适应金融区块链的风险管理

©GBBCGlobalBlockchainBusinessCouncil©OliverWyman

CoreIndustry-LeadingWorkingGroupContributors

AvaLabs

CardanoFoundation

Clearstream

EuroclearGroup

GlobalBlockchainBusinessCouncil(GBBC)

HederaFoundation

Ripple

OliverWyman

TheDepositoryTrust&ClearingCorporation(DTCC)

Observers

TheWorldBank

WewouldliketoextendoursinceregratitudetothefinancialinstitutionsthatarenotnamedyetparticipatedinRMF-Phase1.Yourcontributionsaregreatlyappreciated.

Contact

Commentsfromfinancialindustrystakeholdersandregulatorsareactivelyencouragedtoinformandrefinefuturephasesofthisinitiative.Pleasecontactrmf@tosharefeedbackandaskquestions.

FrequentlyAskedQuestions(FAQs)

Clickheretoaccess.

©GBBCGlobalBlockchainBusinessCouncil©OliverWyman

Contents

ExecutiveSummary 5

Fivekeytakeaways 6

1.Contextandscope 7

1.1.Overview 7

1.2.Objective 8

2.Referencemethodologyformanagingnon-financialrisks 9

3.Adaptingnon-financialriskmanagementframeworkstoincorporatepublicblockchain

risks 10

3.1.Riskframework 10

3.2.Approach 11

3.3.Riskmitigationcapabilities 13

4.Novelrisks 14

4.1.Technologyrisk 14

4.1.1.Publicblockchainrisksandmitigationstrategies 14

4.2.Informationsecurityrisk 18

4.2.1.Publicblockchainrisksandmitigationstrategies 18

4.3.Financialcrimerisk 22

4.3.1.Publicblockchainrisksandmitigationstrategies 22

4.4.Businesscontinuityrisk 24

4.4.1.Publicblockchainrisksandmitigationstrategies 25

4.5.Thirdpartyrisk 26

4.5.1.Publicblockchainrisksandmitigationstrategies 26

5.Adaptedrisks 28

5.1.Legalrisks 28

5.1.1.Publicblockchainrisksandmitigationstrategies 28

5.2.Transactionandprocessexecution 29

5.2.1.Publicblockchainrisksandmitigationstrategies 29

5.3.Datamanagement 30

5.3.1.Publicblockchainrisksandmitigationstrategies 30

6.Standardrisks 31

7.Privatepermissionedblockchains 33

8.SecurityTokens 34

8.1.Valuechains 35

8.2.Stakeholdersacrossthevaluechainandriskmitigationstrategies 37

8.3.Keyrisksandmitigationstrategies 41

©GBBCGlobalBlockchainBusinessCouncil©OliverWyman

9.Pathforward 43

Appendix 44

Riskandmitigationmatrices 44

Technologyrisksandmitigationsapproaches 44

Informationsecurityrisksandmitigationsapproaches 50

Financialcrimerisksandmitigationapproaches 56

Businesscontinuityrisksandmitigationsapproaches 60

Thirdpartyrisksandmitigationsapproaches 62

Legalrisksandmitigationapproaches 63

Transactionsandprocessexecutionrisksandmitigationsapproaches 64

Datamanagementrisksandmitigationsapproaches 64

Glossary 65

ExecutiveSummary

©GBBCGlobalBlockchainBusinessCouncil©OliverWyman5

ExecutiveSummary

Thefinancialindustryandregulatorsrecognizethetransformationalpotentialofblockchaintechnologytoreshapelegacyoperationsandbusinessmodels

withinthefinancialservicessector.Indeed,overthepastdecade,leading

institutionsandcentralbanksacrosstheworldhaveworkedonabroadset

ofexperimentsandinitiativeswhichhavedemonstratedtheprofoundbenefitsblockchaintechnologycanbringtothefinancialsystem.Thefollowingwork

focusesonpublicpermissionlessandpublicpermissionedblockchaininfrastructures(“publicblockchains”)astheirassociatedrisksarenotadequatelyaddressedbyexistingriskmanagementframeworks.

Publicblockchainsneedtobeseenwithinthecontextofever-increasinglevelsoftechnology-infrastructure

externalizationbyfinancialinstitutions—acontinuationofatrendthathasalreadygivenrisetothe

communicationinfrastructureoftheinternetandcloud-basedservices.Atthesametime,open-sourcesoftwaredevelopmentmodelshavegainedacceptanceandhaveproventobenotonlyresilient,

butinsomecasessuperiortotraditionalclosedsoftwaredevelopmentmodels.

