Timothy Massad is a research Fellow at the Harvard Kennedy School; Adjunct Professor at The Georgetown Law School; non-resident scholar at The Brookings Institute; former chairman of the Commodity Futures Trading Commission; and former Assistant Secretary of the Treasury for Financial Stability.
The following speech text (as prepared for delivery) was given by Massad at the FIA/SIFMA Asset Management Derivatives Forum on 7 February in Dana Point, Calif.
Thank you for the introduction, and thank you to FIA and SIFMA for inviting me. It’s a pleasure to be here. I’m going to talk about digital assets. First, I will talk about stablecoins and central bank digital currencies, and in particular, the opportunity we as a nation should seize to improve our payments system through stablecoins. Second, I will talk about the general regulatory framework for trading crypto—or rather, the regulatory muddle, and what to do about that. These subjects will be front and center at Congressional hearings in Washington today and tomorrow.
Let’s start with CBDCs and stablecoins: it is likely to take years before we create a CBDC in this country, but we can and should modernize payments by permitting broader use of stablecoins now.
The Federal Reserve released its long-awaited report on CBDCs last month. It did not take a position, as was expected. Instead, the report will serve as the official kickoff of a public discussion about whether to create a CBDC. That discussion is likely to take time because of the complexity of the subject, the nature of our system, and the fact that there are already divergent views within Congress and the Fed.
Late last week, the Boston Federal Reserve Bank released a report on Project Hamilton, its collaboration with MIT to create a hypothetical CBDC platform. That report shows terrific work has been done to design a payment processing system capable of achieving very high speeds, throughput and reliability. Bitcoin processes 5-7 transactions per second, Visa is around 60,000. The Fed and MIT achieved 1.7 million TPS—through a parallel processing structure rather than a standard blockchain. This project has had some of the best coding talent in the world, and the U.S. government should be trying to hire even more. That is because the debate over whether to create a CBDC will be too abstract unless we figure out what it will look like. And for that, we need a lot more research and development.
Meanwhile, private stablecoins have become ubiquitous in the crypto sector as this chart shows (data from Coinmetrics and The Block). That’s because they meet an important need—they are the means to settle the cash leg of any transaction instantly, simultaneously with the crypto leg. But they could have much broader application. You may be thinking: I have a lot of electronic payment options--credit and debit cards that can be used without being present; mobile banking; Venmo, Apple Pay etc. But the fact is, they all run through bank-dominated payment rails that are relatively slow and expensive. The Fed’s real-time payments project, FedNow, will improve that, but perhaps not broadly enough or fast enough. Private stablecoins, on the other hand, if properly regulated, could be a means to create faster, more efficient payments. They could bring greater competition and innovation to payments. And they could help the millions of Americans who are unbanked or underbanked — who comprise 25% of American households — gain better access to financial services. They pay in fees about 10% of their income just to use their income, according to government estimates. If you live paycheck to paycheck, and your check doesn’t clear for three days, then you may have trouble paying your rent, or you may incur overdraft fees, or you go to an expensive check cashing service. Faster payments could help those Americans.
The Fed CBDC report, and Chair Powell in recent testimony, acknowledge that stablecoins could speed up payments, and could co-exist with a CBDC. But they just need to be properly regulated. Which brings me to my second point: The proper regulatory path is to bring stablecoins within bank-type regulation, but to not limit stablecoin issuers to traditional insured depository institutions.
The recent report of the President’s Working Group on Financial Markets on how to regulate stablecoins was excellent at summarizing their risks. But its recommendation to limit stablecoin issuers to insured depository institutions (IDIs) could limit competition and innovation. It could become a big win for the big banks.
Existing IDIs would likely have a big advantage because of the time it can take a new entrant to get a charter and deposit insurance, assuming the FDIC would even grant insurance to a stablecoin issuer. And big banks are more likely than smaller banks to have the tech platforms that can handle the instant settlement of stablecoins.
I believe a bank-type regulatory model is better than a money market fund regulatory approach because stablecoins are payment mechanisms, not investments. But the model needs to permit entities beyond just traditional banks, and the regulatory requirements should be more tailored to the risks.
