This is the first in a series of alerts about risk mitigation in the digital assets sector. This alert focuses on Cred Inc., a centralized cryptocurrency lender that filed for bankruptcy in November 2020. Cred’s bankruptcy highlights areas where crypto-lending companies should consider adoption of risk mitigation measures to safeguard against fraud. Furthermore, Cred’s experience highlights the risks inherent in financial products tied to volatile cryptocurrencies, where there is no “lender of last resort."[i]
Awareness and usage of cryptocurrencies has skyrocketed since 2017. Bitcoin (BTC), the largest cryptocurrency in terms of market cap, represents an innovative bundling of at least three key features: it is natively digital, decentralized, and trustless (peer-to-peer without a verifying intermediary). This fundamental financial innovation has spawned a nascent but burgeoning financial ecosystem that includes hundreds of alternate cryptocurrencies, along with exchanges, lenders, asset managers, and custodians serving both retail customers and institutions. Recently, the industry has seen a surge of activity on Ethereum, the second-largest cryptocurrency network by market cap, which serves as an open platform for developers around the world to build decentralized applications. DeFi (decentralized finance) applications range from simple lending apps to complex derivatives platforms.
Cryptocurrencies, due to their cash-like, anonymizing features and their fundamentally borderless nature, have caught the watchful eye of government regulators across the globe for over a decade. In the US, regulators such as the Securities and Exchange Commission, the Commodity Futures Trading Commission, the Office of the Comptroller of the Currency, and the Financial Crimes Enforcement Network have issued some guidance and rules affecting cryptocurrencies, stablecoins, and related financial schemes. The regulators are primarily looking at the activities of the different actors within the cryptocurrency ecosystem and attempting to align them with the requirements of traditional financial institutions. Activity at the state level has been uneven, with some states adopting measures to attract investment in such technologies, while others have been less welcoming, for example restricting the issuance of licenses to businesses that deal with cryptoassets.
Cryptocurrency and related technologies are exciting innovations but often carry risks. Today’s DeFi apps are mostly unregulated, often unaudited, and, like many of the initial coin offerings of 2017-2018, attractive to fraudsters. Centralized cryptocurrency companies are not immune to risks either, as poor controls and security practices can lead to fraud, Ponzi schemes, and hacks, resulting in the leak of customers’ personally identifiable information or the direct loss of funds. Finally, cryptocurrencies are subject to currency risk due to their extreme volatility relative to other assets, such as sovereign fiat currencies.
Cred Inc., and Crypto Lending
Founded in 2018, Cred describes itself as a “global financial services platform” and “licensed lender” that delivers lending and borrowing services to customers in approximately 140 countries. Cred’s primary financial product, “Cred Earn,” enables customers to earn interest of 4%-10% on their cryptocurrency holdings by issuing what many perceive as an unsecured lending contract. Under the hood, retail customers agree to lending terms and then transfer their crypto via the Cred portal to e-wallets managed by a third-party provider, while high net worth (HNW) individuals transfer their crypto directly to Cred. Cred lends the crypto to a variety of customer segments, including asset managers, crypto mining companies, and other third parties, who leverage the crypto to earn yield through arbitrage trading and other financial vehicles. Every three months, customers receive interest paid in dollars or stablecoins. Movement of funds is enabled through a variety of relationships Cred maintains with commercial banks, crypto exchanges, and OTC firms.
Cred claimed to lend its customers’ digital assets on a “fully collateralized and guaranteed basis” with “comprehensive insurance” enabled by custodial partners who are some of the largest BTC custodians in the world.[ii] However, an estimated $140 million in customer and investor funds are now lost or at risk, including $115 million owed to holders of Cred Earn notes.[iii] According to public reports, Cred may not have properly vetted third parties or managed its liquidity risk and seems to have ignored red flags raised by employees along the way.
A Liquidity Crisis and Fabricated Third Parties
At the time of filing, Cred held $136 million in liabilities, including customer deposits, compared to $68 million in assets.[iv] According to the filing, the primary driver of Cred’s unfavorable financial situation was the rise in BTC’s price, which spiked 200% in USD terms from a low of $4,944.70 on March 16, 2020, to $14,783.98 as of November 9, 2020. This negatively impacted Cred’s balance sheet since customer deposits, in the form of cryptocurrency like Bitcoin, are a liability on Cred’s balance sheet.[v] Second, Cred suffered a hack, leading to the freezing of customer cryptocurrency funds while law enforcement works to recover the lost assets.[vi] Most important was the “material loss [of funds] connected with the onboarding of a fraudulent asset manager…” and his misappropriation of 800 BTC ($15.6 million as of December 3, 2020).[vii] These three factors enumerated by the CEO in the bankruptcy filings seem only a partial telling of the story, as detailed below.
