Blockchain and accountability: 7 questions to Hubert de Vauplane
1. Would it be reasonable to claim that it is easier to ensure asset protection, and cybersecurity more broadly, in a decentralised system, such as blockchain, than in a centralised system?
At the present time, I would say no. Blockchain technology is still in its early stages and cannot be considered fully secure. This is also the message given by the ECB; it certainly sees a bright future for this technology, but we must see if it comes up with the goods first, particularly in terms of security. If we take the more specific case of assets, particularly securities “held” in the blockchain (as permitted by the Sapin II Law in France), there is also a distinction to be made: the issue is not as black and white for private blockchains as it is for public blockchains, as the latter’s security weaknesses are less about the technology itself than the third parties (market places) with which the assets (e.g. cryptocurrency) are held. We have seen a number of thefts of bitcoins and others owing to a lack of wallet security.
2. Many private blockchains simply seek to reap the benefits of registered shares by cutting out the middleman between issuers and investors. However, isn’t there a risk that we will also have to deal with the disadvantages, notably as regards a lack of external control of the register held by the issuers?
I am of the opinion that using blockchain for securities amounts to making the registered form of securities more widespread, since the investor is registered directly in the chain in his own name and the issuer has direct access to this information. Now, just as in the case of registered securities, I think that a certain number of issuers will call on third parties, such as financial intermediaries, to act as registrar for their decentralised registers in accordance with their mandate. Indeed, some issuers will prefer to entrust the keeping of their blockchain-based registers to experts, particularly given the complexity involved.
3. How is or how should the responsibility to protect the assets in a blockchain be shared in your opinion? Is the situation the same in a public blockchain with only one participant profile (such as on the Bitcoin blockchain) as it is in a private blockchain with several participant profiles (e.g. investors and issuers)?
Obviously, in a public chain, it is difficult to assign responsibility for an event or an act to a specific party without putting in place a governance regime that is accepted by all involved. As we know, the governance of public chains is their Achilles heel; we must therefore look at private chains to find a way of resolving the issue of responsibility through governance. The organisation and operating conditions of this private chain will be addressed in some form of Terms and Conditions, where the roles of technology provider and users will be defined by the parties, as is currently the case in the Swift system, for example. This goes to show how important the implementation of the 8 December 2017 French decree is, since it defines how authentication can provide adequate safeguards.
4. Many private blockchains are choosing to make an official role for the operator in charge of the technical platforms that support blockchain. Doesn’t this boil down to reintroducing a trusted third party or at least a trusted service provider?
Yes, indeed. In this case, blockchain is a technology whose applications are offered by a specialised provider acting as the chain organiser. This is similar to a football match, where a set of rules is applied by the players and it is the referee’s job to ensure those rules are adhered to.
5. If there aren’t any trusted third parties in a blockchain, what happens to the obligation to return assets that was previously imposed on custodians? Can it still exist? If so, is it an obligation of means or results?
You’ve touched on one of the most important legal (and practical) issues concerning securities. It is indeed difficult to conceive of an obligation to return assets in a public chain; who should it fall on? Even in a private chain, such an obligation cannot easily be imposed on all members of the chain without fostering a certain sense of solidarity among them. It’s actually worthwhile considering whether it would technically make sense: the obligation to return assets applies when assets disappear (e.g. in the case of an intermediary or counterparty default). In a blockchain, however, the securities registered in the chain never (or should never) appear in the balance sheets of the participants. The only possible scenario then is assets being stolen from a securities wallet, and this issue has not been addressed (yet).
6. If an investor’s private key is stolen, what can they do (compared with an investor whose bank card is stolen, for example)?
Nothing, for the time being. And we need to be clear on that point. It’s like losing cash or it being stolen.
7. Does the fact that there are no accounts as such in blockchain mean that it isn’t possible to apply the same kind of audit scrutiny?
Strictly speaking, it isn’t possible to apply the same kind of audit scrutiny. But other controls should be used instead, such as wallet security, for example.