
Jurimetrics Journal

Jurimetrics: Winter 2023

Custody of Digital Assets

Wulf Kaal and Hayley Howe

Summary

  • Despite the proliferation of custody solutions, users’ self-custody of digital assets is key for the decentralization of emerging blockchain networks.
  • The Office of the Comptroller of the Currency began permitting national banks and federal savings associations to offer cryptocurrency custody services to customers in July 2020.
  • Institutional custody solutions for digital assets need to be equally robust as those provided for traditional assets.

Abstract: The custody of digital assets plays an essential role in the evolution of the digital asset industry. Fully compliant custody solutions for digital assets increase legal certainty and mainstream investor confidence that, in turn, helps build markets in digital assets. Once digital asset markets have evolved, self-custody solutions help increase the decentralization of the digital asset market. This Article examines the evolving custody solutions for digital assets.

Citation: Wulf A. Kaal & Hayley A. Howe, Custody of Digital Assets, 63 Jurimetrics J. 169–95 (2023).

The growing consumer interest in digital assets and the digital asset market evolution has triggered an avalanche of custody needs for digital assets. Custody of digital assets has become an increasingly pressing issue of the digital asset market. Key custody providers, such as BitGo, are becoming increasingly important players in the digital asset market. Furthermore, the institutional digital asset market is partially consolidating around custody solutions through mergers.

Reliable custody solutions are important for the proliferation of digital asset use in existing financial markets. Custody solutions increase digital asset ownership accessibility by increasing investor confidence that their assets are secure without engaging in the tedious process of self-custody. Without the ability to rely on proven custody providers, mainstream and legacy institutional investors are restrained from making digital asset investments for legal or business reasons. Most digital asset custody providers and digital asset exchanges require customers to surrender digital asset ownership to get access and trade. State and federal laws are evolving to allow more institutionalized custody services for retail customers, as discussed below. However, institutional custody solutions are still developing.

Despite the proliferation of custody solutions, users’ self-custody of digital assets is key for the decentralization of emerging blockchain networks. In other words, an increase in self-custody decreases the need for custody service providers. Existing decentralized finance (DeFi) trends seem to suggest that decentralized, non-custodial deal platforms will have more innovation and better deals. This Article evaluates the tension between self-custody and custody solutions by emphasizing the need for custody solutions that comply with regulatory requirements.

I. Custody of Assets

The U.S. Securities and Exchange Commission (SEC) defines the term custody as “holding directly or indirectly, client funds or securities, or having any authority to obtain possession of them.” Custody generally describes possession or control of assets. Custody of tangible physical assets (e.g., real estate or chattel) can be established through physical possession—when the owner surrenders possession and control of the asset to a custody provider. However, the meaning of custody of an intangible digital asset is, on its face, less clear. Custody is typically associated with possession and control over a digital asset wallet and its asset, which typically means holding the private keys—the responsibility of keeping funds safe from cybersecurity threats.

For traditional assets, custody includes processing, settlement, and fund administration on behalf of the customers who own the assets but store the assets with the financial institutions. A custodian is a bank or other financial institution that provides safekeeping, transaction processing and settlement, asset servicing, record keeping, banking services, and securities administration for its customers. Examples of custody services that a national bank is permitted to perform include “escrow[ing] encryption keys used in connection with digital certificates” along with “provid[ing] secure web-based document storage, retrieval, and collaboration of documents, and files containing personal information or valuable confidential trade or business information.”

For traditional assets, the Office of the Comptroller of the Currency (OCC) explains that “[t]he custody business developed from safekeeping and settlement services provided to customers for a fee.” Historically, traditional community banks served the local community through safeguarding customer deposits and lending to neighbors and small businesses. On the other hand, national banks have long provided safekeeping and custody services for a wide variety of customer assets, including both physical objects and electronic assets. According to Jonathan V. Gould, “‘Safekeeping’ implies the basic service of a bank holding on to an asset for a customer (e.g., gold or securities).” As the OCC states, those assets may be held by a custodial bank either on its own property, a sub-custodial property, or another secure location. Custodian banks provide trusted gateways for customers to trade in regulated securities and commodities markets.

Traditionally, financial institutions acting as custodians do not have legal ownership of a given asset but instead are tasked with holding and securing the asset, such as stocks, bonds, commodities, or other assets. As the U.S. Securities and Exchange Commission states: “Custody by investment advisers means holding client funds or securities, directly or indirectly, or having the authority to obtain possession of them.” A domestic custodian may “invest[] cash balances as directed, collect[] income, process[] corporate actions, price[] securities positions, and provide[] recordkeeping and reporting services.” As the OCC states, “A global custodian provides custody services for cross-border securities transactions. . . . such as executing foreign exchange transactions and processing tax refunds.” Furthermore, the OCC explains:

[T]he custody business is a highly competitive and technology-dependent service. The ability to gather custody assets, effectively employ technology, and efficiently process large volumes of transactions is essential. This requires specialized knowledge and experience to manage the business and implement strong controls over transaction, credit, and compliance risks.

Without proper risk management in place, custodians will likely find themselves facing liability to their users or to regulators.

A. Custody Requirements for Traditional Assets

The history and policy goals of custody of traditional assets provide insight into the priorities and foundations of existing custody solutions. Traditional assets are subject to specific regulatory requirements for custody solutions. For example, in the context of traditional stocks, custodians hold and secure the stock certificate and handle settlement services, recordkeeping, and foreign exchange transactions.

Before the 1930s, self-custody of assets was the traditional and most common form of custody. Self-custody was a fully decentralized system of bearer assets where “investors were responsible for securing the paper certificates that claimed rights to their investments.” As Virginia B. Morris and Stuart Z. Goldstein explain: “[W]hen a corporation went public or a bond was issued, each purchaser received an elaborately designed . . . paper certificate in [the investor’s] name that detailed the issuer’s name, the date of issue, the number of shares, [and] the par value.” Also, Morris and Goldstein note that when selling a stock or bond, for “[a] purchaser [to] receive proof of ownership, a new certificate had to be issued.” Self-custody decreased in prevalence after the Stock Market Crash of 1929 when investors recognized how inherently uncertain, and thus risky, this system was.

The historical development of custody solutions for traditional assets was largely driven by financial institutions. During and after the 1930s, financial intermediaries such as trust companies functioned as custodians. In 1967, the Committee on Uniform Security Identification Procedures (CUSIP) added a unique identifying number to paper certificates to identify the issuer and the issue, together with a check digit, which helps the computer ensure that the CUSIP number was entered correctly. Morris and Goldstein note that today “[t]he CUSIP service is owned by the ABA [American Bankers Association] and administered by Standard & Poor’s Financial Services. Other numbering systems exist for international securities, with the most common being International Securities Identification Numbers (ISIN).”

The established system proved tedious and inefficient because of the extensive paperwork required to complete transactions. In order to sell, not only was physical issuance of a new certificate necessary, but, as Morris and Goldstein state, “[t]o sell, the owner endorsed and delivered the certificate to a broker, who delivered it to the buyer’s broker in exchange for payment.” The trust companies and intermediaries quickly became overwhelmed with changing ownership records, and from 1967 to 1970, a reported $400 million was lost or stolen in securities. Considering the incredible logistical difficulties resulting from the movement of physical assets, liquidity problems are likely to arise in financial markets.

The inefficiencies in custodial requirements for paperwork led to the introduction of the first central securities depository (CSD). CSDs provide the custody and recordkeeping services, enabling electronic transfer of ownership when investors buy and sell securities and initiate settlement. CSDs eliminated the physical movement and exchange of paper certificates by holding them in custody in a central location (i.e., immobilization). This approach arose because “CSDs provide safekeeping for securities immobilized in their vaults and electronic ownership records for those that are dematerialized.” Morris and Goldstein also note that “[u]sing book-entry accounting methods, a CSD updates ownership records electronically. Some CSDs record the names of the beneficial owners and others the names of only their member firms.”

The first CSD was the Depository Trust Company (DTC) created in 1973 as a subsidiary of the Depository Trust & Clearing Corporation (DTCC) to handle settlements. The DTC introduced a computerized book-entry system and was “the first set of centralized ledgers and certificates of clearing.” As Fidelity Digital Assets reports, “Eventually, depository functions throughout the United States would be consolidated into the DTCC.” Morris and Goldstein note that as of 2010, “DTC act[ed] as a CSD for virtually all US municipal securities, as well as the vast majority of equities and corporate bonds issued in the United States,” and it is “now the largest central securities depository in the world.” Morris and Goldstein also explain that

[i]n addition to its recordkeeping and custody services, [the DTC] provides a number of asset processing services. For example, it settles institutional trades directly, manages all phases of a security’s life cycle, and offers underwriting, interest, dividend, and corporate action services, including reorganization processing and tender offers for securities it holds in its custody.

The Employee Retirement Income Security Act of 1974 (ERISA) also changed the securities landscape. ERISA introduced substantial changes to the way U.S. pension funds invest and manage their assets, including a requirement that plans separate investment management from custody of plan assets. Subsequently, mutual fund investing took off in the 1980s, creating a global custody system.

As of 2018, custody had become very centralized. Four large banks (BNY Mellon, J.P. Morgan, State Street, and Citigroup) were the leading U.S.-based custody providers. At the end of the first quarter of 2018, these four banks had “approximately $114 trillion in assets under custody.” As Fidelity Digital Assets reports, “Recent trends suggest this highly concentrated model will continue, as ongoing barriers to entry have prevented other firms from challenging these incumbents.”

Like cash, securities are fungible. Investors hold interests in a DTC-eligible security in one of three ways: street name, direct registration, or physical stock certificate, the last of which is very cumbersome to trade and risky in case of loss. A problem with the DTCC was the “costly reconciliation processes between interconnected ledgers.” Morris and Goldstein report that as of 2010, “[b]etween 85% and 90% of all equities and corporate and municipal bonds that have been issued in paper form in the United States are immobilized by DTC.”

When an investor holds shares in street name, the investor’s name is listed on its brokerage firm’s books as beneficial owner and the investor has all the rights and risks associated with owning stock, but they do not hold the shares directly. The investor uses a brokerage firm who records the investor’s security position on their books. The DTC holds the securities that are registered in the DTC’s nominee name, “Cede & Co.,” which is “an acronym for CEntral DEpository [sic]” and is listed as the registered owner on the records of the issuer maintained by its transfer agent. As the DTCC states, “DTC holds legal title to the securities and the ultimate investor is the beneficial owner.” The DTCC also explains that “the brokerage firm’s name is listed in DTC’s ownership records.”

In describing the process, Morris and Goldstein state: “When you buy or sell your position, that position changes hands electronically through DTC’s book-entry accounting system, but the securities remain in DTC custody.” Furthermore, they explain:

When you sell stock you hold in street name, the shares are debited electronically from your broker’s account at DTC and credited to the DTC account of the brokerage firm whose client bought shares. Your brokerage firm updates its books to reflect the sale from your account, and the buyer’s brokerage firm updates the buyer’s account to reflect the purchase. But the physical certificate doesn’t have to be changed, since Cede & Co. continues to be the sole registered owner of the shares. Both you and the buyer receive electronic confirmations that detail the number of shares and the price of your transactions. In addition, as long as the buyer holds the shares, his or her brokerage firm provides proxy materials and regular account statements, which show the security’s value and dividends the issuer has paid that have been credited to the beneficial owner’s account.

Investors may also hold their shares via the direct registration system (DRS). Via the DRS, the investor can register her name and address, “as the owner of the securities, directly on the issuer’s books or the books of the issuer’s transfer agent.” An investor/owner can hold securities electronically in her own name via DRS and “is listed as the registered holder directly on the issuer’s books and records, maintained by its transfer agent.” As Morris and Goldstein explain: “The issuer or transfer agent sends all investor information, dividends, and other corporate communications, including proxy materials, directly to [the investor].” They also note that “[i]nvestors who use direct registration receive a statement from the transfer agent providing proof of ownership instead of a stock certificate.”

Via the DRS system, investors can use their DRS accounts to sell shares directly, but “transfer agents cannot provide a current price or limit price.” To sell shares at the market or limit price, Morris and Goldstein note that “the securities must usually be transferred electronically from your account with the issuer or its transfer agent to your broker/dealer through DTC.”

Two commonly used custody models for traditional assets are the segregated and omnibus models. The segregated model of custody predictably segregates client assets from custodian-owned assets and accounts for their private/public key groups at all levels. The omnibus model is the street name holding method described above. A broker-dealer consolidates client positions held at mutual fund companies into single omnibus accounts. As the DTCC Learning Center explains, “Broker-dealers maintain a separate account for each of their shareholders, but on the books of the mutual fund one account is maintained for all of those shareholders.” Additionally, Ria Bhutoria observes that in the digital asset sphere, “the omnibus model combines clients’ assets and spreads the assets across multiple digital asset private and public key pair groups. . . . and establishes client by client segregation at the books and records level.”

B. Custody Requirements for Digital Assets

Digital assets are unique in the way they are stored, which necessitates key innovations for custody providers. Financial transactions are recorded in a ledger that cannot be changed, only appended with new transactions. In a centralized system, a ledger’s data is stored in a single network. In a decentralized system, the database is shared by multiple participants, in multiple places. In a digital distributed ledger, data is stored across a network of decentralized nodes. This is the concept of the blockchain—a sequence of digital information (i.e., “blocks”) is stored consecutively in a transparent database that is maintained by multiple participants. Each block is a bundle of transaction data. Data is recorded in a numerical system such as binary, decimal, or hexadecimal code. Digital assets are stored on blockchains (also known as distributed ledgers). Through the use of decentralized digital ledger technology, a trusted intermediary is no longer needed and parties transact peer-to-peer.

Digital assets may represent a variety of underlying physical assets or no real physical assets at all. Bitcoin, for example, is a mere store of value that is not associated with any real-world physical asset. Some digital assets (non-fungible tokens (NFTs)) may be a representation of an underlying physical asset, such as a piece of art or half of a cow or other items. Another type of digital asset (known as a utility token) represents rights to a network or use rights within a network. Another digital asset type that confers some right on the holder is the security token (stock-like). Security tokens represent the holder’s ownership of an asset.

There must be some way for the holder of a digital asset to exercise the rights associated with holding the asset. Every digital asset owner holds both a private and a public key. The respective public key on a given layer one solution is typically cryptographically derived from a specific private key. These keys are recorded on the blockchain’s base layer that validates and finalizes transactions.

As previously referred to, public and private keys have several distinguishable features. The private key is the key to any form of ownership rights over digital assets through the wallet in which they are held. Anyone with knowledge of the private key gains the ability to establish ownership of all assets associated with the public address and may do what they want with those assets.

In contrast, a public key can be seen as the public facing digital identity of a user who owns a given digital asset by controlling the related private key to the wallet in which the digital asset is stored. The public key is the key the holder will share with others to receive additional digital assets. As its name suggests, this key is shared publicly. As Fidelity Digital Assets states, “[A] public key is shared with parties to the transaction, which functions as a destination address for receiving funds.”

Protecting and safeguarding the private key to a given wallet through secure custodial arrangements is a primary goal of any wallet owner. Accordingly, public and private key management is foundational to any custodial arrangement. The key management process determines how digital assets are held and secured.

The private key represents ownership of the asset and is a unique, large alphanumeric string. As Fidelity Digital Assets notes, “Private keys are used to confirm that the owner of a digital asset is in fact who he or she claims to be via cryptographic digital signature technology.” The asset’s wallet generates the private key and assigns the key to transactions originating from that wallet. The private key may only partially be compared with a password in that it is never shared publicly and is entirely specific to the holder. However, private keys are distinguishable from a password in that a private key is immutable—it cannot be reset. If a user loses their private key or if the private key is stolen, access to the digital asset may be lost. Thus, private key management is critical to security.

As Gould observed, “[T]he right to a particular unit of digital asset is transferred from party to party through the use of unique cryptographic keys.” Signatures determine the execution of access rights to a given wallet and the digital assets therein. Through a signature, a digital asset may be transferred from one wallet to another. The private key owner of a wallet needs to execute her access rights to the wallet through the private key or other access rights to execute a signature.

The quality of custody solutions for digital assets depends on the extent to which they are capable of keeping digital assets safe. A custody provider needs to demonstrate vigorous security measures (discussed in Part II), which include robust protections over technology, cybersecurity, and operations. Distinctions of custodial safekeeping revolve around hot storage of keys versus cold storage of keys.

As has been established, if individuals lose their private keys, they lose access to their funds. Thus, individuals will either store their wallets on cold storage (using an offline hardware wallet) or hot storage (an online wallet provider). A wallet is custodial when a trusted third party controls the user’s private keys and associated funds. In general, web-based custodial wallets are used most frequently despite alternative options. A wallet is non-custodial when only the user controls their private keys. In a sense, the private key provides access to the self-custody wallet solution in which any digital assets are held.

1. Hot Storage

Hot storage self-custody generically refers to users keeping digital assets in wallets that are stored and accessible online. Users have access to such hot wallets via their private keys. Hot storage ensures the easy access and quick transferability of digital assets but is also subject to possible asset security issues in the form of cyberattacks or issues with keeping private keys safe. In August 2022, the prominent Solana ecosystem was hacked with funds amounting to approximately $8 million drained from approximately 8,000 hot wallets.

Hot wallet custody solutions are particularly important in the digital asset space because of the unique relationship between custody and exchanges. The main function of digital asset exchanges is to provide liquidity—not to provide custody. Cryptocurrency exchanges typically store digital assets or private keys in hot storage, that is, in wallets that are connected to the Internet. While registered legacy stock exchanges facilitate trading but do not take custody of traded securities, users of cryptocurrency exchanges are typically required to hand over their assets to the exchange. Most cryptocurrency exchanges are centralized, that is, maintained by a third-party intermediary who is responsible for conducting all trades and transactions. These centralized cryptocurrency exchanges require users to hand over their assets to the exchange, who then acts as a custodian and essentially issues IOUs for users to trade with on the platform. When a wallet provider/exchange has custody of a digital asset, this gives them full control over transactions. As such, a hack of a digital asset exchange is akin to robbing a bank—where one obtains valuable cryptocurrencies that they may cash out.

As of February 24, 2023, according to CoinMarketCap.com, 237 centralized cryptocurrency exchanges and 310 decentralized exchanges were operational. As of 2017, Fidelity Digital Assets reported that “73 percent of digital asset exchanges take custody of private keys while 23 percent let users maintain control over their keys.” Between 2011 and 2018, Steven Russolillo and Eun-Young Jeong reported that “there have been 56 cyberattacks directed at cryptocurrency exchanges, initial coin offerings and other digital-currency platforms around the world . . . bringing the total of hacking-related losses to $1.63 billion.” Furthermore, Garrick Hileman and Michel Rauchs observed that “[o]nly 53% of small custodial exchanges have a written policy outlining what happens to customer funds in the event of a security breach resulting in the loss of customer funds, compared to 78% of large custodial exchanges.”

As of late 2020, decentralized exchanges (DEXs) are a new development that do not require users to give up control over their funds to an intermediary or custodian. In lieu of an intermediary organization, DEXs implement self-executing smart contracts that are able to facilitate user trades. Uniswap is a leading DEX, whose growth rate during and since 2020 is unprecedented. Uniswap is designed to prioritize self-custody and to function without any trusted intermediaries. The Cryptopedia Staff report that typically “DEXs take on a non-custodial framework.” Therefore, the impact of the DEX growth rate on digital asset custody providers remains unclear. If anything, the DEX growth rate may be an early indicator of increasing decentralized self-custody reliance by digital asset retail users. Mainstream institutional investor adoption of digital assets, in turn, may not materialize via self-custody and DEXs.

2. Cold Storage

Cold storage provides an alternative approach to hot storage. Unlike hot storage, in cold storage the digital assets and associated private keys are stored in wallets that are not connected to the Internet. Thus, cold storage has several benefits. For one, cold storage custody solutions are much more secure and resistant to cyberattacks. However, hacks of cold storage are not unheard of (although no funds were stolen).

A key downside of cold storage involves the lack of accessibility of the stored digital assets. Removing digital assets from cold storage to liquidate is subject to technological uncertainty. First, cold storage requires addressing concerns about connectivity and recognition of the cold storage device. Timing is another issue. In some cases, it can take many hours or even days for investors to obtain control of digital assets that are stored in cold storage devices. The timing makes it especially difficult to use cold storage security for dynamic trading strategies.

Cold storage solutions also raise the issue of control by company employees. Unlike hot storage solutions where multi-signature (multi-sig) wallets are common and allow access to the hot wallet only when multiple parties act together, cold wallets typically do not have the multi-sig feature. Accordingly, the person who acts as an agent to a corporation and who holds the assets on behalf of the company may be the only access point to the corporate assets. This brings with it significant insecurity and may not be suitable to any treasury management system.
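The key-ownership, signature, and multi-sig points above (a public key derived from a private key, a signature as the exercise of access rights, and a quorum of parties acting together) can be made concrete in a small model; this is an added Go example, not code from the Article or from any provider it names. The Transfer message layout, the P-256 curve, and the names Wallet, Policy, and Authorize are illustrative assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Transfer is a constructed stand-in for the message a wallet signs to move
// an asset; real chains serialize far more, but the custody logic is the same.
type Transfer struct {
	From   string
	To     string
	Amount uint64
}

// Digest binds every field of the transfer into the value that gets signed,
// so a changed destination or amount invalidates all existing signatures.
func (t Transfer) Digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", t.From, t.To, t.Amount)))
	return h[:]
}

// Wallet wraps one ECDSA private key. Whoever holds the key holds the asset:
// there is no reset, which is why custody is really key management.
type Wallet struct{ priv *ecdsa.PrivateKey }

// NewWallet generates a fresh private key (the self-custody starting point).
func NewWallet() (*Wallet, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Wallet{priv: priv}, nil
}

// PublicKey is derived from the private key and is safe to publish.
func (w *Wallet) PublicKey() *ecdsa.PublicKey { return &w.priv.PublicKey }

// Sign exercises the holder's access right over the wallet.
func (w *Wallet) Sign(t Transfer) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, w.priv, t.Digest())
}

// Address is the public-facing identity shared to receive funds: a hash of
// the encoded public key (truncated here only for readability).
func Address(pub *ecdsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // only fails for unsupported key types
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:8])
}

// Policy is a k-of-n multi-signature rule: Threshold distinct approved
// signers must act together before a transfer is authorized.
type Policy struct {
	Threshold int
	Signers   []*ecdsa.PublicKey
}

// Authorize verifies each signature against the approved keys over this exact
// transfer and counts distinct signers, so one insider signing twice, an
// outsider's key, or a tampered transfer never reaches the threshold.
func (p Policy) Authorize(t Transfer, sigs [][]byte) bool {
	digest := t.Digest()
	seen := map[string]bool{}
	for _, sig := range sigs {
		for _, pub := range p.Signers {
			addr := Address(pub)
			if seen[addr] {
				continue
			}
			if ecdsa.VerifyASN1(pub, digest, sig) {
				seen[addr] = true
				break
			}
		}
	}
	return len(seen) >= p.Threshold
}

func main() {
	a, _ := NewWallet()
	b, _ := NewWallet()
	c, _ := NewWallet()
	treasury := Policy{Threshold: 2, Signers: []*ecdsa.PublicKey{a.PublicKey(), b.PublicKey(), c.PublicKey()}}
	tr := Transfer{From: "constructed-treasury", To: "constructed-recipient", Amount: 100}
	sa, _ := a.Sign(tr)
	sb, _ := b.Sign(tr)
	fmt.Println("single signer (one access point):", treasury.Authorize(tr, [][]byte{sa})) // false
	fmt.Println("2-of-3 quorum:", treasury.Authorize(tr, [][]byte{sa, sb}))                // true
}
```

A single-key cold wallet corresponds to a Policy with Threshold 1 and one signer, which is exactly the one-person access point the paragraph warns about.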

II. Considerations and Requirements for Custody Providers

Institutional investors are less likely to engage in digital asset investments if the custody solutions for digital assets are underdeveloped. Institutional investors’ concerns for client safety have generated an unprecedented demand for custodial services. As Fidelity Custody Assets reports, “[I]nstitutional investors are finding it difficult to commit fully to digital assets until there is a reliable and respected custody solution.” Additionally, Anna Buczak notes that “a cryptocurrency custody service is a secure, off-chain storage solution for cryptocurrencies. . . . [T]hese services are usually designed for institutional investors.”

Accordingly, institutional custody solutions for digital assets need to be equally robust as those provided for traditional assets. As discussed below, institutions face specific regulatory, market/network, security, and client challenges. For example, Fidelity Custody Assets notes that “institutions must work with a custodian that can demonstrate a significant track record and experience in safeguarding client assets.” When individual digital assets are involved, using private keys or maintaining passphrases is too cumbersome for institutional investors. Thus, institutional investors must seek out alternative safety methods that allow their firm to operate efficiently without compromising the security of individual assets.

A. Depository Institution Requirements

Before the OCC decision of July 2020 (discussed in the next Section), digital asset custody was “the province of specialist firms . . . [who] typically needed a state license, such as a trust charter, to service large investors.” Various states provided specialized state-backed regulatory solutions for digital asset companies. More recently, several states have introduced more digital asset-friendly legislation. This legislation is friendlier to digital assets as it can evolve to allow more institutionalized custody services for retail customers.

Money transmitters are regulated under federal and state law. Money transmitters register under the federal Bank Secrecy Act (BSA) and are licensed under state law. In 2013, the Financial Crimes Enforcement Network (FinCEN) announced money transmission laws would not distinguish between fiat currency and digital assets. For example, Paul Vigna notes that “Coinbase is registered as a money services business with [FinCEN] . . . and also has a specialized [N.Y. state] license for crypto businesses, called the BitLicense, from the DFS.”

In many states, the trust charter obviates the requirement for a trust holder to also obtain a state money-transmitter license. State trust charters create non-FDIC-insured, nondepository trust companies. State-chartered trust companies can be qualified custodians as a “simplified version of banking, with much higher physical, technical and financial security relative to traditional financial institutions,” with digital custody services tailored to different customer needs so that users can seamlessly use both digital dollars (and future CBDCs) as well as cryptocurrencies.

However, state laws governing trust charter requirements are inconsistent. For example, while a typical legal obligation of a trust company is the fiduciary duty, custody providers do not by default owe a fiduciary duty to their users. A fiduciary duty’s presence, or lack thereof, can impact its legal status. Some states will allow digital asset firms to use the trust charter without requiring a recognition of the fiduciary duty. Other states require that these companies implement a strict fiduciary duty to avoid any attempts to co-opt the trust charter, especially if their main practice is not related to traditional trust services. This is demonstrated by Gemini, a prominent custody provider, which obtained a trust charter from the New York State Department of Financial Services in 2015. When it tried to expand to Washington, the state required Gemini to acknowledge it had a fiduciary duty to its customers when it requested trust recognition. This required the company to change its user agreement to state that for every consumer that entrusts them with fiat currency, “we will be performing as a fiduciary.” Accordingly, the trust charter is not suitable for digital asset firms in all states.

In 2019, Wyoming introduced the special purpose depository institution (SPDI) model. SPDIs focus on fiduciary activities, safekeeping, asset manage­ment, and servicing. Permitted SPDI purposes under Wyoming’s H.B. 74 in­clude business cash management and operational accounts. Wyoming law distinguishes SPDIs from custody banks. Custody banks focus on storing as­sets, fiduciary management, securities transactions, commodities markets, and customer bank accounts. SPDIs can obtain insurance from the Federal Deposit Insurance Corporation (FDIC), but they are not required to because they are prohibited from making loans with customer deposits of fiat currency. As Csilla Brimer states, “State chartered SPDIs completely eliminate some of the legal hurdles that burdens technological advances—such as the reluctance of the ex­isting banking sector to change/tailor AML/BSA compliance processes in order to accommodate the global & censorship resistant nature of cryptocurren­cies.”

Kraken, a cryptocurrency exchange, was established in 2011. In Sep­tember 2020, Kraken formed the world’s first SPDI, Kraken Bank, under Wyo­ming state law. Kraken Bank was the first digital-asset-based company to obtain a bank charter and thereby legitimize its banking practices under both state and federal law with respect to the processing of digital assets. As an SPDI, Kraken Bank is able to do business as “a fully independent bank” in the United States. Another Wyoming digital asset bank was Avanti, which became Custodia.

B. Risk Management for Banks Offering Crypto Custody Services

In July 2020, the OCC began permitting national banks and federal savings associations to offer cryptocurrency custody services to customers. The OCC requires the institution to implement verified and credible managerial practices to mit­igate the inherent risks associated with custody services. The risks are described as follows:

[T]he OCC assesses banking risk relative to its impact on capital and earnings. From a supervisory perspective, risk is the potential that events, expected or unexpected, may have an adverse impact on a bank’s capital or earnings. . . . The primary risks associated with custody services are: transaction, compli­ance, credit, strategic, and reputation.

The first type of risk, transaction/operational risk, refers to “the current and pro­spective risk to earnings or capital from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage infor­mation.” Because of the enormous volume of transactions that occur on any given day, the amount of unavoidable transaction risk tends to be higher for custody services. Operational risks can affect the confidentiality, availability, or in­tegrity of information or information systems.

As the OCC states,

[E]rrors in corporate action, settlement, foreign exchange (FX), and operating (suspense) account processing are common causes of losses attributable to cus­tody activities. . . . The risks may be magnified in a global custody operation where transactions occur around the clock in a variety of different markets. A global custodian must consider a variety of additional factors including differ­ing market rules and conventions, the degree of automation in the foreign mar­ket, different types of securities, capital or currency restrictions, and the availability and communication of timely and accurate information.

Additional risks in the digital asset space include key generation and manage­ment, which have no analogue in the custody of traditional securities. Beyond these, virtual currencies are noted for their “highly unpredicta­ble value,” “increased risk of market manipulation,” “difficult to cash out investments,” “conflicts of interest,” and “limited protection from fraud.”

To mitigate transactional/operational risk, custodians should implement “[e]ffective internal controls [that] include safeguarding assets under custody, producing reliable financial reports, and complying with laws and regula­tions.” Information security infrastructure and controls to mitigate hacking, theft, and fraud need to be strengthened when maintaining custody of digital assets because of their unique technical characteristics. Notably, it has been esti­mated that custodial service providers spend roughly half as much of their com­bined human and financial resources on IT security (roughly six to ten percent of available resources) as non-custodial service providers do (roughly eleven to twenty percent of available resources). In general, non-custodial systems are less costly and can be implemented more quickly than their counterparts.

IT security includes the design and implementation of proper cybersecurity controls (also known as safeguards or risk management practices). Significant risk areas should be protected both to prevent a risk from materializing and to detect either that a preventive control failed or that a risk materialized. Every risk should have a preventive and a detective control, and there should be layered controls so that if some fail, others remain to reduce the risk. This may include a control that detects process failures. An organization’s ability to cope with threats and reduce risk increases with the strength and depth of these layers.

Administrative controls are typically process oriented and relate to the es­tablishment of policies and procedures. Some risk management processes “may need to be tailored in the context of digital custody.” Duties to initiate and approve transactions should be segregated. Specialized digital custody audit procedures for verifying that the bank maintains access controls for a cryptographic key will differ from the procedures used for physical assets. Automated controls are themselves software and carry their own defect risk: there are ap­proximately 15–50 bugs per 1,000 lines of code.

Identity management, authentication, and access control should operate on “a need-to-know basis.” Technically and logically, to maintain data integ­rity, procedures should be in place that govern how data stored on or transmitted by organization servers may be changed.

Systems should be protected against denial of service (DoS) and similar at­tacks to maintain availability. Distributed denial of service (DDoS) attacks against cryp­tocurrency services have been increasing in frequency and duration over the last year. Over $2 billion of cryptocurrency was lost to hacks and exploits in the first half of 2022 (more than the amount lost during all of 2021).

A good industry practice is to perform reserve audits of digital assets or to implement proof-of-reserves programs. Reserve audits are all the more necessary where no proof-of-reserves program is in place. The transparent nature of the blockchain offers multiple ways to demonstrate reserves. Reserve au­dits can be performed by independent third parties, as is done with traditional asset classes.

Alternatively, proof-of-reserves programs can be implemented on-chain. In 2020, the Cambridge Centre for Alternative Finance’s annual survey of digi­tal asset companies reported that fifty-four percent of surveyed custodial service providers indicated that they had performed an “externally-led” audit of their digital asset reserves over a twelve-month period, with most such providers op­erating out of Europe or the Asia-Pacific (APAC) region. The report noted this was a twenty-four percentage point decline compared to its 2018 sample. The Centre suggested firms may have felt a decrease in scrutiny relative to 2018 after Tether, a stablecoin that was expected to keep 100 percent reserves, was dis­covered not to have done so. The Centre also observed that “59% of firms indicate[d] that they had their [digital asset] reserves audited by an independent comptroller over the past 12 months, primarily based out of Europe (35%) and APAC (31%).”
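The Article describes proof-of-reserves only at the level of survey results. The following is an added example, not code from the Article or from any custodian it names, showing the mechanics of the most common design: a Merkle-sum tree over customer liabilities whose root the custodian publishes, an inclusion proof each customer can check against that root, and a comparison of the root’s total with the balance of the custodian’s on-chain addresses. The ledger, the per-customer salt derivation, and the on-chain reserve figure are all constructed for the example.

```python
"""Merkle-sum proof of reserves (added example; assumes a hypothetical custodian ledger)."""
import hashlib
from typing import List, Tuple

# Constructed sample ledger: (customer id, balance in integer base units). Not real data.
LEDGER = [
    ("cust-0001", 150_000),
    ("cust-0002", 2_500_000),
    ("cust-0003", 0),
    ("cust-0004", 875_000),
    ("cust-0005", 42_000),
]
# Constructed stand-in for the summed balance of the custodian's published on-chain addresses.
ONCHAIN_RESERVES = 3_700_000

Node = Tuple[bytes, int]  # (hash, sum of balances beneath this node)
ZERO_LEAF: Node = (b"\x00" * 32, 0)  # padding for odd-sized levels


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _u128(n: int) -> bytes:
    return n.to_bytes(16, "big")


def customer_salt(customer_id: str) -> bytes:
    # Assumption: a per-customer secret shared only with that customer, so leaves cannot be
    # brute-forced from the public tree. Derived deterministically here only to keep the
    # example self-contained; a real deployment uses random salts.
    return _h(b"demo-salt-secret", customer_id.encode())


def make_leaf(customer_id: str, balance: int) -> Node:
    # A negative balance is the classic proof-of-reserves cheat: it subtracts from the
    # root sum and hides liabilities. Refuse it at the leaf.
    if balance < 0:
        raise ValueError(f"negative balance for {customer_id}")
    return (_h(b"leaf", customer_salt(customer_id), customer_id.encode(), _u128(balance)), balance)


def make_parent(left: Node, right: Node) -> Node:
    # Both child sums are committed into the hash, so anyone recomputing the root
    # also recomputes (and therefore checks) every sum on the path.
    lh, ls = left
    rh, rs = right
    return (_h(b"node", lh, _u128(ls), rh, _u128(rs)), ls + rs)


def build_tree(leaves: List[Node]) -> List[List[Node]]:
    """Return all levels bottom-up; levels[-1][0] is the root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:
            level.append(ZERO_LEAF)
        levels.append([make_parent(level[i], level[i + 1]) for i in range(0, len(level), 2)])
    return levels


def inclusion_proof(levels: List[List[Node]], index: int) -> List[Tuple[Node, bool]]:
    """Sibling nodes from leaf to root; the flag says whether the sibling sits on the left."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(leaf: Node, proof: List[Tuple[Node, bool]], root: Node) -> bool:
    """What a customer runs: recompute the root from their own leaf and the published path."""
    node = leaf
    for sibling, sibling_is_left in proof:
        if sibling[1] < 0:  # a dishonest custodian could publish negative sibling sums
            return False
        node = make_parent(sibling, node) if sibling_is_left else make_parent(node, sibling)
    return node == root


def proof_of_reserves(ledger, onchain_reserves: int) -> dict:
    """Custodian side: publish the root and compare total liabilities with on-chain holdings."""
    leaves = [make_leaf(cid, bal) for cid, bal in ledger]
    root = build_tree(leaves)[-1][0]
    return {
        "root": root[0].hex(),
        "liabilities": root[1],
        "reserves": onchain_reserves,
        "solvent": onchain_reserves >= root[1],
    }


def customer_check(ledger, customer_id: str, onchain_reserves: int) -> bool:
    """Customer side. In practice the custodian hands the customer the proof; the tree is
    rebuilt locally here only so the example runs offline."""
    leaves = [make_leaf(cid, bal) for cid, bal in ledger]
    levels = build_tree(leaves)
    root = levels[-1][0]
    index = [cid for cid, _ in ledger].index(customer_id)
    return verify_inclusion(leaves[index], inclusion_proof(levels, index), root) and onchain_reserves >= root[1]


if __name__ == "__main__":
    print(proof_of_reserves(LEDGER, ONCHAIN_RESERVES))
    print("cust-0004 included:", customer_check(LEDGER, "cust-0004", ONCHAIN_RESERVES))
```

Two design points matter for the security of such a scheme. First, the sums are hashed into every interior node, which is what turns a plain Merkle inclusion proof into a proof that the customer’s balance is counted in the published total; without that, a custodian could publish a root whose stated total bears no relation to the leaves. Second, both the leaf constructor and the verifier reject negative balances, because a negative leaf (or a negative sibling sum on the proof path) lets the custodian shrink the liabilities it must cover. The scheme still depends on the custodian proving control of the on-chain addresses it claims, which is a separate signature exercise not shown here.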

The second type of risk to consider is compliance risk. The first layer of compliance risk is compliance with all relevant laws and regulations. Custody providers should conduct legal analysis to ensure their activities are consistent with all applicable laws. SEC-registered brokers are required to comply with the SEC’s custody protections, which are designed to protect against the loss or theft of an asset. The Customer Protection Rule requires segregating customer assets from the broker’s own assets. So long as the broker is not holding the securities, it will generally not need to comply with the custody rule. As the OCC states: “A national bank should consult with OCC supervisors as appropriate prior to engaging in cryptocurrency custody activities.” The OCC makes this recommendation because “[d]ifferent cryptocurrencies may also be subject to different OCC regulations and guidance outside of the custody context, as well as non-OCC regulations.” Provisions of the Investment Com­pany Act of 1940 may also need to be considered. Further, 17 C.F.R. § 275.206(4)-2(a) outlines safeguarding procedures for investment advisers, which could expose custodians to liability. An exception to the rule applies if a qual­ified custodian maintains the assets in accordance with 17 C.F.R. § 275.206(4)-2(a)(1)(i) or (ii). Five percent of cryptoasset service providers were qualified custodi­ans. Other laws and regulations that may be relevant include ERISA, Regulation D, Regulation U, and others.

Digital assets and cryptocurrencies are by their nature riskier and add a sec­ond layer of laws and regulations to consider. Thus, processes such as “Know-Your-Customer” (KYC) and anti-money laundering (AML) rules are important in the digital asset space. FinCEN’s May 2019 guidance regard­ing the Bank Secrecy Act stated that most cryptoasset businesses qualify as money transmitters and must comply with AML/KYC regulations (with exemptions for non-custodial wallets, decentralized exchanges that do not settle trades, and certain infrastructure providers such as DApp developers and cloud miners). AML/KYC compliance matters not only as a control against fraud and illicit use but also because regula­tors have begun enforcing these regulations through significant monetary penalties.

The second layer of compliance risk is individual account risk. Before ac­cepting an account as a client, custodians must analyze individual account risks, including “the customer’s needs and wants,” the account’s operational needs, and “whether the contemplated duties are within its capabilities and are con­sistent with all applicable law.”

Custodians not only need to ensure general compliance with relevant laws and regulations but should also be well in­sured against potential losses. The Clearing House reports that, like commercial banks, “[c]ustodians are chartered as banks and accept insured and unin­sured deposits.” Forty-six percent of the service providers surveyed, as discussed above, reported not being insured against any risks. Insurance plans primarily cover cybercrime, professional errors, hazards, and loss or theft of pri­vate keys.

The third type of risk is credit risk. As the Clearing House explains, “Credit risk is the current and prospective risk to earnings or capital arising from an obligor’s failure to meet the terms of any contract with the bank or otherwise to perform as agreed. Credit risk is found in all activities that depend on counter­party, issuer, or borrower performance.” This risk is relatively low for transactions settled on-chain, because settlement is near-instantaneous and does not depend on a counterparty’s later performance. The reduction does not extend to assets held by a custodian or exchange, however: there the customer’s claim is against the intermediary, and the intermediary’s failure is the credit event.

Other considerations include strategic and reputation risk. With regard to strategic risk, digital assets are viewed as high risk by the banking indus­try. Reputational risk has been ranked the top strategic business risk. As the Clearing House observes, “Custodians are also exposed to liquidity risk, which is the risk of loss from an actual or perceived inability to meet cash and collateral obligations.”

C. Federal (National) Trust Charters

As of January 2023, fifty-six active trust banks exist. The CFPB has spe­cific consumer protection enforcement authority: it enforces compliance with the enumerated financial consumer protection laws for the financial companies designated by the Dodd-Frank Act. The CFPB’s Taskforce on Federal Con­sumer Financial Law recommended federal charters or licenses for non-bank FinTech companies engaged in payments, remittances, or lending services, to clarify the authority of the OCC. The Taskforce stated that such charters or licenses should provide that these institutions are governed by the regulations of their home states, even when providing services to consumers located in other states, similar to the National Bank Act’s treatment of federally chartered banks.

The OCC grants national charters to companies engaged in lending, pay­ments, or deposit taking and agrees that the nation needs federal charters for fintechs to effectively, efficiently, and safely serve the financial needs of con­sumers across the nation under a single uniform set of rules. As Nikhilesh De reported, “Becoming an OCC-regulated trust is one way crypto exchanges can operate nationwide without needing to secure state-level licenses in each of the 49 different U.S. states (Montana doesn’t have a licensing require­ment).” Formation of a full bank requires Federal Deposit Insurance Corpo­ration (FDIC) and Federal Reserve approvals. One route is for a state bank or state trust company to apply to convert into a national bank under 12 U.S.C. § 35. Likewise, with OCC approval, a non-depository public trust company organized under state law may convert to a national bank under 12 C.F.R. § 5.24.

Anchorage Trust offers custody services primarily to institutional investors and a limited number of high-net-worth individuals that transact in digital assets and cryptocurrencies, including certain tokenized securities and cryptocurrencies such as Bitcoin, Bitcoin Cash, Ethereum, Zcash, and File­coin. Anchorage also performs fiduciary custody of digital assets and fiat cur­rency, on-chain governance services, staking services, and settlement services. Since then, Protego and Paxos have become two more nationally char­tered digital asset banks.

Dozens of start-ups and established firms are developing ways to secure digital assets, but to date few have focused on the unique challenges of institu­tional investors. NYDIG promotes itself as a provider of institutional digital asset custody services. U.S. Bank is looking into working with a crypto custo­dian. The CryptoCurrency Certification Consortium (C4) convened a group of researchers, security auditors, and company principals to introduce a standardized methodology for securing private keys. Creating a digital vault has also been suggested.

Conclusion

Custody solutions are particularly important to the proliferation of digital assets. Multi-signature wallets and a combination of hot and cold storage solu­tions are advisable. While the majority of cryptocurrency spot exchanges require ownership to be surrendered in order to transact, DEXs are introducing the ability for users to transact without surrendering custody of their private keys to a third party.

State and federal laws are evolving to allow more institutionalized custody services for retail customers, most notably as state trust charters are evolving to national trust charter approvals for digital asset banks.

From the perspective of decentralization, the application of current legacy rules around custody of traditional assets is inconsistent with decentralization’s foundations. The very nature of a decentralized system mandates the avoidance and eradication of intermediaries for business transactions. Owners of digital assets can rely on the cryptography of the wallet and of each transaction to avoid reliance on trusted third parties. Without it, single points of failure, rent-seeking behaviors, and other suboptimal outcomes of legacy systems inevitably seep back into decentralized solutions. Delegation of rights to custody pro­viders is only an incremental step toward centralization via delegation to third-party investment managers. This becomes a floodgate issue, as each level of invest­ment discretion over digital assets exacerbates the centralization concerns and compounds the rent-seeking inefficiencies.

The realities of decentralization and decentralized self-custody would re­quire investment advisers simply to provide digital asset investment advice for a fee without taking custody of digital assets. However, legacy customers typically expect custodial solutions, which may mandate continuous experimentation with digital asset custody solutions within the existing legal framework and the evolving legacy legal framework for digital asset custody.

At the same time, decentralized self-custody of digital assets is here to stay. Collective non-custodial DeFi investment clubs are already emerging in which col­lective decision making in a non-custodial investment setting is a reality. These experiments combine decentralized self-custody with cutting-edge DeFi projects and non-custodial investment clubs based on staking unpooled, non-custodial assets on deals. Once a deal finds substantial funding, it may move forward through smart contracts, with staked assets released when the deal is fully funded, without any pooling or custody.

Until these self-custodial investment deals become mainstream in DeFi, custody solutions for mainstream adoption will remain an issue in search of a solution. Ultimately, these two trends will run in parallel until both central­ized custody solutions and decentralized non-custodial deal platforms are more established. The existing trends in DeFi suggest that the decentralized non-custodial deal platforms will see more innovation and better deals. Only time will tell. For now, the evolution of custody solutions for digital assets re­mains essential for mainstream adoption.
