BIS Crypto Report: Cryptocurrency Risks and DeFi Rules

BIS Crypto Report: Cryptocurrency Risks and Financial Stability Lessons

The Bank for International Settlements has published a landmark paper examining how cryptocurrencies and decentralised finance replicate — and often distort — the core functions of traditional financial systems. Released as BIS Papers No. 156 in April 2025, the report by Aquilina, Cornelli, Frost and Gambacorta offers the most comprehensive institutional analysis to date of cryptocurrency risks and their implications for global financial stability.

At its core, the BIS crypto report maps DeFi activities against six fundamental financial functions: payments, resource pooling, intertemporal value transfer, risk management, price discovery, and incentive alignment. The conclusion is sobering — while blockchain technology has delivered genuine innovation in settlement mechanics and programmable contracts, the crypto ecosystem remains largely self-referential and disconnected from serving the real economy at scale.

This matters because the growing interconnections between decentralised finance and traditional banking create new transmission channels for systemic risk. As Basel Committee capital standards now acknowledge, banks must actively identify and manage crypto-linked exposures before the next market stress event. Understanding how digital transformation reshapes financial services is essential context for grasping why the BIS report arrives at precisely this moment.

DeFi Regulation: Why Smart Contracts Demand New Oversight

The BIS crypto report makes a powerful case that decentralised finance introduces regulatory challenges fundamentally different from those in traditional markets. Smart contracts — self-executing code deployed on blockchains — automate lending, trading and insurance functions without the intermediaries that regulators traditionally supervise. This creates what the report calls a “governance vacuum” where neither developers, protocol operators, nor DAO token holders bear clear legal responsibility for failures.

The paper identifies several DeFi-specific market failures that existing regulatory frameworks struggle to address. Developer anonymity and pseudonymous governance reduce the reputational constraints that discipline traditional financial actors. Oracle dependencies — the reliance on external data feeds to trigger smart contract execution — introduce manipulation vectors that have no direct parallel in conventional markets. And the composability that DeFi enthusiasts celebrate as “money legos” creates fragility chains where a single protocol failure can cascade across dozens of interconnected applications.

To address these gaps, the BIS recommends treating protocol operation as a regulated financial activity. This means applying know-your-customer requirements to crypto on-ramps and off-ramps, mandating standardized disclosures for protocol risks and reserve compositions, and — most innovatively — embedding enforceable regulatory rules directly within smart contract code. Rather than relying solely on ex-post enforcement, this approach builds compliance into the infrastructure itself.

The implications extend beyond crypto-native platforms. As global regulatory frameworks evolve for emerging technologies, the BIS approach to DeFi regulation offers a template for balancing innovation with systemic protection — one that financial institutions and policymakers worldwide are already studying.

BIS Crypto Report Findings on Stablecoins and CBDCs

Perhaps the most consequential section of the BIS crypto report examines the dual trajectories of stablecoins and CBDCs. Fiat-backed stablecoins now account for over 90 percent of total stablecoin market capitalisation, functioning as the primary bridge between fiat currency and the crypto ecosystem. Their stability, however, is far less assured than their name suggests.

The report documents how stablecoins are affected by both crypto-specific shocks and mainstream monetary policy changes. When the US Federal Reserve adjusts interest rates, stablecoin flows respond — sometimes with outflows that test redemption mechanisms. The catastrophic collapse of algorithmic stablecoin TerraUSD in May 2022 demonstrated that poorly designed stability mechanisms can unravel within days, destroying billions in value and triggering contagion across the broader crypto market.

On the CBDC front, the BIS notes that three retail CBDCs are now live (in the Bahamas, Nigeria and Jamaica), with approximately 25 jurisdictions running retail CBDC pilots and a similar number testing wholesale tokenised-reserve systems. These central bank projects represent an institutional response to the payments innovation that stablecoins provide — but with the backing of sovereign monetary authority and proper regulatory frameworks.

The policy tension is clear: stablecoins offer convenience and speed but lack the systemic safeguards that CBDCs can provide. The BIS argues that large stablecoins should be regulated as deposit-like instruments, with mandatory reserve quality standards, regular independent audits, transparent disclosure of holdings, and guaranteed redemption rights. Without these protections, the next stablecoin crisis could transmit directly into the banking system through growing institutional exposure channels.

Decentralised Finance vs Traditional Finance: Functions and Frictions

The BIS report systematically compares how DeFi and traditional finance perform each of the six core financial functions, revealing both where crypto innovation adds value and where it creates new vulnerabilities. In payments, for instance, blockchain settlement offers programmability and near-instant finality — but at the cost of volatile transaction fees, limited throughput, and the absence of consumer protections like chargebacks.

