Digital Asset Controls to Mitigate Risk. No! Control Mitigation? No! Controlled Risk? Better.
A critical but sometimes ironic deep dive into the DASCP framework, exploring the nuances and inconsistencies in its approach to financial market risk management and tokenization.
An interesting new document to review and think about, so let’s get it over with. Whitepaper: “Building the Digital Assets Ecosystem,” describing the proposed Digital Asset Securities Control Principles (DASCP)
By: DTCC, Euroclear and Clearstream. Let’s dive in.
“By 2030, the tokenization of global illiquid assets is projected to be a $16 trillion business opportunity [...]”
This is marketing genius and, I’d say, also economist genius: the somewhat shaky previous claim, penned by BCG, of a $16 trillion market value for tokenized assets is framed as a business opportunity. However, it’s a loose number because the way it’s formulated doesn’t tell us how to measure it. I suppose it’s not in terms of profit, nor revenues; it's an opportunity of undefined size in relation to a market capitalization supposedly worth $16 trillion. The exact relation is not defined.
Does it make a difference to say:
1. By 2030, the market capitalization will be $16 trillion
2. By 2030, the business opportunity will be something in relation to $16 trillion tokenization potential
My risk-reward calculation tells me one should be okay if option two makes it into the performance objectives.
Therefore, I should have been more careful in categorizing this approach as genius because at some point these statements may adhere to scientific standards only formally, which means they would no longer be scientific either. If you don’t have evidence to say $16 trillion has a high probability, then you should say so. It’s scientific and makes the number no less interesting.
One other but related ‘defect’ remains, which is the word ‘projected.’
What does it entail to project something in economic terms versus available alternatives such as crystal ball gazing?
A "projection" refers to a reasoned forecast based on data analysis, historical trends, and, importantly, logical assumptions. On the other hand, "crystal ball gazing" makes forecasts without a rigorous analytical basis. The nature of the problem—no significant past experience, uncertainty on how exactly market adoption should follow, regulatory uncertainty—renders the output an assumption, a scenario, but not a projection, in my opinion.
Overview of the Proposed Framework
So here we have Digital Asset Securities Control Principles (DASCP), almost Germanic in its name: “Das Kontrollprinzip.” Unfortunately, this isn’t an entirely correct (using singular and not plural) translation because that would have been more fun.
It has a graphic, a pyramid with layers:
Tip: Control Development
Middle: Exploratory Risk Identification
Foundation: Principles Definition
This is formally what one would expect, but personally, I'm inclined to believe the framework here doesn’t apply and requires an amendment. Before Christopher Columbus sailed off to find India, he planned his risk taxonomy. He knew there were thieves, so protection against things like that for him and everyone in his company was essential because coming back alive was a corporate value he held dearly. Now you assess your risk and vulnerabilities: does my iron vest protect me from a thief’s sword in India as much as in Spain? They may have bigger swords. And then controls: Jose is tasked to check that Columbus wears his vest before going on a stroll once in India. All of this presupposes that the specifics being solved adhere to risks in other destinations. Columbus arrived in America, not India, and the question is: can the same principles sufficient for India work in America? Typically, we say yes, of course, there is IT risk, and financial and legal risk regardless of the market—Aztec or Mogul makes no difference.
That is true, but this is not how to answer the question meaningfully, although consultants like to argue in favour of this perspective (robust empirical evidence for my quip is obviously lacking).
One needs to ask a more qualitative question: is what makes you effective today still a key driver, and does it stay functionally where it is, or is the risk “shifting” even if that is not always obvious? This shift is a consequence of the fact that we expect benefits from blockchain in terms of automation, which means operational tasks could be embedded in the blockchain protocol and thus materialize in IT. But IT manages IT risk and does not apply the same lens as Ops did. So somebody needs to figure that out because you can’t download from the internet what that exactly means for your organization. This is part of my personal collection of Digital Asset Securities Opinions and Speculations (DASOS).
I am aware that this is all more personal opinion than consensus, but I think caution is advisable: thinking mainframe today and hash value tomorrow is not easy.
Promotional Videos Should be Risk Controlled
But before I can say anything about the document, I want to mention the promo video. This requires passing a test:
What Is the Correct Caption to Use?
