The European Securities and Markets Authority does not believe that distributed ledger technology poses a risk to regulatory objectives and is aiming to publish a paper on DLT this month.

Patrick Armstrong, senior risk analysis officer, innovation and products team at Esma, said in a speech at the Stock Exchange and Securities Conference at Oslo Børs that distributed ledger technology does not pose a risk to the three regulatory objectives of stability, protection and integrity.

Armstrong said Esma began examining distributed ledger technology in early 2013 when bitcoin became a widely known alternative payment service. By 2015, the regulator had set up a DLT Task Force made up of national regulators, and representatives of the European Commission and the European Central Bank.

In June last year, Esma published a discussion paper to collect feedback from the market on the potential uses, benefits and risks of DLT applied to securities markets, with a particular focus on post-trade activities.

“We are using the feedback to develop a position on the use of the technology in securities markets and assess whether a regulatory response to the DLT may be needed,” added Armstrong. “I expect our paper to be published later this month following the approval of our board of supervisors.”

Armstrong added that the initial findings from Esma’s analysis are that DLT could bring a number of benefits to securities markets, including but not exclusively to post-trade processes, if a number of challenges are addressed.

He said: “Importantly, despite a number of interesting proofs of concept, DLT is still at an early stage and we remain unclear as to its capacity to overcome all of these challenges.”

In securities settlements, differences in timing between the delivery of securities and the delivery of funds introduce settlement risks between counterparties and/or their intermediaries, which become even more critical when the delivery of securities and the source of funding take place on two different platforms.

“We anticipate that the early applications of DLT will focus on optimising existing processes under the current market structure,” he added. “Respondents to our discussion confirmed this belief arguing that they expect DLT to start small in low volumes, niche, relatively ‘simple’ and mostly unregulated markets, which is consistent with the early projects that we are seeing.”

For example, four international central securities depositories are building a blockchain prototype for cross-border mobilization of collateral, which should be ready for regulatory scrutiny in the second quarter of this year. Deutsche Börse said in a statement this month that four international central securities depositories in the Liquidity Alliance are developing LA Ledger in cooperation with the German exchange operator.

Last year SIX Securities Services, the post-trade infrastructure operator for the Swiss financial sector, and fintech provider Digital Asset Holdings announced plans to develop a proof of concept of distributed ledger technology with an initial prototype for securities lifecycle processing.

Digital Asset Holdings and DTCC, the US post-trade market infrastructure, are also developing and testing a distributed ledger solution to manage the clearing and settlement of US treasury, agency, and agency mortgage-backed repos. In addition, exchange operator ASX is using Digital Asset Holdings to develop technology for clearing and settling Australian cash equities.

Armstrong said Esma has not identified major impediments in the current EU regulatory framework that would prevent the emergence of DLT. However, the legal certainty attached to DLT records or settlement finality may require clarification, in addition to broader legal issues such as contract law, insolvency law or competition law.

The European Union Agency for Network and Information Security warned in a report that financial services firms adopting blockchain need to make sure they address the security challenges from distributed ledger technology.

Enisa said that in decentralized, permissionless networks, where consensus is formed through majority, an attacker could take control of a large enough portion of participating clients to tamper with the validation of transactions, as has happened with Bitcoin, and re-use an asset which has already been spent.

The report said: “In a regulated, permissioned network, where consensus might be implemented under the regulator’s direction, any exploitation of the regulator’s capabilities would be even more and immediately severe.”

Enisa said the challenges created by the above could be mitigated by implementing a fixed-time notice period prior to regulator-issued major protocol updates being made effective. However, malicious activity would still be possible until the intrusion is detected.

Distributed Denial of Service attacks were also raised as a concern, as rogue wallets could push large numbers of spam transactions to the network. In a permissioned ledger, it would be possible for nodes to agree to ignore or even block the issuer of such spam transactions. “However, if an attacker is able to control a large number of clients, they might be able to severely disrupt the network by pushing large volumes of irrelevant transactions,” added Enisa.

The agency also raised the issue of scalability, as the volume of data that must be stored for a specific distributed ledger may grow to be unmanageable for individual end-users. For example, the Bitcoin blockchain has exceeded 90Gb and the Ethereum blockchain exceeds 10Gb.

“In terms of keeping a full copy of the database, this doesn’t look like a big number, but its growth is exponential and has grown for four years around 450%,” added Enisa. “The speed at which a given transaction is processed, in some implementations of the ledger, may not be sufficient or acceptable.”

Due to the high transaction volumes, financial institutions may struggle to maintain an ever-growing chain. In addition, smart contracts are prone to any faults associated with code.

Enisa said: “A review by Peter Vessenes found that large numbers of template contracts available on the web for the Ethereum scripting system contained significant vulnerabilities to their operation.”

In June last year an attack on the Ethereum network led to more than $59m being stolen by an unknown source.