The theft of US$63m in crypto from the Zaif exchange has seen Japan’s Financial Services Agency rethinking its exchange management regulations.
This month’s meeting of the Japanese Financial Services Agency’s Virtual Currency Exchange Services Study Group again put exchange security at the top of its agenda after the bewildering theft of 7 billion Yen from the Zaif exchange, which is one of Japan’s officially ‘permitted’ exchanges.
Prior to being officially registered, exchanges had to go through a rigorous FSA vetting process, particularly focused on cyber security, anti-money laundering, terrorist financing, user protection and data security.
However, both the Zaif hackers and the hackers of the Coincheck exchange, from which 58 billion Yen ($519 million USD) in NEM was stolen in January, targeted the exchanges' "hot wallets," which are used to facilitate cryptocurrency transactions and are managed with private keys.
The Coincheck breach prompted the establishment of the Virtual Currency Exchange Services Study Group in March, with a mandate to bring together experts with the goal of generating responses to problems in the virtual currency exchange business.
In the guidelines and laws related to the Payment Services Act, which was passed in April 2017, the FSA recommends "split management" of assets with a clear classification between the company’s cryptocurrency and customer cryptocurrency, as well as management of assets through "cold wallets," or wallets that are managed offline, to the "greatest extent possible."
To prevent future ‘outflow incidents’, the group considered a list of proposals to strengthen the self-regulation of Japanese cryptocurrency exchanges. These included:
- the establishment of business divisions that bear responsibility for split management of assets,
- the setting of internal regulations that place a limit on the amount of cryptocurrency that can be managed in a hot wallet,
- the mandatory disclosure of cryptocurrency safekeeping policies — which would include all the relevant details of multisignature technology (used for additional transaction security),
- mandating the retention ratios of cold wallets.
Finally, the group also discussed the possibility that, in the event that assets are lost in a cyberattack, mandatory explanations could be made to customers about countermeasures taken. Such user protection initiatives are a high priority for the study group, and are expected to be strengthened even further in future as Japan attempts to pioneer global regulatory efforts.
In addition to the new security proposals, the connection between financial regulations and the diversification of cryptocurrency usage methods was also discussed.
A variety of characteristics
When it comes to regulating cryptocurrencies with diverse usage methods, the FSA group determined that due to the presence of derivative transactions and Initial Coin Offerings (ICOs), cryptocurrencies can be considered to possess a variety of use case characteristics, "including not only payment and payment methods, but also investment and fund procurement methods."
As to whether the FSA would consider regulations on these usage methods, the agency took the position that it would be necessary to determine "whether individual actions involving cryptocurrency have a financial (monetary versatility) function." If they do, then it was said that "the introduction of financial regulations could be expected, but that it would be dependent upon the social significance of cryptocurrency, and whether or not it could be considered harmful to encourage speculation on it."
In the event that these financial regulations are introduced, the FSA says it will consider "the extent to which user protection is necessary" and also the potential impact that a guarantee of reliable operations in cryptocurrency would have on the entire financial system.