The word of the day here is “flexibility”. That is the word Treasury Under Secretary Nellie Liang used last month on a webinar to suggest that the PWG report’s IDI recommendation need not be a one-size-fits-all. It is the word she is using today in her testimony before the House Financial Services Committee on the report.
That is encouraging. So what might a more flexible model look like? It must include requirements to address run risk—standards on how reserves are held and invested as well as liquidity requirements. Cash and short-term Treasuries are best. If a stablecoin issuer parks 100% of the reserves in those assets, then what’s the purpose of, or need for, deposit insurance? Undersecretary Liang essentially said that on a recent webinar. Even if reserves are entirely cash, stablecoin issuers should have some capital as well, because of the risk of operational and other losses. There must be standards to ensure prompt redemptions at full value. There should be ongoing, regular oversight by a supervisor —and here, I think Treasury will want a federal regulator because of the variance in state standards and capabilities. There will need to be robust know-your-customer (KYC) and anti-money laundering (AML) procedures. There should be privacy and protection of data standards, as well as operational resilience and cybersecurity standards. With those sorts of requirements, one could have narrow banks or even non-banks as issuers.
Perhaps the most difficult challenge will be how to ensure KYC, AML and operational resilience standards are met on the decentralized blockchains on which a stablecoin might be traded. Because regardless of who the issuer is, it only mints and redeems the tokens. (The Libra or Diem proposal by Meta, formerly Facebook, was an exception in proposing the creation of its own network for transactions.)
A critical requirement is having a tech platform capable of handling instant settlement. Most banks don’t reconcile their books in real-time, but stablecoins require that. This goes to run risk as well: while people don’t convert in and out of stablecoins frequently today, we don’t have enough experience to know whether those reserves might be far less sticky than traditional deposits. Because of that possibility, I am very concerned about mixing instant 4 settlement with leverage—that is, allowing stablecoin reserves to be leveraged like traditional deposits, and allowing maturity transformation of that cash into long-term loans.
And that brings me to my third point: We should consider having the Federal Reserve provide master accounts to regulated stablecoin issuers. This could also be a means to create federal oversight.
The safest place to park the cash reserves that back stablecoins would be with the Fed. Some may say this ties up risk-free assets inefficiently. But I think it is important to be conservative as we allow for expanded use of stablecoins. The traditional bank trade associations may object to allowing a special purpose payment entity that is not FDIC-insured to have a master account at the Federal Reserve. But in fact, the Fed has already granted master accounts to uninsured entities whose business models are very different from traditional banks—and in fact, they are probably represented in this audience. Two derivatives clearinghouses have master accounts with over $100 billion on deposit on a combined basis, which monies represent customer funds9 They are permitted to have master accounts because they were designated by the Financial Stability Oversight Council (FSOC) as systemically important financial market utilities under Article VIII of the Dodd-Frank Act. They are subject to Federal Reserve oversight as a result of that designation.
We could create a regime where stablecoin issuers could obtain master accounts and be subject to oversight and application of consistent federal standards as a result.
My fourth point on stablecoins and CBDCs is this: for those who regard the digital revolution in payments as a race with China, and who worry about whether the dollar’s international strength can be maintained, this is all the more reason to play to our strength, which is to tap the innovative potential of the private sector.
The Olympics have started. If we were all watching the ski competition in person, we ‘d be a lot colder, but we would witness the rollout of China’s CBDC, the e-CNY. No, you wouldn’t see it on the head of this skier, but actually, among the hardware China’s banks have created to promote the e-CNY is a ski glove that can make a transaction by merely swiping it over a reader, as shown here. This photo shows a walking cane that can be used to make transactions. So if this is a race, you might say we haven’t even put on our skis. If more Americans were seeing this in person, perhaps this would be a Sputnik-like moment where we realize we are falling behind.
Now, I agree with Chair Powell that when it comes to CBDCs it is more important to get it right than to be first. But getting it right means recognizing that our country’s strength is the innovative power of the private sector. Our government will not suddenly mandate creation of a CBDC nor command industry to do so. That’s essentially what China did. When Facebook, now Meta, announced its proposal for Libra almost three years ago, many in the U.S. feared Libra would undermine the dollar. But China saw something else. I was in Shanghai shortly after the announcement, and government officials saw Libra as a threat. It 5 represented the digital advance of the dollar, and a possible backdoor dollarization of weaker economies, because the dollar would be the largest component of the basket. So they promptly accelerated their research and development of a CBDC, and that is why they are able to roll it out today.
