Tuesday 8 June 2021

Tether Reserves - Verify Then Trust

As Argued Below, Verification Should Come Before Trust

First post in this series here.

If you’re old enough or have access to the internet, you may recall a US politician who announced a major international agreement by quoting a Russian proverb “Trust, but Verify”.

If you think about it carefully, you might come to the contrary conclusion that one should verify first then trust.

Or as in the hadith relayed by al-Tirmidhi (2517): “اعْقِلْهَا وَتَوَكَّلْ” or “Tie your camel first and then trust in God”.

The point of that hadith being that one has to take responsibility for one's affairs.

Wise words in all facets of life, including investments.

Even more so when the prior behaviour of the counterparty was less than would instill confidence.

As paragraphs 14-54 of the February 2021 settlement agreement between Tether et al and the NY State Attorney General revealed, Tether had been less than candid in disclosing the status of its reserves and the fact that they were not always backed 1 to 1 with US dollars on deposit.

In fact at times “reserves” were “held” in the form of loans to an affiliated company Bitfinex, whose own funds were frozen.

That’s not very comforting.

Nor is the fact that as per paragraph 57 of the settlement agreement, Tether was compelled to provide quarterly disclosure on its “reserves” for two years.

Shouldn’t a responsible fiduciary (and that’s the role that Tether assumed in issuing stablecoins) have been more (a) careful and (b) candid about the reserves?

That was as they say the “past”.

So how are Tether doing now?

Risk Disclosure

On Tether’s website here under the tab labeled “Risk Disclosure” you will find a set of risks outlined.

Missing is the fact that Tether’s reserves are subject to market risk. Why this isn’t mentioned is surprising. Well maybe not so surprising given their past behaviour.

Reserves Disclosure

Here is the link to Tether’s “disclosure” of its reserves as of 31 March 2021.

Some observations.

Some 75.85% of the “reserves” are grouped under the heading “cash & cash equivalents & other short term deposits & commercial paper”.

Now if we wanted to evaluate the reserves in terms of backing for tethers, we would want to know the amounts of each of these three components.

Why?

Because each of these three categories is likely to have differing liquidity.

Liquidity being the ability to sell a financial instrument quickly at face value or with a minimum deviation from face value. 

Why is liquidity important?  

Because if holders of tether want to exit and can't find buyers, if the reserves are insufficient, they won't get US$1 for each tether.  

Imagine a scenario in which a Techno-King or perhaps just a Techno-Prince tweets that CatCoin is the new investment meme of the day.

Also if the "market" thinks the reserves are inadequate, then the price of a tether should go below US$ 1. 

This could arise from liquidity or credit concerns about the "reserves".

Cash and cash equivalents are highly liquid, not subject to penalty or delay on withdrawal, and typically have maturities of three months from date of acquisition. Note that word – acquisition, not date of the report.

This category would be likely to be realized at face value or very close.

You will note that roughly one-half of total reserves is in commercial paper (75.85% x 65.39%).

This amount is not included in “cash and cash equivalents”. That means it does not have the characteristics described above.

As a consequence it is likely to be redeemed at less than face value prior to maturity.

The CP also bears the credit risk of the obligor/issuer on the CP.

And we have its amount.  It's almost 50% of reserves.

Some 18.36% is in “fiduciary” deposits. (Same calculation as above)

Since short-term deposits are listed as a separate category from cash and cash equivalents we can assume that some of the "fiduciary deposits" are not “cash and cash equivalents”. So less liquid.   

And likely to be redeemed for less than face value prior to maturity. That may reflect the penalty for early withdrawal on the deposit.  

But we don't know the amount that might be "cash equivalents".

You may derive “comfort” from seeing that these are “fiduciary” not “regular” deposits.

But all that means is that when placing the deposits, Tether acknowledged that it was acting on behalf of the owners of the deposits, presumably the owners of outstanding tether. 

However, these do not appear to be “trust” deposits, though we don’t know based on Tether’s incomplete disclosure.

Thus, the deposits are subject to the credit risk of the institution holding the deposits.  That is, they would be claims against the depository institution's estate in bankruptcy.

If they were trust assets, they would not.

And we don’t have any details on the depository institutions to get a sense of their credit risk. 

