GARP: Risk Management and Public Key Cryptography
Risk managers must consider all risks and make decisions based on complex, voluminous, fast-changing data, all while worrying about timeliness and accuracy. But there is a crypto tool that can help them meet this challenge, potentially yielding lower risk, higher returns and greater financial stability.
What is the central goal of risk management? A common wrong answer is, “To predict and prevent disaster.” The issue with this response is that at least half of risk management is maximizing opportunities, rather than minimizing dangers. It’s not about avoiding all risk, but, instead, selecting the optimal level of risk.
Another problem is that prediction is the domain of line decision makers. Risk managers focus on considering everything that might happen, rather than trying to guess what will happen. The most attention is on the scenarios line risk takers do not predict, and for which they might not be prepared. However, preventing any possibility of disaster means taking no risk, and with no risk, who needs anyone to manage it?
A sign of good risk management can be found in a common scene in fiction after some bad event. Someone says, “Well, we all knew the risks,” and everyone else nods sadly. Everyone knew the risks and agreed how they would be managed; everyone accepts the outcome, glumly, but without finger pointing or recriminations.
Being on the same page is key. When different stakeholders have different beliefs about risk levels and strategy, non-optimal decisions are made, and bad events lead to aftermaths that make things worse.
It’s not the job of the risk manager to decide if a new business is a good idea, a trade is shrewd, or an investment strategy is wise. Rather, it’s his or her job to understand the risks as well as possible; to design limits, mitigations and contingency plans to manage those risks; and to make sure all stakeholders have the same understandings about the risks and plans.
Even the best risk manager will misunderstand some risks and design imperfect strategies for them. Stakeholders will often disagree with each other about likely scenarios. But there’s no excuse for any risk manager to allow any stakeholder to misunderstand the risk manager’s view. It’s okay to be wrong (everyone is sometimes), but not to be unclear or deceptive.
A Three-Pronged Dilemma
Risk managers face three main problems. First, risk information can be voluminous, complex and fast-changing. Many stakeholders require succinct, simple indicators, and are not equipped to react to sudden changes.
Second, risk information is often proprietary. Stakeholders can view risk metrics computed from data, but often cannot be given access to the underlying raw data.
Third, even if all information is theoretically available to the risk manager, the timely information will have errors and the accurate information will often be delayed too late to be useful; moreover, it can be impossible to match up data from different sources.
These problems may be manageable most of the time, but in crises – when timely, accurate, reconciled information is essential for survival – key risk metrics are often useless.
How PKC Can Advance Risk Management
Public key cryptography (“PKC”) is a powerful tool for addressing these types of problems. Introduced in 1976, it underlies secure transactions and communications everywhere today.
In older private-key solutions, you needed a private session with your bank to share a secret password or other information used to secure subsequent communication. Contrastingly, the modern version of PKC allows you to communicate securely on the Internet with your bank, for example, so that even someone who intercepted all messages in both directions could neither learn your balance nor authorize transactions.
Recent advances in PKC and reductions in computer processing costs, moreover, have inspired innovators to develop novel solutions to risk management problems that promise to be far superior to traditional methods. I expect these to revolutionize the field over the next decade. However, there are many different approaches, and I have no crystal ball to tell me which ideas will win out and which will be discarded.
One example of how PKC could prove very helpful for risk management can be found in crowded trades executed by highly-levered institutions. If such a trade loses money, high leverage can force investors to exit suddenly, which can cause further losses and further fire sales.
The result can destabilize the financial system and lead to hedge fund blow-ups, prime brokerage failures and exchange insolvencies. Regulators, hedge funds, prime brokers (PBs), futures commission merchants (FCMs), exchanges and other stakeholders have an interest in managing this risk.
This problem is tractable because there is a reasonably small and well-defined universe of large stakeholders — regulators, large dealers, exchanges and large, highly-levered fund managers — and a limited number of areas of crowded trade concern. All stakeholders would benefit from both public knowledge of what crowded trades exist and private knowledge about which of their counterparties are exposed to them.
