Client Alert

UK PRA's 'Dear CEO' Letter on Exposure to Crypto-Assets

15 Aug 2018


On 28 June 2018, the United Kingdom Prudential Regulation Authority (PRA) published a letter to the CEOs of banks, insurance companies and designated investment firms to communicate the PRA’s expectations regarding firms’ exposure to crypto-assets. In particular, the letter flagged the risks associated with crypto-assets and each firm’s responsibility to comply with the PRA’s Fundamental Rules 3, 5 and 7.

The letter highlighted several risk mitigation strategies and systems that the PRA considers necessary to protect against exposure to crypto-assets. The PRA also outlined their expectations with regard to classifications of crypto-assets and reminded firms to continue to update the PRA of any planned crypto-asset exposure or activity. Discussions around the prudential treatment of crypto-assets are currently ongoing among authorities (both nationally and internationally) and the PRA will communicate any supervisory or policy updates in due course.

Contents of the Letter

The stated purpose of the letter is to communicate the PRA’s expectations regarding firms’ exposure to crypto-assets, as well as to remind them of their relevant obligations.

The PRA acknowledges that most firms have taken limited exposure to crypto-assets to date and also recognises that the underlying distributed ledger or cryptographic technologies, on which many crypto-assets rely, have significant potential to benefit the efficiency and resilience of the financial system over time.

However, it reminds firms, in considering any existing exposures and/or plans for the future, to have regard to the PRA’s Fundamental Rules.

The applicable Fundamental Rules are:

FR3 – A firm must act in a prudent manner;

FR5 – A firm must have effective risk mitigation strategies and risk management systems; and

FR7 – A firm must deal with the PRA in an open and co-operative way, and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice.

The PRA believes that crypto-assets raise various concerns for firms, including those related to misconduct, market integrity (since many crypto-assets appear vulnerable to fraud and manipulation, as well as to money-laundering and terrorist-financing risks) and reputational risks. 

Therefore, in relation to appropriate risk strategies and management systems under FR5, the key recommendations of the PRA are as follows:

  1. Crypto-assets are a new and evolving asset with risks which need to be fully considered by the board and the highest levels of executive management;
  2. Any risk-assessment framework for any planned direct exposure of the firm to crypto-assets or crypto-asset-exposed entities should be reviewed and signed off by an individual approved by the PRA to perform an appropriate Senior (Insurance) Management Function;
  3. The firm’s remuneration policies should ensure that incentives provided for engaging in this activity should not encourage the taking of excessive risks;
  4. Policies for the management of risk (financial, operational and reputational) must be commensurate to crypto-asset risks; and firms should ensure they maintain access to appropriate, relevant expertise to assess the risks that may stem from exposure; and
  5. Exposure must be taken on only after extensive due diligence has been performed.

Prudential Treatment of Crypto-Assets

The classification of crypto-asset exposure for prudential purposes should reflect the firm’s comprehensive assessments of all the risks involved. However, crypto-assets should not be classed as currency for prudential purposes. This approach is consistent with the fact that crypto-assets are not a homogeneous asset class and may feature characteristics of securities, commodities, currency units or a combination thereof.

Firms should set out their consideration of crypto-exposure risks in their Internal Capital Adequacy Assessment Process or Own Risk and Solvency Assessment.

The considerations should include:

  1. Discussion of the major drivers of risk;
  2. Sensitivity analysis to assess how changes in risk drivers might affect valuations and projections and affect the firm’s capital/solvency ratios; and
  3. An assessment of risk mitigants and what capital should be held against this risk.

In terms of communication with the PRA, firms should inform their usual supervisory contact of any planned exposure to crypto-assets and provide an assessment of the risks.

Since discussions between national and international regulators are ongoing in relation to the prudential treatment of crypto-assets, any supervisory or policy updates will be communicated in due course, including through Pillar 2 for banks, if necessary.


The letter is intended by the PRA as guidance to PRA firms regarding the level of scrutiny appropriate to any proposed exposure to crypto-assets or to entities heavily exposed to crypto-assets. Nevertheless, the PRA expressly recognises the significant potential benefit that the underlying distributed ledger or cryptographic technologies can provide in relation to the efficiency and resilience of the financial system in future.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.