1. Watch to learn more about the collaborative work
2. Watch to learn more about the consortium
3. Watch to learn more about the cartel?
Answer: Option 1, and that is what the landing page says.
FYI: This test can be marked complete through self-attestation.
What does the promo video say?
“A consortium of Financial Market Infrastructure, [..] have collaborated with BCG.”
A consortium? That is surprising. A consortium is not a cartel because we would have seen a notification to the US Trade Commission, the EU, UK, and probably many more applicable competition regulators, and the subsequent approval before forming such a global risk framework cartel. A consortium is not per se illegal, but there are legal implications. Such a mode of cooperation is formed to do joint bids, etc., but the consortium must adhere to certain principles which require formal analysis and documentation. Saying you had a consortium means you have a lot of paperwork to prove that. Because if not, you may be designated for this activity as being that of a cartel possibly involving a fourth member. God forbid. Hence, it would be interesting to clarify if it is indeed a consortium. Or fix the video.
And then it says the DASCP provides ‘controls to mitigate’ risk.
This is a colloquial statement but, strictly speaking, it uses the terms incorrectly and it is thus counterintuitive to do so in a promotional video for a risk framework.
Here is some help for the risk ‘experts’ at BCG:
Control actions are proactive steps taken to prevent a risk from occurring. They focus on eliminating or reducing the likelihood of an adverse event.
Mitigation measures, on the other hand, are plans or actions implemented to reduce the negative effects of a risk should it occur. They aim to lessen the impact rather than prevent the event itself.
Not the same thing!
Done, let me now have a look into the actual document. This was just a comment on the landing page.
Deep Dive into DASCP
The document starts humorously, which I like, but I'm unsure if that's intended.
“Title: DIGITAL ASSET SECURITIES CONTROL PRINCIPLES: A FRAMEWORK FOR ADOPTION”
More Marketing Genius: The title is clever but confusing. It’s unclear if this is a parentless framework seeking adoption or supporting an adoption agenda. The title now has comedic qualities, I would say.
CEO Letter
"Time and again, the global financial markets have relied on financial market infrastructures (FMIs) to drive change."
Inspirational! So is this, from Mahatma Gandhi:
'Time and again, the truth has been revealed in the actions of those who are willing to stand by their principles.'
Text continues:
"[...] The principles serve as a set of guidelines underpinning our collective resolve to uphold the highest standards of integrity, security, and interoperability."
If you want to become a judge in England and Wales, you need to uphold and exemplify three values: Independence, Impartiality, and Integrity. There's not much more to it, really. What would we say if, for some reason, I were to say: proper judging requires the office holder to uphold and exemplify three values:
Independence, Impartiality, and Interoperability?
To the highest standards of interoperability? I haven’t heard that expression before, have you? While integrity and security are universally understood values, interoperability is more technical and specific to systems and processes. It seems out of place and makes me wonder what it tells me about the author.
“The beginning of our collaboration was marked by our first white paper.”
The consortium is dissolved!
"This framework is crucial for creating an inclusive, resilient financial ecosystem."
This seems to be another example of the previous issue.
They mention BCG and thank them for
"valuable support in enriching and testing this framework."
“By leveraging them in our…”
‘Our’ refers to the former consortium members. The CEO Letter now becomes academic; they begin to define objectives:
“digital asset activities, we will effectively demonstrate to clients, regulators, and the broader industry that digital asset securities can be just as safe and secure as traditional assets."
“risk management principles and controls designed to unlock the transformative nature of distributed ledger technology (DLT)”
“industry-wide risk and control framework, which serves as a guide to navigate the current set of challenges, fostering operational excellence in financial markets driven by DLT. [..]”
And this:
“aims to facilitate the adoption of tokenization into the financial markets.”
It is an important artifact if one is interested in resolving the initial mystery about the title. But we need to check their definitions to form an informed opinion on how desirable it is that they should succeed in their undertaking. Oh, and we should continue reading to come across this:
“It is important to note that the current scope of the DASCP excludes secondary trading activities.”