Now, there are many reasons why China’s CBDC path is not the right path for us. A major one is that its government values collecting data about its citizens much more than their individual privacy, so it relishes the extensive transaction data that a CBDC can provide. We must design systems that respect Americans’ reasonable expectations of privacy, whether with a CBDC or a stablecoin.
The right path for us is to create regulatory frameworks that encourage more private sector development of faster payment options. The Libra proposal was met with widespread hostility here for many reasons—including dislike of Facebook, concerns about the power it might have, and concerns about it undermining the dollar. I wrote a paper two years ago about the proposal, arguing that we should create a regulatory framework to permit single-currency stablecoins and address those concerns. Libra never got off the ground, but at least now we are having the right discussion.
There will still be those who fear that dollar stablecoins will undermine the U.S. dollar or conflict with a future CBDC. In fact, if we properly regulate them, they can advance the dollar in international commerce. The dollar’s strength internationally is due to many factors beyond technology. But stablecoins can nevertheless speed up dollar-based cross-border payments and thereby help ensure that the dollar remains strong as more countries move to digital payments.
They can potentially even address foreign policy objectives. Since 9/11, we have used dollarbased international payment systems to advance our foreign policy objectives through the imposition of financial sanctions. That has aroused opposition from China and other countries, and the development of CBDCs could, over the longer term pose a challenge to us. U.S.-based issuers of dollar-backed stablecoins could be required to comply with sanctions regimes.
Consider this possibility also: what is to prevent a foreign country from creating a dollar-based stablecoin? Dollar-based payments are today tied to our financial system; they run through our banks, which are subject to our regulatory standards and sanctions policies. But could a foreign country direct one of its banks to use the technological expertise developed through CBDCs and mobile payments to create its own dollar-based stablecoin? Could it use reserves in the form of Treasuries to back a dollar-based stablecoin? It would then have created dollar-based international payment rails that are not dependent on our banking system and not subject to our foreign sanctions regime. This may be unlikely in the near term, but we should not assume it would never happen.
Let me turn to the general regulatory framework for crypto and in particular the trading of crypto assets. I should say at the outset that while I see a lot of promise in stablecoins, I have some skepticism about the use cases of a lot of other digital assets. But I don’t believe the government should make judgments on what people invest in on principle—and because it’s hard to predict where innovation would lead. Look at how Bitcoin led to stablecoins which have caused central banks around the world to develop CBDCs. We should instead create a regulatory framework to ensure that markets operate with integrity and transparency. So I will focus on the quality of that regulatory framework--or what I would term the regulatory muddle.
The Regulatory Gap
There continues to be a widespread lack of understanding about the basic gap in our regulatory framework when it comes to crypto assets.
There is a common view that a digital asset is either a security or a commodity. (I recognize there may be some digital assets, such as so-called utility tokens that represent a right to use an application, that may not need to be regulated as financial instruments.)
Therefore, many people think the problem is that the SEC and the CFTC simply haven’t clarified which category a particular crypto asset falls into. The fact is that we have a gap in regulation that neither the SEC nor the CFTC has the power to fill. Neither agency has the authority to regulate the “cash” market for digital assets that are not securities.
That includes Bitcoin, Ether and many other highly traded coins—it’s where much of the trading activity is today. The SEC has authority to regulate digital assets that are deemed securities. The CFTC has jurisdiction to regulate derivatives involving digital assets because any digital asset used in a derivative can be deemed a commodity. The CFTC first took that position when I was chairman, and it was upheld in court. But the CFTC does not have authority to regulate the cash market for cryptocurrencies. And that’s the case with all commodities.
So you should “mind the gap,” as they say on the London underground.
Now, we could say: treat crypto like the cash foreign exchange market and leave it unregulated. But I think digital assets are far too complex a financial product to go unregulated. I think a reasonable principles-based regulatory regime will not only provide better investor protection; it can advance innovation.
