How to "shock reduction" The risk control method of the head digital currency institution

Text | Editing by Li Zheweng | Produced by Bi Tongtong | PANews

Risk is a word derived from the Italian word "RISQUE" which means objective danger in nature. In modern society, risk is not so much a fate as a choice, it depends on the degree of freedom we choose.

Financial historian Peter Burns writes in the classic risk management book, "Enemies with Heaven: A Legend of Risk Exploration." "Business is booming or declining, stock markets are booming or collapsing, wars and economic depressions are everything, but they always seem to come when people are caught off guard."

One of the core elements of finance is risk control, especially for exchanges that provide liquidity to the digital currency market. The digital currency trading platform, which has multiple functions such as asset custody, transaction matching, clearing, and transaction information release, also integrates the attributes of institutions such as securities dealers and funds, and it is a super financial center.

PANews interviewed the heads of front-line risk control of multiple trading platforms. The absence of risk control in the blockchain industry is clearly the consensus of front-line heads. This has also led to industry tragedies such as FCoin's "thunderstorm" and exchange stolen coins. How to do a good job of risk control has become an important proposition in the industry that needs real-time attention.

Risk jungle

The most affected and hardest to resist in the crypto market is the systemic risks brought by policies. Changes in regulatory policies have a direct impact on the volatility of the entire market.

Market participants can control non-systemic risks. For example, technical risks surrounding system security and stability; operational risks caused by improper decision making; liquidity risks that assets cannot be traded at a reasonable price in real time; trust risks caused by failure to perform operations such as cash withdrawal and transfer in a timely manner; To maximize the moral hazard that harms the interests of investors.

The risks are endless, and the relationship between the risk control department affects every nerve of the exchange. A veteran practitioner of the exchange told PANews, "The risk control department is in a high position in the company, always watching the risk control system, monitoring various risk items such as liquidity, wool party, arbitrage, account abnormalities, etc., and closely connecting with various departments. . "

The responsibility of recruiting a risk control supervisor at a head exchange also clearly requires that it communicate with other departments (such as products and technical teams) to carry out work, effectively affecting other partners.

Risk control is a game of freedom. In the rapid development stage, risk control will undoubtedly restrict the speed. The status quo of the industry still in the initial period is not ideal.

"From the actual situation, the awareness of many small and medium-sized trading platforms in risk control is still insufficient." When talking about the status of the industry's risk control awareness, the relevant person in charge of digital currency exchange OKEx risk control told PANews. "At present, the industry's awareness of risk control is still very lacking, whether it is at the physical level, system level, governance level, etc., many peers are relatively lacking." Matrixport senior vice president Lin Rong expressed the same opinion in an interview with PANews. Matrixport is a digital financial services platform from Singapore that provides digital currency trading, custody, lending, and payment services.

Needless to say, if the blockchain industry wants to leapfrog into the mainstream, the trading platform at the center of the industry must deal with the "risk control".

Core objective of risk control-asset security

According to Chainalysis, the total value of stolen assets on digital currency platforms in 2019 was as high as $ 283 million. Although the Mentougou incident has passed for nearly 6 years, the phenomenon of "missing" digital currencies still occurs from time to time. Whether digital currencies can get adequate security protection still affects the nerves of all practitioners.

The relevant person in charge of Huobi Risk Control told PANews that Huobi has established a strict financial audit and real-time monitoring and alarm system. Through the separation of hot and cold wallets and hardware wallets, a prepayment mechanism has been established for each user, and users have been established. Protection Fund. According to PANews, Binance, Gate.io and other exchanges have also set up investor protection funds for users.

The Binance team stated that in terms of asset security risk control, Binance pays attention to real-time and batch reconciliation, real-time tracking, judgment and traceability of blockchain addresses. At the same time, professional customer service and risk control experts were appointed to analyze user asset risk and strengthen user education for risk control.

Custody storage is an important way to guard the security of assets, it is also a key mapping of the traditional financial industry to the blockchain industry, and it is the only way to strengthen asset security.

Cobo wallet founder Shenyu told PANews that small and medium-sized blockchain companies without sufficient technical capabilities should not quickly iterate their businesses. Instead, they should consider introducing third-party custody services to improve the level of digital asset storage security. Buy insurance.

Constructing a multiple wallet system and introducing escrow services are external factors. Asset security also tests the subjective moral hazard of the platform. Zhao Dong, the founder of Renrenbit, suggested that the platform can choose to be as transparent as possible and invite peers to monitor themselves to prevent evil. After transparency, once the company misappropriates the customer's assets, all parties can pay attention to it, which reduces the possibility of customer assets being misappropriated.

Eliminating the Sword of Damocles-Compliance Risk Control

Digital currency platforms still face many uncertainties. Actively embracing supervision, compliance, and operating in accordance with laws and regulations are necessary conditions to reduce policy and legal risks. According to the interview of PANews, the current front-line digital currency platforms in the industry have established compliance risk control to varying degrees, covering compliance risk control before, during and after the event.

Huobi has a standardized KYC / AML anti-money laundering system, with strict account opening principles and prior review standards.

Matrixport holds a Hong Kong Trust Company license and is subject to supervision by the Swiss Monetary Authority (FINMA).

Binance spreads compliance risks through distributed operations, such as applying for licenses in Japan, Malta, Jersey, Singapore, and other countries and regions to open fiat currency trading channels. Binance officials stated to PANews that Binance has cooperated with multiple AML / KYC and other compliance companies and related consulting companies, such as Chainalysis, Refinitiv, Ciphertrace, IdentityMind, and Elliptic.