Are they IFIs in Puerto Rico, Oz Bank and Trust, Panama, or HSBC?

Some 4.96% in Treasury Bills and Reverse Repo Notes (same calculation as above).

We don’t know if all these qualify as cash equivalents, but since they are a relatively small amount, let’s ignore them.

Let’s also assume that all “fiduciary deposits” qualify as cash equivalents, though this is unlikely to be the case.

On that basis the CP (49.6%) and the other categories (secured loans, bonds, commodities, and other) equal almost 74% of total reserves.

The stability of Tether therefore rests on what are very likely to be less liquid assets. And some of them, e.g., CP and secured loans, may not be susceptible to early redemption.

Discounted sales of these instruments might be possible depending on the identity of the obligors/issuers. 

But a wise investor wouldn’t count on it.

Attestation Report

Moore Cayman, an accounting firm, issued an “attestation report” on Tether management’s “assertions” about the reserves (the CRR).

Two things to note about this report.

First, Tether has not issued a financial statement for Tether “stablecoins”. 

Rather what we have are their “assertions”.

Note that many fund managers do issue financial statements on their funds.

If you’re following my advice to “verify”, you may well wonder why Tether didn’t issue a financial statement or its equivalent.

Cost control? Or some other motive?

Second, an ISAE 3000 Revised Assurance Engagement is not an audit.

Here is an AICPA paper which asserts that the typical “assurance” engagement under ISAE 3000 (Revised) is less rigorous than that required under AICPA Standards. Though you’d expect “exceptional” folks to hold that they are “exceptional”.

It is less than an audit.

Given the problems with audits, that ought to send a chill up the spine of the sentient.

We don’t even have the imperfect work of an audit to hang our “investment hat” on.

Luckily for Tether, the sentient segment appears to be highly underrepresented in their “investor” base.

It is very important for investors to understand the nature of MC’s work and report, particularly in terms of the valuation of the “reserves” that “back up” outstanding Tether “coins”.

So what do we have from MC?

It is almost certainly less than a “review” of financial statements in both scope and rigour.

Why?

Because Tether hasn’t issued a financial statement. Rather it has made what MC describes as “assertions”. 

If you're like me, you might find the use of the term "assertions" to inspire less than confidence in their contents.

I didn’t see enough detail to find “comfort” in MC's report because I don’t know what standards and principles the “assertions” were based on and what work MC did as part of its engagement.

In describing its conclusion on the financial information in the CRR, MC states that it is “based on our investigation of the balances stated herein”.

That’s rather short on detail.

  • Did MC rely on Tether’s accounting records for the values?

  • Or on account statements from third parties holding the assets?

  • Did it send balance confirmations to which those third parties responded?

  • On the US$ 5.3 billion in secured loans, did it review documentation on the nature and value of collateral? Did it check Tether’s procedures for determining credit impairment and needed loan loss provisions?

I suspect that it did not go much beyond the first step – accounting records and internal controls. I also hope that I am wrong.

All that being said, in their report MC did express an “emphasis of matter”.

This is typical accountant-speak for relatively important matters that do not change the accountant’s opinion or in this case “attestation”, but are significant enough that the accountant feels the need to bring them to the attention of interested parties.

In my view the following is the key point from that section. Italics are mine.

Management’s accounting policy is to value assets and liabilities at historic cost plus any accrued interest and less any expected credit losses, or otherwise the redemption value where applicable. The realisable value of these assets and liabilities could be materially different if any key custodian or counterparty incurs credit losses or substantial illiquidity.

First the use of historic cost. One sells assets at market price if they are not held to maturity. 

Changes in interest rates can affect the value of financial instruments, which is why the "cash equivalent" definition has a 3 month maturity limit.

Second, credit and liquidity risk. Note the comment about “realisable value” being potentially "materially different" than that shown on the report.

MC is waving a red flag here.

In the next post I’ll offer some unsolicited advice on what should be done. 

الفاضي يعمل قاضي (“The idle man plays the judge”).

Tether: How Stable Are This Stablecoin’s “Reserves” ?

If You're Buying "Stable"coins, You Should Be
Reasonably Certain the Reserves are "Stable"

The 3 June FT Lex Column had a call-out box on Tether “Stablecoins/bitcoin: unTethered to reality”.

