- IMD Business School

Metaco: Why you should stop hiding your crypto under the mattress 

For the sixth edition of the Fintech Chain Mail, we spoke to Adrien Treccani (CEO at Metaco) about providing security infrastructure for financial institutions entering the digital asset ecosystem.
December 2020

Digital assets come in many forms – payment tokens, securities tokens, utility tokens and smart contracts, for example. How is the ecosystem around digital assets evolving?

The hype and suspicion around cryptocurrencies have changed dramatically in the last four years.

The perception that cryptocurrencies are only used for buying drugs and hiring hitmen is changing. Bitcoin, ether and cryptos used to be persona non grata in banking. In late 2017, JPMorgan’s CEO Jamie Dimon was quoted as saying: ‘if you’re stupid enough to buy it, you’ll pay the price for it one day’. It is always hard to visualize the future when you are in a widely adopted system, where everything works quite well, and there is established governance and regulation.

However, when you see the performance of this asset class and how mainstream it has become, not having pushed the Bitcoin narrative could be a reason for bankers to be fired in the next three years. There is now widespread interest from established players, from payments provider Square and software solutions provider MicroStrategy to incumbent banks like JPMorgan. Banks are going to have to re-adjust their offerings and reconsider their point of view on distributed ledger technology (DLT).

There is a greater appreciation for the fundamentals of DLT, but tokenization has taken a step back in terms of the expectations for speed of progress. Digital currencies led the asset tokenization trend and have been a disrupting factor in digital technologies. However, infrastructure, custodians, secondary markets and regulations are still lacking in many jurisdictions and dramatic changes in operational workflows are required for digital assets to take hold.

Do you think that central bank digital currencies have had an impact in driving the widespread acceptance of cryptocurrencies?

I would expect that as soon as CBDCs are launched in the economy, decentralized technologies will become even more relevant and realistic in a banking pipeline. The predicted seven to ten-year time frame for implementation of CBDCs has shortened. China has made considerable progress and with the introduction of Libra, now renamed Diem (not being so different from a central bank in principle), and the growing narrative around digitization, CBDC has now become an extremely tangible topic. CBDCs also have the potential to disrupt existing payment systems which are still significant revenue streams for banks. There would also be economic implications, such as the ability of central banks to set negative interest rates.

People do not invest in Bitcoin and Ethereum because they are extraordinary payment protocols: the user experience is not great. Bitcoin is an excellent inflation hedge and Ethereum is an incredible platform for building smart contracts which may be the future of decentralized finance. A stable coin is the last missing piece – a trustworthy, stable anchor to the traditional economy.

Metaco provides custody services for the storage and transfer of Bitcoin, Ether and other digital assets in highly secure wallets. How does secure custody differ for digital assets compared to traditional financial securities?

Digital assets by construction rely on cryptography. Securing digital assets such as Bitcoin, Ether, Libra, equity tokens, or CBDCs is all about securing secret keys.

What is a secret key? It is like an exceptionally long password. Solving this passcode is assumed to be impossible because there are so many combinations that it would be like guessing the number of atoms in the universe.

The ability to create a signature is exceptionally flexible and distributed because anybody can generate a random number. However, freedom comes with responsibility. If I write my key on a piece of paper and put it in a safe deposit encrypted with the password and I have an accident, lose my memory or die, there is no way to recover this password. If the keys to your crypto wallet get lost, stolen or destroyed you have no recourse and will lose your assets.

Many investors in these assets do not have the infrastructure capability, or willingness to implement the proper strategies around key management. Metaco’s role goes beyond just storing keys securely, and covers governance (processes and controls) around the keys. A trading company needs to be able to conveniently access the keys to execute trades on client funds (e.g. buying or selling Bitcoin). However, a high level of trust is required for you to provide employees with access to the keys because mistakes are possible, and employees could be blackmailed or even corrupted.

It sounds like you are really dealing with delegation of authority and virtual identity here. How do you authenticate people’s identity now? Can you replace a private public key with biometrics, for instance? Is it under research and is it technically feasible?

Currently with our system, you have a random number that you use as a private key and you have a trusted device, your iPhone or a dedicated hardware device which stores the keys and then authenticates your biometrics and unlocks the key for signature.

