What do regulators have to say about your custody arrangements?

Custodians have been obliged since 2019 to check that holders of cryptocurrencies and Stablecoins are not money launderers, terrorists or sanctions evaders. (1)  What impact have those obligations had on the day-to-day practice of digital asset custodians? 

Both traditional custodian banks and specialist digital asset custodians have recognised the need to comply with the Financial Action Task Force (FATF) obligations to run Anti Money Laundering (AML), Countering the Financing of Terrorism (CFT) and sanctions screening checks on cryptocurrency and Stablecoin transactions. Indeed, FinTechs are hiring individual experts from custodian banks to show them how to do customer and counterpart due diligence checks. After all, compliance with the FATF recommendations presents several challenges. One is that implementation varies between jurisdictions. Another is that jurisdictions update their guidelines continuously. And although the checking procedures are fundamentally the same across digital and traditional asset transactions, blockchain technology does pose novel challenges such as self-hosted digital wallets and anonymous wallet addresses. The irony of the need to check whether cryptocurrencies are being used by criminals – given that the initial promise of blockchain was a “trustless” alternative – is not lost on custodians of either kind.

What is the approach of regulators in the United Kingdom to digital asset custody?

The approach by the Financial Conduct Authority (FCA) is consistent but not yet complete. It is based on the existing requirements in the Client Asset Sourcebook (CASS) which sets the rules – record-keeping, segregation of assets, internal controls and so on - that regulated firms must follow when holding customer cash or assets. But the work of revision to accommodate digital assets in promised legislation will not be finalised for 18 to 24 months. Importantly, English law is less onerous than European Union (EU) law in terms of custodial liability if digital assets go missing, with a promise of a proportionate rather than total responsibility. Questions about liability for assets delegated to third party custodians remain open. There are also proposed requirements to maintain operational resilience, meet audit rules, and place the custody function in a separate entity. Two years is probably a realistic, if disappointingly lengthy, timetable to put an end to the current regulatory uncertainty surrounding digital asset custody in the United Kingdom.

Why do United Kingdom regulators move so slowly?

The speed at which regulators can move is constrained by laws which stipulate, for example, that consultations and pilot tests must be conducted (this is part of the logic that lies behind the regulatory sandboxes introduced in the United Kingdom in 2015 and 2024). In addition, the art of successful regulation is to preserve the safety and stability of financial markets without stifling innovation. Today, the United Kingdom government is asking regulators to encourage innovation, competition and growth but without a compensating assurance that, if something goes wrong, they will not be publicly named and shamed for failing to foresee and avert the problem that arose. That said, regulators in the United Kingdom are not adept at marketing, in terms of signalling to the world that London is open for digital asset business. Yet officials at the Bank of England are admired by other regulators around the world for their attention to detail, rigorous analysis and thoughtful approach to innovation. The United Kingdom is also leading Europe on the journey to a shorter settlement timetable and, by fostering collaboration between all parts of the securities industry, helping to ensure the transition to settling on trade date plus one day (T+1) is a comfortable one. Innovative legislation such as the Electronic Trade Documents Act and the Property (Digital Assets etc.) Bill also proves that the United Kingdom is building a corpus of law to underpin regulation of digital assets. Unfortunately, this innovative work is not being translated into a means of selling London as an international digital asset issuance, trading and custody centre. That failure to translate domestic thought leadership on reform of law and regulation to accommodate digital assets into a marketing campaign is a missed opportunity for the United Kingdom. The world is willing to follow a British lead in this area, but it is not being given.

Are regulators in the United Kingdom constraining innovation by the private sector?

Unlike the public sector, where personal compensation is not tied to the pace of new product development and distribution, banks are under pressure to innovate in pursuit of profit. However, the pace of innovation even by the private sector has slowed down. In the 1980s an innovation such as the first multicurrency Medium Term Note (MTN) took six months from conception to launch. Hybrid capital instruments for banks to comply with the capital adequacy rules of the Basel Committee on Banking Supervision (BCBS) were also agreed and launched within the same timetable. However, since the great financial crisis of 2007-08 - one of the causes of which was judged to be over-enthusiastic financial innovation - banks have introduced risk management and product development processes that prevent the rapid introduction into the market of new ideas.

Is the slow pace of regulatory change damaging the position of London as a digital assets centre?

