Coincheck heist shows up holes in cryptocurrency rules
After the Mt Gox cryptocurrency exchange was stung by a half-billion dollar theft in 2014, Japanese regulators swung into action. Their goal was to craft rules that both protected traders and allowed a promising sector to flourish. By last April, they thought they had arrived at a set of guidelines that did just that.
Japan’s national system to oversee cryptocurrency trading was the world’s first, rolled out even as policymakers elsewhere grappled with how to deal with the sector. Under the Japanese framework, some exchanges would be allowed to operate — even though they hadn’t yet won regulatory approval.
One of those was Coincheck. Last month, hackers stole about $530 million from the Tokyo-based exchange, a theft rivalling Mt Gox’s as one of the biggest ever for digital currency.
The Coincheck heist exposed flaws in Japan’s system. And for some experts, it raised questions over the country’s dash to regulate the industry — a sharp contrast to clampdowns by countries like South Korea and China. Interviews with a dozen government officials, lawmakers and cryptocurrency industry leaders depict a regulator that opted for relatively loose rules to help nurture an industry largely populated by start-ups. Japan’s Financial Services Agency declined to comment. But proponents of its regulatory approach say the system and the hack were not connected.
“It’s too much to say that the FSA or institutional design was lax because there was one hack,” said former information technology vice-minister Mineyuki Fukuda, previously a supporter in parliament of promoting and regulating cryptocurrencies.
In the wake of the Mt Gox bankruptcy, Japan didn’t know what to make of bitcoin. “It’s not money,” Finance Minister Taro Aso told reporters days after the exchange collapsed. “Does the Financial Services Agency have jurisdiction? The Finance Ministry? The Consumer Affairs Agency? The Ministry of Economy, Trade and Industry?” Amid the vacuum of oversight, the governing Liberal Democratic Party, seeing the fintech sector as a way to stimulate growth, initially called for the cryptocurrency industry to form a body to regulate itself.
That led to the formation of the Japan Authority of Digital Assets (JADA), comprising blockchain and cryptocurrency start-ups and entrepreneurs. When the FSA was later tasked with creating regulations for cryptocurrencies, it turned to JADA for help. The group lobbied for rules friendly to start-ups, like low capital requirements. “We had constant discussions with the FSA, giving technical information and ideas,” said So Saito, a founding member of JADA and now general counsel of its successor, the Japan Blockchain Association (JBA).
The FSA’s rules required exchanges to register, operate robust computer systems and address risk management. But they left the storage of assets to a set of non-binding guidelines. Exchanges should keep the encrypted keys needed to access digital money in “cold wallets” (for example, USB drives not connected to the internet) only if doing so didn’t overly inconvenience customers, the guidelines said. In effect, the clause left no obstacle to Coincheck’s holding $530 million worth of NEM crypto-coins in an online “hot wallet” (essentially a digital folder stored on a server) from which the funds were stolen.