Which risk management questions should institutions ask when they're selecting a partner, especially a partner from whom they're intending to earn yield or borrow against their digital asset holdings?
Institutions looking to get into crypto and gain an understanding of yield and crypto lending must bifurcate the risk discussion to cover both [centralized financing] as well as [decentralized financing]..
In CeFi lending, there are several factors that an institution should consider. The first is overall credit risk management. At Abra we have a credit team that does a deep dive on all counterparties, including their use of funds, borrower financials and a whole array of other factors that determine their credit worthiness. The next step is the Investment Committee to determine whether a new counterparty is worthy of being considered for credit within the Abra lending system. Risk limits are subject to the approval of the Risk Committee. There's market risk where we consider the parameters of our business relative to changing market conditions. There's liquidity risk to consider; such that if you are taking collateral from a borrower in the form of bitcoin or ether, it is important that that collateral is highly liquid so that if the market goes against the borrower you can sell collateral when necessary without large slippage or a significant trading spread.
Duration risk gives an indication of the liquidity of the overall lending system. For example, if terms of service and contracts indicate that deposits are available for withdrawal in less than seven calendar days, but the lending book has a 30-day duration or a six-month duration there is a good chance that many depositors won’t be able to access their funds on time when desired. We keep conservative liquidity buffers and do not take cross asset risk. And the most important risk, which has been in the news a lot lately, is concentration risk, which is a fancy way of saying don't put all your eggs in one basket.
Is it the same set of risks for DeFi?
In DeFi you have smart contract risk, so the question is whether your engineering team is reviewing code, doing code audits, or using third parties to audit smart contracts used by the DeFi protocol. We also look at other qualitative factors and signals, such as the total value locked into the contract and the vintage of the protocol. The more money that's locked in the contract, the more interesting the contract becomes to hackers. So the total value locked and the vintage of the protocol signal how battle-tested the protocol is. You also have governance risk, which asks if a group of people can get together and coordinate to force changes upon the protocol, including the token economics, and how that affects the overall decentralization of the system. The Solana blockchain has had some issues recently where a small group of actors was able to force changes on a huge percentage of the user base via the governance model they have in place.
Then there are the basics of economic risk, meaning what are the incentives? Are they paying out the incentives in their own token and is that done in a way that can be exploited? There are also operational risks to think about because DeFi is 24/7 and has no off switch. So how do you monitor things on Sunday morning at 2 a.m.? Then there's the trading risk if you're dealing with relatively illiquid tokens, where you have issues like impermanent loss, slippage and exit liquidity, all of which factor into determining how you should value potential DeFi investment opportunities. In all cases, we make sure to have contingency plans in place, including close-out strategies, channels and cost.
What are the main lessons that institutions, as well as individuals, should learn from the recent problems that have faced some other crypto lenders out there?
Well, some of the problems were related to fraud. So, they should ask about the regulatory status of a company. Certain regulators are better suited to preventing the kind of fraud that we've seen in the markets. If a company tells you that they're doing something, are they really doing it? And the best way to do that is via the banking regulators. I think the banking regulators, ironically, are going to have a bigger and bigger role to play in the crypto lending markets over time.
That is ironic.
Very much so. There are two ways to look at crypto. The first is, if you know what you're doing, either as an individual or an institution, you can leverage DeFi and key management to become your own bank. That's the promise of being able to hold your own keys. Then there is the vast majority of the investing public, both individuals and institutions, who are not in a position to leverage crypto to become their own bank, and therefore they have to rely on trusted third parties. Most individuals and institutions are not able to do proper key management, proper risk management, or 24/7 monitoring of DeFi protocols. They need to know that the parties that they're trusting to do this are operating under all the parameters that I've described above from both a risk management perspective, and a compliance and licensing perspective.