The marketing of London as a clear, safe and stable jurisdiction for digital asset issuance and investing matters, especially now. In the light of the more positive approach that is likely to be taken towards the industry by the Trump administration in the United States, and the efforts made by several European jurisdictions to attract tokenised business, the United Kingdom needs to improve its competitive position in digital assets. On the face of it, taking two years to launch the digital gilt-edged issue (the Digital Gilt Instrument, or DIGIT) announced in November 2024 is reasonable. It will take time to research viable maturities – which investor wants to take a ten- or 20-year view of a novel instrument such as a digital gilt right from the outset? -  and choose the blockchain protocol and build the issuance, distribution, secondary market trading, custody and asset servicing infrastructure and systems. In addition, His Majesty’s Treasury and the Debt Management Office (DMO) have short-run financing needs, and they are being asked to make an investment in the short term that will yield rich dividends in the long run only. So, a degree of caution is understandable. Indeed, the DIGIT will be issued not by the DMO but as a pilot scheme within the Digital Securities Sandbox (DSS) launched in September 2024 by the Bank of England and the FCA. But caution should not freeze all initiative. It should not prevent the United Kingdom government from issuing a large, say, £2 billion, sovereign debt issue in fully digital form in the meantime. Or digitising the much simpler Treasury bill market, whose short-dated securities are generally held to term by investors so there is no need to develop a secondary market. Treasury bills could be digitised in just six months. Flagship issues of this kind would be bold statements of intent by the United Kingdom authorities.  They are also an invaluable opportunity for the industry (Gilt-edged market makers (GEMMs), inter-dealer brokers, exchanges, custodian banks, paying agents, central securities depositories, trading platforms and investors) to work with government (His Majesty’s Treasury, the Debt Management Office, the Bank of England and the FCA) in a collaborative task force to identify and solve technical issues ahead of the launch of a fully digitised gilt issuance, trading and custody programme.

Are the gilt-edged market makers (GEMMs) keen to participate or fearful of being disintermediated?

The GEMMs have an interesting perspective on digital gilts. Unlike the FinTech innovators, which are excited about promoting what their commercial offerings can bring to the markets, the GEMMs are asking themselves practical questions about how much of a digital gilt issue they can buy and how confident they are about selling it on to investors. The reason UK Finance has advocated a cross-industry task force to work on digital gilts is a belief that the more participants that have a material interest in developing digital gilt issuance, the better. A private placement with a handful of enthusiastic investors is easier to organise, but an issue which engages the GEMMs as well as investors would be more useful in terms of market development. As it happens, it was the GEMMs and the investors which first proposed to the government (via UK Finance) that the digital gilt programme begin with Treasury bills.

Is regulation of custody retarding the progress of token markets in the United Kingdom?

Yes. Asset managers willing to invest in tokenised securities on behalf of institutional clients must check that the global custodian services purchased by the client are adequate to the risk and capable of interacting with the blockchain on to which the tokenised securities are issued. This complicates the allocation of tokenised investments, which in turn inhibits the growth of a secondary market by narrowing distribution. Global custodian banks could alleviate this problem by developing or adopting solutions to the lack of interoperability between blockchains, and they do not need regulatory permission to do that. Another problem which could be relieved by regulators is their hostility to delegation of custody of digital assets, or sub-custody arrangements. Sub-custody is a standard feature of trading and investment in traditional asset markets but has yet to be accepted by regulators in the digital asset markets. The United Kingdom has an advantage in this area. Its traditional custody regulations accept that different rules will apply in different jurisdictions. So, they permit different approaches to be adopted when sub-custodians are appointed in jurisdictions where the local regulations do not accord neatly with United Kingdom requirements.

Have regulators in the United Kingdom failed to develop a sufficiently diverse eco-system for digital assets to thrive?  

“Crypto asset” firms that have applied to the FCA for registration under the Anti Money Laundering (AML), Countering the Financing of Terrorism (CFT) and sanctions screening regulations in the United Kingdom number just 46 registered entities and three formerly registered entities. The ranks of applicants have fallen sharply since the peak year of 2021 (see the Chart below). (2)  However, the low number of registered entities reflects the fact that the FCA initially rejected many applicants, which deterred future applicants. Nevertheless, this difficulty has encouraged entities to register in less meticulous markets such as Italy or Poland, where the numbers of registered entities are much higher. The United Kingdom would benefit from a more stable and predictable path to regulatory approvals in digital asset markets.

Are digital asset custodians being asked to assume too much risk? 

In April 2009, global custodian banks were shocked when a French court ruled that both Société Générale and RBC Dexia were liable for losses incurred by asset management clients because of the collapse of Lehman Brothers, even though the banks did not have the assets in custody at the time because they were controlled by Lehman Brothers as prime broker. However, European Union (EU) regulators later wrote such liabilities into hedge fund (the first iteration of the Alternative Investment Fund Managers Directive, or AIFMD, of 2011) and mutual fund (the fifth iteration of the Undertakings for Collective Investment in Transferable Securities Directive, or UCITS V, of 2014) regulations. Similar provision is made in the Markets in Crypto-Assets Regulation (MiCAR) regulation, where cryptocurrency custodians are liable to their clients for any loss of crypto-assets or access to those assets up to their market value. This liability is disagreeable to digital asset custodians, but it has the merit of providing the unambiguous regulatory clarity that digital asset market participants say they want. That said, custodial liability for customer losses does represent an obstacle to scaling digital asset markets.

What is the United States government approach to regulation of digital asset custody?