The fact that the cash market is not subject to a federal regulatory framework means weak investor protection today, particularly when one considers the crypto exchanges that not only trade digital assets but perform multiple roles. Because of the absence of requirements, the quality of investor protection is simply not comparable to that in our securities and derivatives markets. Here is a list of just a few of the areas where we do not have adequate standards, such as governance and prevention of conflicts of interest; prevention of fraud and manipulation; trade execution procedures; operating resilience and cybersecurity; and transparency, reporting and record keeping. The one exception is that FinCEN can enforce KYC and AML requirements because exchanges are typically licensed at the state level as money transmitters, but the state requirements are minimal and are not a substitute for a robust federal framework.
This situation is ironic because when Bitcoin was launched in the depths of the 2008 financial crisis, proponents claimed it would eliminate the need to rely on large intermediaries that had almost brought down our financial system. But it has instead created a whole new class of intermediaries-- that is, the crypto exchanges-- that are less accountable than those big banks.
Let me give you also a visual way to remember and explain this to others: This first image on the left is the logo of the National Beef Company. It’s owned by a South American company today, but when it was a US public company, the sale of its securities was regulated by the SEC, as were the intermediaries on which that trading occurred.
To the right is a screen from the CME, and in the bottom you can see the prices of cattle futures. The CFTC regulates the trading of cattle futures, as well as the intermediaries where they are traded.
And here we have a cow. If you want to buy or sell a cow, you’re on your own. Neither the SEC or the CFTC regulates cows or the markets in which they are bought or sold. So, this Sunday when you watch the Superbowl, and you see these ads from crypto exchanges claiming to be well regulated, you can say, “That’s bull----.”
Ways to Fix the Gap
SEC Chairman Gensler has suggested that these exchanges are probably trading some crypto currencies that are securities, and therefore the exchanges themselves should be subject to SEC oversight. We may see the SEC move to assert that position, and if the SEC were to win, exchanges would have to decide whether to eliminate trading of those digital assets or bifurcate their business. In addition, if the SEC prevails in its litigation over whether Ripple is a security, that could lead to considering many other cryptocurrencies to be securities. So the landscape could change through enforcement actions.
But while enforcement is critical to hold market participants accountable for failing to follow the rules, it is not an efficient way to effectively create new rules. It is expensive for the agency and time-consuming, and a success doesn’t always establish a clear precedent. There is also no public comment process. It would be better to set standards for how crypto exchanges should behave through regulatory authority.
The CFTC’s case last year against Coinbase illustrates the regulatory gap and the limits of enforcement. The CFTC imposed a small fine on Coinbase related to wash trading. The CFTC has the power to bring a manipulation case in the “cash” market even though it does not regulate Coinbase. What was ironic is the case was not about Coinbase failing to detect wash trading by a customer, which is what you might expect. This was wash trading by Coinbase itself. Unlike our securities and derivatives exchanges, there is no prohibition against wash trading by customers. In addition, there’s no prohibition on proprietary trading by an exchange itself. That is not allowed in securities or derivatives markets, and it creates the risk of all sorts of bad practices, including front-running a customer’s trades. But the CFTC can’t set standards for the exchanges, and so even one CFTC commissioner expressed concern that the public would be misled by the case.
I wrote a paper three years ago saying that in order to fix the gap, Congress should give either the SEC or the CFTC the authority to regulate the cash crypto market and the additional resources they would need to do it. There are pros and cons with choosing either agency. The main thing is it should be a principles-based approach to allow for innovation, and that delegates to the agency the power to write rules. There’s more attention to this in Congress today, but unfortunately some of the recent congressional proposals might actually worsen the muddle.
The absence of a clear federal regulatory framework means there are also societal risks arising from the operation of these intermediaries. There is a greater risk that exchanges will be used for illicit activity, notwithstanding FinCEN’s efforts. The lack of standards to ensure integrity in trading, transparency and adequate reporting makes it easier for criminals to use exchanges to perpetrate improper activity and makes it harder for FinCEN and other law enforcement to do their jobs. I think there’s potentially a greater risk of cyber hacks that could have collateral damage elsewhere in the financial sector; we’ve strengthened cybersecurity in financial infrastructure generally, but it’s not clear that crypto intermediaries are at the same level. Also, the absence of transparency requirements could mean the quality of data on the market is not as reliable or as robust, and that makes it harder to assess any potential financial stability risks.
