A GRC Analysis of FTX Implosion
I try to avoid writing about the cryptocurrency business because it’s such an isolated field, led by oddballs and filled with esoteric operations not really relevant to compliance professionals here in the non-crypto world. The bankruptcy of crypto exchange FTX, however, is an exception — a story that’s flat-out crazy, with compliance lessons galore.
For those who haven’t been following along, the abridged version is this. FTX was a high-flying crypto exchange, led by founder and supposed wunderkind Sam Bankman-Fried. As recently as the start of this year, FTX had a valuation of $32 billion and raced to build itself into a mainstream trading platform for retail investors. (Remember that weird Super Bowl commercial with Larry David? That was FTX.)
Over the summer, however, several investments that Bankman-Fried had made in other crypto firms went sideways. So did investments made by Alameda Research, a sister firm Bankman-Fried had co-founded that dabbled in high-risk cryptocurrency trading. FTX transferred some $10 billion in assets, including customer deposits, into Alameda to keep it afloat.
By this fall, FTX was trying to raise fresh capital; investors weren’t interested. The downfall arrived last week, when rival cryptocurrency firm Binance dumped its holdings of an FTX cryptocurrency. That led to a run on FTX by other customers, panicky to withdraw their holdings before FTX stumbled into bankruptcy — which it did, on Friday. Bankman-Fried resigned and dashed off to the Bahamas, where FTX nominally had its headquarters.
Now, as everyone sifts through the details of FTX’s bankruptcy filing and employees tell their tales, come the allegations of fraud and mismanagement. At least $1 billion of those customer assets transferred into Alameda are now missing. A hacker may have penetrated FTX’s defenses Friday night and absconded with $473 million. Other reports put the stolen funds at $515 million.
What observations can the rest of us make here about poor compliance, governance, risk management? Pull up a chair.
Allegations of Weak Internal Control
Among the many examinations of what went wrong at FTX is a superb in-depth article from Reuters published on Friday. That article describes a meeting Bankman-Fried held with senior FTX executives on Nov. 6, where he shared a spreadsheet showing that of the $10 billion in FTX customer assets previously moved into Alameda, $1 billion to $2 billion of that sum “were no longer accounted for among Alameda’s assets.”
What stopped me short, however, were the next several paragraphs:
I shared those paragraphs with several auditor friends, who hit the roof. If true, such allegations are an astonishing lapse of internal control. Specifically, they are a lapse of IT general controls: the controls that are supposed to govern how employees can manipulate corporate IT applications. In companies of any appreciable size, senior management should never have administrative access to re-write the company’s ITGCs.
We’ve talked about the importance of IT general controls many times before on this blog. The COSO framework for effective internal control addresses them in Principle 11, saying, “The organization selects and develops general control activities over technology to support the achievement of objectives.”
IT general controls play — or at least, they’re supposed to play — a vital role in the crypto world because technology itself plays such a vital role in the crypto world. Crypto is a whole financial system that exists as nothing more than a collection of code. Contrast that to the traditional banking world, which still uses hard cash, physical branches, and even paper records every day.
So of course crypto firms need strong IT general controls. Those are the instruments that prevent the technology from being bent toward nefarious purposes. That’s true in all modern corporate organizations, of course; but it’s especially true in crypto. FTX and its missing billions are the case in point.
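The principle in the paragraphs above, that no executive should be able to rewrite a control on their own, is easy to state and easy to test for. The block below is an added example, not code from the original post and not a description of FTX’s systems. It assumes a hypothetical role directory, a hypothetical list of configuration items treated as IT general controls, and a constructed JSON audit-log format; all three are invented for illustration. It does two things: it enforces separation of duties on a change request (no executive requesters, a change ticket, two distinct control-admin approvers, no self-approval), and it scans audit records for control modifications that bypassed that process.

```python
"""Separation-of-duties check for changes to IT general controls (ITGCs).

Added example with constructed data; it does not model any real company's
systems. The roles, control names and log format are all assumptions.
"""
import json
from dataclasses import dataclass, field

# Hypothetical role directory (constructed for this example).
ROLES = {
    "ceo": {"executive"},
    "cfo": {"executive"},
    "alice": {"control_admin"},
    "bob": {"control_admin"},
    "carol": {"developer"},
}

# Hypothetical configuration items treated as ITGCs (constructed names).
ITGC_TARGETS = {
    "ledger.transfer_limit",
    "ledger.withdrawal_dual_approval",
    "audit.log_retention",
}


@dataclass
class ChangeRequest:
    change_id: str
    target: str
    requester: str
    approvers: list = field(default_factory=list)
    ticket_id: str = ""


def evaluate_change(req, roles=ROLES):
    """Return the policy violations for a change request; empty means it may proceed."""
    violations = []
    if req.target not in ITGC_TARGETS:
        return violations  # not a control: the ordinary change process applies
    if "executive" in roles.get(req.requester, set()):
        violations.append("executives may not request changes to controls")
    if not req.ticket_id:
        violations.append("control changes require a change ticket")
    approvers = set(req.approvers)
    if req.requester in approvers:
        violations.append("requester cannot approve their own change")
    approvers.discard(req.requester)
    qualified = {a for a in approvers if "control_admin" in roles.get(a, set())}
    if len(qualified) < 2:
        violations.append("two distinct control_admin approvers are required")
    return violations


def approved_change_ids(requests, roles=ROLES):
    """Change ids that passed the separation-of-duties policy."""
    return {r.change_id for r in requests if not evaluate_change(r, roles)}


def scan_audit_log(lines, approved, roles=ROLES):
    """Flag control writes made by an executive or without an approved change request.

    Each line is a JSON record with ts, actor, action, target and change_id
    (an assumed format). Returns (ts, actor, target, reasons) tuples.
    """
    findings = []
    for raw in lines:
        rec = json.loads(raw)
        if rec.get("action") != "config.write" or rec.get("target") not in ITGC_TARGETS:
            continue
        actor = rec.get("actor", "")
        reasons = []
        if "executive" in roles.get(actor, set()):
            reasons.append("executive actor")
        if rec.get("change_id") not in approved:
            reasons.append("no approved change request")
        if reasons:
            findings.append((rec["ts"], actor, rec["target"], reasons))
    return findings


# Constructed sample input: one compliant request and one that breaks every rule.
SAMPLE_REQUESTS = [
    ChangeRequest("CHG-100", "ledger.transfer_limit", "carol", ["alice", "bob"], "TKT-1"),
    ChangeRequest("CHG-101", "ledger.withdrawal_dual_approval", "ceo", ["ceo"], ""),
]

# Constructed sample audit records (timestamps and ids are made up).
SAMPLE_AUDIT_LOG = [
    '{"ts": "2022-01-01T20:01:02Z", "actor": "carol", "action": "config.write", '
    '"target": "ledger.transfer_limit", "change_id": "CHG-100"}',
    '{"ts": "2022-01-01T20:05:44Z", "actor": "ceo", "action": "config.write", '
    '"target": "ledger.withdrawal_dual_approval", "change_id": "CHG-101"}',
    '{"ts": "2022-01-01T20:06:10Z", "actor": "bob", "action": "config.read", '
    '"target": "audit.log_retention", "change_id": null}',
]

if __name__ == "__main__":
    approved = approved_change_ids(SAMPLE_REQUESTS)
    for req in SAMPLE_REQUESTS:
        print(req.change_id, evaluate_change(req) or "OK")
    for finding in scan_audit_log(SAMPLE_AUDIT_LOG, approved):
        print("ALERT", finding)
```

The point of the second function is that the preventive control (the approval policy) and the detective control (the log scan) check the same facts from two directions: a write that the policy engine would have refused should never appear in the audit trail, and if it does, someone had an administrative path around the control, which is exactly the condition the Reuters reporting describes.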
One obvious question, then: What happened to those IT general controls? Which auditor didn’t catch that the controls were weak?
According to the Financial Times, two audit firms that have done work for FTX are Armanino and Prager Metis. We do know that FTX says it underwent a financial audit; Bankman-Fried said so on Twitter in 2021. But those audit opinions were never made public, and we don’t know for sure that either Armanino or Prager were the auditors involved.
We also don’t know whether the audit (whoever did it, and assuming it happened at all) simply looked at the financial disclosures, or included a deeper audit of internal controls over financial reporting. FTX isn’t a publicly traded company, so it doesn’t need a fully integrated audit of ICFR as required by the Sarbanes-Oxley Act.
A modern business can’t prosper without robust, durable technology. But that means IT general controls need just as much attention, to assure that the technology doesn’t contain cracks that could drive the business into the ditch. So far, that’s exactly where FTX ended up.
Failures of Risk and Governance
Poor internal controls aren’t the only issue lurking in FTX’s downfall. The Reuters exposé also details a failure of due diligence that speaks volumes about how FTX raced through its hyper-growth phase in 2020 and 2021, before crashing to the ground this year.
Go back to Binance — yes, that Binance, the one that dumped its FTX holdings last week and drove a stake through FTX’s financial heart. In the late 2010s, Binance and FTX shared coworking space in Hong Kong and the two groups became friendly. In 2019 Binance founder Changpeng Zhao bought a 20 percent stake in FTX for $100 million.
Except that Zhao is a somewhat mysterious figure: born in China and raised in Canada, he launched Binance in China before relocating the business to Singapore ahead of a government crackdown on crypto. The company itself is under suspicion from regulators around the world. Any self-respecting compliance officer would look at Zhao’s file and say, “Every bit of due diligence we can find on this one.”
FTX, however, took a rather different approach. In 2021 the company was applying for an operating license in Gibraltar, and needed to include information about its major shareholders — including Zhao, still owning that 20 percent stake. Zhao, however, stonewalled FTX lawyers for several months. Finally Bankman-Fried bought out Zhao’s stake for $2 billion, which then cleared the path for Gibraltar regulators to issue the needed license.
A wiser approach would have been to perform better due diligence on Zhao much earlier, so Bankman-Fried would know better than to get involved with such a high-risk third party in the first place. (In 2019, with the crypto market flying high, FTX certainly could have found $100 million from other, more reliable sources.)
A more mature CEO, or a company with a stronger, wiser board to act as a check against said CEO, would have known to do all that. They would have known to govern themselves, their business partners, and their technology more effectively. Instead, the world had just another bunch of misfits day-tripping through their libertarian fantasies of a regulation-free world. I suspect they won’t be the last we see as the crypto world meets its reckoning with reality.
One final, ironic point: when Bankman-Fried bought out Zhao for $2 billion, he paid much of that amount in FTX’s own cryptocurrency. That was the currency Zhao dumped last week, launching the crisis that killed FTX and sent Bankman-Fried into seclusion.
Bahamas law enforcement opened a criminal probe into FTX over the weekend.