For resource pooling and lending, DeFi platforms like Aave and Compound have created efficient automated markets. Yet these rely overwhelmingly on over-collateralisation with volatile crypto assets. When prices fall sharply, forced liquidations trigger procyclical selling cascades — a pecuniary externality the report highlights as structurally more severe than in traditional margin lending because there is no central counterparty to absorb shocks.

Risk management in DeFi remains nascent. While decentralised insurance protocols exist, they cover only a fraction of ecosystem risks. The absence of credible backstops — no lender of last resort, no deposit insurance, no prudential supervision — means that systemic shocks in DeFi must be absorbed entirely by market participants. This asymmetry between innovation in revenue-generating activities and the underdevelopment of risk infrastructure is, the BIS argues, a defining vulnerability of the current crypto landscape.

Price discovery in DeFi has shown mixed results. Decentralised exchanges have grown significantly, but price formation still depends heavily on centralised exchange order books. The report cites evidence that DEX liquidity provision strategies have structural limitations compared to professional market-making in traditional venues, leading to wider spreads and less efficient price signals for less liquid tokens.

Stablecoin Risks and Policy: Transparency, Reserves and Run Dynamics

The BIS dedicates substantial analysis to stablecoin run dynamics, drawing parallels with traditional bank runs while highlighting crypto-specific amplification mechanisms. In a bank run, deposit insurance and central bank lending facilities provide backstops. In a stablecoin run, no such safety nets exist — and the speed of blockchain transactions means that redemption pressure can build from concern to crisis within hours rather than days.

The report identifies three categories of stablecoin risk. Fiat-backed stablecoins face reserve quality and liquidity risks — if reserves are invested in illiquid or risky assets, mass redemptions can trigger fire sales. Crypto-collateralised stablecoins face the additional vulnerability of collateral price volatility, creating reflexive feedback loops where falling crypto prices force liquidations that drive further price declines. Algorithmic stablecoins, which attempt to maintain their peg through supply adjustments without external collateral, have demonstrated the highest fragility — the TerraUSD collapse being the most prominent example.

The BIS policy prescription is comprehensive. For systemically important stablecoins, the report recommends reserve composition requirements limiting holdings to high-quality liquid assets, mandatory independent attestations published at regular intervals, transparent disclosure of redemption mechanisms and fees, regulatory authorization for issuers similar to bank licensing, and enforceable redemption guarantees. For algorithmic stablecoins, the report suggests particularly strict requirements or outright prohibition where failure could be systemic.

Cryptoisation Threatens Emerging Economies: Monetary Policy at Risk

One of the most geopolitically significant findings in the BIS crypto report concerns cryptoisation — the widespread adoption of cryptocurrencies or foreign-denominated stablecoins in place of domestic currency. While crypto adoption is a global phenomenon, the report finds its macroeconomic consequences are most severe in emerging market and developing economies (EMDEs) where institutional trust and financial infrastructure may be weaker.

Data from Chainalysis cited in the report shows India, Nigeria and Indonesia among the countries with the highest cryptocurrency adoption rates. In these economies, widespread crypto usage can undermine the central bank’s ability to transmit monetary policy through traditional channels. If a significant portion of savings and transactions occurs in Bitcoin or USD-denominated stablecoins, domestic interest rate adjustments lose their effectiveness in influencing spending and investment decisions.

The foreign exchange implications are equally concerning. Cryptoisation creates FX mismatch risks when households and businesses hold crypto assets but have obligations denominated in local currency. This exposure is compounded by crypto market volatility, which can create sudden wealth effects unrelated to domestic economic conditions. The BIS recommends that EMDE authorities consider capital flow management measures, pursue CBDC development to offer safe digital payment alternatives, and apply transaction restrictions where crypto substitution threatens monetary sovereignty.

Smart Contract Failures and Oracle Manipulation in DeFi

The operational risk profile of decentralised finance receives detailed treatment in the BIS report, with particular focus on two vectors: smart contract vulnerabilities and oracle manipulation. Smart contracts, once deployed to a blockchain, typically cannot be modified — meaning bugs or logical errors become permanent attack surfaces. The history of DeFi is littered with exploits where hackers identified and exploited code flaws to drain protocol funds, sometimes within minutes of discovering the vulnerability.

Oracle risk presents an equally fundamental challenge. Smart contracts execute based on external data — asset prices, interest rates, event outcomes — provided by oracle services. If an oracle can be manipulated or simply fails to deliver accurate data, smart contracts will execute incorrectly but irrevocably. The report notes that oracle manipulation has been used in numerous DeFi exploits, where attackers temporarily distort reported prices to trigger favourable contract executions before the data corrects.

The BIS recommends strengthening oracle security standards, establishing contingency mechanisms for oracle failure, and requiring protocols to implement circuit breakers that pause execution when data feeds show anomalous patterns. Combined with NIST cybersecurity framework best practices, these measures could significantly reduce the operational risk surface of DeFi applications.

