Regulatory Questions

US regulators have focused recently on the challenges posed by the custody of digital assets. Traditional third party custody allows the broker dealer to comply with control standards established under the Customer Protection Rule.

To protect the client, the broker dealer must demonstrate that the assets are segregated under possession/control procedures that insulate the client from the risk of loss to theft, fraud or the failure of the broker dealer. FINRA has recently favorably compared the fifty years of successful implementation of the customer protection rule to the incidence of theft and diversion in the crypto asset market.

“Put simply, the Customer Protection Rule requires broker-dealers to safeguard customer assets and to keep customer assets separate from the firm’s assets, thus increasing the likelihood that customers’ securities and cash can be returned to them in the event of the broker-dealer’s failure.”

The challenge for digital asset custody is how to assure that the keys, digital signatures and any other means used to technically safeguard the digital assets preserve the essential customer protection delivered in the current model by third-party custody, preserving a locus of control over the client assets that is fully segregated from the broker.

In the case of digital assets, the challenge is that the control of the assets is done by means of cryptographic keys. Rather than assuring the assets are not diverted or commingled by combining client custodial agreement with broker dealer instructions, most cryptoassets currently rely on addresses and key exchanges. If the keys are duplicated or compromised, the assets can be diverted. If the keys are lost, the assets can be marooned and lost to the investor.

This challenge can ideally be met via a combination of technical and procedural solutions. For example, partial key sharing and partial key escrow could allow a user to store portions of their key with separate parties, with the presumption that anonymous subscription could make it impossible for the pieces to be assembled without the participation of the key owner. Alternatively keys could be escrowed with dual entry controls, such that the custodian service would only be able to access the key for recovery to the owner with the simultaneous request authorization of the owner, controlled for example by biometric access or some other unique authentication method.

This is not to suggest that solutions will be trivial. Regulators continue to work with broker dealers on defining alternatives for digital asset custody, but as yet there is no common industry standard that both meets the customer protection rule requirements and is straightforward to implement. That said, the potential benefits of the security, increased velocity of funds, and the reduced friction and inefficiency that digital securities offer, make this an important area of discovery going forward. The firms that solve this challenge first may enjoy first mover advantage in what promises to be a significant field in the financial industry.

One solution that has been explored is hardware secure modules (HSMs) such as Intel SGX. There are limitations to hardware security however: the HSM is a relatively brittle solution given that if a security defect is discovered, it may require physical hardware to be swapped out, which creates a greater logistical burden than a software patch.

Considerations for Digital Custody

Institutional clients with large value at risk will typically prefer and optimize for security over convenience. Securing the assets is paramount, but the security solution must not be so cumbersome as to negatively impact the ability to transact or settle in a rapid market. This can be a concern with cold storage and with multiple independent security controls

Diversity of solutions. Typically the asset owner or their custodian will attempt to use different forms of security from the exchange(s) and quite possibly the brokers with which they transact, in order to add a second line of defense against hack

In some cases the custodian may elect to use a combination of hot and cold storage: hot for transaction liquidity and speed of deployment, cold to protect against catastrophic loss in the event of a hack of the hot wallet. The liquidity needs of the client and their transaction patterns will impact the balances or UTXOs stored in each type of wallet.

Any hybrid solution is particularly vulnerable when assets are being transferred. Many of the hacks at exchanges have been done while wallet transfers were being processed.

Where is the locus of control: does the broker dealer have access to the digital security? Can the digital security be transferred or reassigned without the positive affirmation (by key exchange or digital signature) from the ultimate beneficiary? Can the key be duplicated? Since the traditional models presume effective control is equivalent to exclusive control, security methods that demonstrate that a controlling capability, such as a key, cannot be duplicated, are implied. This implication is not consistent with the way most key solutions are currently designed. Until this is resolved, there is a barrier to widespread adoption of digital securities that preserve existing investor protections.