Your iPhone recognizes your face, takes your fingerprints, and under certain conditions, it will authorize your passport to be used or it will approve a signature. This works well but it also means you must trust your device. If your device is compromised, somebody could potentially bypass your fingerprints and go straight to the key which is within the device.

A second approach is to relate your biometrics directly to your private key; to derive a private key from your fingerprint or your iris or your DNA. This is technically feasible – the same kind of technology that is used for fingerprint validation works here.

However, it would be best if you constantly changed your passwords, as you always assume that they will be compromised at some point – and obviously you cannot change your fingerprints or DNA. Even though it may sound practical not to have to remember or store any key, if the wrong person gets hold of your hair or if you leave a fingerprint on a glass of wine, you could be compromised for the rest of your life. In practice, such schemes are therefore not used.

You mentioned some of the scandals where cryptocurrencies have been hacked or stolen from retail clients. Can consumers consider the digital assets as being secure and how does Metaco and its solutions protect financial institutions and their clients from these incidents?

The blockchain protocol has proven to be extremely secure in the last ten years. Bitcoin has had one or two bugs in its early stage, the first in 2012/2013 with updates of the protocol (so-called forking). That was unexpected and there was uncertainty about the consequences for the cryptocurrencies. However, the last ten years have shown how resilient Bitcoin is, and I would say the same for some other cryptocurrencies on the market. Bitcoin now represents more than $200 billion in market capitalization and it is a public network which is fully exposed on the internet. It is under constant attack. It has been public for ten years, and though the rewards for successfully breaking it are huge, nobody has been able to.

What is less secure is the human machine interface, as we discussed. You still have Bitcoin holders and savers who interact with this ledger and need to demonstrate that they are the owners of these assets with the private key or digital signature. Institutional offerings were also weak in terms of how they secured the keys, and this has resulted in several hacks.

Our positioning at Metaco is to support banks in offering cryptos, distributed ledgers and tokens, so that investors have an alternative to storing Bitcoin on a USB stick sitting under a mattress. Our solution has been designed with institutional qualities with process designs resembling those for traditional assets, adjusted for cryptocurrencies and tokens. We provide a remarkably high level of security and governance around the keys, so there is no crucial point of failure of trust.

What are the benefits for companies and investors of tokenizing existing securities? How does Metaco manage the full lifecycle of asset tokens using smart contracts?

Although ICOs were first introduced around 2016, they are now perceived as a massive bubble. This was the first important use case for tokenization as early stage companies could bypass intermediary banks and raise funds with little friction, low costs, and limited regulation. Entrepreneurial ventures started raising funds which they would never have been able to get through traditional seed rounds. Given the number of scams, regulators have stepped in to protect consumers.

Tokenization is about expressing securities in a way that facilitates the functioning of the system (transparency, transferability, standards). The strength of open protocols like Ethereum is that they can enforce global standards for representing securities, their features (strike price of derivatives) and corporate actions.

Tokenized securities can be divided and transferred with no intermediary, and you can program features directly into your assets (e.g. dividend payments). This will reduce costs, inefficiencies, errors, and the increased transparency removes the need for trust.

Tokenization can democratize access to securities and decrease the wealth gap. If you make it straightforward to tokenize real estate assets, precious metals, arts or collectibles, these assets can become accessible to investors with minimal initial capital investment.

How do you expect decentralized finance to evolve, especially with developments such as peer to peer lending?

It is an incredible field which is moving very quickly. Open standards and transparency (not imposed by regulators) have immense potential beyond finance. Companies could be replaced by distributed autonomous organizations. A limited liability company is simply a legal construct with governance structures where shareholders elect board members who in turn select the management team. Functions within these companies can be implemented in a smart contract, avoiding the frictions of setting up a company (lawyers, regulatory approvals).

In a digital entity, my shareholding can be represented by tokens on my phone. I can vote and get paid dividends from my phone and elect directors anonymously. There is no requirement for directors to be in a certain jurisdiction or to choose a governing legal system law. I can hire people, generate revenues, which are paid directly on-chain.

Interview conducted by Stephanie Hurry, Olabisi Ayodeji, Matteo Conti, Emon Goswami