Crypto Analysis Case Study – Three Arrows Capital: PART IV

By Rodrigo Zepeda, CEO, Storm-7 Consulting


In Part IV of this Three Arrows Capital (3AC) Case Study, we will set out an analysis of the reasons why I believe that the Monetary Authority of Singapore (MAS)
failed in its duty of supervisory capacity vis–vis the adequate, prudent, and timely supervision of the firm, and how this failure may have ultimately contributed to its collapse in
June 2022. In Part I, we identified that Three Arrows Capital Ptd. Ltd. (3AC
) was registered as a Registered Fund Management Company (RFMC) in Singapore in
August 2013.

The applicable Guidelines
on Licensing, Registration and Conduct of Business for Fund Management Companies
(Guideline No: SFA 04-G05), were those with an Issue Date of
7 August 2012 (MAS 2012 Guidelines). As part of its RFMC authorisation requirements, 3AC Singapore was required to serve only up to 30 qualified investors, and to manage assets of not more than
250 million Singapore Dollars (SGD). This amounts to 150 million or
$179.78 million (approximately $180 million).

On 30 June 2022, MAS published an Enforcement Action Media Release which stated that it had reprimanded 3AC Singapore for providing false information, and for exceeding its assets under management (AuM) threshold for an authorised RFMC (MAS
). MAS reported that 3AC Singapore broke the law for over one year
in total, between July 2020 and September 2020, and between
November 2020
and August 2021 (MAS
). In addition, MAS expressly stated that it had been investigating 3AC Singapores contraventions since
June 2021 (MAS

To facilitate this analysis, we will first set out an overview of investment fund regulatory frameworks relevant to the authorisation and supervision of investment funds in general. Thereafter, we will provide an overview of crypto asset risks and relevant
crypto fund risk management practices. We will also set out an evolutionary timeline of the crypto ecosystem and regulation in Singapore to provide operational context.

An Overview of Investment Fund Regulatory Frameworks

The general approach to regulating and supervising the operation of a range of types of investment funds has been very extensively developed in practice. From a high-level perspective, the G20 reforms that followed on from the
2008 to 2009 Great Financial Crisis (GFC) directly addressed detailed reforms designed to secure a more resilient global financial system. Here, we will use the reforms implemented within the European Union (EU) to illustrate the
general regulatory approach adopted.

In Europe, this took the form of GFC structural regulatory reforms that targeted complex and opaque financial instruments such as over-the-counter (OTC) derivatives, as well as a range of financial services firms, including investment funds. In particular,
the Alternative Investment Fund Managers Directive (Directive 2011/61/EU) (AIFMD) which took effect in
2011, sought to set out stringent regulatory requirements for hedge funds, investment funds, private equity funds, and other funds.

The provisions within the AIFMD covered a range of detailed operational requirements pertaining to key areas such as asset valuation; authorisation; capital requirements; conduct of business standards; delegation; depositaries; marketing; remuneration; reporting;
and transparency. As a result, the authorisation and supervision of investment funds in general across different jurisdictions, typically covers a range of requirements for funds covering these areas. This area is well understood.

The European Market Infrastructure Regulation (Regulation (EU) No 648/2012) (EMIR) took effect in
2012 and was enacted in order to mandate the clearing of OTC derivatives through central counterparties (CCPs); to implement derivatives reporting requirements; and to implement risk mitigation and collateral exchange requirements for OTC derivatives
that were not cleared. The EMIR was intended to mitigate credit risk, reduce operational risk, and enhance transparency within authorised firms.

There were masses of detailed standards developed to implement these market reforms, as well as thousands of publications dedicated to analysing and assessing in detail risks and operational requirements relating to the implementation of these new regulatory
frameworks in practice. These were available for all national regulatory authorities to draw upon, including MAS. These types of regulatory frameworks are very important.

This is because they have now become standardised in nature, and they provide a foundational framework from which it is possible to further analyse the potential risks arising from crypto investments undertaken by crypto investment firms and funds. For example,
a global securities markets risk outlook published in 2016, identified ways that investment funds could potentially impact financial stability, these were through the use of leverage, and their level of interconnectedness with banks or systemically
important infrastructures (OICV-IOSCO 2016, p. 81). It was noted that:

While the use of leverage and derivatives in the sector is generally constrained by regulation and therefore low, the use of derivatives can lead to knock-on effects via collateral and margin requirements
(OICV-IOSCO 2016, p. 81).