Consider this from the standpoint of a specific hedge fund. It holds its positions with multiple PBs, FCMs, custodians, exchanges and other intermediaries – largely so that no one can know its positions to either reverse engineer its strategies or to trade against the fund. Its counterparties impose limits or margin requirements based on the positions held with that counterparty, but would like to know that the hedge fund has capital to cover its aggregated positions over all counterparties. Everyone would also like to know if the positions of the one fund are matched by large gross exposures by all highly-levered funds.
To acquire the required knowledge, the hedge fund can run a “zero-knowledge proof” (ZKP) – a type of PKC – on its positions as part of its normal daily close. The output proves to the public that the fund’s positions comply with specified limits – e.g., that gross long economic exposure to any one equity is less than 10 times average daily volume, or that free cash is greater than twice total margin posted. The public cannot learn anything about the fund’s positions (that’s why it’s called zero-knowledge), except that its positions are within limits.
One point of this knowledge is to reduce risk in the financial system, as well as for individual entities. But the improved information could also be used to increase leverage limits and reduce leverage costs — resulting in both lower risk and higher returns for funds and profits for intermediaries.
The ZKP output can additionally be used by counterparties who have private keys to decrypt the position the fund claims with that counterparty. This prevents the fund from cheating by misrepresenting its positions for the ZKP. But this information remains with the counterparty (no one else can see it), which knows it anyway.
Of course, no one expects exact matches, as funds and counterparties have reconciliation issues every day. But any large or long-standing discrepancy would alert counterparties and regulators to treat the fund with caution, perhaps pulling leverage or cutting off relationships.
Using a tool called homomorphic encryption, the outputs from all highly levered investors can also be aggregated to see if there are any limit violations across all funds. These aggregate limits, of course, would be much larger than the limits for individual funds, and this information could be made public without any individual fund or individual counterparty exposure being revealed.
Knowing where the crowded trades are could cause counterparties to increase margin requirements or tighten limits, and regulators to prepare in case the trade blows up.
ZKP in Crypto: Shining Light on Risk Management Possibilities
I have little doubt that a system of this sort will be implemented within a few years. It’s not a challenging or novel technical problem, and it would be a major advance in financial system risk management. However, it relies on relatively new ideas and some advanced mathematics, so adoption will be slow. Traditional regulators and risk managers will want to see similar systems working well in other domains.
Cryptocurrencies are currently providing the proof of concept for ZKP in financial risk management. Crypto exchanges and stablecoins are offering customers ZKP of solvency – to show that the entity has on-chain crypto assets greater than or equal to customer liabilities.
This is simpler than the hedge fund/PB example above, because it merely adds up customer liabilities and compares to total assets. It’s also easier because on-chain crypto assets can be validated programmatically; you don’t need counterparties to compare the hedge fund’s claimed positions in the ZKP to the counterparties’ records of positions.
But the treatment of customer liabilities is similar: each customer can use a private key to check that their balance claimed in the ZKP matches the balance they see in their account. Of course, not all customers will check every day, but the large institutional customers that represent nearly all the liabilities will check as part of their daily processes, and some individual customers will check some of the time. If the crypto exchange leaves out enough customer accounts to make much difference, it will be caught pretty quickly.
Parting Thoughts
ZKPs are being used in financial risk management today, and have the potential to do great things within a few years, without any need for technical breakthroughs or large development costs. Other PKC technologies will be important as well.
If you’re working with any crypto entities, you’re probably already familiar with some of the ideas – and, if not, you should be. To get ahead of the curve, risk managers in traditional finance can start learning about PKC applications to risk management today.
Disclaimer: the author is an active investor in crypto projects and has investments that could be affected by decisions about use of PKC in risk management. In particular, he is an investor in and paid advisor to Raposa, a private company working on zero-knowledge risk management proofs.