Beyond individual protocol failures, the report emphasizes that composability — the interconnection of multiple protocols in a single transaction chain — transforms isolated vulnerabilities into systemic risks. A flash loan exploit on one protocol can simultaneously affect lending platforms, exchanges, and yield aggregators that depend on the same liquidity pools or price feeds, creating contagion pathways that are difficult to predict or contain.

Contain vs Regulate: The BIS Crypto Report Policy Framework

The BIS report’s policy framework rests on two complementary pillars: containment and regulation. Containment aims to protect the traditional financial system from crypto-originated shocks by requiring banks and supervised institutions to identify, measure and limit their crypto exposures. Regulation aims to address market failures within the crypto ecosystem itself through disclosure requirements, operational standards, and activity-based supervision.

On containment, the report endorses the Basel Committee’s prudential standards for crypto exposures, which require banks to hold capital against crypto holdings based on their risk characteristics. Banks must also plan for contingent liquidity needs arising from crypto-linked business lines and demonstrate the ability to withstand sudden market dislocations in stress testing scenarios.

On regulation, the BIS advocates a functional approach — regulating activities rather than entities. Whether a lending function is performed by a bank or a DeFi protocol, it should be subject to equivalent risk management standards. This “same activity, same risk, same regulation” principle addresses the arbitrage opportunity that currently allows crypto platforms to perform banking-like functions without banking-like oversight. Understanding how institutional risk management frameworks operate provides valuable context for this regulatory philosophy.

Critically, the BIS rejects blanket bans as both impractical and counterproductive. Banning crypto in one jurisdiction simply pushes activity to less regulated venues while forfeiting the ability to shape the ecosystem’s development. Instead, international coordination through bodies like the Financial Stability Board and Basel Committee offers the best path to prevent regulatory arbitrage while allowing beneficial innovation to continue.

CBDCs, Tokenisation and the Future of Decentralised Finance

The final analytical section of the BIS report examines how central bank digital currencies and real-world asset tokenisation will reshape the relationship between DeFi and traditional finance. With over 25 jurisdictions now piloting retail CBDCs and a comparable number testing wholesale tokenised-reserve systems, the institutional infrastructure for digital money is being built at unprecedented speed.

The report examines several CBDC design choices with financial stability implications. Intermediated models, where commercial banks distribute and manage CBDC accounts, preserve the existing banking structure while adding digital functionality. Direct models, where the central bank operates accounts directly, offer greater financial inclusion but risk disintermediating banks. Hybrid approaches attempt to balance these trade-offs. The choice between account-based and token-based CBDCs, and between distributed ledger and centralised infrastructure, carries additional implications for privacy, resilience, and cross-border interoperability.

Asset tokenisation — the representation of traditional financial assets like bonds, equities and real estate on blockchain infrastructure — represents perhaps the most significant bridge between DeFi and TradFi. As tokenised assets grow, DeFi protocols will increasingly hold and trade claims on real-world economic value, deepening the channels through which crypto market disruptions could affect the broader economy. The BIS urges regulators to ensure that market infrastructures handling tokenised assets are robustly supervised and that settlement systems maintain integrity across both on-chain and off-chain components.

What Banks Must Do: Prudential Approaches to Cryptocurrency Risks

The BIS report concludes with actionable guidance for banking institutions navigating the crypto landscape. The message is clear: passive monitoring is no longer sufficient. Banks must build institutional capacity to understand, measure and manage cryptocurrency risks across their operations — from direct trading desk exposures to indirect risks arising from client activities and counterparty relationships.

Specific recommendations include implementing comprehensive crypto exposure identification across all business lines, developing stress testing scenarios that account for crypto market correlations and contagion channels, ensuring capital and liquidity buffers adequately reflect the volatility and liquidity characteristics of crypto assets, building operational resilience against smart contract dependencies and blockchain settlement risks, and training compliance teams on the unique AML and sanctions challenges posed by pseudonymous blockchain transactions.

For Financial Stability Board members and national supervisors, the report recommends allocating dedicated supervisory resources to crypto oversight, developing legal frameworks that can accommodate decentralised governance structures, participating in international standard-setting to prevent regulatory fragmentation, and monitoring crypto adoption patterns for early warning signals of systemic risk accumulation.

The overarching lesson from the BIS crypto report is that cryptocurrency risks cannot be wished away through inaction or eliminated through prohibition. They must be managed through intelligent, coordinated regulation that protects financial stability while preserving the space for genuine technological innovation. As the boundaries between DeFi and traditional finance continue to blur, the institutions that invest now in understanding and managing these risks will be best positioned for the digital financial future.