As a result, we know that the use of leverage and counterparty interconnectedness is something that we may also need to be on the lookout for in crypto investment funds. This potential use of leverage and level of interconnectedness would be a risk that
arises in relation to traditional investments in complex opaque financial instruments such as derivatives, in much the same way as investments in complex opaque cryptocurrencies. Indeed, we saw in
Part II how 3AC was operating what I referred to as triple leveraged trading, which represented
a huge operational risk for the firm.

Consequently, if the use of leverage and cryptocurrencies is not constrained by regulation, then clearly such use needs to be analysed in order to identify the risks that arise. Otherwise, the use of leverage in crypto investments represents a risk
that remains unaddressed, unmitigated, and unsupervised. Such risks are in addition to the stated knock-on effects that may arise via collateral and margin requirements, which are applicable to both OTC derivatives
and cryptocurrencies. Under EMIR, these risks are addressed via either central clearing of OTC derivatives via CCPs, or via additional risk mitigation techniques employed when using non-cleared OTC derivatives.

So, for example, risks are addressed by requiring the use of high quality, liquid, margin (CCP cleared) and/or collateral (non-cleared), and the use of standardised haircuts, i.e., valuation discounts applied to take into account potential liquidity and
market risks in times of market volatility. If we know exactly how and why these risks are dealt with under EMIR, then we would logically look to see how these risks are dealt with when trading cryptocurrencies. As will be seen in
Part V, these are precisely the types of risks that arose in relation to crypto investments made by 3AC Singapore.

The use of the AIFMD/EMIR frameworks is therefore highly relevant and useful, precisely because they illustrate how the risks inherent in investments made by funds in complex and opaque OTC derivatives, can be effectively mitigated in practice. The same
types of investment risks can be analysed with respect to crypto asset investments. However, it should be noted that a supervision report published by the Swedish Financial Supervisory Authority (Finansinspektionen
(FI)) analysed crypto investment risks (FI 2021).

In that report, the FI took the view that financial instruments based on crypto assets were actually even riskier than many other high risk products such as derivatives (FI
, p. 17
). In theory, this meant that crypto asset investments might demand even more extensive risk management practices than those required for OTC derivatives under EMIR. The FI said that this was because they lacked intrinsic value; there was
no generally accepted reliable models for valuation; they were generally not subject to consumer protection regulation; and they were frequently used for money laundering and terrorist financing (FI
, p. 17

An Overview of Crypto Asset Risks and Crypto Fund Risk Management Practices

In its discussion of considerations to take into account with respect to regulating crypto asset funds, the Irish Funds association identified a number of key risks that arose relating to crypto assets (Irish
Funds 2022
, p. 22
). These included risks relating to:

(1) absence of protection;

(2) extreme price movements (e.g., price may not be backed by assets);

(3) fraud and malicious activities;

(4) hacks, operational risks, and security issues;

(5) market manipulation (e.g., crypto asset holdings may be highly concentrated thereby impacting prices and liquidity);

(6) misleading information; and

(7) product complexity (with features, such as leverage, that can increase the magnitude of losses in case of adverse price movements) (Irish
Funds 2022
, pp. 22-23

To address the challenges arising out of the fragmented nature of the crypto asset market, it was recommended that firms implement relevant operational adjustments to capture and manage risk (Irish
Funds 2022
, p. 25
). In practice, these would relate to a firms selection and connection with trading platforms; its assimilation of 24/7 trading and settlement cycles; and its tracking and assessment of fair value across multiple always on exchanges
operating in a volatile marketplace (Irish Funds 2022, p. 25).

The Standards Board for Alternative Investments (SBai) published more detailed guidance relating to operational due diligence (ODD) requirements in respect of crypto assets (SBai
). This provided guidance in relation to key ODD areas covering conflicts of interest; custody; regulatory risk; trade processes; and valuation and asset verification (SBai
, p. 1
). A more recent research study found that the rigor of ODD on crypto investments and asset managers had been increasing, as more institutional capital had ventured into the crypto space (Scharfman
, p. 44

In relation to risk management expectations regarding crypto assets, the Australian Prudential Regulation Authority (APRA) states that it expected all regulated entities to adopt a
prudent approach if they are undertaking activities associated with crypto assets (APRA
, p. 1
). This included ensuring that all risks were well understood and well managed before launching any material new initiatives (APRA
, p. 1
). Consequently, APRA expected firms to carry out appropriate due diligence and a comprehensive risk assessment prior to engaging in crypto asset activities, and to put in place appropriate risk mitigation actions (APRA
, p. 1