Let me also close with a few thoughts on regulation as it pertains to DeFi or decentralized finance. I reject the idea that because DeFi involves autonomous software protocols operating on decentralized blockchains, without an entity or company overseeing the operation, that regulation should not apply. I think if a protocol or app is performing a 10 function that’s regulated in the traditional finance world, then it should be regulated in the same way or in a way that accomplishes the same ends.
We’re seeing this issue arise in various ways, such as with the tax reporting language in the infrastructure law, as well as KYC and AML requirements. In addition to the “no one is in charge” argument, some DeFi proponents argue that these requirements shouldn’t apply because a transaction on a DeFi protocol is analogous to two individuals transacting on their own, in cash.
But I think these arguments aren’t persuasive. The language in the infrastructure law may have been badly drafted, but it doesn’t mean there should be no reporting, that it’s scout’s honor for reporting of gains for tax purposes. And while transactions involving small dollar amounts should not trigger any requirements, large ones should—just as if I walk into my bank and ask for a $10,000 withdrawal in cash, you can bet questions will be asked.
I find it ironic that some DeFi proponents claim that on the one hand, DeFi can eliminate the need for intermediaries, but on the other hand say DeFi protocols aren’t capable of or don’t need to perform some of the functions that traditional intermediaries perform. To me, that amounts not to replacing intermediaries, but to bypassing them. It’s as if Tesla said, we can produce electric cars that are far more efficient than gasoline-powered cars by not equipping our cars with brakes. Yes, they will go farther, faster on less energy—but they will also fail to stop at stop lights and cause lots of damage.
We should also recognize that DeFi protocols and crypto generally is not as decentralized as it is often made out to be, and that’s potentially relevant to the who is responsible aspect. Founders, developers and venture capitalists often own a large percentage of governance tokens of many DeFi platforms and protocols. In addition, when a hack or outage occurs, there’s often a fairly small group that steps in to fix something—look at what happened with the Solana outages, where the creator of Solana (who is the CEO of the Solana foundation) apparently organized a small group of validators to design the fix. Yes, it then had to be voted on, but it is often the case that only a small percentage of holders vote or they have staked their tokens with other addresses. (Another example of crypto concentration is Bitcoin mining capacity: a recent MIT study estimates that 50 miners have frequently controlled 50% of mining capacity.)
There’s nothing wrong with relying on a few—it’s inherent in the nature of a complex society and economy. Few of us have the expertise, or the time, to be able to evaluate the code of a blockchain or even to analyze whether an app works properly.
And don’t get me wrong, I’m all for DeFi protocols that can bring greater efficiencies, greater consumer choice, more inclusion and even less concentration in financial services. I spent the better part of eight years of my career dealing with the wreckage caused by the 2008 global financial crisis. But I don’t think we should say that regulatory requirements don’t apply 11 because DeFi is creating a new decentralized, democratic financial system in which no one is in charge and everyone participates as equals.
You all appreciate how much your organizations spend on KYC, AML and similar types of regulatory requirements. If there are ways to improve KYC and AML processes to make them more efficient and less burdensome—more risk-based for example—for everyone, those should be considered. But I don’t think it’s enough to simply rely on the on ramps or off ramps to DeFi—like centralized exchanges, banks or brokers through which individuals might move money or acquire tokens—for tax reporting, KYC, AML and so forth. Those are important checkpoints, for sure. But if the DeFi universe grows, and you can do more and more without exiting, then we’re going to have to find ways to achieve regulatory goals when it comes to self-custody or unhosted wallets and their interaction with DeFi protocols. Whether that’s some sort of approved list or whitelist, digital identity screen, or other measure, I don’t know.
I’ll close with this thought: in late 2020 the Congress adopted amendments to the Bank Secrecy Act to require antiquities dealers to do KYC and AML, because of the risk that bad actors were using antiquities to hide funds acquired in illicit activity. A “financial institution” now includes “a person engaged in the trade of antiquities, including an advisor, consultant or any other person who engages as a business in solicitation or sale of antiquities. Think back to the last time you were in an antiques shop.
Surely, if we can require antiquities dealers in their musty, dusty shops, to do KYC and AML, then one would think the brains behind DeFi platforms and protocols can figure out ways to comply with the law as well. Thank you.