and coordination between them.
To measure the effectiveness of the CORM framework, organizations should consider key
performance indicators (KPIs) such as: (i) Risk exposure: this measures the level of risk
an organization is exposed to at any given time. It can be measured using metrics such as
the number of security incidents, the value of assets at risk, and the impact of any security
breaches; (ii) Risk assessment: this measures the quality of risk assessment processes,
including how well risks are identified, evaluated, and prioritized. KPIs here can include
the percentage of risks identified, the accuracy of risk assessments, and the time taken to
complete risk assessments; (iii) Risk mitigation: this measures the effectiveness of measures
put in place to mitigate identified risks. KPIs here can include the percentage of risks
mitigated, the cost-effectiveness of mitigation measures, and the time taken to implement
mitigation measures; (iv) Incident response: this measures how well an organization
responds to security incidents. KPIs here can include the time taken to detect and respond
to incidents, the effectiveness of incident response procedures, and the impact of incidents
on the organization.
By measuring these KPIs, organizations can continually evaluate the effectiveness of
their CORM and make necessary improvements to ensure the security and success of their
operations.
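The four KPI groups above are easiest to reason about when they are computed from the records an operational risk team already keeps. The following is an added example, not code from the paper or from any of the organizations it discusses: it builds a small risk register and incident log (all values constructed for illustration) and computes risk exposure, assessment speed, mitigation coverage and incident-response times from them. The value-weighted mitigation figure and the handling of a still-open incident are the two points the paragraph alone does not show.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

# Constructed sample data (not taken from the paper): a small risk register and an
# incident log of the kind an operational risk team keeps for crypto-asset operations.


@dataclass
class Risk:
    risk_id: str
    description: str
    value_at_risk: float   # estimated loss (USD) if the risk materialises
    mitigated: bool        # an agreed control is in place and verified
    assessment_days: int   # days taken to complete the risk assessment


@dataclass
class Incident:
    incident_id: str
    occurred: datetime
    detected: Optional[datetime]    # None while still undetected
    contained: Optional[datetime]   # None while the incident is still open
    loss: float                     # realised loss (USD)


RISKS = [
    Risk("R1", "hot-wallet private key compromise", 5_000_000, True, 10),
    Risk("R2", "defect in bridge smart contract", 3_000_000, False, 21),
    Risk("R3", "third-party custodian outage", 750_000, True, 7),
    Risk("R4", "insider misuse of key-management console", 1_200_000, False, 14),
]

INCIDENTS = [
    Incident("I1", datetime(2024, 3, 1, 2, 0), datetime(2024, 3, 1, 2, 45),
             datetime(2024, 3, 1, 6, 0), 120_000),
    Incident("I2", datetime(2024, 4, 10, 23, 30), datetime(2024, 4, 11, 1, 30),
             datetime(2024, 4, 11, 9, 30), 45_000),
    Incident("I3", datetime(2024, 5, 5, 12, 0), datetime(2024, 5, 5, 12, 10),
             None, 0),   # detected but not yet contained
]


def _mean_hours(deltas):
    """Mean of a list of timedeltas in hours, or None when there is nothing to average."""
    if not deltas:
        return None
    return mean(d.total_seconds() for d in deltas) / 3600


def risk_exposure(risks, incidents):
    """KPI (i): open exposure. Value at risk is counted only for risks without a
    control, because a mitigated risk no longer represents open exposure."""
    return {
        "incident_count": len(incidents),
        "open_incidents": sum(1 for i in incidents if i.contained is None),
        "unmitigated_value_at_risk": sum(r.value_at_risk for r in risks if not r.mitigated),
        "realised_loss": sum(i.loss for i in incidents),
    }


def risk_assessment_kpis(risks):
    """KPI (ii): speed of the assessment process."""
    return {"mean_assessment_days": mean(r.assessment_days for r in risks)}


def risk_mitigation_kpis(risks):
    """KPI (iii): share of identified risks mitigated, by count and weighted by value.
    The value-weighted figure is the one to watch: closing many small risks while a
    large one stays open still looks good by count alone."""
    total = sum(r.value_at_risk for r in risks)
    covered = sum(r.value_at_risk for r in risks if r.mitigated)
    return {
        "pct_risks_mitigated": 100.0 * sum(1 for r in risks if r.mitigated) / len(risks),
        "pct_value_mitigated": 100.0 * covered / total,
    }


def incident_response_kpis(incidents):
    """KPI (iv): mean time to detect (MTTD) and mean time to contain (MTTC), in hours.
    An open incident counts toward MTTD but is excluded from MTTC; counting it as
    zero would flatter the containment figure."""
    detect = [i.detected - i.occurred for i in incidents if i.detected]
    contain = [i.contained - i.detected for i in incidents if i.detected and i.contained]
    return {"mttd_hours": _mean_hours(detect), "mttc_hours": _mean_hours(contain)}


def corm_scorecard(risks=RISKS, incidents=INCIDENTS):
    """All four KPI groups in one dictionary, ready for periodic reporting."""
    return {
        "risk_exposure": risk_exposure(risks, incidents),
        "risk_assessment": risk_assessment_kpis(risks),
        "risk_mitigation": risk_mitigation_kpis(risks),
        "incident_response": incident_response_kpis(incidents),
    }


if __name__ == "__main__":
    for group, values in corm_scorecard().items():
        print(group, values)
```

On the sample register, half of the risks are mitigated by count but only about 58% by value, and the open incident I3 contributes to MTTD without distorting MTTC.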
Crypto-asset ecosystems vary in size and complexity. The CORM framework is adapt-
able for both small firms and large corporates, albeit with key differentiators in its applica-
tion. For small firms, CORM can serve as a foundational tool to establish basic operational
risk management practices, focusing on cost-effective measures such as simplified key
management systems and basic compliance protocols. These firms may prioritize agility
and rapid implementation, leveraging CORM to navigate the complexities of crypto-assets
without extensive resources. In contrast, large corporates can utilize CORM to develop a
comprehensive, multi-layered risk management strategy that integrates advanced tech-
nologies like artificial intelligence and machine learning for real-time risk assessment. They
can afford to invest in robust infrastructure, extensive training programs, and detailed
compliance frameworks that align with global regulatory standards. Additionally, large
firms may face more complex operational risks due to their scale, necessitating a more
sophisticated approach to stakeholder communication and incident response. While CORM
provides a structured approach to managing operational risks associated with crypto-assets
for both small and large entities, the scale, complexity, and resource allocation significantly
influence its implementation and effectiveness across different organizational contexts.
We have identified two specific instances in recent years where crypto-assets have
succumbed to threats due to heightened operational risks. Hypothetically, we have applied
the CORM framework in these two distinct cases where crypto-asset exchanges succumbed
to either external risks such as hacking or internal vulnerabilities. We have analyzed how
CORM would have helped to mitigate operational risks. Following are the case studies
which show how the framework might function in real-world scenarios, strengthening our
argument of its applicability.

6.1. Case Study on BitMart: Mitigating External Frauds with CORM


In December 2021, the BitMart exchange was hacked, leading to the loss of $196 million
in assets due to unauthorized access to private keys. Attackers gained access to hot wallets
and stole assets through unauthorized transactions. Had BitMart complied with the CORM
framework, the risk that led to this event would have been mitigated. CORM advises strong
controls over private key management, including the use of hardware security modules
(HSMs), multi-signature wallets, and strict access controls. These measures prevent unauthorized access by
compartmentalizing key management, ensuring that critical keys are stored offline or with
restricted access, and requiring multiple layers of approval for any key use or transfer. The
BitMart exchange hack in December 2021, resulting in losses of approximately $196 million,
exemplifies the critical need for a robust operational risk management framework in the
crypto-asset sector. The Crypto-asset Operational Risk Management (CORM) framework is
designed to identify, assess, and mitigate operational risks associated with crypto-assets,
making it particularly relevant in this context. The hack highlighted significant operational
risks, particularly related to cybersecurity, such as external fraud and system vulnerabilities.
The primary stakeholders affected included BitMart, its customers, and regulatory bodies
concerned with compliance and consumer protection. The incident aligns with the Basel
framework’s categorization of operational risks, emphasizing the need for effective risk
management strategies. To mitigate such risks, the CORM framework advocates for the
implementation of robust key management systems, regular security audits, and compre-
hensive incident response plans. Continuous monitoring and assessment of the operational
environment are essential for identifying vulnerabilities before they can be exploited. Addi-
tionally, adopting industry best practices, ensuring regulatory compliance, and establishing
decentralized governance structures can further enhance security. Applying the CORM
framework to the BitMart hack illustrates how a structured approach to operational risk
management can effectively identify vulnerabilities and mitigate risks. By implementing
these strategies, crypto-asset exchanges like BitMart could improve their security posture,
protect against future incidents, and safeguard the interests of their stakeholders, ultimately
fostering greater trust and stability in the crypto-asset ecosystem (Thurman 2021).
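The control the case study points to, key use that requires multiple layers of approval so that no single compromised key can move funds, is small enough to show end to end. The block below is an added example and not code from the paper or from BitMart: it assumes three independent signer systems (in practice HSM-backed), a 2-of-3 threshold, a per-transaction ceiling and a maker-checker rule under which the proposer's own signature does not count toward the threshold. HMAC over a canonical payload stands in for each signer's digital signature; the approval logic, not the primitive, is what is illustrated. The names and limits are assumptions.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Assumed setting (not from the paper): three independent signer systems, each
# holding its own key, as an exchange would do with HSM-backed multi-signature
# custody. HMAC over the canonical transfer payload stands in for the per-signer
# digital signature a real wallet would use.
SIGNER_KEYS = {
    "treasury-ops": secrets.token_bytes(32),
    "risk-officer": secrets.token_bytes(32),
    "cold-custody": secrets.token_bytes(32),
}
THRESHOLD = 2              # independent approvals needed (2-of-3)
PER_TX_LIMIT = 250_000.0   # ceiling for one hot-wallet transfer (USD-equivalent, assumed)


@dataclass
class Transfer:
    nonce: str                 # unique per proposal; stops replay of an approved transfer
    to_address: str
    amount: float
    initiator: str             # the "maker" who proposed the transfer
    approvals: dict = field(default_factory=dict)   # signer name -> signature


def _payload(tx):
    """Canonical bytes every signer signs; any later edit to the transfer breaks them."""
    return json.dumps({"nonce": tx.nonce, "to": tx.to_address, "amount": tx.amount},
                      sort_keys=True).encode()


def _sign(signer, tx):
    return hmac.new(SIGNER_KEYS[signer], _payload(tx), hashlib.sha256).hexdigest()


def propose(to_address, amount, initiator):
    return Transfer(secrets.token_hex(16), to_address, amount, initiator)


def approve(tx, signer):
    """Runs on the signer's own system: attaches that signer's signature."""
    tx.approvals[signer] = _sign(signer, tx)
    return tx


class WalletPolicy:
    """Gate in front of the hot wallet deciding whether a transfer may be broadcast."""

    def __init__(self):
        self.spent_nonces = set()

    def authorize(self, tx):
        """Returns (ok, reason). Checks the limit, replay, signature validity, and
        that enough signers other than the maker approved."""
        if tx.amount > PER_TX_LIMIT:
            return False, "exceeds per-transaction limit"
        if tx.nonce in self.spent_nonces:
            return False, "replay: this transfer was already executed"
        valid = {
            s for s, sig in tx.approvals.items()
            if s in SIGNER_KEYS and hmac.compare_digest(_sign(s, tx), sig)
        }
        # Maker-checker: the initiator's own signature does not count toward the
        # threshold, so one stolen key or one insider cannot move funds alone.
        checkers = valid - {tx.initiator}
        if len(checkers) < THRESHOLD:
            return False, f"{len(checkers)} independent approval(s), {THRESHOLD} required"
        self.spent_nonces.add(tx.nonce)
        return True, "authorized"


def demo():
    """The cases a control test would cover; returns each outcome (constructed)."""
    policy = WalletPolicy()
    results = {}

    ok = propose("bc1q-customer-withdrawal", 100_000, "treasury-ops")
    approve(ok, "risk-officer")
    approve(ok, "cold-custody")
    results["two_independent_approvals"] = policy.authorize(ok)[0]

    # The same approved transfer presented again is a replay.
    results["replay"] = policy.authorize(ok)[0]

    # One signer key alone (here the initiator's) is not enough.
    stolen = propose("bc1q-unknown", 100_000, "treasury-ops")
    approve(stolen, "treasury-ops")
    results["single_key"] = policy.authorize(stolen)[0]

    # Amount changed after approvals were collected: signatures no longer verify.
    tampered = propose("bc1q-vendor", 50_000, "treasury-ops")
    approve(tampered, "risk-officer")
    approve(tampered, "cold-custody")
    tampered.amount = 240_000
    results["tampered_after_approval"] = policy.authorize(tampered)[0]

    # Above the per-transaction ceiling even with full approval.
    big = propose("bc1q-vendor", 300_000, "treasury-ops")
    approve(big, "risk-officer")
    approve(big, "cold-custody")
    results["over_limit"] = policy.authorize(big)[0]
    return results
```

Only the first case is authorized; the replay, single-key, tampered and over-limit cases are all refused, which is the behaviour an audit of the key-use control should confirm.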

6.2. Case Study on Binance: Mitigating Internal Vulnerabilities with CORM


Binance is one of the largest cryptocurrency exchanges globally, facilitating the trading
of various cryptocurrencies. In October 2022, the exchange suffered a significant security
breach, which was attributed to a flaw in its smart contract code. This incident highlighted
the operational risks associated with cryptocurrency exchanges, particularly concerning
security vulnerabilities and the management of private keys. The CORM framework
emphasizes the importance of identifying potential operational risks, including those
related to technology and security. In the case of Binance, a thorough risk assessment
could have identified the vulnerabilities in the smart contract code that led to the hack. By
conducting a comprehensive risk assessment, Binance could have evaluated the potential
impact of identified risks, including the financial implications of a security breach and
the reputational damage that could ensue. The CORM framework advocates for the
development of robust policies and procedures to manage identified risks. Binance could
have established stringent security protocols, including regular code audits, penetration
testing, and the implementation of multi-signature wallets to enhance the security of user
funds. The CORM framework stresses the need for ongoing monitoring and evaluation of
risk management practices. Binance could have established a dedicated risk management
team responsible for continuously assessing the effectiveness of security measures and
adapting to emerging threats in the cryptocurrency landscape. The framework provides
guidance on implementing effective mitigation strategies. For Binance, this could have
included the adoption of advanced security measures such as hardware security modules
(HSMs) for key management, real-time monitoring of transactions for suspicious activities,
and a well-defined incident response plan to address potential breaches swiftly (CoinDesk
2022; Forbes 2022; Livni 2022; TechRadar 2023).
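Among the mitigations listed for this case is real-time monitoring of transactions for suspicious activity. The block below is an added example, not code from the paper or from Binance, of what such monitoring looks like at its simplest: an event-at-a-time monitor with three rules (a large single withdrawal, withdrawal velocity from one wallet, and outflow to one destination exceeding a share of the hot-wallet float inside a sliding window), run over a constructed stream in which routine customer withdrawals are followed by a burst that drains a hot wallet. All thresholds, wallet names and addresses are assumed values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumed values for illustration, not figures from the paper.
LARGE_WITHDRAWAL = 100_000.0        # single-transfer alert threshold (USD-equivalent)
WINDOW = timedelta(minutes=10)      # sliding window for the velocity and drain rules
VELOCITY_COUNT = 3                  # withdrawals from one wallet within WINDOW
HOT_WALLET_BALANCE = 2_000_000.0    # float kept in the hot wallet
DRAIN_FRACTION = 0.25               # alert when WINDOW outflow to one address exceeds this share


class WithdrawalMonitor:
    """Stateful monitor: feed each withdrawal as it is signed and act on the
    returned alerts before the transaction is broadcast."""

    def __init__(self):
        self.per_wallet = defaultdict(deque)   # wallet -> recent timestamps
        self.per_dest = defaultdict(deque)     # destination -> (timestamp, amount)

    @staticmethod
    def _expire(queue, now, key=lambda item: item):
        """Drop entries older than WINDOW from the front of a time-ordered deque."""
        while queue and key(queue[0]) < now - WINDOW:
            queue.popleft()

    def observe(self, event):
        """event: {"ts": datetime, "wallet": str, "to": str, "amount": float}.
        Returns the names of the rules that fired for this event (empty if none)."""
        now, wallet, dest, amount = event["ts"], event["wallet"], event["to"], event["amount"]
        alerts = []

        if amount >= LARGE_WITHDRAWAL:
            alerts.append("large_withdrawal")

        stamps = self.per_wallet[wallet]
        self._expire(stamps, now)
        stamps.append(now)
        if len(stamps) >= VELOCITY_COUNT:
            alerts.append("velocity")

        flows = self.per_dest[dest]
        self._expire(flows, now, key=lambda item: item[0])
        flows.append((now, amount))
        if sum(a for _, a in flows) > DRAIN_FRACTION * HOT_WALLET_BALANCE:
            alerts.append("hot_wallet_drain")
        return alerts


# Constructed event stream: routine customer withdrawals, then a burst that sends a
# quarter of the hot-wallet float to one unknown destination within a few minutes.
EVENTS = [
    {"ts": datetime(2024, 6, 1, 9, 0), "wallet": "cust-17", "to": "bc1q-cust-17", "amount": 5_000},
    {"ts": datetime(2024, 6, 1, 9, 5), "wallet": "cust-42", "to": "bc1q-cust-42", "amount": 20_000},
    {"ts": datetime(2024, 6, 1, 10, 0), "wallet": "hot-1", "to": "bc1q-unknown", "amount": 150_000},
    {"ts": datetime(2024, 6, 1, 10, 2), "wallet": "hot-1", "to": "bc1q-unknown", "amount": 180_000},
    {"ts": datetime(2024, 6, 1, 10, 4), "wallet": "hot-1", "to": "bc1q-unknown", "amount": 200_000},
]


def replay(events=EVENTS):
    """Run the monitor over a stream; returns one alert list per event, in order."""
    monitor = WithdrawalMonitor()
    return [monitor.observe(e) for e in events]


if __name__ == "__main__":
    for event, alerts in zip(EVENTS, replay()):
        print(event["ts"].time(), event["wallet"], event["amount"], alerts or "-")
```

The first large transfer already raises an alert on its own; by the third transfer in the burst the velocity and drain rules fire as well, which is the point at which an incident response plan would pause the hot wallet rather than let the remaining transfers go out.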

7. Conclusions
For any business involved in the cryptocurrency sector to succeed and last, effective
crypto operational risk management is essential. It entails recognizing, evaluating, and
reducing risks related to the people, procedures, and technology used in crypto operations.
Among the many benefits of cryptocurrencies and other crypto-assets are decentralization,
transparency, and quick transactions. They do, however, have inherent dangers, including
market volatility, security breaches, and regulatory uncertainty, just like any other financial
asset. It is becoming more and more crucial for organizations participating in the financial
ecosystem to have a clear operational risk management strategy for crypto-assets as they
continue to acquire traction and popularity. While still taking advantage of the innovation
that crypto offers, such a framework assists institutions in recognizing, evaluating, and
reducing the risks related to crypto-asset operations.
Paving the way for future policy responses to mitigate operational risk, CORM pro-
vides a structured approach to addressing the unique operational risks associated with
crypto-assets. By aligning with the Basel Committee for Banking Supervision (BCBS) risk
classification, CORM not only aids financial institutions in navigating the complexities
of crypto-asset operations but also serves as a valuable tool for regulators in establish-
ing coherent guidelines. The framework enables institutions to proactively manage risks,
thereby preserving their reputation and safeguarding stakeholder interests. Future research
should focus on refining the CORM framework by incorporating real-time data analytics
and machine learning techniques to enhance risk assessment and mitigation strategies.
Research can explore the incorporation of artificial intelligence (AI) and machine learning
(ML) to improve risk assessment and mitigation strategies within the CORM framework.
These technologies can facilitate real-time monitoring of operational risks and enhance
predictive analytics, allowing institutions to proactively address vulnerabilities. Also,
empirical studies that validate the effectiveness of the CORM framework in various
institutional contexts are essential. This could involve case studies of financial
institutions that have implemented CORM, assessing its impact on operational risk management
and overall performance. Future research can also focus on comparing the application of
the CORM framework across different regulatory environments and jurisdictions. This
analysis can identify best practices and highlight how varying regulatory landscapes influ-
ence the effectiveness of operational risk management strategies. Research can focus on
creating models that adapt to changes in market conditions, technological advancements,
and emerging threats. Additionally, exploring the integration of CORM with existing
regulatory frameworks across different jurisdictions can provide insights into harmonizing
global standards for crypto-asset management. Research can also be performed on the
development of educational programs and training modules for financial institutions to
effectively implement the CORM framework. This can include creating resources that
enhance understanding of operational risks specific to crypto-assets and best practices for
mitigation.
The industry can contribute to the adoption of the CORM framework by fostering
collaboration among stakeholders, including financial institutions, technology providers,
and regulatory bodies. Engaging in public–private partnerships can facilitate the sharing
of best practices and resources, ultimately leading to the development of a more resilient
and secure crypto-asset ecosystem. Furthermore, industry-led initiatives to standardize
operational risk management practices can enhance the framework’s applicability and
effectiveness, ensuring that it meets the evolving needs of the crypto-asset landscape. By
working together, stakeholders can create a robust operational risk management framework
that not only addresses current challenges but also anticipates future developments in the
rapidly changing world of crypto-assets.
Theoretically, we extended the realm of uncertainty theory of risks in the context
of crypto-assets, wherein the antecedents, catalysts and outcomes of operational risks
are unprecedented. Since the threats are evolving and pervasive to a finite domain, our
framework paves the way for empirical investigations in the future. This will lead to further
insights into idiosyncrasies of crypto-assets. Academically, we propose a parsimonious
measure in the form of a simple framework. It can complement research on measures of
risks and return of portfolios consisting of crypto-assets. It may further lead to actionable
insights into audits and benchmarks of the operational risks of crypto-assets. CORM as
a framework may lead to a culmination of insights from industry and academia, with its
application to map and measure specific controls for operational risk mitigation, such as
multi-signature wallets, blockchain verification protocols, etc.
The proposed framework helps institutions to navigate the unique challenges posed by
crypto-assets and ensures that they are in compliance with relevant regulatory requirements.
Institutions can reduce the possible impact of operational mishaps involving crypto-assets,
preserve their reputation, and safeguard the interests of their stakeholders by adopting
a proactive approach to operational risk management. Institutions must exercise caution
when handling the dangers connected to crypto-assets, even while they present exciting
prospects for innovation and expansion. For institutions to confidently engage in the crypto
ecosystem while successfully reducing the risks related to crypto-assets, CORM as a clear
operational risk management framework is essential.

Author Contributions: Conceptualization, D.R. and A.D.; methodology, D.R. and A.D.; validation,
D.R., A.D. and D.T.; formal analysis, D.R. and A.D.; investigation, D.R. and A.D.; writing—original
draft preparation, D.R., A.D. and D.T.; writing—review and editing, D.R., A.D. and D.T.; visualization,
D.R. and A.D. All authors have read and agreed to the published version of the manuscript.
Funding: This research received no external funding.
Data Availability Statement: The research is based on secondary data published on public domains.
Data sources have been cited in-text and in references with URLs.
Conflicts of Interest: Author Ashutosh Dubey is employed by the company National Payments
Corporation of India. The remaining authors declare that the research was conducted in the absence
of any commercial or financial relationships that could be construed as a potential conflict of interest.
Appendix A. CORM for Crypto-Assets

Columns of the table: Operational Risk for Crypto Assets; Unique to Crypto-Assets; Impacted Party; Operational Risk Pillar; Description; Loss Effect as per Basel Framework (BIS 2001); Basel Operational Risk (Loss Category 1); Mitigation Approach. Each row of the table is given below as one labelled entry.

Operational Risk for Crypto Assets: Internal Fraud due to unauthorized access and theft or access to private keys
Unique to Crypto-Assets: No
Impacted Party: Institution, Customers
Operational Risk Pillar: Confidentiality and privacy
Description: A number of regulatory authorities have already raised concerns about misappropriation of assets (such as cryptocurrencies involving the theft of private and public keys) as well as tax evasion (as this issue has already been raised with several regulatory agencies). Employees who are familiar with micropayment systems are at risk of committing internal fraud.
Loss Effect as per Basel Framework (BIS 2001): Loss or Damage to Assets
Basel Operational Risk (Loss Category 1): Internal fraud
Mitigation Approach:
1. Key management systems should include a secure environment to store, manage, and protect cryptographic keys.
2. Robust policies and procedures should be implemented to safeguard the keys and enable access control. It is important to keep track of who has access to the keys and how they are used.
3. Key management systems should also include a backup and recovery system in case the primary system fails. This will help to ensure that the keys are always available and secure.
4. Regular audits should be conducted to ensure the system is functioning properly and to identify any potential weaknesses.
5. Implementation of best practices for cryptographic key management, such as regularly updating keys and implementing multi-factor authentication.

Operational Risk for Crypto Assets: Price manipulation
Unique to Crypto-Assets: No
Impacted Party: Customers
Operational Risk Pillar: Centralisation
Description: Decentralization is associated with inherent operational risks because cryptocurrencies operate through peer-to-peer networks, independent of a central authority. The independence of cryptocurrency is an appealing feature, but decentralization means that the network manages functions like issuing, processing transactions, and verifying together. Coordinated attacks are possible as a result of this.
Loss Effect as per Basel Framework (BIS 2001): Legal Liability; Loss or Damage to Assets
Basel Operational Risk (Loss Category 1): Clients, products, and business practices
Mitigation Approach:
1. Setting up of a Decentralized Autonomous Organization (DAO) governance board for financial and technical decisions of the system.
2. Implementation of a communication policy.
3. Ensure tougher authentication of developer write access to the code repository by demanding digital signatures on commits and tags.

Operational Risk for Crypto Assets: Non Protections for fraud losses
Unique to Crypto-Assets: No
Impacted Party: Customers
Operational Risk Pillar: Custody and Security
Description: Fraud occurs when someone deceives someone for personal or financial gain, causing them to suffer losses. Payment arrangements protect end users against fraud by providing preventive controls (e.g., security features) and compensating them for financial loss in the event of fraud (e.g., liability policies). Fraud protection policies make up the latter.
Loss Effect as per Basel Framework (BIS 2001): Regulatory Action
Basel Operational Risk (Loss Category 1): Clients, products, and business practices
Mitigation Approach:
1. Operating guidelines for the ecosystem.
2. Proper communication plan for investors and retail users.
3. Financial responsibility distribution in case of frauds reported.
4. Create a backup strategy in case of a disclosure incident, even if it is questioned.
5. A suitable operation plan outlines a sequence of actions to switch to a new secure private key without compromising control or access to protected data and with little effect on the availability of services provided by the organization.

Operational Risk for Crypto Assets: Partnering with technology and other companies to offer end solutions
Unique to Crypto-Assets: No
Impacted Party: Institution, Customers
Operational Risk Pillar: Business Model; Market access and data
Description: The outsourcing of a material business activity, when it involves collaborating with a third party in the context of crypto-asset related activities, leads to the exposure of personal information to a wider audience.
Loss Effect as per Basel Framework (BIS 2001): Restitution; Loss of Recourse
Basel Operational Risk (Loss Category 1): Execution, delivery, and process management
Mitigation Approach:
1. Entities should ensure that vendors meet the requirements that apply to the outsourcing regarding data management and intellectual property.

Operational Risk for Crypto Assets: Hard Forks (FSB 2019; IOSCO 2020) by Technology Platforms managing Crypto Assets
Unique to Crypto-Assets: Yes
Impacted Party: Institution
Operational Risk Pillar: Centralisation
Description: It is known that a hard fork is one of the settlement risks that are unique to blockchains. A hard fork, which produces two irreconcilable ledgers, might result from an unresolved dispute between developers or other participants in a distributed ledger, such as miners. It is also possible for forks to result from changes to the code in the underlying protocol that are not compatible with previous versions. The forking of a chain is typically undertaken by a large subset of node operators who believe that it is necessary to preserve the integrity of the chain, even though it can be disruptive.
Loss Effect as per Basel Framework (BIS 2001): Loss or Damage to Assets
Basel Operational Risk (Loss Category 1): Clients, products, and business practices
Mitigation Approach:
1. Third party audit.
2. Open source audit.
3. Frequent checks for software vulnerabilities as per international publications.
4. Monitoring the operations of the platform managing crypto-assets.

Operational Risk for Crypto Assets: Operational Bank Run (Angelo et al. 2021)
Unique to Crypto-Assets: Yes
Impacted Party: Institution
Operational Risk Pillar: Custody and security; Business Model
Description: By creating a regulated crypto-asset like CBDC, central banks could threaten the very two-tiered banking system. Whenever confidence in bank deposits begins to wane, people tend to convert that money to CBDC, which might lead to a decrease in loanable money in the system, eventually leading to a financial crisis.
Loss Effect as per Basel Framework (BIS 2001): Regulatory Action; Loss or Damage to Assets
Basel Operational Risk (Loss Category 1): Clients, products, and business practices
Mitigation Approach:
1. Operating guidelines to manage the funds.
2. Risk rules, transaction limits.
3. Frequent checks regarding software vulnerabilities.
4. Compliance with global financial risk guidelines like Basel.

Operational Risk for Crypto Assets: Software Failure
Unique to Crypto-Assets: No
Impacted Party: Institution
Operational Risk Pillar: Technology
Description: Each bank does not process blockchain verification or currency creation. To ensure the reliability of the cryptocurrency network, including transaction processing and verification, an external group of entities in different geographies is essential. A bank processing cryptocurrencies and deposits that relies on external hardware faces large operational risks.
Loss Effect as per Basel Framework (BIS 2001): Loss or Damage to Assets; Write-down
Basel Operational Risk (Loss Category 1): Business disruption and system failures
Mitigation Approach:
1. Third party audit.
2. Open source audit.
3. Bug bounty programs.
4. Frequent checks for software vulnerabilities as per international publications.

Operational Risk for Crypto Assets: External Fraud due to System abuse and theft
Unique to Crypto-Assets: No
Impacted Party: Institution, Customers
Operational Risk Pillar: Technology; Market access and data; Centralisation
Description: Data theft can include wallet addresses, public and private keys, along with other personal identification information such as transaction information between users in virtual currency and cryptocurrency networks. Oracle services expose systems to systems that require platforms in order to perform operations. It is possible to lose assets and funds as a result of any Oracle hack.
Loss Effect as per Basel Framework (BIS 2001): Loss or Damage to Assets; Write-down
Basel Operational Risk (Loss Category 1): External fraud
Mitigation Approach:
1. Regular business and technical audit with external information provider.
2. Interfaces should go through security assessment and scans.
3. Bug bounty program for the interface.
4. Change log management.
5. Plan for predictable incidents at third-party partners and document the stages to reinstate service or ensure the continuity of service.
6. Review the design of the third-party API with an emphasis on how it implements access controls, how it prevents message spoofing and how it handles credential-reset functionality.
7. Document the points of contact on both ends of the association with your partner organization.

Operational Risk for Crypto Assets: Blockchain Failure
Unique to Crypto-Assets: Yes
Impacted Party: Institution
Operational Risk Pillar: Technology
Description: Failure of the blockchain platform which is running the system due to defects or attacks.
Loss Effect as per Basel Framework (BIS 2001): Loss or Damage to Assets; Write-down
Basel Operational Risk (Loss Category 1): Business disruption and system failures
Mitigation Approach:
1. Business continuity plan for hardware failure.
2. Network protection using firewall.
3. Multiple sites set up to avoid failure in one site, to improve system resiliency.
4. Use tamper-resistant cryptographic hardware device peripherals intended to store and perform operations with private keys without ever divulging the keys to a host computer.

Operational Risk for Crypto Assets: Improper Peer-to-peer Verifications of Transactions and Risk of Double Spending
Unique to Crypto-Assets: Yes
Impacted Party: Institution, Customers
Operational Risk Pillar: Technology
Description: Due to peer-to-peer verification, a transaction can take up to ten minutes to be published to the network and registered on the ledger blockchain. These delays create a significant opportunity for fraud, system attacks, double spending, and fake transactions. It is possible for an adversary to use the same Bitcoins in multiple transactions during these waiting periods. This could result in losses for the vendor if the goods are released instantly.
Loss Effect as per Basel Framework (BIS 2001): Write-down
Basel Operational Risk (Loss Category 1): Business disruption and system failures
Mitigation Approach:
1. Operating guidelines for the ecosystem.
2. Proper communication plan for investors and retail users.
3. Financial responsibility distribution in case of frauds reported.
4. Create a contingency plan in preparation for a disclosure incident, even a doubted incident.
5. A proper operation plan describes a sequence of steps to shift to a new secure private key without losing access to or control of protected data, and with nominal impact to the organization’s service availability.

Operational Risk for Crypto Assets: Transaction Irreversibility and Risk of Uncoverable Losses and Mistakes
Unique to Crypto-Assets: Yes
Impacted Party: Institution, Customers
Operational Risk Pillar: Technology; Business model
Description: Banking networks, virtual wallets, and cryptocurrency are at risk of cybercrime and hacker attacks due to transaction irreversibility.
Loss Effect as per Basel Framework (BIS 2001): Write-down
Basel Operational Risk (Loss Category 1): Clients, products, and business practices
Mitigation Approach:
1. Operating guidelines for the ecosystem.
2. Proper communication plan for investors and retail users.
3. Financial responsibility distribution in case of frauds reported.
4. Use wallets in which the private keys are split across separate systems and 2-of-3 consensus is required to spend from the wallet.

Operational Risk for Crypto Assets: Investment in Crypto-assets
Unique to Crypto-Assets: No
Impacted Party: Institution, Customers
Operational Risk Pillar: Compliance and tax; Market access and data; Centralisation
Description: In addition to fraud, cybercrime, conduct, financial crime and technology risks, there are likely to be a range of operational risks to identify, assess and manage. Crypto-assets and networks may also be susceptible to novel risks, such as risks associated with relying on third parties for redemption or operation, or using crypto infrastructure and exchanges.
Loss Effect as per Basel Framework (BIS 2001): Regulatory Action
Basel Operational Risk (Loss Category 1): Clients, products, and business practices
Mitigation Approach:
1. Background check of the crypto-asset provider.
2. Financial assessment by third party.
3. Financial risk assessment regarding the investment.
4. Compliance check and trend monitoring of the industry.

Operational Risk for Crypto Assets: Uncontrolled Crypto assets issuance
Unique to Crypto-Assets: Yes
Impacted Party: Institution, Customers
Operational Risk Pillar: Compliance and tax; Market access and data; Centralisation
Description: The minting, issuance, and burning of coins will involve a range of operational risks, including fraud, cyber, conduct, and technology risks. It is important to consider risks when designing and distributing new products. Data collection, storage, and safeguarding systems, as well as a robust redemption process, are other key considerations.
Loss Effect as per Basel Framework (BIS 2001): Regulatory Action
Basel Operational Risk (Loss Category 1): Clients, products, and business practices
Mitigation Approach:
1. Governance board or power of delegation based on stake or rights.
2. Regular audits, internal and external, to avoid any discrepancies.
3. System access and rights based on delegation of powers.
4. Limit access to the majority of assets in a wallet on an offline (air-gapped, physically access-controlled) system.
5. Transactions can be signed under the maker-checker principle and then taken to an online system for publication to the blockchain.

Operational Risk for Crypto Assets: Services on crypto-assets for customers
Unique to Crypto-Assets: No
Impacted Party: Institution, Customers
Operational Risk Pillar: Compliance and tax; Market access and data; Centralisation
Description: A range of operational risks may exist for services involving crypto-assets more broadly. Security risks, such as the possibility of losing private keys, wallets containing funds, and authentication devices, should
Loss Effect as per Basel Framework (BIS 2001): Restitution
Basel Operational Risk (Loss Category 1): Clients, products, and business practices
Mitigation Approach:
1. Operating guidelines for the ecosystem.
2. Proper communication plan for investors and retail users.
3. Financial responsibility distribution in case of frauds reported.
be taken into consideration.
J. Risk Financial Manag. 2024, 17, 550 28 of 31

Loss Effect as per


Operational Risk for Unique to Basel Operational Risk
Impacted Party Operational Risk Pillar Description Basel Framework Mitigation Approach
Crypto Assets Crypto-Assets (Loss Category 1)
(BIS 2001)
Crypto-asset collateral may be 1. Governance board or power of
subject to operational risks delegation based on stake or rights
including fraud, financial 2. Regular audits internal and
Lending activities Compliance and tax crime, and technological external to avoid any
Institution, Clients, products, and Regulatory Action
linked with No Market access and data failure. A third party, such as discrepancies
Customers business practices Restitution
crypto-assets Centralisation a custodian, an exchange, a 3. Investment risk and market risk to
wallet provider, or a crypto be properly evaluated before any
infrastructure provider, may lending allowed on crypto-assets
also represent a risk. held in custody
Financial risk must be
considered when examining 1. Ensuring communication plan for
this vulnerability, including retail investors or users
the privacy of customer 2. Operating guidelines for
transactions, money ecosystem
laundering, and account 3. Financial responsibility
Anonymity and Risk Institution, Execution, delivery, and
No Compliance and tax taxation. Losses due to Regulatory Action distribution in case of frauds
of Financial Crime Customers process management
operational risk may occur in reported
some cases.In the case of 4. Reporting based on the law of the
crypto-asset deposits made by land
institutions knowingly or 5. Framework to apportion of assets
unknowingly originating from in dispute
crime, the risk of fraud is high
When someone gains access to
the private key, they are able
to create and sign a 1. Regular business and technical
transaction message, possibly audit with external information
transferring the currency units provider
to their own address as if they 2. Interfaces should go through
Handling of Sensitive are the original owner. security assessment and scans
Compliance and tax
Information and Risk Institution, Additionally, the storage of 3. Bug bounty program for the
No Business Model Internal fraud Regulatory Action
of Fraud due to Customers virtual wallets and private interface
Centralisation
improper accounting and public encryption keys 4. Change log management
are also major risks (all may 5. Wallet security using Hardware
affect different aspects of security module
cryptocurrencies). Data entry 6. Key management including
errors, accounting errors, and rotation
negligent loss of client assets
are also major risks.
Source: Created by the Authors.
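Two of the controls in the table lend themselves to a small working model: the double-spending window described under "Improper Verifications of Transactions" (a vendor who releases goods before the payment is confirmed) and the split-key 2-of-3 and maker-checker signing rules listed under "Transaction Irreversibility" and "Uncontrolled Crypto-assets Issuance". The Python below is an added example, not code from the paper or from any project it cites. The Tx, VendorLedger and SpendAuthoriser classes, the approver names and secrets, the confirmation depth of 6 and all sample transactions are constructed for illustration, and HMAC tags stand in for the digital signatures a real wallet or HSM would produce.

```python
"""Toy model of two controls from the table: a merchant-side double-spend and
confirmation-depth check, and a 2-of-3 maker-checker spend authorisation.
Added example, not the authors' code; every name and value is constructed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple[str, ...]               # outputs being spent, as "txid:index"
    outputs: tuple[tuple[str, int], ...]  # (address, amount) pairs


class VendorLedger:
    """Merchant's view of incoming payments: unconfirmed, confirmed, or conflicted."""

    def __init__(self, required_depth: int) -> None:
        self.required_depth = required_depth
        self.spent_by: dict[str, str] = {}       # input ref -> first txid seen spending it
        self.confirmations: dict[str, int] = {}  # txid -> confirmation depth
        self.conflicted: set[str] = set()        # txids involved in a double spend

    def observe(self, tx: Tx) -> bool:
        """Record a transaction seen on the network; False if it re-spends an input seen earlier."""
        clashes = {self.spent_by[ref] for ref in tx.inputs if ref in self.spent_by}
        clashes.discard(tx.txid)
        if clashes:
            # Both the earlier payment and the rival are now suspect: hold for review.
            self.conflicted.update(clashes | {tx.txid})
            return False
        for ref in tx.inputs:
            self.spent_by[ref] = tx.txid
        self.confirmations.setdefault(tx.txid, 0)
        return True

    def confirm(self, txid: str, depth: int) -> None:
        """Update the confirmation depth reported for a transaction."""
        self.confirmations[txid] = depth

    def may_release_goods(self, txid: str) -> bool:
        """Release only a never-conflicted payment that has reached the required depth."""
        if txid in self.conflicted:
            return False
        return self.confirmations.get(txid, 0) >= self.required_depth


class SpendAuthoriser:
    """Threshold approval (default 2-of-3) with a maker-checker rule for outgoing spends."""

    def __init__(self, approver_keys: dict[str, bytes], threshold: int = 2) -> None:
        self.keys = approver_keys  # one secret per approver, each held on a separate system
        self.threshold = threshold

    @staticmethod
    def digest(tx: Tx) -> bytes:
        """Canonical digest of exactly what approvers are asked to approve."""
        outs = ",".join(f"{addr}:{amt}" for addr, amt in tx.outputs)
        return hashlib.sha256(f"{tx.txid}|{','.join(tx.inputs)}|{outs}".encode()).digest()

    def approve(self, approver: str, tx: Tx) -> bytes:
        """An approver's tag over the transaction (stands in for a signature)."""
        return hmac.new(self.keys[approver], self.digest(tx), "sha256").digest()

    def authorised(self, tx: Tx, maker: str, approvals: dict[str, bytes]) -> bool:
        """True iff the maker approved and at least threshold-1 distinct others did too."""
        valid = {who for who, tag in approvals.items()
                 if who in self.keys and hmac.compare_digest(tag, self.approve(who, tx))}
        return maker in valid and len(valid - {maker}) >= self.threshold - 1


def demo() -> dict[str, bool]:
    """Walk both controls through constructed scenarios and return the named outcomes."""
    ledger = VendorLedger(required_depth=6)
    pay = Tx("pay-1", ("prev-9:0",), (("vendor", 5),))
    ledger.observe(pay)
    r = {"released_at_zero_conf": ledger.may_release_goods("pay-1")}
    rival = Tx("pay-1-rival", ("prev-9:0",), (("other", 5),))  # same input spent again
    r["double_spend_flagged"] = not ledger.observe(rival)
    ledger.confirm("pay-1", 6)
    r["released_despite_conflict"] = ledger.may_release_goods("pay-1")
    clean = Tx("pay-2", ("prev-7:1",), (("vendor", 3),))
    ledger.observe(clean)
    ledger.confirm("pay-2", 6)
    r["released_clean_at_depth"] = ledger.may_release_goods("pay-2")

    keys = {"ops-a": b"secret-a", "ops-b": b"secret-b", "ops-c": b"secret-c"}  # constructed
    auth = SpendAuthoriser(keys, threshold=2)
    out = Tx("out-1", ("treasury:3",), (("customer", 2),))
    a, b, c = (auth.approve(who, out) for who in ("ops-a", "ops-b", "ops-c"))
    r["maker_alone"] = auth.authorised(out, "ops-a", {"ops-a": a})
    r["maker_plus_checker"] = auth.authorised(out, "ops-a", {"ops-a": a, "ops-b": b})
    r["checkers_without_maker"] = auth.authorised(out, "ops-a", {"ops-b": b, "ops-c": c})
    altered = Tx("out-1", ("treasury:3",), (("other", 2),))  # outputs changed after approval
    r["approvals_reused_on_altered_tx"] = auth.authorised(altered, "ops-a", {"ops-a": a, "ops-b": b})
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running demo() walks both policies: the vendor-side ledger refuses release at zero confirmations, flags the second spend of the same input, and keeps the original payment on hold even after it reaches six confirmations because a conflict was seen, while a clean payment at the same depth is released. The authoriser rejects a spend approved by the maker alone, by two checkers without the maker, and an approval set replayed onto a transaction whose outputs were altered after approval, since the tags are bound to the canonical digest of the transaction.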
References
Almeida, Dora, Andreia Dionísio, Isabel Vieira, and Paulo Ferreira. 2022. Uncertainty and risk in the cryptocurrency market. Journal of Risk and Financial Management 15: 532. [CrossRef]
Almeida, José, and Tiago Cruz Gonçalves. 2022. Portfolio diversification, hedge, and safe-haven properties in cryptocurrency investments and financial economics: A systematic literature review. Journal of Risk and Financial Management 16: 3. [CrossRef]
Angelo, Riva, Stefano Ungaro, and Eric Monnet. 2021. Bank Runs and Central Bank Digital Currency. Available online: https://cepr.org/voxeu/columns/bank-runs-and-central-bank-digital-currency (accessed on 7 October 2024).
Basel Committee on Banking Supervision. 2022. Prudential Treatment of Cryptoasset Exposures. Available online: https://www.bis.org/bcbs/publ/d545.pdf (accessed on 4 May 2024).
Beja, Avraham. 1972. On systematic and unsystematic components of financial risk. The Journal of Finance 27: 37–45. [CrossRef]
BIS. 2001. QIS 2—Operational Risk Loss Data. Annexure 5. Available online: https://www.bis.org/bcbs/qisoprisknote.pdf (accessed on 7 May 2024).
BIS. 2019. Designing a Prudential Treatment for Crypto-Assets. Available online: https://www.bis.org/bcbs/publ/d490.pdf (accessed on 8 May 2024).
Blackman, Andrew. 2014. The Main Types of Business Risks. Available online: https://business.tutsplus.com/tutorials/the-main-types-of-business-risk--cms-22693 (accessed on 13 May 2024).
Boitnott, John. 2022. Seven Business Risks Every Business Should Plan For. Available online: https://www.americanexpress.com/en-us/business/trends-and-insights/articles/7-business-risks-every-business-should-plan-for/ (accessed on 14 May 2024).
Buck, Jon. 2018. Coincheck: Stolen $534 mln NEM Were Stored on Low-Security Hot Wallet. Available online: https://cointelegraph.com/news/coincheck-stolen-534-mln-nem-were-stored-on-low-security-hot-wallet (accessed on 4 June 2024).
Chan, Stephen, and Saralees Nadarajah. 2020. Extreme values and financial risk. Journal of Risk and Financial Management 13: 32. [CrossRef]
Christiansen, Leif. 2021. Types of Business Risk. Available online: https://zipreporting.com/enterprise-risk-management/types-of-business-risk.html (accessed on 21 June 2024).
CoinDesk. 2022. Binance Hack: $570 Million Exploited in Smart Contract Bridge Vulnerability. CoinDesk. Available online: https://www.coindesk.com/business/2022/10/07/binance-hack (accessed on 14 November 2024).
CoinMarketCap. 2024. Global Live Cryptocurrency Charts & Market Data. Available online: https://coinmarketcap.com/charts/ (accessed on 10 May 2024).
Commodity Futures Trading Commission. 2020. The CFTC's Role in Monitoring Virtual Currencies. Available online: https://www.cftc.gov/media/4636/VirtualCurrencyMonitoringReportFY2020/download (accessed on 5 May 2024).
Commonwealth Bank of Australia. 1999. Annual Report. Melbourne: Commonwealth Bank of Australia.
Cryptoassets Taskforce. 2018. Final Report 2018; HM Treasury, Financial Conduct Authority, and Bank of England. Available online: https://assets.publishing.service.gov.uk/media/5bd6d6f0e5274a6e11247059/cryptoassets_taskforce_final_report_final_web.pdf (accessed on 1 May 2024).
Data Bridge Market Research. 2022. Global Crypto Asset Management Market—Industry Trends and Forecast to 2029. Available online: https://www.databridgemarketresearch.com/reports/global-crypto-asset-management-market (accessed on 4 May 2024).
Dubey, Ashutosh, Deepnarayan Tiwari, and Anjali Tiwari. 2022. Blockchain as a foundational infrastructure of Web 3.0 and cryptoassets. In Blockchain Foundational Infrastructure of Web 3.0 and Cryptoassets. New York: Taylor & Francis. Available online: https://www.taylorfrancis.com/chapters/edit/10.1201/9781003282914-6 (accessed on 8 June 2024).
Fama, Eugene F., and Kenneth R. French. 1993. Common risk factors in the returns on stocks and bonds. Journal of Financial Economics 33: 3–56. [CrossRef]
FATF. 2021. Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. Paris: Financial Action Task Force. Available online: https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Guidance-rba-virtual-assets-2021.html (accessed on 10 May 2024).
Federal Financial Supervisory Authority (BaFin). 2024. Crypto Custody Business. Available online: https://www.bafin.de/EN/Aufsicht/BankenFinanzdienstleister/Markteintritt/Kryptoverwahrgeschaeft/kryptoverwahrgeschaeft_node_en.html (accessed on 10 June 2024).
Felix, Katherine, and Nicholas Baker. 2023. China and Its Central Bank Digital Currency. Paris: Friedrich Ebert Stiftung. Available online: https://library.fes.de/pdf-files/international/20024-20230214.pdf (accessed on 1 July 2024).
Forbes. 2022. What Happened with the $570 Million Binance (BNB) Hack? And What Does It Really Mean for Crypto Investors? Available online: https://www.forbes.com/sites/qai/2022/10/09/what-happened-with-the-570-million-binance-bnb-hack-and-what-does-it-really-mean-for-crypto-investors/ (accessed on 14 November 2024).
FSB. 2019. The Financial Stability Board in 2019. Paper presented at the Joint Conference of the European Central Bank and the Journal of Money, Credit, and Banking, Frankfurt, Germany, March 28. Available online: https://www.fsb.org/uploads/S280319.pdf (accessed on 8 May 2024).
Gagliardoni, Thomas. 2021. The Poly Network Hack Explained. Cheseaux-sur-Lausanne: Kudelski Security Research. Available online: https://research.kudelskisecurity.com/2021/08/12/the-poly-network-hack-explained/ (accessed on 10 May 2024).
Holton, Gerald. 2004. Defining risk. Financial Analysts Journal 60: 19–25. [CrossRef]
Ikeno, Yoshiaki, John Angel, and Sudip Panigrahi. 2022. Soundness of stablecoins. In International Conference on Financial Cryptography and Data Security. Cham: Springer International Publishing, pp. 66–73.
IOSCO. 2020. International Organization of Securities Commissions Priorities for 2020. Available online: https://www.jdsupra.com/legalnews/international-organization-of-68360/ (accessed on 10 May 2024).
Israel Securities Authority. 2018. Warning to Investors Regarding Cryptocurrency Investments. Available online: https://www.iosco.org/library/ico-statements/Israel%20-%20ISA%20-%20Warning%20to%20Investors%20Regarding%20Cryptocurrency%20Investments.pdf (accessed on 10 May 2024).
Juskaite, Lina, Loreta Gudelyte-Zilinskiene, and Rita Tamosiuniene. 2024. Investment portfolio's including different cryptocurrencies efficiency study. Transformations in Business & Economics 23: 272–95.
Kolmogorov, Andrey Nikolaevich. 1963. The theory of probability. Mathematics, Its Content, Methods, and Meaning 2: 110–18.
Knight, Frank H. 1921. Risk, Uncertainty, and Profit. University of Illinois at Urbana-Champaign's Academy for Entrepreneurial Leadership Historical Research Reference in Entrepreneurship. Available online: https://ssrn.com/abstract=1496192 (accessed on 10 May 2024).
KPMG. 2020. Basel 4: The Journey Continues. Available online: https://assets.kpmg.com/content/dam/kpmgsites/xx/pdf/2020/08/basel-4-the-journey-continues.pdf.coredownload.inline.pdf (accessed on 18 November 2024).
KPMG. 2022a. Beyond Basel IV: Incorporating Crypto-Assets into the Basel Framework. Available online: https://www.scribd.com/document/586742700/Basel-IV-Crypto-En (accessed on 10 May 2024).
KPMG. 2022b. The Collapse of FTX: Lessons and Implications for Stakeholders in the Crypto Industry. Available online: https://assets.kpmg/content/dam/kpmg/cn/pdf/en/2022/11/the-collapse-of-ftx.pdf (accessed on 10 May 2024).
Lam, Patrick N., and David K. C. Lee. 2015. A Light Touch of Regulation for Virtual Currencies. In Handbook of Digital Currency. Available online: https://www.sciencedirect.com/topics/economics-econometrics-and-finance/virtual-currency (accessed on 10 May 2024).
Liu, Baoding. 2009. Some research problems in uncertainty theory. Journal of Uncertain Systems 3: 3–10.
Livni, Ephrat. 2022. Binance Blockchain Hit by $570 Million Hack. The New York Times. Available online: https://www.nytimes.com/2022/10/07/business/binance-hack.html (accessed on 10 May 2024).
Markowitz, Harry M. 1976. Markowitz revisited. Financial Analysts Journal 32: 47–52. [CrossRef]
Ministry of Finance of Government of Saudi Arabia. 2019. MOF Warns Against Dealing in Virtual Currencies, Including Cryptocurrencies That Claim Relationship with the Kingdom. Available online: https://www.mof.gov.sa/en/MediaCenter/news/Pages/News_20082019.aspx#:~:text=The%20Ministry%20of%20Finance%20(MOF,traded%20by%20financial%20institutions%20locally (accessed on 5 May 2024).
Monetary Authority of Singapore (MAS). 2020. A Guide to Digital Token Offerings. Available online: https://www.mas.gov.sg/-/media/mas/sectors/guidance/guide-to-digital-token-offerings-26-may-2020.pdf (accessed on 10 May 2024).
Moosa, Imad A. 2007. Operational risk: A survey. Financial Markets, Institutions & Instruments 16: 167–200.
Mueller, Lars, Stefan Stöckl, Johannes Mueller, and Dirk Schiereck. 2023. Estimating Crypto-Related Risk: Market-Based Evidence from FTX's Failure and Its Contagion on US Banks. Available online: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4582569 (accessed on 10 May 2024).
Peters, Gareth W., Aurélien Chapelle, and Emmanuela Panayi. 2016. Opening discussion on banking sector risk exposures and vulnerabilities from virtual currencies: An operational risk perspective. Journal of Banking Regulation 17: 239–72. [CrossRef]
Power, Michael. 2005. The Invention of Operational Risk. Review of International Political Economy 12: 1–21. [CrossRef]
Press Information Bureau. 2019. Inter-Ministerial Committee on Virtual Currencies Submits Its Report Along with Draft Bill 'Banning of Cryptocurrency & Regulation of Official Digital Currency Bill, 2019'. Available online: https://pib.gov.in/PressReleseDetail.aspx?PRID=1579759&reg=3&lang=1 (accessed on 10 May 2024).
PwC. 2022. El Salvador's Law: A Meaningful Test for Bitcoin. Available online: https://www.pwc.com/gx/en/financial-services/pdf/el-salvadors-law-a-meaningful-test-for-bitcoin.pdf (accessed on 10 May 2024).
PwC. 2023. Global Crypto Regulation Report 2023. Available online: https://www.pwc.com/gx/en/new-ventures/cryptocurrency-assets/pwc-global-crypto-regulation-report-2023.pdf (accessed on 8 May 2024).
RBI. 2022. Concept Note on Central Bank Digital Currency. Mumbai: Reserve Bank of India. Available online: https://rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&amp,ID=1218#:~:text=While%20Wholesale%20CBDC%20is%20intended,primarily%20me (accessed on 7 June 2024).
RBI. 2024. Guidance Note on Management of Operational Risk. Mumbai: Reserve Bank of India. Available online: https://www.pdicai.org/Docs/RBI-2024-25-31_15202415340467.pdf (accessed on 1 September 2024).
Roy, Deepankar, Ashutosh Dubey, and Sarika Lohana. 2023. A study to review global regulations regarding mitigation of operational risk associated with crypto-assets. In Recent Trends in Engineering and Science for Resource Optimization and Sustainable Development. Edited by Jelonek Dorota, Narendra Kumar, Mamta Chahar, Rusudan Kinkladze and Lila Knop. Boca Raton: CRC Press, p. 259, ISBN 978-1032466390.
Shepheard-Walwyn, Tim, and Robert Litterman. 1998. Building a coherent risk measurement and capital optimisation model for financial firms. Economic Policy Review 1998: 4. [CrossRef]
TechRadar. 2023. Hackers Exploited Binance Smart Chain Vulnerabilities in $568 Million Breach. TechRadar Pro. Available online: https://www.techradar.com (accessed on 18 November 2024).
Tetiana, Zadorozhna, Sviatoslav Volodymyr, Oleksandr Demchuk, Vasyl Borys, and Tetiana Drahun. 2022. Investment Models on Centralized and Decentralized Cryptocurrency Markets. Dnipropetrovsk city: Scientific Bulletin of National Mining University.
Thomson Reuters. 2022. Cryptocurrency Regulations by Country. Available online: https://www.thomsonreuters.com/en-us/posts/wp-content/uploads/sites/20/2022/04/Cryptos-Report-Compendium-2022.pdf (accessed on 18 June 2024).
Thurman, Andrew. 2021. Crypto Exchange BitMart Hacked with Losses Estimated at $196M. CoinDesk. Available online: https://www.coindesk.com/business/2021/12/05/crypto-exchange-bitmart-hacked-with-losses-estimated-at-196-million/ (accessed on 18 November 2024).
Trust. 2024. The Story of Mt. Gox: Explained. Available online: https://trustwallet.com/blog/mt-gox-explained (accessed on 8 August 2024).
Ward, John. 2023. The crypto investing landscape. In The Emerald Handbook on Cryptoassets: Investment Opportunities and Challenges. Leeds: Emerald Publishing Limited, pp. 25–41.
Zhao, Yi, and Benjamin Duncan. 2018. The impact of cryptocurrency risks on the use of blockchain for cloud security and privacy. Paper presented at the 2018 International Conference on High Performance Computing & Simulation, Orleans, France, July 16–20.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.