Central to Cred’s business model was moKredit, a Shanghai-based lending service. According to CoinDesk, Cred converted depositors’ cryptocurrency to yuan and then lent those funds to moKredit. Reportedly, moKredit, whose website is no longer active, advertised a “play-first, pay-later” business model to gamers, provisioning small lines of credit in the form of digital tokens. It seems Cred lent customer funds to moKredit to finance its own micro-lending activities. Over the course of 2020, Cred lent $39 million to moKredit, which promised to generate between 15%-24% in annual interest for Cred.[viii] During the COVID 19-induced market crash of March 2020, Cred tried to call back $10 million from moKredit but the highly leveraged Chinese lender was unable to repay. The bankruptcy filing states Cred subsequently renegotiated loan repayment terms with moKredit, a claim disputed by former employees.[ix] According to the firm’s former head of capital markets, Cred did not attempt to recoup these funds, and the investment committee’s requests to do so were consistently “rejected by the CEO.”[x]
The filing documents indicate that in February 2020, Cred invested 800 BTC of Cred’s funds into an entity called Quantcoin. The investment was allegedly administered by Kingdom Trust, a custodial service for institutional investors of crypto. When Cred contacted Kingdom Trust to recoup its funds, the latter entity claimed it had no open accounts with Cred and no knowledge of the individual who had been providing updates to Cred. According to former employees, the management team was aware of the apparent fraud and loss of funds in August, but employees were told to continue accepting deposits from new clients. After the fraud was announced, Cred froze its assets and fired three employees. This was followed by a series of lawsuits and counter lawsuits between Cred’s CEO and the executive allegedly responsible for the Quantcoin investment, including a claim the latter took over $2 million in BTC and USDC (Circle’s USD-denominated stablecoin) and transferred them to his own wallet.
It appears the bankruptcy filing omits further losses based on total liabilities outstanding. Only $53 million of Cred’s $140 million in outstanding liabilities are accounted for when totaling the $39 million loan to moKredit, the equivalent of $12 million BTC lost to Quantcoin, and the equivalent of $2 million “stolen” BTC. This suggests $80 million-$90 million in liabilities driven by the upward price movement of Bitcoin and/or other losses not divulged in the bankruptcy filings.[xi]
The illustration below is a high-level conceptual model of Cred’s money flows, highlighting key risks to consumers and investors.
While new technology may offer cutting-edge investment and financial opportunities, there are standard elements critical to any compliance program, which might prove even more important when dealing with new asset classes, new technology, and new market participants:
Strong governance. All institutions should have a compliance committee with a charter that clearly outlines the mandate, responsibilities, meeting frequency, and the way it collects information, including records retention. Also critical are actions in accordance with company policy and procedures by the leadership team to set the proper tone of compliance; implementing mechanisms that demonstrate concerns from all employees matter and will be given serious consideration; and a training program to ensure all company employees and officers understand their roles and responsibilities with respect to compliance.
Effective due diligence process. When followed, an appropriate due diligence program for their counterparties and business partners, as well as clients, helps entities mitigate many types of risks and avoid costly pitfalls. For instance, risk-based pre-investment due diligence steps could be based on the investment amount, the location of the recipient entity, the nature of the products/services it offers, nature of the investment, and similar considerations. Entities should apply the criteria consistently and document the results, regardless of the outcome. More importantly, if exceptions to the process are made, documentation on the reason for and the approver(s) of the exception must be created and retained.
Ongoing risk assessments. The fast-paced and volatile digital assets environment requires properly designed risk management programs. Entities should avoid trying to adapt generic risk assessments. For example, if a cryptocurrency lender attempts to repurpose the risk assessment of a payments provider, it will quickly find its risk assessments do not produce helpful results to inform its strategies and refine controls. A fraud risk assessment will help identify vulnerable areas on which to focus resources.
Regulatory change management. The regulatory environment for lending practices in the digital assets space is not clear and may change rapidly, notably in states that have not defined the legal status of Bitcoin and other digital assets. While many regulators are trying to allow financial institutions to innovate, regulators will likely continue to prioritize the protection of investors and financial consumers.
[i] This represents the first bankruptcy case involving a US-based cryptocurrency lender and is sure to surface several issues in nascent stages of regulatory definition, including the legal status of cryptocurrency, the valuation of claims denominated in cryptocurrency and stablecoins, and the jurisdictional oversight of securities and lending platforms.
[iii] CoinDesk reports that $114 million of Cred’s $136 million in reported liabilities is owed to the 500-1,000 holders of Cred Earn notes.
[iv] According to Cred’s Pro-Forma Asset and Liability statement filed along with its Chapter 11 filing, this includes $114.6 million in Customer Deposits and $20.8 million in Customer Collateral, both tied to the price of Bitcoin (accessed November 28, 2020).
[v] Conversely, Cred’s investments were denominated in dollars and did not benefit from BTC’s price increase. The market crash in March also impacted Cred as the crash of BTC value of over 50% severely limited their cash reserves. To stop the loss, one of Cred’s founders allegedly gave Cred a loan of 300 BTC, around $5.8 million at today’s prices. According to employees familiar with the matter, the loan was given without formal terms. The former head of capital markets for Cred also claimed that said founder was paying interest on this personal loan with corporate and customer assets.
[vi] The hack is noted, without specifics, in the Declaration of Drew McManigle, CEO of MACCO Restructuring, which is the advisory firm retained by Cred during the bankruptcy filings and restructuring (Case 20-12836-JTD Doc 16, Filed 11/09/20). Cred cited a “fraudulent incident” in an announcement via Twitter on October 28, 2020, following the hack. Whether this was perpetuated by an external malicious actor or insiders is still a matter of speculation.
[vii] Reporting by Crypto.com.
[viii] Reporting by Crypto.com.
[ix] Former Cred employees who spoke to Crypto.com stated Cred’s CEO allegedly put moKredit “on a long leash,” effectively allowing them to send back whatever they wanted, when they wanted.
[x] Employees have reported the CEO gave moKredit “a long leash” with respect to its repayment schedule, possibly due to its ownership by one of Cred’s founders.
[xi] According to Cryptobriefing.com, an email from the “ExCredCrew” indicated Cred’s CEO omitted a specific loss in the bankruptcy filings that is alleged to be “even greater than the… [fraudulent asset manager] and Quantcoin situations combined.”