Yes, it is very important, and in this instance, it is one of the few scenarios where the use of this otherwise annoying filler phrase is appropriate. I do not understand why this is not mentioned when all these fabulous claims are made. Because this is not so easy here. We do this all the time, humorously called benign back-office conspiring (but I want to be clear I do not wish to imply improper activities at all). Because the market exists, can be observed, and the delineation is also clear. I agree with the intention presented, but it points to the problem. Today’s trade flow: trade then post-trade. In what sequence are we going to define the new market: Post-trade then trade? Hmm? Maybe it is the right answer, or not. But this still feels lofty in terms of an execution plan.
So far they say digital asset securities (DAS) exclude cryptocurrencies. But it doesn’t necessarily mean tokens on blockchain.
“the DASCP framework is designed to be asset class agnostic and technologically neutral,”
I would say that is overly ambitious and a bit unexpected: they say here is a framework specific to digital assets that you could also use to manage an operational setup using a computer with punched cards. And did BCG test this as well, at least a little bit, to say the method is tested? It ‘is’ a defining quality of the document to have these properties; it doesn’t say it wants to be ‘neutral’ in the future, it is already.
As expected later in the text it defines what technological neutrality means:
“The DASCP framework is designed to be asset class and technology neutral, not advocating for any particular DLT architecture – be it public, private, permissioned, or public permissioned.”
I am sure it’s difficult enough. But Apple is technology neutral as long as you use a Mac (which I do of course)??! Is this neutral? You can have a car in any colour as long as it is black? And what controls do they have to demonstrate that they can say this?
Ok then this:
“DASCP will serve as a baseline to help propel the industry toward standards.”
This sentence gave me a wonderful idea. Because I know now how to use DASCP with humor. ‘DAS Kontrollproll - DASCP’. Grammatically also incorrect (should be Der Kontrollproll) but it works because I am imagining a bit of an angry enforcement brutality as a result of the chosen word propel even though there is nothing wrong with it. Getting vehemently ‘propelled’ for failing to have standards!
"A neutral third-party industry association"
An industry association is not neutral; it propels (!) the vested interests of its members and thus is a mechanism to achieve consensus on how that collective is defined. This mechanism can be structured in all sorts of ways. Neutral means not independent, but certainly, a neutral party would not be expected to threaten propeller action if other actors don’t adopt and comply with a regime defined by the neutral party! However, it somehow runs the governance process, prioritizes, and changes the standards over time. Considering this party neutral sounds, logically speaking, impossible to me at least in terms of the conventional understanding of what the words mean. The association then is not neutral; it has a vested interest to ensure fairness and balances certain competing interests.
Can it work? Not without proper foundations, and not without beginning to question the preferred yet misleading definition that securities “issued directly on a blockchain [are] native security tokens.” I consider it an indicator of significant risk factors! Let’s say in the case of Ethereum, the IT view would consider a token structure non-native. And this is indeed better because writing about digital twins does not offer the needed clarity. But since a token is not native compared to a coin, it gives the impression of relative standing but also its risk. If it’s non-native, it came from somewhere and probably brought some baggage. Again, it's a good definition because the word also offers the correct impression of the actual meaning. So, what I am saying is, if it is not recognized and accepted that it would be in the best interest of regulated financial institutions to correct this, and possibly other terms, then it is evidence of a worldview which could be challenging to maintain.
Final Thoughts
“DAS introduces new capabilities in financial services, re-envisioning existing processes and creating trust in real time.”
This is confusing to me, but I suppose they use "trust" in the sense of certainty, which is not trust. It implies that certainty makes us trust that this certainty is real and will continue to exist.
“Instantaneous reconciliation is a key feature of DAS.”
That is a very new claim. I can’t find any articles specifically claiming this, and I don’t want to speculate on what they think this is. There is, of course, a lot of writing supporting the claim that blockchain offers a solution for improving the efficiency, security, and reliability of reconciliation processes.
This is followed by a somewhat whimsical statement that DLT is ‘central to this,’ and a more concerning statement that cost savings of ~$15-20 billion have been estimated. Why is this problematic? Let’s ignore that BCG co-authored not only ‘Das Kontrollproll’ but also the document cited. Probably more a concern of style: citing oneself as evidence is not convincing to me, irrespective of how good the referenced work is.