Publicblockchainsrepresentanaturalextensionofthesebroadermacrotrends.Acriticalgapimpedingthe

wideradoptionofblockchaininfrastructureistheabsenceofrecognizedriskmanagementframeworksand

correspondingregulatoryacceptance,particularlybyfinancialinstitutions.AclearRiskMitigationFramework(RMF)addressingpublicblockchainscanbeestablishedbyexpandingandadaptingexistingriskmanagementframeworksdesignedforexternalizedinfrastructure,suchascloud,andopen-sourcesoftwaredevelopment.Significantadvancementsintheresilienceandsecurityofpublicblockchainssuggesttheseinfrastructurescannowofferreliablesolutionssuitableforinstitutionaluse.

Yet,despiteblockchain’smaturity,broadinstitutionaladoptionofpublicblockchainsstillfaceschallenges.UnlikemoderntraditionaltechnologieswhereServiceLevelAgreements(SLAs)canclarifyoperationalresponsibilities

andliability,publicblockchainstypicallyimplementintrinsicallymorecomplexoperatingandgovernancemodels.Conversely,thedecentralizedstructureofpublicblockchainsmitigatescertaintraditionaldigitalinfrastructure

risks,suchassinglepointsoffailureorsingle-operatordependence.

Financialinstitutionsseekingtousepublicblockchainsmustadapttheirriskframeworkstoidentify,assess,

andmitigatethesenewrisks.Additionally,publicblockchaincommunitiesshouldsupporttheseeffortstoenableadoptionatscale.Recognizingthesechallenges,theRMFproposalpresentsastructured,actionableapproach

tointegratethenon-financialrisksofpublicblockchainsintoestablishedriskmanagementstandardsandtools,suchastheOperationalRiskReferenceTaxonomyintroducedbytheOperationalRiskdataeXchangeAssociation(ORX).TheRMFaimstoadvancepublicblockchaininfrastructurebyprovidingaconciseandadaptablestandardforintegrationintoexistingframeworks,facilitateregulatoryendorsementtoadvanceharmonizedpolicy

development,andremoveinstitutionalobstaclestoadoption.

Finally,thelastsectionofthisRMFexaminesthespecificriskmanagementchallengesofsecuritytokens,oneofthemostprominentusecasesforpublicblockchains.Securitytokens,whethernativelyissuedorstructuredastokenwrappers,havesignificantpotentialtostreamlinecomplexmulti-infrastructureprocessesanddeliveroperationalefficienciesthroughinstantaneoussettlementandfractionalownership.Despitethispotential,

securitytokensonpublicblockchainsfacenotableadoptionhurdlesduetothelackofaunifiedrisksyntax.

TheRMFacknowledgesthecomplexityofthismultidisciplinarychallengeandrecognizesthatfurtheriteration

andimprovementarerequired.Therefore,theRMFisbeingpublishedasadraftbasedonthepracticalexperienceandinputfromparticipatinginstitutions.Commentsfromfinancialindustrystakeholdersandregulatorsare

activelyencouragedtoinformandrefinefuturephasesofthisinitiative.

Fivekeytakeaways

©GBBCGlobalBlockchainBusinessCouncil©OliverWyman6

Fivekeytakeaways

Blockchainintroducesspecificnovelrisksrequiringtargetedriskframeworks

Blockchaintechnologyofferssignificantadvantages—suchasdecentralizednetworkwithbuilt-

inredundancies,immutablerecords,andcontinuous(24/7)operations—thatenhancetransparency,

operationalefficiency,andresilience.However,thesesamefeaturesintroducenovelrisksthatdonotfitneatlyintotraditionalriskmanagementframeworks.Aclearlydefinedcategorizationintothreecategorieswhere1)novelriskmitigationstrategiesneedtobedefined,2)risksrequiringadaptationtoexistingstandards,and3)

wherestandardriskmitigationstrategiesaresufficientisimportanttoenablefinancialinstitutionsand

regulatorstoprioritizetheirriskmanagementefforts,whilemaximizingthebenefitsthatblockchainsbringtothefinancialsystem.

