Six Principles of Blockchain.pdf

Resource description:
Six Control Principles for Financial Services Blockchains
October 2017

This publication, prepared during the summer months of 2017 by the Deloitte EMEA Blockchain Lab in Dublin in association with Deloitte Hong Kong and US, explores six control principles essential for blockchain adoption on a global scale:

01. Best Practice – Standard for Blockchain Development
02. Interoperability and System Integration Controls
03. Audit Rules
04. Cybersecurity Controls
05. Enhancement of Traditional ICT Controls
06. Business Continuity Planning

Authors / Special Acknowledgements

- Lory Kehoe, Director, Deloitte Ireland. T 353 1 417 2582 E lkehoe@deloitte.ie
- Paul Sin, Partner, Deloitte Hong Kong. T 852 28526448 E .hk
- Niamh O’Connell, Consultant, Deloitte Ireland. E nioconnell@deloitte.ie
- Guilherme Campos, Senior Consultant, Deloitte Ireland. E gucampos@deloitte.pt
- Eric Piscini, Principal, Deloitte US. T 1 404 631 2484 E
- Eoin Connolly, Technical Architect, Deloitte Ireland. T 353 1 483 0338 E econnolly@deloitte.ie

Table of Contents

1 Best Practice – Standard for Blockchain Development
  1.1 Governance
    1.1.1 Consortium
    1.1.2 Joint Ventures
    1.1.3 Statutory Organization
  1.2 Legal and Regulation
  1.3 Standards
    1.3.1 Building Relations with Standard-Setting Bodies
    1.3.2 Adopting Existing Standards and Establishing New Technical Standards
    1.3.3 Smart Contract Upgradeability
    1.3.4 Smart Contract Cyber Security
    1.3.5 Smart Contract Interfaces
2 Interoperability and System Integration Controls
  2.1 Security Considerations
  2.2 Integration with Legacy Systems
  2.3 Data Integration
  2.4 Security Mechanisms
3 Audit Rules
  3.1 The Immutable Record
  3.2 Auditing Smart Contracts
  3.3 Technical Controls
  3.4 Audit Transformation
4 Cybersecurity Controls
  4.1 DLT Cybersecurity Challenges
  4.2 Smart Contracts
  4.3 Control Standards
  4.4 DLT Cybersecurity Strengths
5 Enhancement of Traditional ICT Protocols
  5.1 Security Management
    5.1.1 Information Classification and Protection
    5.1.2 Authentication and Access Control
    5.1.3 Security Administration and Monitoring
  5.2 System Development and Change Management
  5.3 Information Processing
6 Business Continuity Planning and Blockchain
  6.1 BCP Plan
  6.2 BCP with PKI
  6.3 BCP of Network Nodes
    6.3.1 Public Blockchain Networks
    6.3.2 Private Blockchain Networks
  6.4 Security Specialists

1 Best Practice – Standard for Blockchain Development

Since its mention by Satoshi Nakamoto in the 2008 white paper ‘Bitcoin: A Peer-to-Peer Electronic Cash System’ [1], blockchain technology, also called Distributed Ledger Technology (DLT), has attracted significant attention among the global financial services community. Researchers and investors are increasingly interested in the transformative and disruptive ability of this technology to:

- Facilitate an exchange of value
- Enable the safe storage of value
- Achieve operational efficiencies
- Secure cost savings
- Increase industry transparency
- Enhance customer experiences

In this paper, we examine three macro factors which we consider essential to the widespread adoption of private DLTs within the financial community in the long term. These macro factors are [2]:

01. Governance
02. Legal and Regulation
03. Standards

Although this paper discusses each factor in isolation, financial institutions should view all three as interdependent and complementary when considering DLT adoption.

1.1 Governance

The first macro factor is governance. The World Economic Forum Global Risks Report 2017 highlights that a system of structured and effective governance is essential for all emerging new technologies. [3] To develop appropriate structures for DLT adoption within the financial services community, three different governance models must be considered: consortia, joint ventures and statutory organisations.

i. A consortium is established by several industry players joining together to form a working group for achieving a common goal.
ii. A joint venture (JV) is a separate, autonomous entity established by two or more companies who share ownership, return, risk and governance.
iii. A statutory organisation (SO) is a body whose funding and operations are controlled by a regulatory authority.