Can the transfer agent role be eliminated? If the assignment of ownership rights requires positive affirmation from the ultimate beneficiary, and the method of assignment is unique and cannot be duplicated, then it is possible than the use of a transfer agent could be eliminated. However, there are significant technical challenges to achieve this outcome.

Risks

The custodian in traditional securities markets fulfils several important risk management functions for the asset owner. These risk management functions need to be met by equivalent capabilities in the world of digital tokenized assets:

Counterparty risk

Lending risk (hypothecation and re-hypothecation)

Commingling of assets and traceability

In addition the custodian service may help manage additional risks that are unique to smart contracts and digital securities:

Key theft or appropriation

Key loss

Unexpected logical paths and coding errors

Challenges to Success

In addition to these risks, there are a host of core capabilities that will need to evolve to a level of certainty and surety that can meet the mandate of the regulators. Each of these will need to not only evolve independently, but also with a level of integration necessary to assure a coherent, integrated whole.

These challenges include:

Identity and participation. How will participants be uniquely identified and tied to their digital signatures? How will addresses and nodes be established and assigned?

Governance and dispute resolution. What methods of consensus and voting will be used to direct the marketplace? How will voting rights be established? How will disputes be resolved?

Legal authority and enforceability. How will the smart contract logic automating the digital securities be tied to a choice of governing law? How will differences of interpretation be arbitrated? Will each smart contract require a separate legal agreement to be referred to in the event of an unexpected outcome from the coded logic?

How will the custodial networks communicate with other networks, including marketplaces and exchanges that may not be based on distributed ledgers? What messaging standards and technical solutions (such as guaranteed delivery or broadcast channels) will be necessary?

How will designers of new automated solutions assure they are in synch with evolving legal standards and existing business logic? Can the incorporation of existing single-party business logic into complex multi-party logical systems accelerate the evolution of new logical models?

How will technical solutions based on atomic swap and near-real-time settlement evolve to accommodate the liquidity saving benefits of deferred and net settlement? How will borrowing, lending and collateralization models best be supported?

Does the digital asset meet the definition of security for SIPA protection to apply?

If the digital asset claims rights to future appreciation in value or future cash flow, then the asset is likely to be classed as a security. Utility tokens, whose value is in the services/utility they fund and provide access to, may not be digital securities and may well not extend SIPA protection

Is it possible to establish that the broker dealer has possession or control of a digital asset security?

How are the keys protected? Can a key be duplicated? How is key escrow handled, and does access to keys require four eyes verification?

Is the distributed ledger the authoritative record of share ownership?

Is the ledger the sole system of record, or are there alternative means of ownership? Where a native digital security may be able to prove single authoritative record status by virtue of a complete chain of ownership since inception, a tokenized conventional asset may not. Where the asset has for example been tokenized, rematerialized and then subsequently tokenized again, the complete chain of provenance may not be preserved. Furthermore, the method for tokenizing a conventional asset must prevent double spending,

In such a case, the issuer of the token would have an obligation to prove that the asset cannot be removed from custody if it has been associated with a corresponding token. Otherwise a duplication of share ownership and double spending could occur.

Do broker dealers or execution facilities need to use a transfer agent as a proposed “control location” for purposes of the possession or control requirements under the Customer Protection Rule? For example, would such a role be mandated when the issuer or a transfer agent maintains a traditional single master security holder list, but also publishes as a courtesy the ownership record using distributed ledger technology?

Notes:

The United States financial responsibility rules include:

Rule 15c3–1 (the net capital rule)

Rule 15c3–3 (the customer protection rule)

Rule 17a-3 (the record making rule)

Rule 17a-4 (the record retention rule)

Rule 17a-5 (the financial reporting rule)

Rule 17a-13 (the quarterly securities count rule)

Further Reading

FINRA’s Joint Statement on Broker-Dealer Custody of Digital Asset Securities

The SEC’s Statement on Digital Asset Securities Issuance and Trading

The SEC’s Statement on Engaging on Non-DVP Custodial Practices and Digital Assets