The cryptocurrency exchange WazirX recently faced a security breach resulting in huge losses for its users. In this post, Nipuna Varman evaluates the ‘loss socialisation’ recovery plan that was initially put forth, comparing it to the practice of bank bailouts by the government – and highlights the need for regulation of digital assets in India.
One of India’s prominent cryptocurrency exchanges, WazirX, recently faced a security breach resulting in a loss of US$230 million. This is the biggest breach faced by any cryptocurrency exchange in India. In response, WazirX filed a police complaint and reported the incident to the Financial Intelligence Unit (FIU) under the Ministry of Finance and the Indian Computer Emergency Response Team (Cert-In) under the Ministry of Electronics and Information Technology.
Additionally, the firm had preliminarily proposed a recovery plan to reduce user disruptions. According to the plan, all users (including the ones not affected by the theft) would take a 45% haircut on their holdings (meaning that 45% of each user’s holding would be ‘locked’ so that they would not be able to withdraw or trade them). For the remaining 55%, the users were offered two options: one, where they could trade and hold their crypto assets but could not withdraw them – this would earn them priority in the recovery process; or two, where users could trade and withdraw their assets, but they would be on a low priority in the recovery process. WazirX stated that this approach aimed to ‘socialise the losses’ incurred due to the cyberattack. Here, the firm and its shareholders did not absorb any losses, but rather they were to be distributed among all users equally.
This move attracted a lot of criticism from industry leaders for putting business interests ahead of consumer welfare. The firm had clarified that the proposed approach was preliminary and was subject to feedback received from the users. Accordingly, due to pushback from users, this plan was dropped. More recently, the firm has decided to restructure and is seeking a white knight1 for capital infusion. This strategy will involve sharing profits with users and allowing withdrawals.
The loss socialisation plan, despite being withdrawn, is significant as it brings to focus two aspects of the issue – first, the imposition of losses on the users; and second, regulation of the digital assets landscape.
Socialisation of losses
‘Privatising profits and socialising losses’ refers to the practice where the profits from a business are distributed among shareholders while the public is made responsible for the losses incurred. Loss socialisation typically involves a government action where the taxpayers absorb the losses incurred by a firm. This may occur through practices like government bailout programmes or regulatory actions. In the case of WazirX, the aspect of government intervention is absent, and the losses were proposed to be absorbed by the users and not the taxpayers. Therefore, the WazirX proposal does not strictly fall within the definition of socialisation of losses. However, the term has been used to describe similar actions undertaken by other crypto exchanges in the past, such as Bitfinex. Conceptually, the socialising of losses in this context overlaps with the traditional definition in two ways. First, the firm and the shareholders do not absorb any losses. Second, the losses are equally distributed among a broad community.
Theoretically, most crypto exchanges function in a decentralised and self-regulated environment. Therefore, government intervention is limited, and the crypto exchange itself holds the power to socialise losses among users. Thus, the role of the exchange reflects the power dynamic, albeit within a private framework.
An analogy can be drawn between the WazirX proposal and bank bailouts where a government provides financial support to a failing financial institution – and, it can be argued, through taxpayer money. In both cases, the losses are not borne by the firm/bank, but by entities who do not partake in the decision-making process of the firm.
For bailouts, the rationale is that such an intervention could prevent financial instability where the cost of instability may be more for the taxpayers. Interestingly, the WazirX co-founder Nischal Shetty had similarly pointed out that if not for the loss socialisation plan, the other possible response to the breach would be to seek legal recourse. He argued that the latter approach could be time-consuming and may result in little to no recovery for the users.
One of the most significant criticisms of loss socialisation is that it creates a ‘moral hazard’. When the party responsible for the incurred losses does not bear the cost of the same, it creates a distorted incentive structure. The entity responsible is incentivised to take higher risks, which further increases the potential burden borne by the public. The aftermath of the 2008 Global Financial Crisis saw an increased conversation surrounding the institutions that are ‘too big to fail’ and the best practices to be adopted by countries to prevent such crises. As a response, the concept of ‘bail-in’ was introduced that placed the burden of absorbing losses incurred by a firm on its shareholders and creditors, thus aiming to exterminate the issue of moral hazard.
Over the years the concept of ‘bail-in’ has gained popularity. In 2011, the Financial Stability Board (FSB) published the ‘Key Attributes of Effective Resolution Regimes for Financial Institutions’, which set out the best practices to establish a framework for orderly resolution of matters pertaining to financial institutions, with bail-in being one of the “Key Attributes” recognised by the FSB.
The shift of conversation from bail-out (financial support provided by the government) to bail-in (losses absorbed by shareholders and creditors) showcases how firms dealing with consumer funds may be incentivised to ensure financial stability and consumer protection.
In the case of WazirX, the co-founder stated that user funds were not insured by the firm. It is often difficult for crypto exchanges to insure users’ funds as insurers are unable to assess the risk attached to these assets. There also is no legal requirement for crypto exchanges to maintain an insurance fund. Interestingly, CoinSwitch, another Indian crypto exchange, has stated that the crypto assets held by the firm are held in custodial wallets that are insured by ‘reputed providers’.
The lack of responsibility assumed by the firm indicates that a strategy to socialise losses not only disincentivises the firm from taking precautions but also from making recovery efforts as any recovered funds will not belong to the firm or its shareholders. Therefore, the users bear the burden of the cyberattack. This incident shows that a financial system that differentiates itself from the traditional framework by emphasising the significance of decentralisation and equity, may still impose losses and penalties on consumers for no fault of their own. The lack of any regulatory framework governing such a system is dangerous for the consumers and can lead to inefficient outcomes.
Need for a regulatory structure
It is pertinent to note that the regulation of digital assets in India is at a nascent stage. While there is no specific legislation in the country to this effect, the scope of other legislations has been expanded to include digital assets. For instance, the Prevention of Money Laundering Act, 2002 (PMLA) includes transactions related to digital assets, and the Income Tax Act, 1961 imposes a 30% tax on digital assets along with a 1% Tax Deducted at Source (TDS) on the sale of such assets. Under its G20 presidency in 2023, India presented its views in favour of a globally aligned regulatory framework for digital assets. Consequently, under the Presidency Note – as an input for ‘Roadmap on Establishing a Global Framework for Crypto Assets’ – India concurred with the guidelines put forth by the Financial Action Task Force (FATF), International Monetary Fund (IMF), and FSB.
More recently, it was reported that the Securities Exchange Board of India (SEBI) has recommended multiple regulators oversee the trading of cryptocurrencies. On the other hand, the Reserve Bank of India (RBI) imposes strict control over banks and other entities in relation to crypto transactions, indicating that they may not be in favour of legitimising this space. This leaves India’s policy and regulatory stance ambiguous. It aims to present policy suggestions and seek stakeholder comments and feedback on the same.
The case of WazirX makes it evident that there is a need for a clear policy and regulatory stance in the digital assets space. The lack of regulation has not prevented consumers from investing their money in this sector. There have been increasing instances of cyberattacks and theft of cryptocurrency globally, resulting in consumers incurring losses without effective resolution. Therefore, consumers remain exposed to several risks. In the face of regulatory uncertainty and the increasing relevance of the digital assets sector, it is important to prioritise consumer protection.
The views expressed in this post are solely those of the author, and do not necessarily reflect those of the I4I Editorial Board.
Note:
Comments will be held for moderation. Your contact information will not be made public.