A new Deloitte report titled " Six Control Principles for Financial Services Blockchains " covers six control principles essential for blockchain adoption on a global scale. The report has been produced by the Deloitte EMEA (Europe, Middle East and Africa) Blockchain Lab in Dublin, in association with Deloitte Hong Kong and Deloitte U.S.
The Deloitte report emphasizes that financial institutions will need to ensure that distributed ledger technology (DLT) solutions are designed, developed and maintained in a secure environment, and that they comply with industry best practices. Since Deloitte is in the business of advising large enterprises, the report is self-serving to a degree, but it nevertheless provides a useful overview of the issues that a DLT implementation should address.
Blockchain technology has "attracted significant attention from the financial services industry in EMEA and around the globe, with many organisations exploring different structures and governance models as they move from exploration to implementation," said Lory Kehoe, EMEA Blockchain Lab lead at Deloitte and co-author of the study, as reported by Silicon Republic . Kehoe emphasized the importance of a holistic approach to blockchain implementation and the enforcement of key control principles. According to Kehoe, "failure to consider these principles, or to consider them in isolation, may become riskier as alignment between business and IT is critical for successful implementation of this new and powerful technology."
The report identifies and explores six control principles that, according to Deloitte, are essential for blockchain adoption on a global scale.
Best Practice: Standard for Blockchain Development
The Deloitte authors consider governance, legal and regulatory issues and standards as macro factors for the widespread adoption of DLT and private blockchains within the financial community. Three different governance models are considered as appropriate structures for DLT adoption within the financial services community: consortia, joint ventures and statutory organizations.
Appropriate legal and regulatory support frameworks, as well as standards able to speed up DLT adoption by financial institutions, are also considered important macro factors. Deloitte views the 1987 United Nations EDIFACT standard and the more recent ISO 2002212, used by Visa and SWIFT, as good examples of relevant standards. According to Deloitte, DLT standards for smart contract management will need to cover upgradeability, security and standardization of interfaces.
The importance of smart contracts is highlighted throughout the report.
"From a technical and legal viewpoint, lack of clarity about the legal enforceability of smart contracts adds to the risk of implementing DLT within financial institutions," added the report authors. The report noted that smart contracts should ideally have the same legal status as traditional contracts, operate in the same way, and enable the successful delivery of blockchain solutions into the existing infrastructure of banking and other institutions.
Interoperability and System Integration Controls
The Deloitte report emphasizes that the introduction of DLT into enterprise business is no easy task. On the contrary, it requires careful attention to interoperability issues and operational aspects. Security considerations, and integration with legacy systems, data integration and security mechanisms, are considered as especially important.
"Once blockchain systems have a secure standard interface, they essentially become another enterprise component, albeit with the unique properties possessed by DLT systems," noted the authors.
Audit Rules
According to Deloitte, DLT will not automate audits entirely and will not make the role of the auditor obsolete; rather, it will change some of the processes. A previous Deloitte report concluded that DLT is unlikely to provide a complete representation of financial statements, and auditors will still need to consider evidence and information beyond the blockchain.
Smart contracts are considered as especially critical points where vulnerabilities may expose a system to the risk of unauthorized access to the data record. Therefore, security concerns and risk assessments will need to be part of audit processes for clients with DLT implementations.
The authors of the report noted that layering DLT with audit analytics could yield standardized, sophisticated audit routines and analysis that enable near real-time evaluation of transactions across the blockchain.
Cybersecurity Controls
The Deloitte report asserted that DLT's roots in cryptography make it a complex technology with important cybersecurity challenges, including key management, the risk of an attacker overpowering a private blockchain and the centralization of authority within the network and privacy. At the same time, and for the same reasons, DLT is potentially more robust from a cybersecurity perspective than systems relying on traditional methods.
Private blockchains with centralized authorities are seen as especially vulnerable, since the central authority could be a single point of failure and put the entire system at risk. To minimize this risk, peers in a permissioned blockchain should operate in a decentralized network.
Smart contracts, especially those that offer Turing-complete programming, constitute an important cybersecurity challenge.
"When deploying new or updated smart contracts, a robust governance process must be rigorously applied and followed," affirmed the Deloitte report authors.
Enhancement of Traditional ICT Controls
According to Deloitte, decentralized, DLT-based systems call for a different approach to the management of traditional information and communications technology (ICT) controls for security management, system development, information processing and the management of technology service providers. For example, disaster recovery planning needs to address the possibility of network glitches and data integrity losses. At the same time, DLT offers a high degree of resilience, which can and should be leveraged to implement better ICT control systems.
The Importance of BCP
Business continuity planning (BCP) refers to planning for the loss of critical infrastructure or other events that can negatively impact operations, leading to lost revenues, additional expenses and reduced profits, potential reputational damage and loss of client confidence. BCP for DLT-enabled enterprises addresses the loss of servers or connectivity and other risks such as cybercrime.
"A typical DLT implementation of BCP might encompass a wide range of complex technical areas, from key storage and key regeneration in the event of catastrophic data loss to creating new keys when a cyber-crime incident compromises data security," in the words of the Deloitte report. "[Other] potential risks include loss or theft of private cryptography keys, or the encryption of key system data by malware."
In private blockchains, network nodes need to be separated geographically to minimize the risk of data loss or service outages in the event of a site outage.
The authors noted that, since blockchain implementations are not yet common, there is an additional risk in being a first-mover. However, while DLT is relatively new, its core components, such as public key cryptography, have existed in other systems for decades and are well understood.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.