The need for business continuity planning in the crypto/blockchain community: ensuring resilience in digital finance

Written by Emily Landis Walker, Senior Financial Services Executive at Landis & Co

The cryptocurrency and blockchain sectors are rapidly evolving frontiers in the financial world, characterized by swift innovation and volatility. The nature of these digital assets, coupled with their technological underpinnings, necessitates robust business continuity planning to ensure operational stability. Given the dynamic regulatory landscapes and the potential for significant price fluctuations, entities operating within this space must prepare for disruptions to maintain resilience and secure trust from stakeholders. To effectively manage continuity, it is crucial for these entities to navigate the complexity of compliance while bolstering their information and communications technology (ICT) resilience. Dependence on technology and third-party services means that a singular focus on disaster recovery is no longer sufficient. Instead, a comprehensive approach that encompasses operational resilience, including proactive vulnerability and risk assessments is imperative to adapt and thrive amid potential challenges in the cryptocurrency and blockchain community.

Key takeaways

· effective business continuity planning is essential for operational stability in the crypto/blockchain sectors.

· entities must navigate compliance complexities and enforce rigorous Information and Communication Technologies (ICT) resilience measures.

· a proactive and collaborative approach is critical for adapting to disruptions and maintaining trust.

Understanding regulatory pressures

Regulatory pressures in the crypto/blockchain community mandate thorough business continuity planning. Entities in this space must navigate a complex web of regulations to maintain compliance and operational resilience and the rules and regulation differ from one jurisdiction is multi-faceted and rapidly evolving. Organizations must monitor and respond to various regulatory frameworks from institutions like the Financial Stability Board (FSB) and International Organization of Securities Commissions (IOSCO). A detailed report by PwC highlights the importance of understanding these frameworks as they differ significantly across jurisdictions.

UK Operational Resilience Rules — the Financial Conduct Authority (FCA) enforces the UK Operational Resilience Rules. These rules require firms to identify their important business services and set impact tolerances for severe but plausible disruptions. Firms must ensure they are able to remain within these tolerances during any disruption, as detailed in FSI insights.

EU’s Digital Operational Resilience Act (DORA) — The European Union has introduced the Digital Operational Resilience Act (DORA) will apply as of 17th January 2025 and aims to standardize the digital operational resilience framework for financial entities, including the crypto/blockchain community. DORA enforces rigorous requirements related to risk management, reporting, and testing digital resilience. It encapsulates the need for entities to demonstrate the capacity to withstand all types of ICT related disruptions. DORA impose a number of obligations in relation to risks on regulated institutions and importantly their third-party ICT services providers.

The crypto/blockchain community faces unique challenges that necessitate robust operational resilience, including the establishment of impact tolerances and the identification of critical business services as defensive measures against disruptions:

· establishing impact tolerances — for the crypto/blockchain industry, impact tolerances represent the threshold for disruption beyond which the community cannot operate effectively. This involves scenario planning where entities anticipate various types of threat — from cyberattacks to market volatility — and determine the maximum acceptable level of disruption. It is imperative that these impact tolerances are quantified, be it through potential financial loss, reputation damage, or client attrition rates.

· critical business services identification — critical business services are the backbone of any crypto/blockchain operation. They comprise the essential functions that, if disrupted, would cause significant harm to an organization’s operational capability. This identification process should prioritize services that are sensitive to latency, such as transaction processing and wallet accessibility. The identification also extends to impact analysis, assessing how disturbances to these services would affect stakeholders and the broader market. It is crucial for the resilience planning to map these services meticulously, considering both internal processes and external dependencies.

· compliance complexity for crypto entities — crypto entities operate within a framework of evolving regulations, facing distinctive challenges and the constant need to adapt to regulatory changes, making compliance an intricate aspect of their business landscape.

The crypto/blockchain sectors face arguably unique challenges when confronting regulatory landscapes, trying to satisfy rules and regulations that were more designed for more centralised structures and thus are not tailor-made for their decentralized operational models. The crypto/blockchain sectors must ensure transparency and compliance in an environment characterized by decentralized and borderless transactions, which traditional financial systems are not typically designed to accommodate. For instance, creating systems for anti-money laundering (AML) compliance presents a peculiar hurdle due to the pseudo-anonymous nature of crypto transactions. The absence of universally accepted standards and the rapid innovation cycles in the crypto sector compound the complexity. Companies must navigate a varied patchwork of international regulations, grappling with requirements that might be at odds with the very principles of decentralization and disintermediation that many crypto technologies espouse.

Adapting to regulatory changes

Crypto-related businesses must remain agile, ready to implement changes to their compliance programs in response to new regulations. This might entail revamping their reporting mechanisms or recalibrating risk management strategies to address the specific compliance demands laid out by entities such as FINRA which operates un the SEC in the USA. Flexibility and adaptability are crucial to manage the swift pace at which crypto regulations can change. Remaining proactive is key for crypto entities aiming to maintain compliance amidst shifting regulatory expectations. They must keep abreast of potential legislative developments — such as those impacting crypto company requirements — and constantly refine their internal controls and reporting processes. Being ahead of the regulatory curve not only minimizes the risk of enforcement action but also strengthens trust with customers and investors. To secure a crypto/blockchain system, one needs a comprehensive dependency mapping to outline the complex web of interconnections, involving:

· cataloguing critical components: blockchain nodes, wallets, and smart contract dependencies.

· assessing relationships with external entities: miners, exchanges, and third-party services.

These mappings should be represented visually, for instance, using tables to clarify the service interdependencies:

Once dependencies are mapped, the focus shifts to identifying vulnerabilities within each node of the built network:

· evaluation of security protocols for each component, such as encryption policies for wallets and smart contracts.

· analysis of recovery procedures to assess resiliency in the face of failure, like redundancy in consensus mechanisms.

· examination of potential disruption risks linked to dependencies, such as DDoS attacks on exchanges or node infrastructure.

The cryptocurrency and blockchain sectors face unique challenges in maintaining operational stability and compliance due to dynamic regulatory landscapes and evolving technological complexities. Robust business continuity planning, including proactive vulnerability assessments and compliance measures, is essential for resilience. Entities must navigate regulatory pressures, establish impact tolerances, and identify critical business services to ensure operational continuity. Adapting to regulatory changes swiftly and maintaining transparency and compliance in a decentralized environment are crucial for sustaining trust and resilience. The crypto and blockchain sectors will have to rise to meet these challenges and by doing so will make it easier for institutions to embrace these sectors further.