Citing information published by Tether, Lex noted that only 2.94% of the value of outstanding Tethers is backed by pure cash.

The remainder is “backed” by a variety of instruments:

  • commercial paper (49.6%),

  • short term deposits (18.36%),

  • Treasury Bills and reverse repo notes (4.96%),

  • secured loans (12.55%),

  • corporate bonds, funds, and precious metals (9.96%), and

  • other investments (1.64%), which include “digital tokens”

No real disclosure on the other items, except that “secured” loans weren’t to affiliates.

The lack of disclosure is troubling as will be discussed in the next post.

Lex dryly noted that not all of Tether’s reserves were held in risk free assets.

Indeed!

That directly impacts stability.

If the reserves are subject to volatility, then so is the value of the “stablecoin”.

So much for the “stable” in “stablecoin”.

But there’s a bit more here to think about.

This is quite a diverse set of assets.

  1. What is Tether’s overall investment objective and strategy? It sure doesn’t look like “preservation of capital”.

  2. How does this collection of assets achieve the objective and strategy?

  3. What are the required criteria for investments, e.g., asset class, industry, individual investor or counterparty characteristics (credit grade, etc), tenor, etc?

  4. Is Tether’s management capable of designing, executing, monitoring, and adjusting the strategy and portfolio as needed? They are by all accounts either certified tech geniuses or perhaps self-certified tech geniuses. But are they really financial geniuses as well?

  5. If not, is Tether using third parties? If so, how are these selected?

  6. Who are they? Goldman Sachs or Oz at Crypto Capital in Panama? What additional risk do these third parties pose in addition to obligor and counterparty risks?

  7. Given the “diversity” of assets in the reserves, it might also be worthwhile to ask if any of these were used to purchase Tether. That is, has a customer or have customers bought Tether with any of the “reserve” assets rather than with cash.

  8. If you’ve read paragraph 38 of the settlement agreement with the NYS AG, you’ll notice that in October 2018 Bitfinex “repaid” US$ 400 million in loans from Tether via the “redemption of 400 million tethers”. That is, via a non-cash transaction. It doesn’t seem likely that these were clients’ Tethers, assuming no sketchy dealing by Bitfinex. So were they Bitfinex’s own Tethers? And, if so, how did it obtain them?

In the next post we’ll look a bit more into other issues surrounding the valuation of the reserves.

Sunday 6 June 2021

Taking Responsibility A Key Step to Minimizing Ransomware Successes

If You Don't Answer Your Phone, 
Calls are not "Overdue", They're Ignored

Saturday's FT "Big Read", "The cyber threat to America's beef", discussed expert reaction to the ransomware attack on JBS.

I'm going to use quotes from that article to outline two acceptances of responsibility that are necessary, but not necessarily sufficient, to fix the problem.

Step 1: Corporate acceptance of responsibility (a) for its past failures and (b) to fix the problem.

The first quote.

Beyond the political posturing, analysts and cyber security experts say companies, government and other entities must treat the hack as an overdue wake-up call to not only develop adequate defences but also to develop a unified approach to dealing with the soaring number of attacks.

Sorry, this is neither “overdue” nor a “wake up call”.

Let’s call it precisely what it is.

It is a failure to heed numerous warnings given over more than several years.

Until corporate managements admit that fact and take responsibility to act responsibly, there will be no solution to the problem.

The CISA (Cybersecurity and Infrastructure Security Agency) was founded in November 2018 (roughly three years ago). They published an alert on a ransomware attack on a pipeline in February 2020 (let’s call that one year ago).

The National Protection and Programs Directorate (NPPD) was set up under the DHS’s umbrella in 2008 with the mission of protecting the USA’s critical physical and cyber infrastructure. (That would be thirteen years ago).

If you look at the CISA website here, you will find a list of resources, including alerts, tips, training and webinars.

Notice that the first “alert” dates from 2009. (That would be twelve years ago).

And then there is the FBI’s IC3 unit which has antecedents back to 2000. And has issued warnings on ransomware for many years. Here’s one example from 2019.

Or maybe this memo from the DOJ in 2015.

Overdue?

The only thing “overdue” is the response to the warnings.