Depending on the governance model selected, questions may arise on matters such as who engages the independent auditor. In a consortium, the Board-appointed Audit Committee, Board of Directors, or other owners of one member will usually engage the auditor, and the auditor will report their findings to this member rather than to each of the consortium members separately. Audit is discussed in more detail in chapter 3.

[Figure: the three governance models]

A. Consortium: Continue to operate in a consortium model where decisions are made through consensus as an association. By definition, it is not a legal entity. Each participant owns and operates their own node. Participating members contribute resources to drive the common objective forward. Each bank will send a representative to negotiate and make decisions on its behalf.

B. Joint Venture: Create a separate, autonomous legal entity that owns and develops the platform. The platform will be offered as a utility for participants who operate their individual nodes. Jointly funded by founding members, e.g., banks as core stakeholders in the Steering Committee.

C. Statutory Organisation: Create a statutory organisation that will operate as a separate legal entity that will provide and manage the common platform. Government provides funding to set up the organisation, own and operate the nodes. Participating members will follow the organisation’s directives and contribute to drive the common objective. The organisation may include representatives from the banks.

[1] Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, 2008
[2] De Meijer, Blockchain How To Make It Operational In Your Company, Nov 2016
[3] World Economic Forum Global Risks Report, Jan 2017

1.1.1 Consortium

Forming consortia for private DLTs is a popular phenomenon today [4], particularly within the banking sector. Consortium members share set-up and maintenance costs, pool resources, perform research, and establish the operational and process standards required to implement the DLT solution within their existing infrastructure. Each member has a representative on a steering committee who negotiates and makes decisions on their behalf. For example, a consortium comprising UBS, BNY Mellon and Deutsche Bank recently formed a ‘Utility Settlement Coin’ to facilitate digital cash settlement. [5]

The consortium model works well where a financial institution would benefit from access to shared data. Currently, blockchain-powered Know Your Customer (KYC) utility consortia comprising asset servicers who share the cost of onboarding new investors are being explored in the marketplace. Imagine a world where KYC would only need to be done by one financial institution while other institutions endorse and validate the information and share access to the KYC profile, thereby reducing the effort and costs of the onboarding process. According to the 2016 Goldman Sachs report, ‘Blockchain: Putting Theory into Practice’, the banking sector could achieve a 10% headcount reduction and a 30% decrease in transaction monitoring with the use of blockchain technology. The report estimates that the overall operational savings could amount to 2.5 billion. [6]

While consortium benefits such as shared risk, knowledge and IP are attractive, decision-making can be time-consuming, and holding specific entities and members accountable may sometimes cause internal conflict between members, particularly in times of uncertainty. This is a business issue that cannot be solved by technology, including DLTs. Consequently, protocols around decision making need to be defined and agreed at the outset, to reduce the likelihood of disagreements occurring in the long term.

[Figure: bar chart comparing Current and Blockchain across transaction monitoring, account onboarding, technology and training; totals of 10.0bn and 7.5bn, operational savings of 2.5bn. Source: Celent, Goldman Sachs Global Investment Research 2016]

[4] Gilbert Tobin, Blockchain Shared Ledgers The New Age of Consortium, Nov 2016
[5] Wiegmann, A, UBS Leads Team of Banks Working on Blockchain Settlement System, Aug 2016
[6] Gartner, Gartner’s 2016 Hype Cycle For Emerging Technologies Identifies Three Key Trends Organizations Must Track to Gain Competitive Advantage, Jan 2017

1.1.2 Joint ventures

Joint ventures (JVs) are separate entities established by two or more firms, where consensus on critical decisions can be achieved more easily, thus resulting in a faster time to market. Since JVs are considered legal entities, accountability protocols and guidelines are defined at the outset and the likelihood of internal conflict is lower than with a consortium. [7]

The JV model focuses on pursuing activities that will maximise financial profitability. This approach works well where multiple stakeholders from different sectors are involved. Trade finance is a practical example: members from banking institutions, regulators and importers and exporters can come together with their associated banks to establish and develop a private DLT. The DLT IP rights would be owned by the JV rather than by the parent entities, and profits would be distributed equally amongst those members with a stake in the JV.
In today’s marketplace JVs are being formed between FinTechs and banking institutions. For example, Credit China Fintech entered a 30 million deal with Bitfury which includes setting up a JV focusing on the Chinese market. [8] This JV has since established a working prototype payment system which includes both P2P lender and payment DLT services.

