The Australian Securities Exchange (ASX) has issued a warning to investors keen to buy into the crypto scene, particularly around the security of the private keys used to access digital funds.
In a submission [PDF] to the committee considering Australia as a Technology and Financial Centre, the ASX said it would be worth considering whether investors understood the risks and benefits of owning digital assets through a custodian or an exchange operating as a custodian.
Digital assets are associated with a user through an address, with the “owner” being the one with the address.
“The user’s address is a mathematical derivation of their private key, which in turn is derived from a random seed. The user must keep their random seed secret to prevent other users from deriving their private key and accessing the address associated with their digital assets,” the ASX explained.
“In effect, access to the private key of an address will confer custody of the underlying assets in that address. In that sense, access to the private key can be likened to legal title.”
See also: We’re not flying to Mars: ASX on using distributed ledger for new CHESS system
The ASX added it was concerned that many users are leaving their digital assets on a crypto exchange, with the private key held by the exchange, leaving the user vulnerable to security breaches on the exchange or to the risk that their assets may be dealt with in an undisclosed or unauthorised manner.
Similarly, it said the fact that access to the private key determines access to a user’s digital assets raises challenges in the secure storage and management of private keys by crypto exchanges.
“In most cases, the custodian of the underlying digital assets is the exchange itself, and the user does not have access to their private key unless they choose to transfer their digital assets to an address away from the exchange, and for which they directly manage the private key,” it continued.
Crypto exchanges, the ASX said, are no different to other businesses that may be subject to cybersecurity risks, as a number of recent examples of breaches can attest to. However, those that wish to keep their crypto in a “hot wallet” themselves are also vulnerable.
The ASX believes a more regulated environment could counter some of these risks.
It has asked the committee to consider and recommend measures to address, disclosure requirements in relation to crypto assets, including disclosure of the terms of custodial arrangements — whether through a crypto exchange or otherwise — and the key risks to users.
It has also suggested the examination of core standards and requirements for digital asset custodians, including in relation to capital, technological, operational, and governance matters, as well as independence assurance requirements for digital asset custodians, in relation to matters such as legal title to crypto assets left on the exchange.
“In saying this, we also note that crypto assets and crypto exchanges are subject to inconsistent, and in some cases minimal, regulation globally,” it continued. “Any measures such as those canvassed above would need to be considered in the context of the broader regulatory framework considered appropriate, in view of the nature and risks associated with these assets and activities.”
The Australian Transaction Reports and Analysis Centre (Austrac) in late 2017 gained authorisation to extend anti-money laundering and counter-terrorism financing regulation to cryptocurrency exchanges.
As a result, digital currency exchange service providers must apply the same obligations as other financial sector businesses, and are required to identify, manage, and mitigate risks of money laundering, terrorism financing, and other serious crime. They are also required to report suspicious matters to Austrac.
Appearing before Senate Estimates in May, Austrac said it received 4,200 suspicious matter reports from registered digital currency exchange providers. In response to questions on notice, Austrac revised this figure to be 4,722 between 25 May 2020 and 24 May 2021.
“As part of their anti-money laundering and counter-terrorism financing obligations, digital currency exchange providers must submit [suspicious matter reports] if a suspicion is formed in relation to a transaction or a person,” it explained.
As Austrac gives direct access to its database to state and Commonwealth law enforcement agencies, it said it does not often have visibility of which reports have resulted in operational outcomes, however.
Consistent with the remarks made by the ASX, Austrac said digital currency exchange service providers operating in Australia are at risk of being exploited by criminals.
“Offshore digital currency/virtual asset service providers not subject to regulation will continue to be attractive to criminal exploitation,” it added.