The person in charge of OKEx Risk Control stated that the compliance department is responsible for the compliance review of various product lines and business lines within OKEx and provides risk management guidelines; the legal internal control department provides professional legal guidance to avoid legal risks.

Building the patron saint of platform security-technical risk control

For trading platforms, technical security issues are the most common risk control issue, and it is difficult to avoid even large head manufacturers. According to reports, OKEx experienced several DDoS (distributed denial of service attacks) from the evening of February 27th to 5am on the 28th. During the 29th and 28th, both Bitfinex and Binance suffered the same attack, the latter even There was a brief outage.

A solid technology shield is the guardian of asset security and platform credibility.

Matrixport implements quantitative monitoring and automatic strategy hedging of market risks for various businesses including transactions, lending, etc., and establishes network security, compliance systems, privacy data protection, and technical risk control as required by licensees. It also employs leading global external companies for IT Audit consulting

OKEx's technical risk control department focuses on technical risk control and launches a CDS big data risk control security brain based on the blockchain industry, which is dedicated to risk monitoring, analysis and disposal. Realize all-round real-time risk monitoring from the six dimensions of "device, location, behavior, relationship, habits, and account".

Binance has built a relatively complete risk control system and methods, based on specific data analysis to build real-time data calculations, and online machine learning models (AI) intelligent detection, to conduct risk assessment and security of users and platform assets protection.

Elephant in the room-internal risk control

According to insurance claims data from Wills Towers Watson, a leading global consulting and brokerage company, nearly two-thirds of cybersecurity issues are caused by internal staff negligence. Shenyu said that the internal security of blockchain companies is more important than the external, because most of the security incidents are caused by collusion between inside and outside or hackers lurking inside for a long time and know the internal structure.

In terms of importance, internal risk control should be at a higher level. Regardless of whether it is OKEx, Huobi, Binance, or Matrixport or Cobo, its internal control staff emphasizes the standardization of processes, as well as standard measures such as clear division of responsibilities, authority management, and regular audits.

Binance emphasizes that they have fully isolated the platform system and permissions, and used various components and processes of permissions and information management to minimize the management of information permissions. (PANews Note: The principle of minimum permissions is also called minimum authorization or The principle of least privilege refers to ensuring that the subject is only authorized to perform the tasks and perform the necessary tasks).

Lin Rong admits that Matrixport strictly manages authority separation internally, and has established a risk control committee system and a security incident handling framework. What is quite unique is that, in addition to irregular training on risk control for employees, Matrixport also conducts internal "phishing enforcement", such as sending imitation phishing emails to all employees and establishing "Wall of Sheep" for employees who are not familiar with risk control. .

Cobo's measures are similar to Matrxport's approach to sending "phishing emails" to employees. The former implements the "zero trust model", which assumes that every step of the operation, whether external or internal, may be dangerous. Trust, tested by real-time risk control system. Shenyu also suggested that blockchain companies must build their own internal data system, real-time reconciliation system and internal risk control.

The Stone of Other Hills in Traditional Finance

You cannot reach depth unless you pass the path of memory.

Talking about his feelings about risk control, Lin Rong said, "The risk control requirements of the digital currency market should be even higher than traditional. In particular, on the one hand, the volatility of the digital currency market exceeds most traditional financial assets. On the other hand, On the one hand, the information flow of the blockchain payment is integrated with the flow of funds, and the anonymity is stronger. The money is transferred out, and it is difficult to have a chance to regret it. "

As practitioners who have been struggling in key positions in front-line financial institutions such as Deutsche Bank and Ant Financial, Lin Rong and the Matrixport behind it have adopted measures in the enterprise that have borrowed from many traditional financial / Internet fields. These are the valuable experiences that the risk control of the blockchain industry needs to learn.

The relevant person in charge of Huobi Risk Control believes that the traditional financial sector credit reporting system is relatively mature, and the Internet will use big data to convert user behavior into credit records. For the blockchain field, how to effectively extract the information on the chain and transform it into risk control decision-making indicators is an important direction that requires efforts.

Zhao Dong pointed out that the more mature industry structure should be that transactions and assets should be separated, and the exchange is only responsible for matching and liquidation. If we go further, the settlement, liquidation and custody of assets should be completed by different entities. All parties jointly audit all accounts and each is responsible.

To do a good job of risk control in the digital currency market, it is necessary to graft experience from mature industries on the one hand, and on the other hand, the intensity of related inputs still needs to be improved.

A research report published by the University of Cambridge Judge Business School in December 2018, "Global Cryptoasset Benchmarking Study", shows that the security team of digital currency exchanges accounts for an average of 13% of the total team and spends an average of 17% The budget is used to ensure the safe operation of the exchange.

Considering the high profitability and huge growth space of digital currency platforms, digital currency platforms obviously need to consider long-term, invest more funds, recruit more high-level risk control personnel, and build a more advanced and complete risk control system.

"Investment in risk control can be seen as opportunity cost. The stricter the risk control, the more resources you need to invest, the more business opportunities you may lose, and the lower the probability of loss of existing assets. Similar to ours The more an enterprise attaches importance to its reputation and long-term interests in an existing industry, the more it naturally attaches importance to the safety of its customers' assets, "said Lin Rong.

Disclaimer: This article is only for market information and does not constitute any investment advice.