The Polish regulations directly referring to blockchain will be joined on 19 September 2020 by the Regulation of the Council of Ministers of 9 March 2020 on Documents Connected with Banking Activities on IT Data Carriers. It expressly permits banks to store documents connected with banking activities on blockchain.
Under §5(2) of the new regulation, “A document may be stored in the form of a distributed and decentralised database. The bank shall operate the database in a manner ensuring the security and integrity of the documents contained in the database.” The phrase “distributed and decentralised database” used in this provision refers to blockchain, as is expressly stated in the justification to the draft of the regulation. Moreover, the identical phrase is used in other legal acts to refer to blockchain technology (e.g. in the provisions of the Commercial Companies Code devoted to the ledger of stockholders).
Inclusion in the regulation of an express reference to blockchain technology is an important step toward increased acceptance of this technology by the traditional financial sector. So far, some financial institutions have had doubts whether use of the technology was legal at all. The new regulation makes it clear that going forward, banks can use distributed ledger technology in their operations.
But the practical use of DLT will be possible only after a number of regulatory challenges connected with the technology are overcome.
Is blockchain outsourcing?
Here I would like to signal one of these challenges which I believe has not been fully appreciated. This is the application of outsourcing regulations to solutions involving the use of blockchain.
A financial institution deciding to use blockchain to store information or documents must determine to what extent it regards this as outsourcing. According to the European Banking Authority’s Guidelines on outsourcing arrangements, outsourcing means an arrangement between a financial institution and a service provider by which the service provider performs a process, service or activity that would otherwise be undertaken by the financial institution itself. In typical instances, where a bank uses the resources of an external supplier to store electronic documents (e.g. on external servers), it seems clear that this relationship can be regarded with high probability as outsourcing. This instance fundamentally differs from the use of blockchain only in the type and architecture of the technology used. Functionally, in both cases there is a situation where the bank uses resources external to its own for the purpose of storing documents. The bank has access to certain content, but the content is stored on infrastructure not found under the bank’s complete control.
Is blockchain cloud computing?
Another challenge is to determine whether the solutions used in blockchain will be covered by the Communication from the Office of the Polish Financial Supervision Authority (UKNF) on processing by supervised entities of information in cloud or hybrid computing. One of the conditions for applying this communication is the processing of information in cloud computing by KNF-supervised institutions. Cloud computing is defined in the communication as “a pool of shared, configurable computing resources (e.g. networks, servers, mass memory, applications, services), accessible ‘on demand’ by IT networks, which can be dynamically delivered or released with minimal inputs of administrative work and minimal involvement of their supplier.” This definition was probably not drafted with blockchain in mind, but it may aptly be asked whether blockchain can be understood as “cloud computing.” A “distributed and decentralised database,” as blockchain is defined by Polish regulations, is also in some sense “a computing resource available on demand.” This resource is maintained by nodes that are often also used for this purpose by cloud solutions.
If so, then what?
Treating the use of blockchain by financial institutions as regulated outsourcing would result in a practical inability to use many blockchain solutions, in particular so-called public blockchains. Applying the outsourcing regulations and the UKNF’s cloud computing communication to such solutions is by assumption impossible. First and foremost, the basis for the outsourcing must be a contract between the financial institution and the provider of outsourcing services. In the case of public blockchain, the supplier with whom such a contract should be concluded cannot be identified. Blockchain solutions are created on the basis of entirely different paradigms than traditional IT solutions. The outsourcing regulations are not adapted to them at all.
Faced with this, the inclusion in further regulations of express authorisation for financial institutions to use blockchain technology may prove entirely inadequate. Full exploitation of these technologies will not be possible until fundamental changes are made in the outsourcing regulations.
In seeking potential directions for these changes, we should note the approach presented in the EBA Guidelines on outsourcing arrangements. The guidelines state that as a general principle, the use of “global network infrastructures” should not be considered outsourcing. It seems to me it is time to start a discussion on whether at least some types of blockchains should be regarded as elements of “global network infrastructures.” As in the case of the internet, there are certain base layers of functioning of the network that we treat as a given, and do not apply the outsourcing regulations to them. (For example, we do not require banks to conclude outsourcing agreements with global points for exchange of internet traffic, even though the operators of these points participate to some degree in execution of the bank’s communications.) Similarly, in the case of public blockchains we could consider distinguishing base layers of technology whose use would not result in the need to apply the outsourcing regulations.