Publicblockchaingovernancediffersfundamentallyfromtraditionaloperatingmodels

Unliketraditionaldigitalinfrastructureservicesthatarecentrallygovernedandwhererisksarecontractuallydistributed,publicblockchainsleveragevariousdecentralizedgovernancemodelsandrelysignificantlyon

open-sourcequalityassurancemechanisms.Publicblockchainecosystemsshouldendeavortoclearlydefinesuchgovernancestructures,includingtheirrisksandchallenges.Simultaneously,financialinstitutionsmustadapttheirowninternalgovernanceanddecision-makingprocessestotheirpublicblockchainsofchoice,

ensuringgovernancevisibilityandadequatereactioncapability.

Publicblockchainadoptiondemandsnewresiliencystrategies

Financialinstitutionsshouldconsiderpublicblockchainadoptioninconjunctionwithcomplementarysupportservices(e.g.,third-partynodeoperators,failoversystemstotraditionalserviceproviders,etc.)toachieve

resilience.Furthermore,financialinstitutionsmustmovefrombeingpassiveusersofsoftwareservicestoactivelyparticipatinginpublicblockchainecosystems.Institutionscanfurtherstrengthenpublicblockchainrobustnessandresiliencebydirectlyorindirectlyparticipatingintheiroperations(e.g.,runningnodes)andcontributingtounderlyingcodebases(e.g.,participatinginopen-sourcedevelopment).

Securitytokenspresentcompellingbenefitsbutrequirenewriskmanagementapproachesandanadaptedmarketstructure

Securitytokensprovideclearbenefits,includingenhancedtransparency,fractionalownership,potentiallyimprovedliquidity,operationalefficiencies,andautomatedcompliance.Nevertheless,theypresentuniquechallengessuchasinteroperability,settlementfinality,andspecializedcustodyrequirements.Effective

managementoftheassociatedrisksdemandscoordinatedeffortsfrombothregulatorsandmarket

participants.Regulatorsneedtoestablishclearregulatorystandardsforamarketstructurethatrequiresfewerintermediaries.Marketparticipantsneedtodevelopandimplementrobustblockchain-specificriskmanagementframeworks.

Astructuredapproachtoriskanalysisofblockchains

Institutionalblockchainadoptionshouldbeaccompaniedbyempiricalvalidationprocesses,adversarial

network,andloadteststoensureoperationalresilienceandcontinuousimprovement.Ongoingpublic-privatecollaboration,leveragingcommunity-drivenandopen-sourcemechanisms,isessential.Financialinstitutions

shouldactivelyparticipateinandprovideresourcesforsuchwork.Continuousimprovementstoexistingopen-sourceriskframeworksandstandardsshouldbepursuedtoensurerelevanceandresponsiveness.

Contextandscope

©GBBCGlobalBlockchainBusinessCouncil©OliverWyman7

1.Contextandscope

1.1.Overview

TheRMFisanindustry-ledeffort,facilitatedbyGlobalBlockchainBusinessCouncil(GBBC)andOliverWyman,

togivefinancialinstitutionsguidelinestoanalyzeandcontrolforthenon-financialrisksthatarisewhenthey

usepublicblockchaininfrastructure.Across-sectorworkinggroup—comprisingfinancial-marketinfrastructures,globalsystemicallyimportantbanks,multilateraldevelopmentbanks,andleadingLayer-1protocolteams—hascollaboratedtoprovideacommonreferencethatisrootedintheirpracticalexperienceofmanagingrisksor

blockchainimplementationsandprovideanoverviewofhowthenewtechnologycanbeincorporatedintoestablishedriskmanagementframeworks.

Whileblockchain,akintotheinternet,isinherentlyuse-caseagnosticandsupportsnumerousnon-financial

applications,thecross-sectorworkinggroupidentifiesitstransformativepotentialtodriveanewwaveof

financialinnovationwithapotentialtofundamentallyreshapefinancialservices.TheBankforInternational

Settlements(BIS)believestokenizationwillenhancethecapabilitiesofthemonetaryandfinancialsystemby

enablingnewwaystoserveendusersandbyremovingthetraditionalseparationofmessaging,reconciliation,

andsettlement

1.

Similarly,theExecutiveOrderissuedbythePresidentoftheUnitedStates‘EnsuringResponsibleDevelopmentofDigitalAssets’recognizesthatadvancesintechnologyandtherapidgrowthofdigitalasset

marketsareshapingthefutureoffinance

2

.

Publicblockchainsextendthesepotentialbenefitsbeyondtraditionalfinancialservices,offeringnew

infrastructurerailsforexchanginginformationandvalueoverashareddatabaselayer.Thisexpansionrequires

theadaptationandevolutionofexistingriskmanagementpractices.Justascloudservicesandtheinternethave

becomefoundationalforfinancialinstitutions,blockchaintechnologyrepresentsthenextstepintheevolution

oftheinfrastructure.Financialinstitutionsmustthereforeengagewiththesetechnologies,contributetotheir

developmentandgovernance,andadoptnewresponsibilitiesessentialtomanagingsharedpublicinfrastructures.

