Our report on the Post-Trade Infrastructure for the Carbon Market earlier this year drew attention to the vulnerabilities in the settlement infrastructure for the carbon market. These have been illustrated again in recent weeks by the way the Trojan virus called “Nimkey” has infiltrated certain European emissions registries.
This resulted in the German emissions registry closing down. Initially the registry was going to close from 26 November until 3 December, which would have taken the registry offline on 1 December, a key date when many futures contracts expire. Subsequently, the registry managed to re-open for limited access on 29 November. The Dutch and Belgian registries also suspended access temporarily while investigating the effects of the virus.
One victim of the attack appears to have been the Romanian subsidiary of the Swiss cement manufacturer, Holcim. As a result of the Trojan attack, 1.6 mn units (valued at about €22 million) were stolen from its account in the Romanian registry. 600,000 units were subsequently traced to an account in Liechtenstein, but the other 1 million remain unaccounted for. However, the recovery of stolen units is problematic. BlueNext, the French exchange, commented, “Under French law, assuming the EUAs in an account were acquired in accordance with the law, the trades associated with them remain firm”. Thus, the absence of a clear legal framework for emissions trading in Europe will hamper the recovery of stolen units.
This is another indication that while the authorities responsible for the carbon market infrastructure have been slow to realise that emissions units are easily transferable assets with a high value, crooks and fraudsters have been quick off the mark to take advantage of weaknesses in the system. It is unrealistic for the EU Commission’s Director-General for Climate Action to claim, as he did on 3 December, “the Commission has no indication that this unauthorised access is due to insufficient security requirements in the EU ETS registry system.”
There is no other financial market where it would be possible to steal millions of euros’ worth of assets from a system and for the system operator to claim that its system security is adequate. Indeed, one of the companies that had units stolen from the German registry as a result of phishing attacks in January this year is suing the German registry for €1.1mn, claiming that the security measures put in place were not sufficiently robust and the response time of the carbon registry – in informing account holders of the phishing attack – was not swift enough.
There must be a risk that this series of failures in the infrastructure for the carbon market will undermine confidence in the “trade” part of the “Cap and Trade” approach to controlling climate change, with serious consequences for the overall policy.