CISA also offers a free checkup service (no “death panels” as far as I know) for governmental entities and private companies that operate critical infrastructure:

  1. Weekly vulnerability penetration scans

  2. Web application scanning

  3. Phishing campaign assessment

  4. Remote penetration testing

It would be interesting to know how many private sector firms operating critical infrastructure have availed themselves of this service. And if not, why not?

Beyond efforts by the USG to ring the tocsin of alarm, the media has reported on the risks of hacking and ransomware for some time.

NYT Feb 2020, NYT 2017.

Or Fox News 2018 (Port of San Diego), Fox News 2018 (City of Atlanta incident; note this was described as a wake-up call).

I’m not a computer or cyber security expert, but even I knew of the risks to national security from hacking before SolarWinds and JBS. Or reliance on foreign manufactured components in computers, telecommunication systems, etc.

That’s not to brag; any moderately sentient person who reads the news should be able to figure this out, even one like me who focuses primarily on matters financial.

Captains of industry might well be expected to have even greater sources of information as well as staff who might fill in any gaps in their attention spans.

Additionally there are the firms who make a living in this field who have weighed in on the risks. Here’s a link to one. They mention the first ransomware attack as taking place in 1989. (That would be thirty-two years ago).

Another quote from the FT article.

The alleged perpetrators of the JBS attack have long been known to cyber security experts. Since February alone, the Russia-linked REvil group has been connected to almost 100 targeted ransomware attacks, according to cyber security specialists ZeroFOX.

Step 2: Government acceptance of responsibility to impose rigorous standards on entities critical to national security and enforce penalties on them for failure.

The second quote.

"Once again the notion that ransomware is a national security threat is ringing true. We need a fundamentally different approach to security,” says Sanjay Aurora, Asia-Pacific managing director for UK AI company Darktrace.

Indeed a new approach is needed.

That fundamentally different approach to security would involve abandoning naive beliefs about market efficiency. The market hasn’t solved this problem and isn’t going to.

The simple reason?

Corporations don’t want to spend the money directly or indirectly (the time).

Governments need to impose comprehensive and rigorous security requirements with substantial monetary penalties for failures to implement them.

Legislation that was passed and regulations issued regarding Business Continuity or Disaster Plans can provide a precedent.

The cybersecurity laws should allow in extremis the replacement of management and the cancellation of licenses/permits to conduct critical infrastructure business.

Note the dual approach to achieve the goal by threatening the single most important priority of each of the two key parties:

  • management’s retention of its sinecures and

  • the value of shareholders’ investments.

That doesn’t mean if a company critical to national security were successfully hacked that it would necessarily be fined, its management removed, or the business turned over to another party.

What it should mean is that if a company hadn’t taken reasonable precautions, say to protect the operating system of its pipeline, then the hammer would come down in line with the severity of its failures.

Friday 4 June 2021

There May Sometimes Be Second Acts in American Lives, but in Germany There Are More Than 2

Act 1

 

Act 2


In Deutschland der Hof (meister)





The Absolute Wrong Way to Stop Ransomware and Hacking


 

Just when I thought the idiocy on this topic had reached its pinnacle, I was proven wrong yet again.

See today’s FT “White House implores businesses to strengthen ransomware defence”

The word “implores” particularly set me off.

Then I thought a bit more and remembered—or at least I think I do—how this sort of decisive approach has been successful in the past.

Here are just two examples:

  1. Following an appeal from the SEC a few years back, the incidence of financial fraud and market manipulation in the USA has dropped dramatically. As has insider trading.
  2. After both my wife and I implored the little ones who live with us to eat healthy for their own good, we’re no longer asked for cookies or ice cream. Both grandmothers have reskilled and are now bringing vegetables when they visit.

While there has been no reaction yet, I’m confident that my letter to President Biden and Senator McConnell is about to usher in an era of bipartisanship not seen since “peace guided the planets and love steered the stars”.

Naysayers out there might comment that business with few exceptions has been asleep at the switch so long now, that it’s almost certain that they don’t have a clue where the switch is. Or what it does. Or how to operate it.

Or that imploring the habitually somnolent and negligent to “take action”--particularly when the action involves spending money—has not proven to be particularly efficacious.

They’re wrong as demonstrated above.

Though I will admit that it seems strange to call the addressees on the memo business “leaders”.

One final note.

