Security

Institutional crypto custody: How banks are housing digital assets

Large financial institutions are getting involved in digital assets by investing capital, time and effort into custody technology solutions.

Until 2020, most of the crypto market action was largely driven by retail enthusiasm. It was only around August 2020 that institutions started to participate meaningfully in this asset class. As the United States Federal Reserve unleashed trillions of dollars of liquidity into the market during the COVID-19 pandemic, retail and institutional investors jumped onto the cryptocurrency bandwagon.

While crypto loyalists claim large-scale institutional adoption over the last couple of years, the entire asset class is only around $1 trillion in size. That is quite small when compared to the gold market of $11 trillion and the bond market of over $100 trillion. There is still a long way to go for the institutional adoption of crypto and blockchain-based digital assets.

A quick look at Coinbase’s trading volumes below shows the rise of institutional capital in crypto. But, it is also clear that the institutional numbers are quite modest when compared to other asset classes.

Some institutions, particularly top-tier banks and fintech firms, have started building capabilities to offer digital asset products and services to their clients. This is because banks and fintech firms are starting to see crypto, nonfungible tokens (NFTs) and other digital assets as a systemically important asset class. Not offering these products and services to their clients would be leaving a pot of money on the table.

The clients that banks serve range from hedge funds, asset managers, family offices, corporations and small and medium enterprises to retail customers. However, it is easier for banks to serve their institutional clients first, as they face lower regulatory hurdles than when serving a retail audience.

Financial institutions have focused on a few capabilities that have lower regulatory hurdles such as custody and data analytics within the crypto space. While this is largely true with banks, fintech firms have taken a more retail-friendly approach. For instance, Revolut offers crypto services to its customers.

As the first article in a series focusing on institutional involvement in digital assets, we will look into institutional custody solutions for digital assets.

What is digital asset custody?

Digital asset custody is the process of storing crypto, NFTs and other forms of digital assets safely and securely.

For the many things that Web3 and cryptocurrencies have got right, the user experience behind onboarding and self-custody is still lacking. A new user typically creates an account on an exchange like Coinbase or Binance and buys crypto there. These cryptocurrencies sitting in their exchange account are under the custody of the exchange.

However, if a user wants to take custody of their digital assets holdings, they would typically move them to a wallet like MetaMask or Phantom. This is called self-custody. This can be intimidating for users as it requires remembering a private key. To date, about 4 million Bitcoin (BTC) has been lost due to owners losing their private keys.

Self-custody may not be a solution for everyone. At the same time, institutions that provide custodial services to clients have had their dark days, too. For instance, Celsius, a centralized crypto lending platform, held custody of its client assets and has had trouble servicing its customers.

As markets hit peak crisis through the Terra episode, Celsius wasn’t able to return the crypto assets of its customers due to poor liquidity management practices. Therefore, institutions offering custodial services must have high risk-management standards to ensure their clients’ digital asset holdings are safe and liquid.

How do financial institutions approach digital asset custody?

Banks have been custodians of retail and institutional money for decades and have done a pretty good job. Particularly after the Great Depression, the self-custody of assets was considered too risky, and that led to the rise of banking institutions.

According to the Bank for International Settlements, reporting banks across the world held over $101 trillion in assets in 2022. The U.S. accounted for about 20% of that, at just over $20 trillion. This demonstrates that banks have historically been trusted with holding custody of both institutional and retail assets.

As a result, it is only natural that institutional and retail investors rely on banks to offer digital asset custody solutions. However, unlike custody of conventional money, digital assets require a new set of considerations from a bank.

What are banks’ custody considerations?

Banks looking to set up digital asset custody typically look at two broad approaches: building and buying capability.

Banks can choose to organically build custody capability. For instance, Nomura’s Komainu and Standard Chartered’s Zodia custody platforms are examples where major banks used their in-house technology to build digital asset custody solutions.

These banks can use these solutions for their own clients and offer custody platforms for other banks to use, too.

However, banks are not in the technology business. When a bank chooses to buy custody capability, it may just acquire a custody provider or the technology from an external vendor. Once they acquire the technology capability from a vendor, they can offer custody services to their clients.

Other alternatives are investing in a digital asset custody provider for long-term strategic synergies and/or partnering with a custody provider. In summary, they will look to inorganically create custody capability through strategic investments and acquisitions.

Where a bank chooses to buy or inorganically bring in the digital asset custody capability from an external vendor, there are certain product considerations:

Regulatory approvals

Banks must seek regulatory clarity and ensure compliance before choosing a custody provider. The custody platform under consideration must demonstrate compliance with regional regulatory policies around crypto custody. 

The Office of the Comptroller of the Currency in the U.S. and the Markets in Crypto-Assets in Europe drive custody regulations for their respective regions. As custody providers, banks will hold private keys on behalf of their clients. This adds additional operational risks and banks must demonstrate that suitable controls are in place to ensure safekeeping.

Blockchains and assets supported

When banks look at a potential custody platform, one of the key considerations would be the blockchains that the platform supports. Often these custody solutions support blue-chip assets like BTC and Ether (ETH). 

However, with more chains growing in stature, user base and transaction volume locked, clients may demand custody support for chains like Solana, Avalanche and others. Also, it may not be enough for custody platforms to just support crypto anymore.

NFTs have started to make a mark, particularly within the art space. The most expensive NFT yet, The Merge, was sold for $91.8 million. As a result, private banking and wealth clients of banks may soon demand support for NFT custody too. This would be a key consideration for a bank looking to choose a custody platform.

Tech-only vs. custody vendors

Another key criterion for a bank is to choose between custody platforms and custody service providers. With the former, banks would treat them just as a technology vendor. In this scenario, the banks would still be responsible for owning the operating model behind the custody service.

On the other hand, banks could also choose to partner with custody service providers, where they get the technology and the entire custody capability out of the box. Banks would just be white labeling the entire service.

Fireblocks and Copper are custody platforms that provide the technology capabilities, whereas Coinbase and Gemini offer out-of-the-box “custody as a service” solutions.

Cybersecurity standards and audits

Cybersecurity is perhaps the biggest risk for a digital asset custody provider. As a result, custody vendors must show that they have been examined by auditors across key dimensions such as security, availability, processing integrity, confidentiality and privacy. 

There are two commonly used examinations that custody vendors go through. They are SOC1 and SOC2, with SOC standing for System and Organisational Controls. Gemini announced clearing both SOC1 and SOC2 examinations in January 2021.

While these are point-in-time examinations, periodic audits are essential to ensure cyber standards are kept up to date.

Wallet types

Custodians offer clients different wallet capability types. The choice of wallet types decides the level of security, recoverability, seamlessness and compatibility with various blockchains.

Hot wallets are connected to the internet and are a lot easier to use as they integrate with applications for decentralized finance (DeFi) and NFTs more seamlessly.

Cold wallets are mostly offline and are only connected to the internet through a controlled mechanism. Therefore cold wallets offer secure custody of digital assets. Due to the controls in place to make them secure, cold wallets are not the most seamless experience for buying and selling digital assets.

Multisignature wallets are used to increase the security of transactions, as they require multiple parties with individual private keys to sign a transaction. Although they make custody and transactions more secure, multisig wallets are not compatible with all chains. They can only support the custody of a limited number of digital assets.

Multi-party computation wallets are an alternative to multisig wallets and offer the same level of security but better compatibility. With MPC, no single party holds the complete private key. Different parties involved in signing transactions hold two independent mathematically generated secret shares.

As a result, the security levels rely on multiple parties signing transactions while still being able to support different blockchains more seamlessly.

Custody platforms and service providers. Source: Blockdata

Segregation of client funds

Custody providers should be able to service clients who want their funds held separately from other clients. This functionality is critical for banks to consider when they are choosing their custody partners to serve their institutional clients.

Pricing 

Custody providers have different pricing models that they charge to their banking partners. The custody providers/platforms charge the banks a licensing fee, often based on the features that the banks want to roll out to their clients. Banks typically charge a percentage of assets under custody to their clients.

Pricing often depends on the nature of the service or product that the custody providers offer. For instance, if the custody provider is just providing the technology platform, pricing would be a licensing fee model. However, if a bank chooses to go for a complete “custody as a service” provider, they may incur an “assets under custody” commission. They would pass on this fee to their clients.

Integration with apps for staking

Most crypto users expect to use the crypto positions in their wallets to make passive income through DeFi solutions. As DeFi solutions scale, this is another application for custody platforms to support. Therefore, compatibility with multiple chains, assets and their decentralized applications (DApps) is a critical functionality.

Integration and interfaces

Custody platforms must provide various interfaces like mobile, PC, Mac and browser compatibility. This is another key consideration for banks when they roll out these solutions to their institutional clients.

Integration with tax and Anti-Money Laundering solutions is a critical feature that custody platforms must offer. Banks would want to provide seamless tax calculation integration to their clients based on the digital asset transactions they have made and the tax regime that their institutional clients fall under.

Custody platforms like Fireblocks offer integration with on-chain analytics solutions, such as Elliptic or Chainalysis. This integration offers the intelligence to spot any money laundering activities that banks must be aware of.

Banks and digital assets: The future

In summary, digital assets will grow into a significant focus area for banks and financial institutions in the future. The convergence of conventional financial market participants and futuristic ones has just begun. 

The first set of capabilities that banks have been focused on is infrastructure, compliance and regulatory capabilities. This is evident from their investments and partnership focus areas within the digital assets space.

However, as regulatory frameworks become clearer, we should see more innovative digital asset sub-verticals being embraced by financial services.

Pentagon contracts with Inca Digital for a security-focused digital asset mapping tool

The creator of the Nakamoto Terminal will help the government and businesses understand the interaction of traditional and digital financial systems and track money into and out of blockchains.

Digital asset data analytics company Inca Digital will study the implications of digital assets for national security under a year-long contract with the Defense Advanced Research Projects Agency (DARPA), the company announced on Friday. DARPA is the R&D branch of the United States Department of Defense. 

Inca Digital will work on a project called “Mapping the Impact of Digital Financial Assets,” which will aim to create a “cryptocurrency ecosystem mapping tool” to provide information to the U.S. government and commercial businesses.

Besides looking at possible money laundering and sanctions evasions, the project will contribute to understanding interactions between traditional and digital financial systems, money flows into and out of blockchain systems and other uses of cryptocurrency in areas of concern to the U.S. government. Inca Digital CEO Adam Zarazinsky said in the announcement:

“The Department of Defense and other federal agencies need to have better tools to understand how digital assets operate and how to leverage their jurisdictional authority over digital asset markets globally.”

DARPA program manager Mark Flood told The Washington Post, “DARPA is not engaged in surveillance. I’ll emphasize that we are careful in this research that we do not get involved in personally identifiable information.”

DARPA has been looking at blockchain technology for several years, both for its security implications and as a potential tool for its own purposes. In June, it partnered with Trail of Bits to analyze the degree to which blockchains are decentralized and identify their vulnerabilities.

Inca received a Phase II Small Business Innovation Research award for the project. The company is the developer of the Nakamoto Terminal, a system used by the U.S. Commodity Futures Trading Commission for market surveillance. It was founded by former Interpol analysts in 2009.

BNB Chain launches a new community-run security mechanism to protect users

AvengerDAO was developed in association with some of the leading blockchain security analytics firms and top DeFi projects in the crypto ecosystem.

BNB Chain, the native blockchain of Binance, has launched AvengerDAO, a new community-driven security initiative to help protect users against scams, malicious actors and possible exploits.

The security-centric decentralized autonomous organization (DAO) has been developed in association with leading security firms and popular crypto projects such as Certik, TrustWallet, PancakeSwap and Opera, to name a few.

The AvengerDAO security initiative mainly consists of three major components, namely a passive API system called Meter, a subscription-based alert system called Watch, and a programmable fund management system called Vault.

When a user on the BNB Chain interacts with any applications or counterparties, AvengerDAO adds an additional layer of security. The Meter API system fetches security ratings on smart contracts, domains and addresses, and alerts users in case of a security vulnerability. The Watch system alerts users in real time about ongoing exploits, while the Vault acts as an escrow where the funds are only released once certain pre-set conditions are met.

Gwendolyn Regina, investment director at BNB Chain, explained how the community would be responsible for security decisions in an exclusive conversation with Cointelegraph. She said that the community would perform a survey of existing security auditing service providers to see what types of common security vulnerabilities exist. She added:

“We think that when additional professional security audit firms join the DAO as members, we will collectively get a deeper understanding of the security landscape, and work on enhancing it.”

Some of the AvengerDAO members, including security decentralized application (DApp) Hashdit, have already released an integration with PancakeSwap that would allow its users to fetch the security ratings of smart contracts with which they are interacting at the start of September.

BNB Chain has paid special attention to user security and has launched several initiatives over the past few months. Before the AvengerDAO launch, the BNB Chain launched DappBay, equipped with a novel feature called Red Alarm. This feature assesses project risk levels in real time and alerts users to potentially risky DApps.

Within a month of its launch, the Red Alarm feature of DappBay identified over 50 on-chain projects that posed a significant risk to users. The security feature analyzed 3,300 contracts in July alone.

While Red Alarm was just meant to flag vulnerable smart contracts and projects that possess financial risk, AvengerDAO aims to become a multidimensional security initiative with a focus on detecting real-time vulnerabilities and exploits.

Industry reps suggest improvements to Stabenow-Boozman crypto regulation bill

The crypto spokespeople testified before the Senate Agriculture Committee on Thursday with analyses of the bill’s strengths and recommendations for its weaknesses.

Representatives of the crypto community shared their responses to the proposed Digital Commodities Consumer Protection Act (DCCPA) on Sept. 15. Speaking at the second panel of a hearing held by the Senate Agriculture Committee, invited speakers praised the bill as a whole, but had recommendations for improvement.

Definitions were an issue for all five of the speakers and Blockchain Association head of policy Jake Chervinsky, who released a statement on the bill within moments of the conclusion of the hearing. All the commenters expressed a desire for a clearer definition of securities and commodities.

“While the bill includes a carve-out for securities, it does not explicitly define what is or is not a security (through the application of the Howey test or otherwise),” Coinbase vice president and deputy general counsel Christine Parker said.

Crypto Council for Innovation CEO Sheila Warren said:

“The bill leaves it to the agencies and the Courts to determine whether a digital asset, other than Bitcoin and Ether, is a security or not. To date, this approach has not worked well, with significant implications for consumers.”

Center for American Progress director of financial regulation and corporate governance Todd Phillips said that the bill’s definition of commodities does not take into account the role of miners and stakers.

In addition, Warren said, “The bill limits brokers, dealers, and trading facilities to transacting only in ‘transactions’ or ‘digital commodities’ that are not ‘readily susceptible to manipulation,’ but it does not attempt to define what ‘readily susceptible to manipulation’ means.”

Citadel Securities chief legal officer and former Commodity Futures Trading Commission (CFTC) chair Heath Tarbert found the descriptions of required registrants under the bill to be overly broad. He also favored an explicit ban on rulemaking by enforcement:

“While the CFTC has not typically engaged in rulemaking by enforcement, it is important for Congress to make its intent on this point crystal clear.”

Chervinsky was concerned that the definition of “digital commodity platform” was too broad and could impose “onerous requirements on some firms that aren’t justified by the minimal degree of risk they pose.” He also saw threats to privacy in the requirements for those platforms.

The speakers had a variety of concerns about the scope of the bill as well. The bill needs specifications to limit the authority of the CFTC to avoid regulating transactions that do not take place in the United States, according to Warren and Chervinsky.

The bill also “could be interpreted as a ban on decentralized finance (DeFi),” Chervinsky said. Warren echoed that point, saying the bill had provisions that are “unworkable” for DeFi. Stellar Development Foundation CEO and executive director Denelle Dixon made the point that “some could interpret the text to cover aspects of the technology rather than the participants offering products and services that leverage the technology.”

The DCCPA was introduced by Agriculture Committee chair Debbie Stabenow and ranking member John Boozman on Aug. 3. This was the first hearing on the bill, which is unlikely to be passed during this Congress.

Crypto for foreign trade: What do we know about Iran’s new strategy

Iran has decided to legalize the use of crypto in cross-border payments, which could impact how some countries view crypto.

With the Trade Ministry officially approving the use of cryptocurrencies for foreign trade, Iran will become the first-of-a-kind adopter in the world. 

The obvious problem with the news is that the country’s innovative policy aims at circumventing the financial sanctions that have been hampering its participation in the global economy for many years.

These circumstances set an ambivalent tone for Iran’s experiment — while for some, it could prove crypto’s emancipating ability to shirk the all-too-real hegemony of the United States political will and international financial institutions that enforce it, hardline crypto skeptics could get the proof they need for their prophecies about decentralized digital assets being a weapon of choice for disrupting the fragile global order.

Putting aside the ethical debates, it is still curious to know how exactly this strategy will work, what influence it will have on Iran’s trading partners and what challenges it will draw from the hostile enforcement bodies.

The road to adoption

The first public announcement of a trading system allowing local businesses to settle cross-border payments using cryptocurrencies in Iran came in January 2022. At the time, Iran’s Deputy Minister of Industry, Mine and Trade, Alireza Peyman-Pak, spoke of the “new opportunities” for importers and exporters that such a system, a product of joint action by the Central Bank of Iran and the Ministry of Trade, should provide:

“All economic actors can use these cryptocurrencies. The trader takes the ruble, the rupee, the dollar, or the euro, which he can use to obtain cryptocurrencies like Bitcoin, which is a form of credit and can pass it on to the seller or importer. […] Since the cryptocurrency market is done on credit, our economic actors can easily use it and use it widely.”

In August, Peyman-Pak revealed that Iran had placed its first import order using crypto. Without any details about the cryptocurrency used or the imported goods involved, the official claimed that the $10 million order represents the first of many international trades to be settled with crypto, with plans to ramp this up throughout September. 

On Aug. 30, Trade Minister Reza Fatemi Amin confirmed that detailed regulations outlining the use of cryptocurrencies for trade had been approved. While the full text still could not be obtained online, local businesses should be able to import vehicles and a range of other goods into Iran using cryptocurrencies instead of the United States dollar or the euro.

Meanwhile, the local business community voiced its concerns over the policy’s possible design. The head of Iran’s Importers Group and Representatives of Foreign Companies, Alireza Managhebi, emphasized that stable regulations and infrastructure should be in place for cryptocurrencies to be used successfully for imports. He also noted the possible threat of the new payment method leading to the emergence of rent-seeking business groups.

How would it work? 

Speaking to Cointelegraph, Babak Behboudi, co-founder of digital asset trading platform SynchroBit Hybrid Exchange, said that although the official policy was approved only in recent years, the Iranian government and corporations have been using crypto as a payment method for a couple of years now. 

But, there is a range of reasons why the government decided to acknowledge such practices on a national scale, such as the disappointment of Iranian negotiators in achieving a win-win deal with the West on the nuclear deal, the frustration of the economy and hyperinflation in the domestic market.

The emergence of the Chinese digital yuan and the Russia-Ukraine geopolitical conflict also greatly influenced such a decision, Behboudi added.

There remains the question about the effectiveness of the new strategy. Almost any potential foreign partner will face difficulties in conducting the deals in crypto, as, unlike Iran, most countries do not have a legal framework for using crypto as a corporate payment method or, at worst, directly prohibit it. The pseudonymous nature of Bitcoin (BTC) and other mainstream cryptocurrencies doesn’t leave possible partners too assured of their invisibility from U.S. financial enforcement.

This leaves foreign companies with two possible options, Behboudi believes. They could use either the intermediacy of proxy companies in crypto-friendly jurisdictions to convert the crypto to fiat or use the services of companies from third countries that conduct trade with Iran, such as Russia, Turkey, China, the United Arab Emirates and others.

Christian Contardo, global trade and national security attorney at law firm Lowenstein Sandler LLP, sees the scope of Iran’s potential partners as rather limited. The ease of crypto transactions can facilitate legitimate trade, particularly in regions where traditional banking may be impractical or unreliable. But, due to the regulatory regimes involved, it is unlikely that large legitimate commercial entities would transact in crypto with Iranian counterparties “unless they were seeking to hide their involvement in the transaction,” he adds. 

Allies and enforcers

Up to this point, reports about circumventing sanctions with crypto in Iran were rather scarce. While Binance did not face any allegations after journalists claimed it was serving Iranian customers, another major crypto exchange, Kraken, came under investigation by the U.S. Treasury Department’s Office of Foreign Assets Control in 2019 for the very same reasons. At least one individual is currently alleged to have sent more than $10 million in Bitcoin from a U.S.-based crypto exchange to an exchange in a sanctioned country.

Contardo is sure that enforcers, the United States in particular, will increase their scrutiny of transactions linked to countries like Iran. And although, in practice, it is next to impossible to track all large transactions, they still have all the tools they need:

“Enforcement agencies and even commercial investigative services have multiple sources of information to identify parties involved in a transaction. Once that information is aggregated and the parties identified, the evidence on the ledger makes for a strong enforcement case.”

Given recent announcements by Russian officials, who are also actively exploring the potential of using crypto for cross-border payments, the Iranian strategy may initiate the digitalization of a parallel market, which would include sanctioned countries and the nations that are willing to trade with them. Behboudi links this possibility to the further development of central bank digital currencies (CBDCs):

“The rise of CBDCs, like digital yuan, ruble, rial and lira, can minimize the risks if these countries can manage their transactions through bilateral and multilateral agreements, allowing the businesses to deal with each other using their CBDCs.”

Thus, in a way, Iran’s innovative strategy of adopting crypto as a cross-border payment method doesn’t change much: unless the use of decentralized currencies as a method of payment for private companies is allowed, this loophole would attract a limited list of nations that haven’t shied away from trade with Iran earlier.

Entrepreneurs must learn to tackle business risks in the Metaverse

The Metaverse is fraught with risks. Implementing effective safeguards — both physical and virtual — will be critical to entrepreneurs seeking to do business there.

Hyped as it is, the Metaverse remains largely undefined. It’s a challenge to answer the question “What is the Metaverse?” in part because its definition depends on whom you ask. As it stands today, the “Metaverse” includes virtual reality and what we might previously have called “cyberspace” — including digital assets like non-fungible tokens (NFTs), cryptocurrencies and more.

In the rush to become the first to innovate in metaverse technology, companies are deprioritizing risk management. But risk management is as critical in the Metaverse as in our physical world — all risk is linked and must be managed in a connected way. If new entrants to the Metaverse are to protect against the overwhelming scale and cost of cyber risks, they must learn to identify these risks, continuously monitor for threats, and make informed decisions for a strong future based on information gained from past threats and attacks.

Here are three types of metaverse risks expanding the attack surfaces for businesses.

Physical hardware risks

From headsets to chips with highly efficient computing power, virtual worlds need hardware to operate. The physical hardware used to run the Metaverse can create a cyber risk of its own.

As people create, expand and join metaverse worlds, the huge and powerful potential of this virtual space creates new attack surfaces for bad actors to test and breach. The assemblage of hardware from multiple sources required to successfully enable entry into this digital reality invites increased threats like the man-in-the-middle (MITM) attacks we’ve seen (in real life) at ATMs and on mobile applications.

To ensure safety, companies entering or experimenting in the Metaverse will have more places to monitor as part of their risk management strategy. Companies will need to create more advanced and comprehensive security controls for physical hardware as well as digital gateways while continuously managing their compliance.

Risk in cryptocurrency assets

In the Metaverse, crypto trades have been huge sources of risk. While cryptocurrencies started as a controlled niche industry driven by experts who were very concerned with security and privacy, growth in the crypto space has brought with it more opportunity for risk.

Growing numbers of consumer traders, new companies, and hackers all increase the risk factors in crypto transactions. Crypto also has become the de facto currency for ransomware; as a result, cyberattacks against crypto accounts are on the rise. The growing number of metaverse technologies will continue to endanger crypto security until companies catch up and begin dedicating resources toward addressing this type of risk.

Tracking fraudulent activity and implementing secure authentication can make a significant difference against cybersecurity threats, particularly in crypto. Threats happen faster than ever before, so continuous monitoring of risks is a necessity.

Organizations can only do so much, as individual users — the holders of crypto wallets — are a large part of the risk. Scams, hacks and password threats target vulnerabilities at the individual level. Individuals share an important responsibility in conducting due diligence against crypto threats in the Metaverse.

Identity risk

By design, the Metaverse is based on anonymity and fluidity. A digital reality, unlike the offline world, allows users to cloak their identities and reinvent their characters. Digital avatars assume characteristics chosen by their owner, and these identities are not carefully regulated — as on the internet, aliases are changeable.

This opens individuals, as well as the companies that operate metaverse territories, up to even greater potential risk. With innovation rapidly expanding and security a lower priority, it is difficult for users and metaverse technologists to tell the “good guys” and the “bad guys” apart. Increasing calls for controls around identity risk in the Metaverse stem from incidents relating not just to unintentional data-sharing between human players and automated “mimic” avatars (bots), but also alleged episodes of player-to-player verbal abuse and even sexual harassment.


Implementation of safeguards against these breaches in privacy will only increase in difficulty if the future metaverse ideal — one large, interconnected web of metaverse territories where identities and assets are entirely portable — comes to fruition.

Right now, that technology isn’t yet available — and maybe it won’t ever be. But there’s no question that the Metaverse is emerging as a real business and consumer technology — and a real risk factor. And like every space, it requires real, proactive risk management.

Gaurav Kapoor is the co-CEO and co-founder of MetricStream Solutions & Services, where he is responsible for strategy, marketing, solutions, and customer engagement. He also served as MetricStream’s CFO until 2010. He previously held executive positions at OpenGrowth and ArcadiaOne, and spent several years in business, marketing and operations roles at Citibank in Asia and in the U.S.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

South Korean regulators to prepare guidelines for security tokens in 2022

South Korea will get a separate security tokens market operated by Korea Exchange.

Guidelines for security tokens in South Korea will be announced by the end of 2022. Simultaneously, the pilot market with a regulatory sandbox will be launched before the formal institutionalization. 

South Korea’s chief financial regulator, the Financial Services Commission (FSC), published a report with the results of a joint policy seminar it held with the Financial Supervisory Service, Korea Exchange, Korea Securities Depository and Capital Market Research Institute on Tuesday. The stakeholders gathered to discuss further national strategy on security token issuance and distribution.

As the current capital market and electronic securities system in the country doesn’t include any legal definitions of non-standardized securities issued via blockchain, the FSC deemed it necessary to draft separate guidelines to “support the sound development of the market and industry.”

The FSC will prepare and announce the guidelines for security tokens in the fourth quarter of 2022. After that, it will proceed with establishing the “Security Token Discipline System” through revisions of existing legislation, such as the Electronic Securities Act and Capital Market Act.

The digital securities market will be operated by the Korea Exchange, while the Korea Securities Depository will assess the tokens before registering and listing them. In the first stages, the regulator will allow over-the-counter trading on a limited scale.


The announcement marks another step in a series of regulatory initiatives in the country, whose newly elected government has made it its mission to promote the crypto market. On Sept. 1, local lawmakers proposed enacting the Metaverse Industry Promotion Act, which would foster the development of the Metaverse in South Korea. An ambitious plan to set up a comprehensive general crypto framework by 2024 had been leaked to the press in May.

What is decentralized identity in blockchain?

What is a decentralized identity, and why does it matter? In this guide, we break it down for you.

Decentralized identity protocols

Several identity protocols, from crypto startups to big tech solutions, deal with decentralized identification, and each has its specifics and features.

Though the decentralized identity technology is fairly new, initiatives and players in the decentralized identity space, software for implementing decentralized identity wallets and supporting services are plentiful. They range from the Hyperledger open-source developing community, through a range of decentralized identity protocols and startups, to some of the biggest names in the industry.

Decentralized identity protocols and private identity stores such as uPort or 3Box are called identity hubs. Recently, the Ethereum-based uPort platform split into two new projects: Veramo, an open source framework for identifiers and credentials, and Serto – both of which carry on the mission of decentralizing the internet. 3Box Labs, in turn, went headlong into the development of Ceramic Network, a decentralized data network that brings unlimited data composability to Web3 apps, and Identity Index (IDX), a cross-chain protocol for decentralized identity and interoperable data.

Other DID platforms include ION, an open public layer-2 decentralized identity network that runs atop the Bitcoin (BTC) blockchain and is based on the purely deterministic Sidetree protocol. The notable Polkadot (DOT) ecosystem player Dock protocol enables everyone to issue and build solutions for decentralized identity and verifiable credentials that are instantly verifiable using blockchain. The Sovrin Network is an open-source, decentralized, public identity network metasystem to create, manage and control self-sovereign digital identity. ORE ID is the universal authentication and authorization platform for blockchain that functions cross-chain.

Connecting blockchain with crypto-biometrics, the Humanode project enables liveness detection checks that help identify real and unique human beings while accessing wallets and platforms and provide Sybil-resistance to any decentralized identity network.

Moreover, in the background, many vendors that provide decentralized identity wallets or help organizations incorporate the technology into their apps are members of the Decentralized Identity Foundation and the Trust Over IP Foundation. The World Wide Web Consortium provides standards for identity technologies and interoperability via the W3C-DID and VC projects. These organizations are working tirelessly to standardize and shape decentralized identity.

The future of decentralized identity

The decentralized identity space is still in its infancy; however, it is clear that it has the potential to change existing identity management for the better.

The world is moving toward Web3, the next evolution of the internet. Through decentralization and blockchain technology, an increasing number of people are taking back control of their data.

The digital identity space is still in its inception; however, from all the above discussion, it is obvious that decentralized identity with blockchain has the potential to make identity management decentralized, simplified and seamless, completely transforming the landscape.

While startups and DID initiatives continue to develop proofs of concepts for decentralized identity in government, finance, healthcare and other fields, the opportunities for decentralized identity continue to grow.

Overall, the goal is to make users feel more empowered online and build up and share a verifiable reputation and proof of existence. Analysts predict that one of the latest hottest trends in the tech industry — the Metaverse — may become a key initiator for decentralized identity spread.

With the advancement of avatars in the form of nonfungible tokens serving as users’ digital identities within virtual spaces, soulbound tokens, blockchain, biometrics and related cutting-edge technologies, decentralized identity will soon reach the masses in the flourishing Web3 ecosystem, which will boom in the coming years.


The pros and cons of decentralized identity

The four main benefits of decentralized identity management include control, security, privacy and ease of use. However, the main concerns are a low level of adoption, the lack of regulation and interoperability.

Control gives identity owners and digital devices power over their digital identifiers. Because users have complete control and ownership of their identities and credentials, they can decide which information they want to reveal and can prove their claims without depending on any other party.

Security reduces attack surfaces by storing PII. Blockchain is an encrypted decentralized storage system that is safe, flexible and impenetrable by design, reducing the risk of an attacker gaining unauthorized access to steal or monetize user data.

Decentralized identity management also helps organizations reduce security risks. Based on how organizations collect, process and store users’ data, they are subject to regulations. Organizations face sanctions and fines even for unintentional rule violations or data breaches. With decentralized identity management, they have an opportunity to collect and store less identity data, simplifying their compliance responsibilities and reducing the risks of cyberattacks and information being misused.

Privacy enables entities to use the principle of least privilege (PoLP) to designate minimal or selective access for identity credentials. PoLP is a term from information security. It states that any person, device or process should have only the minimal rights necessary to perform the task at hand.

And last but not least, decentralized identity technology gives users the advantage of easily creating and managing their identities with user-friendly neoteric decentralized identity apps and platforms.

As for flaws and drawbacks, there are several, and the primary one is adoption. Governments and organizations are still attempting to figure out how to deploy decentralized identity technology at scale, while most non-tech users have not even heard of this phenomenon.

Overcoming legacy systems and regulations and creating interoperable global standards and governance are also important issues. Identity data fragility, which refers to duplication, confusion and inaccuracy in identity management, remains a secondary issue.

What is self-sovereign identity?

Self-sovereign identity is a concept that refers to the use of distributed databases to manage PII.

The notion of self-sovereign identity (SSI) is core to the idea of decentralized identity. Instead of having a set of identities across multiple platforms or a single identity managed by a third party, SSI users have digital wallets in which various credentials are stored and accessible through reliable applications.

Experts distinguish three main components known as the three pillars of SSI: blockchain, verifiable credentials (VCs) and decentralized identifiers (DIDs).

Three pillars of self-sovereign identity (SSI)

Blockchain is a decentralized digital database, a ledger of transactions duplicated and distributed among network computers that record information in a way that makes it difficult or impossible to change, hack or cheat.

Second, there are VCs: tamper-proof, cryptographically secured and verified credentials that implement SSI and protect users’ data. They can represent information found in paper credentials, such as a passport or license, and digital credentials with no physical equivalent, such as ownership of a bank account.

And last but not least, SSI includes DIDs, a new type of identifier that enables users to have a cryptographically verifiable, decentralized digital identity. A DID refers to any subject like a person, organization, data model, abstract entity, et cetera, as determined by the controller of the DID. They are created by the user, owned by the user and independent of any organization. Designed to be decoupled from centralized registries, identity providers and certificate authorities, DIDs enable users to prove control over their digital identity without requiring permission from any third party.

Alongside SSI, which is rooted in blockchain, DIDs and VCs, decentralized identity architecture also embraces four more elements. They are a holder who creates a DID and receives the verifiable credential, an issuer that signs a verifiable credential with their private key and issues it to the holder, and a verifier that checks the credentials and can read the issuer’s public DID on the blockchain. Moreover, a decentralized identity architecture encompasses special decentralized identity wallets that fuel the whole system.

How decentralized identity works

The basis for decentralized identity management is the use of decentralized encrypted blockchain-based wallets.

In a decentralized identity framework, users utilize decentralized identity wallets — special apps that allow them to create their decentralized identifiers, store their PII and manage their VCs — instead of keeping identity information on numerous websites controlled by intermediaries.

Besides distributed architecture, these decentralized identity wallets are encrypted. Passwords to access them are replaced by non-phishable cryptographic keys that do not represent a single weakness in the case of a breach. A decentralized wallet generates a pair of cryptographic keys: public and private. The public key distinguishes a concrete wallet, while the private one, which is stored in the wallet, is needed during the authentication process.

While decentralized identity wallets transparently authenticate users, they also protect users’ communications and data. Decentralized apps (DApps) store PII, verified identity details and the information needed to establish trust, prove eligibility or just complete a transaction. These wallets help users give and revoke access to identity information from a single source, making it faster and easier.

On top of that, this information in the wallet is signed by multiple trusted parties to prove its accuracy. For example, digital identities can get approval from issuers such as universities, employers, or government structures. Using a decentralized identity wallet, users can present proof of their identity to any third party.
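The issuer, holder and verifier roles and the wallet key pair described above can be traced end to end in code. The following Go program is an added example, not code from the article or from any DID project; it assumes Ed25519 signatures, constructed `did:example:` identifiers, an in-memory map in place of the blockchain registry, and plain JSON as the signed payload rather than a standards-conformant credential format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Registry stands in for the ledger: DID -> public key (constructed, in-memory).
type Registry map[string]ed25519.PublicKey

// NewIdentity creates a wallet key pair and publishes the public half under did.
func NewIdentity(reg Registry, did string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing safe to do
	}
	reg[did] = pub
	return priv
}

// Credential is a minimal verifiable credential: claims plus the issuer's proof.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Proof   []byte            `json:"-"` // excluded from the signed payload
}

// payload is the signed byte string; encoding/json sorts map keys, so it is stable.
func (c Credential) payload() []byte {
	b, _ := json.Marshal(c)
	return b
}

// Issue signs the claims about subject with the issuer's private key.
func Issue(issuer string, key ed25519.PrivateKey, subject string, claims map[string]string) Credential {
	c := Credential{Issuer: issuer, Subject: subject, Claims: claims}
	c.Proof = ed25519.Sign(key, c.payload())
	return c
}

// Present binds the credential to one session: the holder signs the
// verifier's one-time nonce together with the issuer's proof.
func Present(vc Credential, holderKey ed25519.PrivateKey, nonce []byte) []byte {
	msg := append(append([]byte{}, nonce...), vc.Proof...)
	return ed25519.Sign(holderKey, msg)
}

// Verify checks the issuer's proof, then that the presenter controls the subject DID.
func Verify(reg Registry, vc Credential, holderSig, nonce []byte) error {
	issuerKey, okIssuer := reg[vc.Issuer]
	holderKey, okHolder := reg[vc.Subject]
	if !okIssuer || !okHolder {
		return errors.New("issuer or subject DID not found in registry")
	}
	if !ed25519.Verify(issuerKey, vc.payload(), vc.Proof) {
		return errors.New("issuer signature does not match credential")
	}
	msg := append(append([]byte{}, nonce...), vc.Proof...)
	if !ed25519.Verify(holderKey, msg, holderSig) {
		return errors.New("presenter did not sign this nonce with the subject's key")
	}
	return nil
}

func main() {
	reg := Registry{}
	uni := NewIdentity(reg, "did:example:university") // constructed DIDs
	alice := NewIdentity(reg, "did:example:alice")
	vc := Issue("did:example:university", uni, "did:example:alice", map[string]string{"degree": "BSc"})
	nonce := []byte("verifier-nonce-1")
	fmt.Println("valid:", Verify(reg, vc, Present(vc, alice, nonce), nonce))
	fmt.Println("replayed:", Verify(reg, vc, Present(vc, alice, nonce), []byte("verifier-nonce-2")))
}
```

The verifier never contacts the issuer: it needs only the registry entry for each DID, and the fresh nonce is what stops a captured presentation from being reused.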

Why does decentralized identity matter?

A decentralized identity aims to give people official proof of identity and complete ownership and control over their identities in a secure and user-friendly way.

A verifiable proof of existence is often needed for citizens to access essential services like healthcare, banking and education. Unfortunately, according to World Bank data, 1 billion people on our planet still do not have an official proof of identity. A considerable part of the population is in a precarious position, unable to vote, open a bank account, own property or find a job. The inability to obtain identification documents limits people’s freedom.

What’s more, traditional centralized identification systems are insecure, fragmented and exclusionary. Centralized identity databases are at risk as they often become prime targets for hackers. From time to time, we hear about hacks and attacks on centralized identity solutions in which thousands and millions of customer records are being stolen from major retailers.

The ownership issues remain as well. Users who have traditional forms of digital identity still don’t have complete ownership and control over them and are usually unaware of the value their data generates. In a centralized scenario, PII is stored and managed by others. Thus, it becomes more challenging, if not impossible, for users to claim ownership of their identities.

Decentralized digital identity addresses these issues by providing a way for digital identity to be used across multiple participating platforms without sacrificing security and the user’s experience. In a decentralized identity framework, users need only an internet connection and a device to access it.

Furthermore, in decentralized identity systems, distributed ledger technologies and blockchain, in particular, validate the existence of a legitimate identity. By providing a consistent, interoperable and tamper-proof architecture, blockchains enable the secure management and storage of PII, with significant benefits for organizations, users, developers and Internet of Things (IoT) management systems.

Centralized identity vs. Decentralized identity

What is a decentralized identity?

A decentralized identity is a self-owned, independent identity that enables trusted data exchange.

Decentralized identity is an emerging Web3 concept based on a trust framework for identity management. Such decentralized identity management includes an approach to identity and access administration that allows people to generate, manage and control their personally identifiable information (PII) without a centralized third party like a registry, identity provider or certification authority.

Considered to be private and sensitive data, PII refers to the body of information about specific individuals that directly or indirectly identifies them. Usually, it combines name, age, address, biometrics, citizenship, employment, credit card accounts, credit history, et cetera. In addition to PII, information that forms a decentralized digital identity includes data from online electronic devices, such as usernames and passwords, search history, buying history and others.

With a decentralized identity, users can control their own PII and provide only the information that is required to be verified. Decentralized identity management supports an identity trust framework where users, organizations and things interact with each other transparently and securely.

Crypto users push back against dYdX promotion requiring face scan

“No matter the cause, this is an absolutely horrible idea and you should walk this back immediately,” said Adam Cochran, a general partner at Cinneamhain Ventures.

Many users on social media have been lambasting decentralized exchange dYdX over the identification verification process to receive a sign up and deposit bonus of $25.

In a Wednesday blog post, dYdX announced that new users who deposited 500 USD Coin (USDC) for their first transactions could receive a bonus promotion of 25 USDC, provided they were willing to do a “liveness check.” According to the exchange, the verification process accessed a user’s webcam and “compares if your image has been used with another account on dYdX.”

Though the giveaway was completely voluntary, many on Twitter implied the checks were tantamount to invasions of privacy. DeFi Watch founder Chris Blec accused the exchange of “bribing users to allow their faces to be scanned & disguising it as a ‘promotion,’” hypothesizing that dYdX and other platforms could offer greater incentives in return for clients giving up more information.

“What dYdX is doing now is just wrong,” said Blec. “They’re misleading users on the intent. They know that every face scan they’re collecting is from an innocent. A criminal won’t face-scan but can still use dYdX. They’re bribing new users to give up privacy just to satisfy regulators.”

According to dYdX — which reported “reviewing many solutions” — the face scans were a solution that offered “the best UX for our users to indicate that they are, indeed, one person without revealing their full identity.” In a statement to Cointelegraph, a dYdX spokesperson said that the promotion did not require users to “provide personal information” and the image verification was intended “solely to prevent fraud.” Marc Boiron, the chief legal officer of Polygon and former chief legal officer at dYdX, also claimed on Twitter that the liveness checks were “incomplete and ineffective without combining it with other requirements.”

However, Blec claimed that the exchange may have been acting on behalf of regulators:

“It’s ridiculous to assume that a crypto exchange paying people to scan their faces is for any reason *except* some form of regulatory compliance, or at least testing a mechanism that they plan to expand in the future.”

“No matter the cause, this is an absolutely horrible idea and you should walk this back immediately,” said Adam Cochran, a general partner at Cinneamhain Ventures. “There is absolutely no acceptable reason to be collecting user biometrics. You’d be better dropping the incentive program entirely.”


From its Twitter account, a dYdX spokesperson said the verification had “ZERO to do with regulations” and was “simply a product to detect if you are a unique person.” However, the platform seemingly did not address concerns as to what service would be providing the facial scans and how the data would be stored.

Crypto Twitter shares security concerns regarding Meta’s recent NFT integration news

Meta recently announced its latest NFT feature will allow users to connect their digital wallets to Instagram and Facebook.

On Monday, Facebook and Instagram’s parent company, Meta, announced that its users will now be able to post digital collectibles and nonfungible tokens (NFTs) across both platforms by simply connecting their digital wallets to either site.

While Meta’s announcement may have seemed like a mass adoption win to some digital asset enthusiasts, not all members of Crypto Twitter were thrilled by the news.

Skeptical users took to social media to express concerns surrounding the security and privacy of the data disclosed when digital wallets are connected to these social media platforms.

Twitter user and Web3 community member NPC-Picac tweeted, “I don’t think entrusting digital collectibles to connect to ‘Meta’ is in any way smart.”

Another Crypto Twitter community member, CryptoBartender, raised concerns about what Meta could possibly do with the data they access from digital wallets, tweeting, “So they can figure out which wallets are yours and keep tabs on you and your crypto activities?”

Some users felt that publicly attaching valuable digital assets to one’s identity could turn users into targets for fraud and theft. A user operating under the handle famousfxck questioned, “This is great for adoption. But isn’t it also dangerous?”

Others shared their thoughts on individuals broadcasting even more personal data for the benefit of companies that have long histories of abusing users’ data and privacy.

In the announcement, Meta disclosed that, as part of keeping its platforms safe and enjoyable, “people can use our tools to keep their accounts secure and report digital collectibles which go against our community guidelines.” Meta has not yet shared any concrete plans it has to keep its users’ digital wallet-related data safe.