In 2022-23 the Securities and Exchange Commission (SEC) introduced changes that increased costs and risks for specialist digital asset custodians and deterred global custodian banks from offering digital asset custody services at all. In March 2022, SEC Staff Accounting Bulletin No. 121 (SAB 121) prescribed that digital assets held in custody on behalf of customers should be shown on the balance sheet - an unprecedented requirement for a previously off-balance sheet business. In February 2023 the SEC proposed revisions to the “custody rule” embedded in the Investment Advisers Act of 1940. The revisions insisted asset managers work with “qualified” custodians that can pass a suitability test only. They would also oblige custodians to segregate customer and proprietary assets, including the client cash banks use to fund their business and earn net interest margin. The revisions further proposed to widen custodial liability for losses of customer assets to include discretionary investment management decisions, such as credit, short positions, collateral and derivative contracts; previously out-of-scope assets such as real estate, commodities, syndicated loans and privately managed funds; and assets in custody with third parties such as sub-custodians and central securities depositories (CSDs). At the same time, the Office of the Comptroller of the Currency (OCC) reversed its previous policy of issuing banking licences to specialist digital asset custodians, retarding their evolution. These various measures have had a chilling effect on digital asset custody in the United States. SAB 121 prompted one global custodian bank to abandon its plans to launch digital asset custody services altogether. However, another, BNY, argued successfully for an exemption from SAB 121. Peers are likely to follow the BNY example, and industry expectations are rising that SAB 121 will be withdrawn in its entirety. (3) The fate of the proposed changes to the “custody rule” is yet to be decided. The SEC remains formally committed to making changes. The industry is hopeful an SEC answerable to a Trump administration and a Republican Congress will adopt a less forceful stance.

Is regulatory competition between jurisdictions helpful for digital asset custodians?

No. With major financial jurisdictions such as the United States, United Kingdom, Germany, France, Luxembourg and Singapore adopting different approaches to the regulation of digital assets, global custodian banks face a legal and regulatory environment that was already fragmented and is now fragmenting even further. Every custodian remains answerable to their primary regulator in their country of origin, which creates a further risk that primary regulatory obligations fall out of joint with local regulatory opportunities. Fragmentation also creates a potential loss of clarity about which law will apply if assets go missing or there is some other breach of a custody contract. Custodian banks are operating on a global scale, but law and regulation are not. In essence, the lack of technological and operational interoperability in the digital assets industry is matched by an equal lack of legal interoperability. As a result, outcomes to the same issues are bound to vary between jurisdictions. For example, the Basel Committee on Banking Supervision (BCBS) capital rules for holding cryptocurrencies and Stablecoins are based on the conviction that public blockchains are more dangerous than private blockchains, but regulators in certain jurisdictions (including the United Kingdom) do not share that view. Regulatory divergences of this kind are not going to be reduced (or arrested) because assets are digital rather than conventional.

Is the United States ceding legal and regulatory leadership of the global custody industry to the EU?

Historically, the United States has shaped the evolution of the global custody industry, notably through Sections 17(f) 5 (which obliges American asset managers to hold assets abroad with custodians that meet certain criteria only) and 17(f)7 (which obliges global custodians to manage the risks of customer assets held in CSDs) of the Investment Company Act of 1940. But the passage of MiCAR, and the renewed commitment of the European Commission to the Capital Markets Union (CMU), suggests the EU can shape the regulatory environment of the digital asset custody industry on a global as well as a regional basis. Certainly, EU regulations are followed closely by foreign regulators and often adapted by them. However, national implementations of EU law mean the European markets themselves are yet to be harmonised, because national regulatory authorities guard their prerogatives jealously. It follows that regulatory divergence is likely to remain a persistent feature of the European marketplace, which in turn makes it difficult for European regulators to assume global leadership. That said, the pioneering of difficult regulatory areas by the European Commission does ensure that EU initiatives are widely monitored and partially imitated around the world.

(1) In 2019 the Financial Action Task Force (FATF) “Travel Rule” required custodians to disclose customers’ personally identifiable information in cryptocurrency and Stablecoin transactions. Not every jurisdiction has implemented the obligations or implemented them in the same way. A 2024 report by FATF (Virtual Assets: Targeted Update on Implementation of the FATF Standards on VAs and VASPs, June 2024) found 75 per cent of 130 countries were either partially or not compliant at all with the crucial Anti Money Laundering (AML), Countering the Financing of Terrorism (CFT) and sanctions screening Recommendation 15. At the national level, advice evolves continuously. The European Banking Authority (EBA), for example, has published updated versions of its original AML and CFT guidelines of 2017 in 2021, 2023 and 2024.

(2) https://register.fca.org.uk/s/search?predefined=CA

(3) On 23 January 2025, subsequent to the Future of Finance event, the SEC confirmed in Staff Accounting Bulletin 122 (SAB 122) that it was rescinding the guidance in SAB 121