APRA also stated that it expected firms to apply robust risk management controls, that featured clear accountabilities, and relevant reporting to the Board on key risks associated with any new crypto asset ventures (APRA
, p. 2
). For investments in crypto assets, firms were required to identify and assess a range of prudential risks pertaining to key areas such as capital management; investment risk; operational risk; as well as other risks, e.g., implications
for liquidity management, market risk management, and large exposures measurement (APRA
, p. 4

The Evolution of the Crypto Ecosystem and Regulation in Singapore

In Part III
of this Case Study, we identified that the proliferation of blockchain and crypto technologies and investments in Singapore was widely noted in the media and dated back to at least
2015. Such developments arose in line with the Singapore Governments positioning of Singapore as a financial technology (FinTech) centre, and as a crypto hub for international commerce. In fact, in
January 2016 the Singapore FinTech Consortium highlighted the huge diversity of FinTech sectors that already existed at that point in Singapore (Singapore
FinTech Consortium 2016

Such FinTech sectors included: banking infrastructure; finance research/analytics; financial training; institutional investments; lending; payments/remittances; personal finance/wealth; and retail banking/investments (Singapore
FinTech Consortium 2016
, p. 17
). In 2017, MAS published A Guide to Digital Token Offerings, which provided guidance on the application of securities laws administered by MAS with respect to offers or issues of digital tokens (e.g., Initial
Coin Offering (ICO)) in Singapore (MAS

In August 2017, MAS published official guidance in the form of its Consumer Advisory on Investment Schemes Involving Digital Tokens (Including Virtual Currencies) (MAS
(August) 2017
). In this advice, it expressly identified risks that consumers should be looking out for when assessing ICOs and other investment schemes involving digital tokens (MAS
(August) 2017
). These included inter alia risks relating to:

(1) foreign and online operators;

(2) sellers without a proven track record;

(3) insufficient secondary market liquidity;

(4) highly speculative investments; and

(5) investments promising high returns (MAS (August) 2017).

In December 2017, MAS even expressly cautioned the public to act with extreme caution and understand the significant risks they take on if they choose to invest in cryptocurrencies (MAS
(December) 2017
). It expressly stated that MAS did not regulate cryptocurrencies and there were no regulatory safeguards for investments in cryptocurrencies in place (MAS
(December) 2017
). It further stated: Nor do MAS regulations extend to the safety and soundness of cryptocurrency intermediaries or the proper processing of cryptocurrency transactions (MAS
(December) 2017

Since then, a range of supranational and other organisations have published extensive and detailed guidance relating to
inter alia the crypto ecosystem and financial stability challenges; risks to financial stability from crypto assets; and risks pertaining to the prudential treatment of crypto asset exposures, to name but a few (Basel
Committee on Banking Supervision 2021
; International Monetary Fund 2021;
Financial Stability Board 2022).

Consequently, there existed detailed analysis and knowledge of the types of risks that could arise from investments in crypto assets, and from crypto investment firm operations. In addition, it was identified that in
2017 there were already approximately 167 hedge funds that were opened to invest in cryptocurrencies and ICOs, and that by mid-March 2018, there were over 220 crypto-focused funds that operated in the world (Sheng

So, by 2017/2018, crypto investment funds were already widely established, recognised, and in operation around the world. On
14 January 2019, the Parliament in Singapore passed the
Payment Services Act 2019 (No. 2 of 2019)
(PSA 2019), which sought to set out a new regulatory framework for the regulation of payment systems and payment services providers in Singapore (MAS
). This law took effect in January 2020.

The important point to note about this industry development is that in 2021 it was reported that although 170 companies had applied for a MAS licence under the PSA 2019, only three crypto firms had actually received the highly coveted licences (Chanjaroen,
Amin, Ossinger 2021
). Not only did MAS seek to extensively engage with applicant firms, but it was also noted that MAS had significantly boosted its resources to cope with high volumes of prospective services operators (Chanjaroen,
Amin, Ossinger 2021

So, at this time MAS had expressly expanded its internal resources so that it had sufficient personnel internally that were qualified enough to be able to carry out in-depth analysis of the operations of crypto firm applicants. On
17 January 2022, MAS issued new guidelines to discourage cryptocurrency trading by the general public in Singapore (MAS
(January) 2022
). The Guidelines on provision of digital payment token services to the public set out the expectation that digital payment token (DPT) service providers should not promote their DPT services to the general public in Singapore
(MAS (January) 2022).

The Failure of MAS in its Duty of Supervisory Capacity

To analyse the failure of MAS in its duty of supervisory capacity, I will put myself in the position of a MAS Investigation Officer (MAS IO) assigned this case, which would be close to identical to the way I would approach this situation if our firm
(Storm-7 Consulting) were called in as an external regulatory compliance consultancy firm. By
August 2018, 3AC Singapore had been operating for five years. It was an established investment fund that
should have had an effective compliance function in place that included compliance officers and a head of compliance.