If you’ve been inspired by this blogpost and want to establish peace in the Middle East, on the Korean Peninsula, or in the Gulf, please feel free to direct your own memo imploring the parties to take action.

I won’t mind.

I had intended to do all those things myself.

But currently I am focused on learning Romulan to write the memo that will "fix” any dangers to our way of life from UFOs. I think we’re not far enough into the season that it would be the Borg.

Kumbaya!

Bonus Gratuitous Snark

Some further thoughts that occurred to me after I first posted the above.

Additional rather sad conclusions that have to be drawn from this episode.

First, the memo contains 5 recommendations for action that might charitably be described as the blindingly obvious.  Things equivalent to lock your doors, don't run with scissors.

Hardly the sort of advice that captains of industry should need to receive, for two reasons.

  • The advice given isn't rocket or computer science.  Just common sense steps. 
  • The warning should not be necessary, they should know this already.

If they missed either or both of these points, it's pretty clear that they need to step aside for those with the aptitude and attitude required to do the job.

The memo is a damning assessment of the calibre of our business tycoons. 

Though to be fair that assessment is supported by successful ransomware attacks on companies who did not lock their doors, etc. and the woeful lack of preparation at other firms as noted in my earlier post.

Second, but it's not just the captains of industry who are in for criticism.  

What does it say about the US Government? 

As my mentor used to say "you can tell you're in a third world country, when problems are addressed through rhetoric rather than concrete action".  

Sunday 30 May 2021

Lithuania: Supervisory Challenges on (Non Bank) PI & EMI Payment Activity in Centrolink

Hang On, Speedy

As highlighted in the previous post, following explosive growth, in 2020 non bank PI & EMI accounted for:
  • 86% of the number of transactions in Centrolink,

  • 69% of the total value of all transactions, and

  • 87% of Centrolink participants.

What are the specific risk characteristics of PI & EMI business that pose challenges for the authorities?

  1. Explosive growth in number and aggregate value of transactions

  2. Non bank entities predominate

  3. Centrolink transactions are now primarily “offshore” business in two senses:

    • In the majority of cases, both sides of the payment are “outside” Lithuania, e.g., the by-order party and the beneficiary

    • Up to 70% of PI & EMI clients are from offshore centers

  4. Customer vetting may be inadequate given “remote” CDD (customer due diligence)

  5. Centrolink is an attractive gateway to 36 countries in Europe.

  6. Risk issues thus transcend Lithuania’s borders.

I don’t need to say much about the issue of explosive growth.

The more trees in the forest, the harder to find Robin or any other hoods.

As regards non bank FI’s perceived greater risk, some general comments.

The failure of a large bank or group of banks poses a systemic risk to the financial system and economy.

In contrast the failure of a money exchange firm or a payments processor (think PI or EMI) is likely to have much less of an impact.

As a result, banks are more strictly regulated and more strictly monitored than other FIs.

Non-bank FI policies and procedures, internal control systems, etc. are often less rigorous and less rigorously implemented.

Part of this is due to less developed and onerous regulations on them. No need to have as elaborate structures as banks.

Economics and size also have an impact.

The fact that monitoring is often “lighter” can also play a role: no one is watching.

We can use the 2020 Lithuanian National Risk Assessment of Money Laundering and Terrorist Financing (NRA) to assess the risks outlined above.

Page numbers below refer to the NRA unless another document is cited.

Let’s start by looking at potential weaknesses in PI/EMI policies and procedures and implementation thereof.

Weakness in PI and EMI Licensees AML/CFT Risk Assessments and Monitoring

According to the NRA (page 38)

Due to the fact that many of the clients are non-resident or from offshore countries, the companies have difficulties to identify the clients in reliable and independent sources. The due diligence and transaction monitoring systems are less effective than the ones used in the banking sector, as most of the businesses are new and focus on increasing clients’ portfolio instead of AML/CFT regulatory compliance. Most institutions have not yet performed organization-wide risks assessments to identify the risks based on five factors (geographies, customers, products or services, delivery channels, other qualitative risks). Next to that, not all institutions perform the retrospective transaction monitoring.


Wide ranging deficiencies across a critical set of control areas.

