Banks and Financial Market Infrastructures (FMIs) have approached blockchain technology with both excitement and caution in recent years. They have been discouraged by regulators from engaging with permissionless blockchains. Many financial institutions have spent large amounts of time and money developing digital asset capabilities on highly permissioned and proprietary alternatives. Not without irony, they have then wondered why these solutions have failed to scale and failed to keep up with rapid innovations elsewhere in the ecosystem.
Blackrock’s decision last year to issue its BUIDL money market fund on Ethereum, a leading permissionless blockchain, materially shifted market dynamics. Following JP Morgan’s recent announcement that they will deploy JPMD on Base, another permissionless blockchain, regulators will be scrambling to fix their outdated frameworks on the risks and benefits of blockchains in the financial system.
Having written a white paper on the role of permissioned and permissionless blockchains in the financial system of the future, Fireblocks was invited to host and take part in discussions on the subject at the Point Zero Forum in May this year. Here are some of our key takeaways.
The Regulatory Mismatch
Banks that wish to engage with permissionless blockchains face a complex web of requirements, many of which were written without a nuanced consideration of distributed infrastructure. Essentially, the regulatory frameworks that impact the use of permissionless blockchains are:
- privacy laws, like GDPR;
- capital requirements, like Basel III;
- operational resilience rules, like DORA; and
- anti-money laundering frameworks, like the FATF standard.
The Challenge with Basel III
Last year, the Basel Committee on Banking Supervision published its revised standard for the prudential treatment of cryptoasset exposures on banks’ balance sheets. While the standard does not explicitly penalize the use of blockchains, it places an emphasis on banks knowing and evaluating all of the node operators on a network. In effect, it means that any tokenized asset (e.g. a security, or even a stablecoin) on a decentralized or permissionless blockchain can be subject to a “technology risk add-on”, giving it the maximum possible risk weight of 1250% and making it maximally expensive for a bank to keep on its balance sheet. It also caps a bank’s total exposure to such assets at just 2% of tier 1 capital.
That makes holding shares of S&P 500 firms on a decentralized blockchain about 12 times more expensive than holding the same asset in a non-tokenized form, surely an unintended consequence of a regulation that is supposed to maintain tech neutrality! Perversely, it also makes it around 15 times more expensive than offering a loan to the crypto startup that issued the token (an unrated SME loan carries a risk weight of c. 85%).
What GDPR Misses About Blockchain
Privacy regulations such as GDPR introduce their own constraints. Because blockchain addresses could be treated as personal data, the immutability of decentralized ledgers creates tension with legal rights like erasure and data minimization. The European Data Governance Board recently opined that if all GDPR rights are to be protected on permissionless blockchains, someone—potentially a node operator—would need to assume the role of data controller. In this view, exercising the right to deletion could require the ability to erase entire blockchains, given the immutability of the data—a fundamental misalignment with how the technology works.
Clarifying DORA’s Expectations
Operational frameworks such as DORA provide no clear guidance on how institutions can meet resilience and continuity requirements when using decentralized networks. In its latest consultation, to which we and many industry peers contributed, the EU flagged the lack of a clear mapping from DORA requirements to permissionless blockchain use.
These regulatory barriers to blockchain in finance are discouraging banks from adopting infrastructure already embraced by other sectors of the financial system.
How Banks Can Benefit from Permissionless Blockchains
JPMorgan’s recently announced plans to launch JPMD, a deposit token, on the public permissionless blockchain Base illustrate the shift in thinking following the US administration’s pivot towards digital assets. They demonstrate how regulated financial institutions can reap benefits from permissionless blockchains while applying institution-level governance, in this case by issuing JPMD as a highly permissioned token.
More broadly, decentralized and permissionless blockchains offer a range of benefits that make them attractive for financial innovation:
- Trust through Decentralization: By distributing control across a global network of nodes, decentralized blockchains eliminate the need for central intermediaries, enhancing transparency, accountability, and resilience. This “trust-by-design” model underpins security and institutional confidence.
- Open, Accessible and Inclusive Finance: These infrastructures have a common language and global standards, enabling institutions to collaborate easily, removing entry barriers and enabling inclusive access to digital financial services globally, particularly in underserved or underbanked regions, without reliance on centralized gatekeepers.
- Continuous Innovation and Resilience: The synergy between a burgeoning developer community, substantial venture funding, and active retail participation has fostered unprecedented creativity and technological advancement.
- Programmability and Composability: Permissionless blockchains enable smart contract deployment and integration across decentralized applications, supporting programmable finance and modular system design.
Taken together, these attributes position permissionless blockchains as essential infrastructure for the future of finance, combining openness with institutional-grade functionality.
Toward Regulatory Nuance
Permissionless blockchains are not completely free of risk. To create a level playing field for banks while addressing these challenges, policymakers must adopt a more sophisticated and differentiated approach within existing risk frameworks.
Regulatory frameworks should:
- Clearly distinguish between operational, financial and conduct risks, and use the correct framework to address the identified risk. For example, concerns around money laundering (compliance/conduct) are very separate from concerns around a 51% attack (technology/operational), and arguably neither belongs in the capital (prudential) framework, leading many to argue that the 1250% capital charge is misplaced.
- Distinguish between the blockchain infrastructure and the applications built on top of it: regulatory scrutiny should focus on how banks use the network, not the network’s permission model alone.
- Recognize that governance, identity, and compliance controls can be embedded at the token or application layer. These mechanisms provide operational safeguards that meet regulatory expectations and can offer meaningful risk mitigation.
- Evaluate blockchain usage based on real-world controls rather than theoretical assumptions. Just because a ledger is open does not mean it lacks discipline. Risk frameworks should reflect how the technology is actually deployed and monitored.
- Classify blockchain adoption as a technology risk rather than a prudential exposure. Banks already manage other forms of infrastructure risk—distributed networks should be no different.
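The pattern behind the second and third points above (a permissioned token on a permissionless chain, with identity and compliance controls enforced at the token layer rather than by the network) is easiest to see in code. The following Solidity contract is an added illustration written for this article; it is not JPMD, not Fireblocks code, and not a production design. The contract name, the two roles (an issuer that mints and burns, a compliance officer that onboards, freezes and pauses) and the rejection reasons are all assumptions chosen to show where each control sits. Approval-based transfers are omitted so that the single gate every movement of value passes through stays visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical deposit token: the chain is open, the token is not.
/// Every control below lives in the contract, so a bank's governance applies
/// regardless of who operates the network's nodes.
contract PermissionedDepositToken {
    string public constant name = "Example Deposit Token"; // placeholder name
    string public constant symbol = "EXDT";                 // placeholder symbol
    uint8 public constant decimals = 6;

    address public issuer;            // bank role: mints against deposits, burns on redemption
    address public complianceOfficer; // KYC/AML role: allowlists, freezes, pauses
    bool public paused;

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public allowlisted; // completed onboarding / KYC
    mapping(address => bool) public frozen;      // sanctions hit or open investigation

    event Transfer(address indexed from, address indexed to, uint256 value);
    event AllowlistUpdated(address indexed account, bool allowed);
    event FrozenUpdated(address indexed account, bool isFrozen);
    event PausedUpdated(bool isPaused);

    modifier onlyIssuer() { require(msg.sender == issuer, "not issuer"); _; }
    modifier onlyCompliance() { require(msg.sender == complianceOfficer, "not compliance"); _; }

    constructor(address _issuer, address _complianceOfficer) {
        require(_issuer != address(0) && _complianceOfficer != address(0), "zero role");
        issuer = _issuer;
        complianceOfficer = _complianceOfficer;
    }

    // --- identity and compliance controls embedded at the token layer ---

    function setAllowlisted(address account, bool allowed) external onlyCompliance {
        allowlisted[account] = allowed;
        emit AllowlistUpdated(account, allowed);
    }

    function setFrozen(address account, bool isFrozen) external onlyCompliance {
        frozen[account] = isFrozen;
        emit FrozenUpdated(account, isFrozen);
    }

    // Operational circuit breaker: stops all movement while an incident is handled.
    function setPaused(bool isPaused) external onlyCompliance {
        paused = isPaused;
        emit PausedUpdated(isPaused);
    }

    // Read-only pre-check so monitoring tools and front-ends can explain a rejection
    // before a transaction is ever broadcast. Returns (allowed, reason).
    function canTransfer(address from, address to) public view returns (bool, string memory) {
        if (paused) return (false, "transfers paused");
        if (!allowlisted[from] || !allowlisted[to]) return (false, "party not onboarded");
        if (frozen[from] || frozen[to]) return (false, "party frozen");
        return (true, "");
    }

    // --- value movement; every path runs through the same gate ---

    function mint(address to, uint256 amount) external onlyIssuer {
        require(allowlisted[to] && !frozen[to], "recipient not eligible");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    function burn(address from, uint256 amount) external onlyIssuer {
        uint256 bal = balanceOf[from];
        require(bal >= amount, "insufficient balance");
        balanceOf[from] = bal - amount;
        totalSupply -= amount;
        emit Transfer(from, address(0), amount);
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        (bool ok, string memory reason) = canTransfer(msg.sender, to);
        require(ok, reason);
        uint256 bal = balanceOf[msg.sender];
        require(bal >= amount, "insufficient balance");
        balanceOf[msg.sender] = bal - amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }
}
```

Two design points matter for the regulatory argument. First, the node operators of the underlying chain can neither bypass the allowlist nor move frozen balances; the contract enforces the rules, so the bank's control environment does not depend on knowing who runs the network. Second, every control emits an event, which gives a compliance or operational-risk function an on-chain audit trail to monitor against the bank's own policies, which is the "real-world controls" view of risk the list above argues for. Whether the issuer may also seize balances, and how fine-grained onboarding should be (per wallet, per legal entity, per jurisdiction), are policy choices the contract deliberately leaves open.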
These adjustments would not create a free pass for banks, but they would offer a clearer path forward, guided by proportionate policy that reflects how modern financial systems actually operate.
Conclusion: Time to Reframe the Risk Lens
As permissionless infrastructure becomes more integrated into financial markets, the focus must shift to how banks can participate safely, predictably, and at scale.
Regulatory clarity isn’t just about reducing risk—it’s about enabling progress. Institutions operating under frameworks that reflect today’s technology will be better equipped to serve clients, manage liquidity, and drive innovation.
A well-regulated, institutionally viable permissionless ecosystem is already taking shape. Banks are increasingly engaged and looking for a more sophisticated approach from regulators to support innovation while mitigating risks. The digital asset industry is ready to help.
For a deeper dive into the strategic and technical considerations of integrating decentralized blockchain infrastructure, explore our white paper: Permissioned and Permissionless Blockchains in Tomorrow’s Financial System. And if you’re exploring how to build the right foundation for your digital asset strategy, we’re here to help.
Frequently Asked Questions About Banks and Public Blockchains
Can banks use public blockchains like Ethereum?
Yes, but current regulations often make it prohibitively expensive or operationally complex to operate at scale. Frameworks like Basel III impose high capital requirements unless node operators are fully known and evaluated, something not feasible on most public networks.
What’s the difference between permissioned and permissionless blockchains?
Permissioned blockchains restrict who can validate transactions and access the network, making them easier to control. Permissionless blockchains are open to anyone, offering greater transparency, composability, and innovation potential, but raising regulatory concerns that need to be addressed.
Why are tokenized assets on public blockchains so costly for banks under Basel III?
Basel III applies a 1250% risk weight to assets on public chains if the underlying infrastructure isn’t fully understood or deemed compliant. This makes holding some of these assets 10-15 times more expensive than off-chain equivalents.
What are the main regulatory hurdles banks face with blockchain adoption?
Capital requirements (Basel III), data privacy laws (GDPR), and operational resilience standards (DORA) all currently lack the nuance to differentiate between responsible blockchain use and high-risk exposure.
How can banks safely adopt permissionless infrastructure?
By using tokens and applications with embedded compliance controls, robust identity layers, and governance mechanisms. The key is not the openness of the blockchain, but how the institution interacts with it.