Get Ready for the Ultimate Bank Robbery of All Time

In February, the Office of the Comptroller of the Currency’s acting head Michael Hsu announced plans for new rules on operational resilience for large banks with critical operations, including third-party service providers. Hsu pointed out that bank call report data show the top four custodian banks alone now safeguard over $108 trillion in assets, and these assets are in the process of being tokenized. Tokenization is the process of creating digital representations of real world assets and liabilities on the blockchain, and big banks have been piloting this with bank deposits, with plans to soon tokenize U.S. Treasuries and corporate debt.

Regulators are aware of this trend and have taken steps to address it. The Federal Reserve’s Vice-Chair Michael Barr announced the launch of the Fed’s Novel Activities Supervision Program in September, and state-member banks have also been allowed to explore tokenization with sufficient risk management. Regulators in Hong Kong and the OCC have also issued guidance and held symposiums on tokenization.

While the mainstreaming of crypto by traditional financial institutions and regulators is exciting, most banks are tokenizing on permissioned networks, which regulators are encouraging. In December, the Basel Committee on Banking Supervision announced that the highest bank capital requirements would be retained for crypto-assets held on permissionless blockchains, stating that permissionless blockchains create risks that cannot be sufficiently mitigated. This is because permissionless blockchains are maintained by thousands of validators not subject to regulatory authorities, while permissioned networks would be controlled by banks.

At a recent OCC symposium on tokenization, top economic advisor at the Bank for International Settlements Hyun Song Shin reiterated the BIS’ vision of a unified ledger for all global central banking. However, he did not explain how tokenization would work without blockchains, which are necessary for decentralized systems. Without the need for blockchains, the financial stability implications could be dire.

This is because regulators tend to misunderstand the key feature of blockchain technology, which is decentralization. A truly decentralized blockchain requires thousands of validators to build and maintain it, ensuring operational resiliency. By contrast, most successful crypto hacks involve centralized protocols, making permissioned networks more vulnerable to attacks.

Encouraging the use of permissioned networks over permissionless blockchains could lead to cyber attacks on a scale previously unknown as the financial system moves to tokenize trillions of dollars’ worth of real world assets and liabilities. The concentration of attack vectors on the big banks that control these permissioned networks is a major concern, and regulators should address this issue to prevent the potential for the biggest bank heist in history.