“Suspiciously” Low Volumes of Suspicious Transaction Reports (STRs)

The data in the annual reports of the Ministry of Interior’s Financial Crime Investigation Service Money Laundering and Terrorist Financing Prevention Board (ML&TFPB) is more detailed and current than that in the NRA. So I’ll use that information.

Here is a link to the 2018 Annual Report. Here is the 2019 Annual Report.

And here is the 2020 Annual Report.

The tables below are based on data from these three reports.

If you know anything about STRs, you’ve probably heard that FI’s prepare these primarily for CYA purposes and generate excessive numbers that overwhelm the authorities’ ability to make use of them.

These statements are often correct.

So why am I focused on the number of STRs?

I’m not.

Rather I want to compare 

  • STRs from the PI & EMI sector to those from banks and
  • STRs of each sector as percentage of transactions processed by that sector.

When a particular segment of FI’s has a relatively low number of STRs or scores low on the above two metrics, it’s not unreasonable to assume that that segment’s transaction monitoring procedures are less than robust.

If a particular institution scores low on all three measures, that’s also a red flag in most cases.

These metrics are not conclusive. There may be very good reasons for differences.

At first blush the data seems to show definite progress. The PI & EMI sector is filing more reports. Fantastic growth! 2020 is more than 18x 2018.




Their percentage of total STRs is increasing smartly.




But as a percent of the number of transactions not so good.



As a percentage of transactions made, in 2020 banks submitted 3.5x the number of STRs that the PI & EMI institutions did!

As outlined above, the PI & EMI sector certainly appears to be conducting more risky business than the banks.

It’s, therefore, not unreasonable to expect that they would have a higher percentage than they do.

Their actual performance confirms the NRA’s assessment of weakness in the PI/EMI AML/CFT.

Let’s turn to a feature in regulations that poses a risk.

Remote KYC/CDD Allowed for PI and EMI Licensees (page 38)

PI and EMI licensees are allowed to conduct “remote” know your customer/customer due diligence.

That is, the client need not be present in Lithuania. Approval is by review of documents submitted.

This is an even greater KYC issue because PI and EMI entities’ clients are primarily non residents.

And up to 70% of them are from offshore centers. (page 38).

That is a rather large red flag.

Adding to the risk is the fact that 97% of the value of all EMI and PI transactions in 2019 was conducted for legal entities not natural persons. (page 6 of the 2019 PI and EMI Activity Review).

Positively identifying the UBOs of private companies is a difficult endeavour, even more so for those formed in offshore jurisdictions.

In contrast, Lithuanian banks have been de-risking their exposure to foreign clients by reducing foreign client relationships and deposits.

As of 2020, Lithuanian banks had the lowest percentage of foreign corporate and natural person customers’ deposits in the Baltic region at 2.5% compared to Latvia (20.3%) and Estonia (7.3%). (Page 7 and 8).

Risks Associated with SEPA

Based on the average amount of 2020 Centrolink transactions (banks Euros 3,841 and the PI & EMI institutions Euros 1,423) and the ACH/BACS-like nature of Centrolink, you might well wonder if there is a real risk of significant illicit transactions.

To the first point, these are arithmetic averages. There could quite well be some fairly large value transactions among the 95.2 million total transactions processed in 2020.

To the second, while Centrolink processes Direct Debits and Direct Credits—that are likely to be small “ticket” items—it also processes payments similar to typical bank transfers.

There are two types of these transfers:

  1. A SEPA Instant Credit Transfer subject to a SEPA system limit of Euros 100,000 for each separate transaction. With promised completion (delivery to the beneficiary’s bank) 10 seconds after release! Note this timing doesn’t apply in all 36 of SEPA countries.

  2. A SEPA Credit Transfer subject to a SEPA system limit of Euros 999,999,999.99. These transactions are completed at the earliest next business day after receipt.

Each bank sets its own SICT and SCT limit for each customer both for individual as well as aggregate transactions. That would include Centrolink DP’s for IDP’s they accepted as clients.

SCT limits of Euros 1 billion are likely to be rare indeed. And not just in Lithuania.

SICT and SCT “straight” payments and likely transaction limits make it possible to move significant amounts through Centrolink into the SEPA.

Monitoring systems to detect suspicious transactions would therefore be in competition with the creativity of illicit actors to disguise them. 

The offshore nature of Lithuania payment activity makes this a harder “race”.