On 21 March 2022, Treasury released its consultation paper on a proposed regulatory framework for crypto asset secondary service providers (referred to by Treasury as CASSPrs) (Crypto Consultation Paper). Last December, the Australian Government provided its response to a raft of reviews (see our update - Australian Government gives nod to payments and crypto reform), providing particular support behind many of the recommendations set forth by the Senate Select Committee on Australia as a Technology and Financial Centre (see our summary - Senate Committee recommends new regulatory roadmap for digital assets and businesses). In this response, the Government announced it would consult on approaches to licensing digital currency exchanges and consider custody requirements for crypto assets, with advice to be provided on policy options by mid-2022.

Crypto secondary service providers

The Crypto Consultation Paper sets out an overview of the crypto industry’s rapid expansion and the corresponding Government desire to implement consumer safeguards that do not stifle innovation. The Crypto Consultation Paper identifies CASSPrs as being the most appropriate subject to such regulation.

Treasury defines CASSPrs as:

Any natural or legal person who, as a business, conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

• exchange between crypto assets and fiat currencies;
• exchange between one or more forms of crypto assets;
• transfer of crypto assets;
• safekeeping and/or administration of virtual assets or instruments enabling control over crypto assets; and
• participation in and provision of financial services related to an issuer’s offer and/or sale of a crypto asset.

Treasury follows the definition of ‘crypto asset’ recently adopted by the Australian Securities and Investments Commission (ASIC) as “a digital representation of value or contractual rights that can be transferred, stored or traded electronically, and whose ownership is either determined or otherwise substantially affected by a cryptographic proof.”

Regulatory gaps

The Crypto Consultation Paper provides a brief background to the existing regulatory framework, primarily the financial services licensing and anti-money laundering and counter-terrorism financing (AML/CTF) regimes already applicable to crypto service providers. Further, it notes areas of actual or perceived regulatory gaps as:

• challenges classifying crypto assets as financial products or non-financial products;
• counterparty risks associated with using crypto as a store of value or investment;
• the perception that similar services are regulated in a similar way; and
• protecting the community from criminal enterprises and fraud.

This scope of regulatory inquiry is focussed on CASSPrs who are centralised providers that provide retail customers access to non-financial product crypto assets, provide custody on behalf of customers and are captured by the Financial Action Task Forces’ definition of Virtual Asset Service Provider. It is expected that the proposed regime would not apply to decentralised platforms or protocols.

Proposed regime

Obligations on CASSPrs

The Crypto Consultation Paper proposes a single licensing regime (separate from the financial services licensing regime) which would apply to all CASSPrs with varying obligations depending on the number and types of services offered. The regime imposes similar obligations on CASSPrs as currently exists for Australian financial services licence (AFSL) holders, including:

• do all things necessary to ensure that: the services covered by the licence are provided efficiently, honestly and fairly; and any market for crypto assets is operated in a fair, transparent and orderly manner;
• maintain adequate technological, and financial resources to provide services and manage risks, including by complying with the custody standards proposed in this consultation paper;
• have adequate dispute resolution arrangements in place, including internal and external dispute resolution arrangements;
• ensure directors and key persons responsible for operations are fit and proper persons and are clearly identified;
• maintain minimum financial requirements including capital requirements;
• comply with client money obligations;
• comply with all relevant Australian laws;
• be regularly audited by independent auditors; and
• maintain adequate custody arrangements.

As well as this, Treasury have proposed additional specific measures for CASSPrs, including:

• take reasonable steps to ensure that the crypto assets it provides access to are “true to label” (eg, that a product is not falsely described as a crypto asset, or that crypto assets are not misrepresented or described in a way that is intended to mislead);
• respond in a timely manner to ensure scams are not sold through their platform;
• not hawk specific crypto assets; and
• comply with AML/CTF provisions (including a breach of these provisions being grounds for a licence cancellation).

It is proposed that ASIC would be empowered to grant relief from some of the obligations if warranted, on a case by case basis, to ensure the regime remains agile and flexible.

Financial requirements on CASSPrs

It is also expected that financial requirements on CASSPrs would be specified by ASIC to reflect the scope and volume of services to be provided. The Crypto Consultation Paper does not set out a proposed structure for these requirements, however these appear to broadly align with the base level requirements that currently apply to AFSL holders.

Anti-hawking and pressure selling

Treasury proposes to implement an anti-hawking prohibition under which CASSPrs must not in the course of an unsolicited contact with a retail customer:

• offer specific crypto assets for sale; or
• require or invite a customer to ask for crypto assets offered through the service.

It is proposed that a consent based definition of unsolicited contact would apply.

Custody

The Crypto Consultation Paper sets out proposed mandatory principles based custody obligations for private keys that are held or stored by CASSPrs on behalf of customers. The scope of regulation would be on the entity that has a direct relationship with the customer and is liable for the safekeeping of private keys (whether or not a third party custodian is used).

The proposed obligations include:

• holding assets on trust for the customer;
• ensuring that customers’ assets are appropriately segregated;
• maintain minimum financial requirements including capital requirements;
• ensuring that the custodian of private keys has the requisite expertise and infrastructure;
• private keys used to access the customer's crypto assets must generated and stored in a way that minimises the risk of loss and unauthorised access;
• adopt signing approaches that minimise ‘single point of failure’ risk;
• robust cyber and physical security practices;
• independent verification of cybersecurity practices;
• processes for redress and compensation in the event that crypto assets held in custody are lost;
• when a third party custodian is used, that CASSPrs have the appropriate competencies to assess the custodian’s compliance necessary requirements; and
• any third party custodians have robust systems and practices for the receipt, validation, review, reporting and execution of instructions from the CASSPr.

Alternative proposals to the Crypto Consultation Paper

The Crypto Consultation Paper also seeks views on alternative regulatory options.