Example of Misquoting
Then a quote from one of the CEOs:
As highlighted by Valérie Urbain, CEO of Euroclear, FMIs are actively working “toward the co-creation of tomorrow’s financial system – one that’s open.”
She is indeed quoted with these comments, but this would be an example of misquoting, in this case, selectively quoting a portion of a statement, thereby altering the meaning and intent of the original message. This is a serious error known as a contextual error or quote mining. Her full statement seems indeed very commendable to me.
Adding random quotes does not make a text one of methodological rigor. It is not my intention to suggest BCG self-quoting is as significant an error as my Euroclear quote. It is simply the first random example I could think of. One additional comment: I tend to test any quote I give for how easy it is or not to cut somewhere and create this effect. Hence why my quotes tend to be complex (convoluted?). But it’s by design!
The Manifesto and Risk Framework
Then comes their manifesto, but they don’t call it that and I can’t find page numbers to tell you where exactly, but it starts with “We believe” that our standards are “foundational” and “valuable,” and then a bit of fluff like ‘cooperation’ is good, but they say it more eloquently. Some of their abstract beliefs, I would contend, are not a slam dunk, like standardization is the solution here. It could be, sometimes. This is a sign of a worldview if such a comment is not followed by reflecting in what way this is not a like-for-like standardization process as we are used to it. But sharing their belief in the correctness of their claims, some of which can be empirically tested, would feel odd to me. In those instances, I have hypotheses based on evidence or not. I would not sign up to locking in my level of understanding at a date in time. Hopefully not mandatory beliefs unless the proposed association has grander ambitions: not a cartel consortium cooperation, a cult!
Then comes the risk framework, and they tend to be like Renaissance paintings when you spend an afternoon in the Gallerie degli Uffizi: they start to look the same, but of course, each is a masterpiece in its own right. I am not sure what makes these so appealing. Some things surprise me—for instance, they have what seems like an IT domain and an Ops domain and then a separate Connectivity domain. And maybe it makes sense in the chosen methodology, but was the absence of this a binding factor?
Then they repeat this:
“The specific risk that the control mitigates is listed below the control.”
Based on this, I would claim that this word-smithing is from BCG and not the control function of any of the FMIs. My hunch. I don’t find everything they present very agreeable, and what they have done with categorizing controls is not so clear. Under Legal, you have all policies and procedures. Is Legal writing them and implementing? No. Maybe signing off. So what insight is presented based on what assumption? Maybe it is made clear somewhere why they think that, but my point is—I am not sure having a standardized risk taxonomy is the most pressing issue.
And some things oversimplify this too much, but I understand where the need comes from. A sentence:
“In parallel, an asset manager issues a Money Market Fund. The custodian tokenizes the MMF shares and makes them available for lending in the Securities Lending Market.”
"In parallel" is unclear. There is another fund manager, yes, but it’s not clear what they have to do with each other. Where did the money come from for the custodian to pay the MMF, or are they creating fund units without an order and thus no cash coming in? What am I looking at? There could be a hundred business events—let me pick one halfway through its lifecycle and then postulate something that should happen. Doing this could be helpful or not, but I can’t establish that fact with sufficient confidence using this approach. The FMIs have strong SME knowledge, of course, maybe it’s just meant as an example, but the idea to say "OK, ping me this document and now I have all I need to run" is unrealistic. They don’t even claim that. How does this help to propel tokenization—it’s mandatory for financial institutions to have something of this kind. That is fully correct.
Inconsistencies and Further Observations
One more comment - there are inconsistencies. BCG has the example, although I could not find a proper statement to this effect (but I skipped a few pages towards the end), that the private equity tokenization is managed by the custodian. So a lot of these smart contract controls that have super elevated importance in their model are not so relevant because if I manufacture it then this is part of normal IT software release management, hence why creating a smart contract control category now creates inconsistencies, if it is applying traditional risk categories in a specific context. No right or wrong here. But?!
That’s my view. I like the idea of exploring cooperation opportunities, but I am not sure I would start with standardising risk taxonomies of Euroclear and Wells Fargo, for instance. Or I am not clear why that should be the priority?