The carbon market suffered a blow on January 18 when news broke that up to €30 million ($41 million) worth of European Union Emissions Allowances (EUAs) had been stolen by hackers from Czech, Austrian and Greek registries, exposing the vulnerability of this emerging market.
Market analysts say this case of fraud is one of the worst this market has seen: "This incident is extremely bad. We've had attacks like this before and it seems to happen over and over again. Over time, the European Commission will have to fix problems like this or they will undermine the whole credibility of the system in the long run," says Stig Schjølset, senior carbon markets analyst at Oslo-based carbon advisory firm Point Carbon.
"It's much more significant than other incidents, considering the range of attacks and the size of the theft," says Simone Ruiz, European policy director at the International Emissions Trading Association (IETA). "Although they all happened at the same time, they are different types [of attack], which show several strategies are being used and the loopholes and gaps in the system are being systematically explored."
Regulators of the European Union's Emissions Trading System (EU ETS) halted trading of spot contracts in an attempt to stop the fraud. National registries remained closed across the 27 nations involved as Energy Risk went to press, as security issues at the registries were highlighted as the key risk. The registries now have to prove that they have implemented the relevant security checks, which they were advised to do a year ago, before they are allowed to reopen. Implementing the required upgrades to security systems in all the registries could take months, say experts.
Point Carbon's Schjølset says the impact on the €2 billion European carbon trading market has been minor as the majority of trading volumes are forward contracts, but the impact on market confidence could be more damaging. "In terms of reputation and trust in the system and credibility, this is extremely bad for the market," he says.
In the long term, this fraud could undermine policy-makers' decision to embrace emissions trading as a system to tackle climate change. "The problem is related to how the general public will see emissions trading as a useful tool to reduce emissions in Europe. That is where the long-term problems lie. If problems like these [fraudulent incidents] continue, policy-makers will look to other methods to tackle emission reductions," says Schjølset.
But the IETA's Ruiz disagrees: "Clearly it's bad news, but it shouldn't affect the fact that carbon markets are the most cost-effective tool to address climate change. Also, the incidents only affect the spot market, which counts for less than a fifth of market volume. It is, however, a lesson to be learnt for those countries thinking of implementing an emissions trading scheme."
In Phase III of the EU ETS, a single common registry for the whole of Europe will be established, in a move that some analysts say will help tackle security issues.
But Ruiz is unsure that a single registry will help with the issue of tackling fraud in the carbon market. "It's not clear when this is going to happen, and now security requirements are heightened it could be delayed. At the same time, access to one registry means you have access to all the user accounts, which means security needs to be even tighter than it would need to be for current registries."
Some analysts are confident market confidence will be restored once the security updates take place. "We now see the attacks have only been on the registries without security measures. For the UK registry, there have been no incidents of fraud. There will be quick fixes now," says Point Carbon's Schjølset.
Thomas Rassmuson, partner at UK carbon traders CF Partners, says: "The security problems in the national registries are just normal challenges for a new financial market and an administration issue, rather than a sign of fundamental problems." He also says the damage will be limited.
However, in addition to security issues, there are other concerns about the handling of the stolen credits. The set-up of the carbon market means no-one is responsible for tracking stolen or missing certificates and there is no number to ring when an account has been raided.
For these reasons, the IETA's Ruiz says implementing stronger IT security will not solve the issue completely. "There are question marks over stolen allowances that are still in the market. There is no central list of stolen allowances that would allow participants to locate them and it is not clear who has to cover the loss. Hence people are reluctant to buy them and it creates confusion in the market," says Ruiz.
The theft is another incident in a string of fraudulent activity that has blighted the market in recent years, including missing trader intra-community fraud; fraud involving the issuance of recycled carbon credits back into the market; and fraud over the quality of the credits produced from emission reduction projects.