Blockchain in Financial Services: Not Yet Plug and PlayManaging Director, Cybersecurity Consulting and Advisory Services for Marsh Risk Consulting
As a data management and storage technology, blockchain quickly caught the attention of the financial sector because of its transformational potential.
Investment ramped up rapidly and steadily. Tech market intelligence firm IDC forecasted that worldwide spending on blockchain in the financial sector alone would reach nearly $2.9 billion for 2019, with overall annual global blockchain spending expected to reach $12.4 billion in 2022.
As the early-days exuberance fades, the experiences of recent blockchain trials in the sector have both revealed several inherent implementation challenges and created a growing blockchain-skilled workforce that is prepared to tackle them.
The Big Compelling Advantage
As with other transformational technologies, moving from proof-of-concept to pilot projects to enterprise-grade solutions is not easy. Blockchain as a technology has a relatively narrow application. As a database, blockchain is limited, resource intensive and slow.
But blockchain does one thing well: It enables all the participants to work from a single validated, immutable, and auditable version of a common data set at all times, and this alone may offer compelling structural improvements and operational efficiencies in certain functions.
Collaboration Is Essential
Blockchain is, first and foremost, a group solution — i.e., the members of a group of generally independent entities must commit to working together in both the implementation and the operation of a common blockchain solution to serve their mutual interests.
This cross-organizational collaboration is difficult in practice and may be the greatest roadblock to successful blockchain implementation.
The common solution is an IT system that must be implemented by each member of the group. This usually requires the blockchain to be knitted into the fabric of legacy infrastructure, systems and process and can involve significant IT and business process transformation at each of these independent enterprises.
Cybersecurity Is a Challenge
While it’s true that blockchain provides a way of increasing data security, blockchain is fundamentally a software technology, and software weaknesses make up the lion’s share of exploitable vulnerabilities in networks and systems today.
Errors or vulnerabilities in the blockchain protocol or in smart contracts could directly undermine the integrity of the blockchain itself.
Further, because of the need for businesses to interact with the data, to add new data and to access and process it, the usual tough security challenges of authentication of identity and overall management of access controls are just as important for the blockchain as they are for other systems.
Another critical challenge is developing enduring governance mechanisms, which address questions such as: How is a cross-organizational operational software system to be managed? How are major strategic and operational decisions to be made? How are costs to be shared? How are the identities and privileges of the participants to be established and managed?
Blockchain governance calls for a formal structure and set of processes that are agreed to by all members of the group, which can be quite a thorny issue.
For those enterprises that adopt blockchain, understanding and managing the risks associated with this new technology are critical for the health of the business.
Data Privacy Risks
Blockchain’s enterprise risks must be identified early and managed throughout the life of the system.
If the blockchain deals with the cross-border transfers of funds, it may be subject to know your customer and anti-money laundering regulatory regimes. This obligation may affect participants differently depending on their roles in the sector.
Additionally, data that is stored on a blockchain may be subject to state, national or international data privacy laws and regulations. There is uncertainty about how data privacy laws will be interpreted with respect to data that is distributed to multiple parties in multiple jurisdictions, which is inherent in distributed ledger technology (DLT).
A recent study on blockchain and GDPR published by the European Parliament noted that there is “a significant tension between the very nature of blockchain technologies and the overall structure of data protection law” and suggested that compliance with GDPR in the blockchain context be determined on a case-by-case basis.
Similar factors may affect compliance with the California Consumer Privacy Act and other data privacy regimes.
An important step in the mitigation of compliance risks is to build compliance into the blockchain architecture from the start and, where possible, to invite participation from the regulators in its design, implementation and operations.
The existing insurance programs of the participating organizations may not contemplate the risks that could arise due to blockchain’s peer-to-peer data sharing and processing. The cross-liability coverage commonly incorporated into commercial general liability policies may be adequate to address multiparty risks among the blockchain participants in most cases.
However, gaining a strong understanding of the cross-liability, joint liability and the joint-and-several liability issues that may arise will inform risk transfer decision-making, as well as the structure of agreements governing the relationship of the parties within the blockchain group.
In addition, all in-place insurance coverages, including the financial and professional lines coverages, should be reviewed and revised as needed to capture the potential exposure arising out of the blockchain implementation of any new technology.
Not Yet Plug and Play
Although there are many blockchain infrastructure platforms and resources available, blockchain is not yet plug-and-play.
Every blockchain adopter today is a pioneer.
For executives considering an investment in blockchain, the first step is to define the right use case. This should be a process of identifying the best solution for a business need and not one of finding a problem for blockchain to solve. Key gating questions include: Is the function to be supported by an enduring part of our business model? Is it inherently a multiparty function for us, our customers and market partners? Is a group ledger a core requirement?
Strong affirmative answers suggest that blockchain may be a viable design choice, but emerging alternative DLT concepts should also be considered.
For those enterprises that adopt blockchain, understanding and managing the risks associated with this new technology are critical for the health of the business. While the perils are not unique — including technology failure, data breach, data or platform corruption, compliance failure — the potential losses and liabilities are less well-understood than those of traditional technologies, meaning that risk identification and management should be given early and sustained attention when implementing blockchain technology.