We previously identified that its only overriding authorisation requirement was to ensure that it did not exceed the RFMC AuM threshold. To this end, under the MAS
Guidelines on Risk Management Practices Internal Controls
, compliance officers were required to report to the 3AC Singapore board on any material compliance violations, and the status of any actions being taken (Cavenagh
Law LLP 2019
). Furthermore, the head of compliance was expected to inform the chair of the board directly in the event of any major non-compliance by management, or material non-compliance by the firm (Cavenagh
Law LLP 2019

As a Fund Management Company (FMC), 3AC Singapore was required to notify MAS immediately if it breached its RFMC AuM threshold licensing requirement, and to take immediate steps to rectify such a breach (MAS
2012 Guidelines
, p. 10
). We know that MAS started investigating 3AC Singapores contraventions in
June 2021, and that the firms first breach of its authorised RFMC threshold of
$180 million occurred in July 2020 (MAS
). This should have immediately put MAS on notice.

As MAS IO, I would ask myself why was it that 3AC Singapore breached its authorised RFMC threshold one year prior, but had still failed to notify MAS? I would ask myself, was this a technical error or oversight, or were there failures in its internal compliance
function? The fact that I was investigating several potential contraventions would tend to indicate that it could be a failure in its compliance function. The initial focus of the investigation, however, should have been on the valuation of its assets, because
this was the only overriding authorisation requirement for 3AC Singapore.

In addition, the investigation should have been time sensitive. If I believed that 3AC Singapore had breached its authorised RFMC AuM threshold, this could mean that it was operating on an unlicensed basis, i.e., it should have been adhering to much stricter
licensing requirements for a Licensed FMC (LFMC). We saw in Part III that there is a huge
difference in the operational requirements for LFMCs compared to a RFMC. In practice, the MAS objectives of supervision include securing a stable financial system; securing safe and sound financial intermediaries; and securing fair, efficient and transparent
organised markets (MAS
, p. 4

Two oversight functions of MAS are authorisation and supervision (MAS
, pp.19-20
). Taken together, these mean that the initial priority should have been to identify as soon as possible whether the breach of the authorised RFMC AuM threshold represented a potential market risk and/or even systemic risk. Was this an
AuM threshold breach of $1 million, or a breach of $50 million? The difference could be crucial to the integrity of organised markets in Singapore, that is why it should have represented a time-sensitive matter.

In Part II, we saw that a crypto investment firm using a 10:1 leverage ratio, could use
$50 million to control a $500 million crypto trade. So, an AuM threshold breach of even
$10 million could mean that in reality such breach actually controlled
$100 million
of crypto investments, not just $10 million. In Part III
we were quickly able to work out that an RFMC was not required to hold any risk-based capital (RBC), and that 3AC Singapore was only required to hold
$180,000 in capital, i.e., 1/1000 of its total capital investment limit.

So, for me, as a MAS IO, this represents a red flag warning. If 3AC Singapore was operating with a significant excess of AuM, it would mean that it had internal compliance and risk management functions specifically designed to manage risk at much lower risk
levels, that were actually being used to manage risk at much higher risk levels. That is a big problem. For example, if 3AC Singapore was utilising leverage in its investment strategies, this could mean that it was exposing its market counterparties to significant
non-disclosed risks.

There could be potential contagion risks arising because of the level of interconnectedness existing between market counterparties, as well as knock-on effects through the use of collateral and lending practices. As MAS IO, I would immediately prioritise
finding out if the RFMC AuM threshold breach gave rise to any potential counterparty, market, or systemic risks. As MAS IO my initial immediate focus would have been on:

(1) identifying why the RFMC AuM threshold breach (or breaches) arose;

(2) if they represented potential counterparty, market, or systemic risks;

(3) why 3AC Singapore failed to immediately notify MAS of such material technical breaches;  

(4) whether 3AC Singapore operations and regulatory status should be temporarily suspended, and

(5) whether 3AC Singapore should be required to register as a LFMC.

These would have been primary priority issues because 3AC Singapore operations could have disclosed relevant counterparty, market, or systemic risks. Secondary priority issues would have been investigating 3AC Singapores compliance, risk management, and
valuation functions. As MAS IO, I know exactly what I am looking for and how to go about such investigation because the general investment fund regulatory approach has been set out in the AIFMD/EMIR frameworks, as well as a range of MAS guidance.