Financialinstitutionshaveanopportunitytoleverageblockchaintechnologytoofferintegratedfinancial

services,improvefinancialinclusion,modernizelegacysystems,andreducerisksassociatedwith

interconnectedinfrastructuresandprocesses.Blockchain’spotentialhasgainedwidespreadrecognition,

withregulatedinstitutionsaccumulatingconsiderableexperiencedesigningandoperatingpublicandprivateblockchainsystems.However,tomovefromproof-of-conceptstagestoscaledproduction-leveldeployments,clearerregulatoryguidanceandindustrystandardizationisnecessary.Financialinstitutionsmustalso

systematicallyintegratetheseemergentinfrastructuresintoestablishedriskmanagementpractices.

ThisfirstversionoftheRMFaddressestwoarchetypesofpublicblockchains:publicpermissionlessandpublic

permissioned.Thesetwotypespresentdistinctcharacteristicsandriskprofiles,necessitatingtailored

approachestoidentify,assess,andmitigateriskseffectively.TheRMFdeliberatelydeprioritizesprivate

permissionedblockchainsfromitsscope,astheirgovernancetypicallyresemblesconventionaloutsourcedIT,

whichisadequatelycoveredbyexistingcloud,outsourcing,andthird-partyriskmanagementstandards.TheRMFfocusesprimarilyonpublicblockchains,characterizedbysharedandopeninfrastructuremaintainedbyaglobalcommunityratherthanbilaterallycontractedvendors.

TheRMFleveragesestablishedgloballyrecognizedfinancialindustrystandards,frameworks,andtaxonomies

3

toensureseamlessandappropriatemitigationsforpublicblockchainuseintoexistingnon-financialrisk

managementframeworks.

1BIS,Thenext-generationmonetaryandfinancialsystem

2TheWhiteHouse,StrengtheningAmericanLeadershipinDigitalFinancialTechnology

3Frameworks,standards,andtaxonomiesleveragedinclude:CommitteeofSponsoringOrganisations(COSO)oftheTreadwayCommission,NISTCybersecurityFramework,CloudControlsMatrix,DigitalAssetSecuritiesControlPrinciples,DigitalOperationalResilienceAct,,MarketsinCrypto-AssetsRegulation,BaselBCBS44,IdentityandAccessManagement,PrinciplesforFinancialMarketInfrastructure

©GBBCGlobalBlockchainBusinessCouncil©OliverWyman8

1.2.Objective

TheRMFtargetsthreekeyobjectivestoadvancingpublicblockchaininfrastructureadoption:

•Provideaconcise,adaptable,baselinestandardbydesigningseamlessintegrationintoexistingriskmanagementframeworks.TheRMFshouldaccommodatefinancialinstitutionsatanystageofpublicblockchainadoption.

•Facilitateregulatoryfeedbackthroughactivedialoguewithpolicymakersandregulatorstosupportharmonizedpolicydevelopmentandrulemaking.

•Removeinstitutionalobstaclesbyaddressingoperationaluncertaintiesandregulatoryambiguitieswithmitigantsandcontrols,enablingconfidentandrisk-awareinteractionswithpublicblockchains.

TheRMFwillbedevelopedinphases,progressivelyexpandingitsrisk-basedmitigationfocusacrossassetclassesandusecases.

Exhibit1:Riskmitigationframeworkphases

Referencemethodologyformanagingnon-financialrisks

©GBBCGlobalBlockchainBusinessCouncil©OliverWyman9

2.Referencemethodologyformanaging

non-financialrisks

TheORXReferenceTaxonomy,developedbytheOperationalRiskdataeXchange

Association,wasfirstintroducedintheearly2000sandhasevolvedoverthepasttwodecadesintoagloballyrecognizedframeworkforclassifyingnon-financialrisks.It

providesastructured,hierarchicalmodelthatorganizesrisktypesintoconsistent

categories.Sinceitslaunch,thetaxonomyhasbeenrefinedtoincorporaterisksfromnewandemergingtechnologies,suchascloudcomputingandtheinternet.Severalregulators,liketheEuropeanBankingAuthority(EBA),explicitlyreferenceoralign

theirguidancebroadlywithORXtaxonomyprinciples.

