
A recent roundtable hosted by the SEC’s crypto task force explored the complex and “incredibly thorny” issue of custody for crypto assets, particularly for broker-dealers and investment advisers. The discussion highlighted the challenges of applying traditional securities laws and rules, which were not designed for the nature of digital assets or blockchain tokens. Many participants agreed that addressing crypto custody is necessary to resolve other significant issues in the cryptocurrency market.
The Challenge of Applying Traditional Custody Rules
Under existing SEC rules, broker-dealers are prohibited from effecting transactions in securities unless they comply with custody rules. These rules generally require broker-dealers to maintain possession or control of customers’ fully paid and excess margin securities. Traditionally, possession meant holding a physical stock certificate in a vault, while control meant holding the securities through a third party, such as a bank, another broker-dealer, or a clearing agency.
Applying “possession” or “control” to digital assets presents significant difficulties. Digital assets are not physical, which raises a fundamental question: is physical possession or maintaining control the proper standard for digital assets, or should another concept apply?
Furthermore, Rule 15c3-3, the customer protection rule, does not apply to crypto assets that are not securities. This prompts further discussion about how broker-dealers should safeguard non-security assets held for customers.
Principles-Based vs. Rules-Based Regulation
A key theme throughout the discussion was whether to adopt a principles-based approach or a more prescriptive, rules-based approach to custody regulation.
Advocates for a principles-based model emphasized that technology is evolving rapidly. Specific technical regulations, such as how to store private keys, can become outdated and even cause harm by inhibiting the adoption of better technologies. A principles-based approach would focus on outcomes and accountability, allowing for flexibility in using the best available technical solutions. Effective laws, they argued, have often been technology-neutral and risk-based.
Others stressed the importance of combining principles and rules. The financial sector traditionally relies on a regulatory framework with rules to ensure safety and soundness. Many participants agreed that digital assets determined to be securities fall under the SEC’s purview and should be governed by a framework of both principles and rules.
Jason Alagante of Fireblocks proposed focusing on qualitative, principles-based standards for SEC-registered firms engaged in digital asset custody. This model would transcend specific technologies and service providers, allowing investors to trust that their assets are secure, regardless of the method of custody.
Different Approaches to Custody
The discussion outlined several models for holding crypto assets:
- Third-Party Custody (Banks & Trust Companies): Many participants agreed that banks provide a strong custody option due to their regulatory scrutiny and standards in physical security, operational controls, fiduciary segregation of assets, compliance, and capital requirements. State-chartered trust companies could also serve as qualified custodians, pending further clarification from the SEC.
- Broker-Dealer Self-Custody: Questions were raised about whether broker-dealers should be allowed to custody customer assets directly, provided strict safeguards are in place. This differs from traditional crypto self-custody, as broker-dealers would be holding assets for others.
- End-User Self-Custody: Although not applicable to broker-dealer custody, self-custody remains a valuable option. Despite the original crypto ethos of self-sovereignty, many users prefer traditional custodians for convenience and peace of mind. Participants agreed on the importance of preserving the ability for users to self-custody their assets if they choose.
Ensuring Security and Control in Digital Custody
Regardless of the model, securing digital assets is critical:
- Safeguards and Controls: Custodial solutions should center on proof of existence and exclusive control, achieved through operational processes and technology.
- Key Management: Key generation, storage, and control are central. Private keys should be stored securely within systems, not in individual devices. Multi-party computation (MPC) was highlighted as a preferred method, offering protection against single points of failure.
- Proving Exclusive Control: Custodians must demonstrate exclusive control over private keys through documented and audited practices for key generation, storage, and use.
- Audits: Regular audits — both traditional (e.g., SOC audits) and crypto-specific technical audits — are critical for verifying that custody practices meet security standards.
- Assets at Rest vs. in Motion: Crypto assets are safest when held in a rest state. Movement increases the risk of theft. Strategies such as netting trades internally and segregating trading and custody assets were discussed as ways to mitigate risk.
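As an added illustration, not part of the roundtable summary or any participant’s material, the following Python shows the k-of-n threshold property that MPC custody relies on, using Shamir’s secret sharing: a signing key is split into n shares, any k of them recover it, fewer than k do not, and shares can be refreshed so that a share stolen earlier becomes useless without changing the key. Production MPC wallets go further and never assemble the key in one place (signing is computed on the shares); here `reconstruct` assembles it only to demonstrate the threshold. The field prime is the secp256k1 group order; the share counts, keys, and function names are constructed for the example.

```python
"""Threshold (k-of-n) custody key sharing with Shamir's scheme (illustrative)."""
import itertools
import secrets

# secp256k1 curve order: private keys are integers in [1, N-1], so sharing
# over GF(N) keeps each share the same size as a key.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo N."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc


def split_key(secret, k, n):
    """Split `secret` into n shares (x, y); any k shares reconstruct it."""
    if not 1 <= k <= n < N:
        raise ValueError("need 1 <= k <= n")
    # Degree k-1 polynomial with the secret as constant term.
    coeffs = [secret % N] + [secrets.randbelow(N) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the given shares.

    Only for demonstration: a real MPC signer never assembles the key."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % N
                den = (den * (xi - xj)) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total


def refresh_shares(shares, k):
    """Proactive refresh: add shares of a random polynomial with zero constant
    term. The secret is unchanged, but old and new shares cannot be combined,
    so a share exfiltrated before the refresh no longer counts toward k."""
    zero_coeffs = [0] + [secrets.randbelow(N) for _ in range(k - 1)]
    return [(x, (y + _eval_poly(zero_coeffs, x)) % N) for x, y in shares]


def demo(k=2, n=3):
    """Exercise the threshold properties and return the outcome of each check."""
    key = secrets.randbelow(N - 1) + 1          # constructed signing key
    shares = split_key(key, k, n)
    any_k = all(reconstruct(list(c)) == key
                for c in itertools.combinations(shares, k))
    too_few = reconstruct(shares[:k - 1]) == key  # wrong value, not the key
    fresh = refresh_shares(shares, k)
    refreshed = reconstruct(fresh[:k]) == key
    mixed = reconstruct(shares[:k - 1] + fresh[k - 1:k]) == key
    return {
        "any_k_recovers": any_k,            # True
        "fewer_than_k_recovers": too_few,   # False
        "refreshed_recovers": refreshed,    # True
        "mixed_generations_recover": mixed, # False
    }


if __name__ == "__main__":
    for name, result in demo(k=3, n=5).items():
        print(f"{name}: {result}")
```

The refresh step is the part custodians care about operationally: rotating shares on a schedule, or after a suspected compromise, limits how long any single exfiltrated share remains useful, which is the “no single point of failure” argument made for MPC in the discussion.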
Regulated Entities and the Need for Clarity
Participants emphasized that clarity, not necessarily more regulation, is needed. There is a strong need for the SEC to clarify which entities can qualify as appropriate custodians, particularly state-chartered trust companies. Some participants warned against restricting custody to entities with traditional licenses, which may not guarantee competence in crypto custody.
The focus should be on whether an entity meets specific standards — including audits, capital requirements, and supervisory exams — rather than on entity type alone.
Bankruptcy Remoteness and Investor Protection
Bankruptcy remoteness is a significant concern. The Securities Investor Protection Act (SIPA) addresses it for securities by protecting customer securities in broker-dealer insolvencies, but SIPA does not protect non-security digital assets. Expanding SIPA’s protections to digital assets could encourage regulated money to enter the crypto space.
Ensuring an orderly resolution under SIPA when a broker-dealer becomes insolvent is crucial for protecting investors, but SIPA’s current asset classification framework complicates this for digital assets.
Lessons from Incidents
Real-world incidents provided essential lessons:
- Bybit Exploit: Highlighted that even traditional security measures like cold storage can fail if governance and internal controls are weak. It emphasized the need for digital-native security thinking.
- FTX Collapse: Underscored the importance of independent custody. If FTX had employed a qualified independent custodian, its fraudulent activities could have been detected or prevented.
These incidents stress the need for improved custody standards and experienced custodians.
Smart Contracts for Custody
Smart contracts offer potential for programmable custody, where assets are released only under specified conditions. However, control still ultimately rests with whoever holds the keys to the contract. While promising for some use cases, smart contracts are not a comprehensive solution for regulated custody today.
Disclosure and Customer Choice
Allowing customer choice in custody models highlights the role of disclosures. However, relying solely on disclosures is insufficient, as many retail customers may not fully understand technical custody risks. A principles-based bar for custody security, combined with clear disclosures, was recommended to strike a balance between flexibility and consumer protection.
International Perspectives
Other jurisdictions have often taken a more proactive, high-level approach to crypto regulation. Some participants expressed frustration that U.S. regulators are “leading from behind.” Early clarity from regulators abroad allowed Canada’s crypto market to mature more quickly.
At the same time, cautionary tales — like Canada’s overly prescriptive storage rules — reinforced the risk of creating outdated regulations that do not keep pace with technology.
These are just highlights from the first session.
The SEC roundtable made clear that regulating crypto asset custody is a multifaceted challenge. A successful regulatory framework must be adaptable to technological innovation, ensure robust investor protection, provide clarity to market participants, and strike a balance between flexibility and enforceable standards. Crafting a rational and resilient regulatory structure for digital assets is urgent and necessary.