In addition, as we saw, there is extensive information available in relation to crypto asset risks, and crypto fund risk management practices. We also saw that I can also draw upon extensive and detailed guidance from supranational institutions relating
to the crypto ecosystem, financial stability challenges and risks, and risks arising from the prudential treatment of crypto asset exposures.

As Singapore had previously intentionally positioned itself as a FinTech centre and crypto hub, it had assumed responsibility for equipping itself with the knowledge and expertise required to effectively regulate crypto investment firms. In fact, we saw
from the range of official guidance that MAS knew and understood the risks of crypto investments, and it even extensively warned the public of such risks. There is no way that MAS can argue that it was understaffed because we saw that it had specifically significantly
boosted its resources to cope with high volumes of crypto firm applications.

Out of 170 PSA 2019 licence applications, MAS had only granted three crypto firm licences. This unequivocally demonstrates that it carried out extremely detailed due diligence and analysis of crypto firm operations. This is what does not make sense. If this
is the approach that MAS adopts to due diligence and analysis of crypto firm operations, why were the extensive problems in compliance, valuation, and risk management functions within 3AC Singapore not identified?

As we will see in the next Part V of this Case Study, the compliance management and risk management practices of 3AC Singapore were shambolic. These are not something that would have simply arisen overnight. From the facts we know they certainly
arose in 2022, because from May 2022 to June 2022 they led to the firms failure. In my professional experience, they do not seem like the type of practices that would have quickly been adopted over the space of just
4 months (i.e., January 2022April 2022).

So, I believe that given 3AC Singapores failure to notify MAS dated back to
July 2020
, it is highly probable that they were something that could have been identified in
2021. The MAS reprimand of 3AC Singapore was published on 30 June 2022, which meant that MAS was still investigating 3AC Singapore in
2022. This meant in theory, MAS should have been able to discover significant problems that existed with the firms internal compliance, risk management, asset valuation, and reporting functions.

If I were a MAS IO, I believe they are something that I would have been able to identify if I had investigated the firm, and I was present conducting an investigation at their offices over the course of
one month. So, the real question is why did it take MAS one year
to conduct an investigation? 3AC Singapore had consistently featured in the media around the world, and MAS had specifically positioned itself as a crypto investment firm regulator. It should have understood that crypto investments gave rise to unique risks
that need to be regularly monitored and supervised. Given the unique nature of its crypto investments, this meant that any investigation of 3AC Singapore should have been sufficiently adequate and prudent in nature.

Consequently, as a MAS IO, the potential misuse of leverage, complex crypto investments, and complex crypto lending practices is something that I would have, and should have, been on the lookout for. If there were potential issues or problems with internal
compliance and risk management functions of a crypto investment fund, other risks that I should have been on the lookout for were the use of crypto leverage from unregulated firms; the use of low quality crypto margin; the use of minimal, or lack of, apposite
crypto margin haircuts; and potential market and liquidity risks.

MAS commenced its investigation in June 2021 and published its reprimand notice in
June 2022. That is one year in which MAS investigated 3AC Singapore but failed to suspend 3AC Singapore operations, and it failed to require 3AC Singapore to register as a LFMC. This is despite the fact that 3AC Singapore broke the law by breaching
its RFMC AuM threshold for one year in total. In reality, when MAS confirmed that 3AC Singapore breached its AuM threshold between
November 2020 and August 2021 (10 months), that is the exact point at which it should have immediately required 3AC Singapore to register as a LFMC.

In practice, this would have required 3AC Singapore to implement highly extensive, and much more stringent, compliance and risk management requirements, including much higher RBC and capital obligations. It would also have required much more stringent and
detailed risk management requirements pertaining to the use of leverage in crypto trades and investments, which was likely one of the primary causes of the ultimate failure of 3AC Singapore. I believe that if 3AC Singapore had been required to implement these
huge operational changes, it is possible the firm would not have failed, or alternatively that its losses would not have been so massive.

If as MAS IO, I would had conducted a proper extensive and thorough examination of 3AC Singapores practices, the likelihood is that I would have easily found sufficient evidence to require me to order 3AC Singapore to register as a LFMC. That is why I believe
that MAS failed in its duty of supervisory capacity vis–vis the adequate, prudent, and timely supervision of 3AC Singapore. It is also why I believe that if 3AC Singapore had been required to register as a LFMC by MAS, the new operational requirements
imposed on the firm may have prevented its collapse, or at the very least, mitigated the financial impact of its collapse, and the collapse of other market firms in
June 2022.

To be continued.