WhiletheORXframework’staxonomyremainsbroadlyapplicabletoblockchaintechnologies,certain

blockchain-specificcharacteristicsalterthenatureandimpactofunderlyingrisks.Consequently,tailored

mitigationstrategiesarenecessarytoeffectivelymanagetheseriskswithininstitutionalriskappetite.

Therefore,thisRMFusestheORXtaxonomyasitsfoundationalstructure,adaptingittoaddressblockchain-specificriskscenariosandmitigationstrategies.

TheORXtaxonomyisbasedonanevent-drivenstructurethatdrawsfromthebow-tiemethod.Thismethodmapsriskscenariosacrossthreecoredimensions:causes(theunderlyingdriversorconditionsthatmakeriskevents

possible),events(theactualincidents),andimpacts(theresultingconsequences

)4

.Italsoemphasizesthe

importanceoflinkingthesedimensionstomitigationstrategiespresentedthroughpreventive,detective,andcorrectiveactions.Thisstructuresupportsadynamicapproachtonon-financialriskmanagementandiswidelyusedbyfinancialinstitutions.

Exhibit2:Bow-tiemethodology

4OliverWyman,ORXReferenceTaxonomyforoperationalandnon-financialrisk-Causes&Impacts(SummaryReport-November2020)

Adaptingnon-financialriskmanagementframeworkstoincorporatepublicblockchainrisks

©GBBCGlobalBlockchainBusinessCouncil©OliverWyman10

3.Adaptingnon-financialrisk

managementframeworksto

incorporatepublicblockchainrisks

3.1.Riskframework

TheRMFfocusesonthesuccessfulincorporationofnon-financialrisksandmitigationsintostandardrisk

taxonomyandstrategies.FinancialinstitutionstypicallyhaveexistingEnterpriseRiskManagement(ERM)andNon-FinancialRisk(NFR)frameworks.Itiscrucialthatblockchain-relatedrisksaremanagedinanintegratedratherthanisolatedmanner;thus,thisRMFisintentionallydesignedtoalignseamlesslywithstandardERMandNFR

structuresusedbyfinancialinstitutions,facilitatingstraightforwardadoptionandintegration.

Exhibit3:Standardriskmanagementframeworkstructure

Adaptingnon-financialriskmanagementframeworkstoincorporatepublicblockchainrisks

©GBBCGlobalBlockchainBusinessCouncil©OliverWyman11

WhilenotfallingdirectlyundertherubricofthisRMF,forthepurposeofcompletenesswehaveoutlinedhowafinancialinstitutioncouldincorporatepublicblockchain-relatedriskmanagementpractices:

1.Strategyandappetite:Financialinstitutionsmustclearlyarticulatehowtheusageofpublicblockchainsalignwiththeiroverallriskstrategy.Aspublicblockchainsbecomesintegratedintocorebusinessprocesses,the

riskappetitemustexplicitlyreflectthisshift,ensuringclearthresholds,tolerances,andescalationcriteriaforblockchain-relatedrisks.Riskappetiteshouldbenetwork-specificandevidence-basedwithresultsfrom

technicalandgovernanceduediligence(e.g.,codequality,sustainability,validatorconcentration,upgradehistory,bug-bountyscope,oracledependencies).

2.Governance,policies,andinterfaces:Financialinstitutiongovernancestructuresmustexplicitlyrecognizeandincorporatepublicblockchain-relatedactivities,especiallyiftheybecomestrategicallysignificant.Publicblockchainsoperate24/7andareoftenhighlyautomated.Therefore,theyrequiremechanismsthataremoreinlinewithtrading-relatedgovernanceprocesses.Policiesandproceduresshouldbereviewedandupdatedtoclearlydefinepublicblockchain-specificroles,responsibilities,andescalationpaths,ensuringeffective

oversightandintegrationwithexistinggovernanceprocesses.

3.Organizationalskillsandculture:Publicblockchainasamoderntechnologynecessitatesspecialized

expertise.Institutionsshouldproactivelyembedknowledgeintotheirriskfunctionsthroughdedicated

trainingandtargetedaugmentationoftheskillset.Thetransparentnatureofpublicblockchaindatamayalsorequireadaptationoftheinternalcodeofconducttoensureteamsunderstandandeffectivelyaddressthe

uniquechallenges.Softwarerisk-controlmechanismsneedtobesystematicallyembeddedinbusinessprocessesthatusesmartcontracts,requiringthattherespectiveteam’sskillsareadequate.