Currently, consortia and partnerships are the most popular choice for banking institutions investigating and developing DLT-enabled solutions. Blockchain technology is still very much in its infancy and we are unlikely to see JVs formed strictly between banking institutions until they develop stand-alone blockchain capabilities internally.

1.1.3 Statutory Organization

In the statutory organisation model, participating members such as banking institutions follow the SO’s directives and contribute to common objectives. For example, the Monetary Authority of Singapore Electronic Payment System (MEPS) is an online interbank payment and fund transfer system that is SO-owned and operated. [9]

This governance model offers the benefits of transparency and data governance. The regulator provides transparency, has authority over the process for creating standards and monitoring compliance, and ensures that the standards are in line with data privacy regulations (PDPO) [10], protecting the rights of all participants with minimal risk. The SO model is a viable option for regulatory reporting. Private DLTs can act as shared data repositories where banking institutions and regulators access and retrieve their financial data. However, these implementations need to be driven by the regulators, unless banking institutions agree amongst themselves to use a DLT to store and share information, which may subsequently persuade regulators to adopt the technology.

1.2 Legal and Regulation

To maximise effectiveness, DLT commercialisation requires an appropriate legal and regulatory support framework.
Therefore, the second macro factor to consider is the legal and regulatory environment. Each of the three governance models outlined above will require a legal and regulatory committee. Collaborating with regulated entities within APAC will also be important for driving forward DLT adoption and acceptance.

From a technical and legal viewpoint, lack of clarity about the legal enforceability of smart contracts adds to the risk of implementing DLT within financial institutions. Smart contracts should ideally have the same legal status as normal contracts and operate in the same way. Real-time obligations, rewards and sanctions must apply to hold the contracting parties accountable. What differentiates a smart contract from a paper-based contract is that the former is written in a computer-executable language and shared on a common blockchain platform without the necessity for a third party. For banking institutions, the potential benefits are the enforcement of legal agreements through code, access to a shared immutable data store without the need for an intermediated third party, and the potential to share required raw data with the financial regulator.

[7] Lawless, A, A Guide to a Joint Venture in Ireland, Feb 2010 pp. 6
[8] Kastelein, R, Blockchain Startup Bitfury Backed For 30m From Credit China Fintech to Expand To China, Jan 2017
[9] Monetary Authority of Singapore, MAS Electronic Payment System, Dec 2006
[10] Lovells, H, An Overview of Hong Kong’s Personal Data Privacy Ordinance Key Questions For Business, Mar 2014

However, while smart contracts have the potential to serve as legal platforms, a complex two-step process is needed to reach this point. Legislation will have to be enacted to define smart contracts as legal agreements within each specified region before financial institutions can use them as an alternative to paper-based contracts.
In addition, to facilitate cross-border activity with other institutions, multiple jurisdictions will need to agree on the same enforceable definition. Achieving this may prove difficult and costly. In the absence of pre-emptive legislation or a regulatory decision about the enforceability of smart contracts, it is possible that financial institutions in some jurisdictions may not be able to progress with the implementation of blockchain technology.

Other considerations in achieving higher quality regulation for private DLT adoption include:

- Cooperation between the joint venture and financial authorities to shape regulations at a regional or global level.
- Re-thinking how participants will be regulated, given that regulators could potentially have near-real time access to data via the blockchain. A blockchain does not mean that a regulator has direct access to each bank’s internal system, but rather that participants access a shared data source with the blockchain properties of immutability and absolute auditability.
- Redefining the regulatory framework when operating in a cross-border model.

Where the SO governance model is adopted, it will be essential to ensure that all banks agree to the terms outlined by the legal and regulatory committee. Failing to gain agreement could endanger the success of any proposed solution. Before investing