4.Riskprocessesandtools:Representstheprimaryareaoffocusandadaptation.Centraltoeffectivenon-

financialriskmanagementisthedevelopmentofastructuredrisktaxonomythatexplicitlyincorporatespublicblockchain-relatedrisks.Thistaxonomyshouldbebuiltuponandintegratewithstandardindustry

frameworks,ensuringconsistencyandcomprehensiveoversight.Thisincludesidentifyinguniquepublicblockchainrisks,assessingtheirspecificnature,andimplementingrobustblockchain-specificmitigationstrategies.

5.Risksystems,data,andreporting:Mustaccommodateblockchain'scontinuous(24/7)operating

environment.Systemsshouldseamlesslyintegrateblockchaindatastreams,ensuringreal-timeriskdetection,monitoring,andtimelyreporting.Enhancinginfrastructuretomanagecontinuousdataflowsandproviding

effective,real-timemanagementinformationreportingwillbeessentialtomaintainingoperationalresilienceandrobustriskoversight.

3.2.Approach

Asoutlinedabove,publicblockchainsdifferinseveralsignificantwaysfromtraditionaldigitalinfrastructures,

particularlywithinthefinancialmarketdomain.Manyofthesedifferencesstemfromthedistributed,multi-

partyoperationalandgovernancemodelsthatpublicblockchainsadopt.Whileselectnon-financialriskscan

beaddressedthroughconventionalgovernanceandcontrols,asubsetofthreatscallsforbroaderstructural

changesininstitutions’riskmitigationstrategiesandappropriategovernancemechanismsthatreflectthesharedresponsibilityamongnetworkparticipants.Thesechallengesareintrinsictohowblockchainsystemsoperate—

forinstance,vulnerabilitiesinconsensusmechanismsorgovernanceshortfallsindecentralizednetworks—whichnosingleinstitutioncanmitigateonitsown.

TheRMFanalyzesknownpublicblockchainrisksandcomparesthemwithexistingORXrisktypesandestablishedriskmanagementpositions,identifyingthreedistinctcategories:novelrisksrequiringentirelynewmitigation

strategies,risksrequiringadaptationsofexistingstandards,andstandardrisksmanageableusingestablishedframeworks.TheRMFacknowledgesthecomplexityandmultidisciplinarynatureofthischallenge,requiring

furtheriterationandimprovement.Consequently,weinviteindustryparticipantsandregulatorystakeholderstoprovidefeedbackandinputforthefuturedevelopmentanddetailingoftheframework.

Adaptingnon-financialriskmanagementframeworkstoincorporatepublicblockchainrisks

©GBBCGlobalBlockchainBusinessCouncil©OliverWyman12

Table1:Risksassessed

Risktype

RelevantORXRisk

Specificrisksassessed

Novel

risks

Technologyrisk

Hardwarerisk•Third-partydependencies

•Limitednodediversity

Softwarerisk•Datacorruptionduetosoftwareorconfigurationerrors

•Codevulnerabilities

Networkrisk•Protocolgovernancerisk

•Weaknessinconsensusdesign

•Scalabilityconstraints

•Protocolupgradeandhardforkrisk

•Finalitylagandtransactionrollbackrisk

Information

securityrisk

Riskofdataloss•Compromiseddataintegrity

•Privatekeylossandinadequatekeymanagementpractices

Cyberriskevents•Cryptographicvulnerabilities

•Smartcontracterrorsandexploits

•Consensusattacks

•Denialofservice(DoS)

Riskofdataprivacy

breach/confidentialitymismanagement

•De-anonymizationthroughpublictransactiondataanalysis

•On-chainexposureofsensitiveorconfidentialdata

Riskofimproperdataaccess

•Privilegemisconfiguration

•Misuseofdatatransparencyandroles

Financialcrimerisk

Riskofmoney

launderingand

terrorismfinancing

•Illicitfundintegration

•Terroristfinancing

•Obfuscationoftransactionoriginthroughcomplexmulti-stepactivity

Riskofsanctionsviolation

•Insufficientscreeningofon-chaintransactionsandcounterparties

•Sanctionsevasionrisk

Briberyandcorruption

KYC/KYT/Transactionmonitoringcontrolfailure

Businesscontinuityrisk

Inadequatebusinesscontinuityplanning/eventmanagement

Dependencyonexternalgovernancefornetworkrecovery

Thirdpartyrisk

Relianceonpublicblockchains

Inabilitytoeffectivelymanage