Mapping the current state of the industry

Per the UK Law Commission “Digital Assets: Consultation paper” we believe it is appropriate to draw a distinction between direct custody services (that is, holding crypto-tokens on behalf of or for the account of other persons and having capacity to exercise or terms of both its positive and negative aspects) and custodial or other technology-based services that do not involve a direct custody relationship – this is most notably where client assets are poled and held by Exchanges.

In this paper we split the types of custody provision along the lines of other papers but with some changes in approach.

Regulators (notably in the European Union, where assets in custody with broker-dealers lacked the protection they enjoyed in the United States20) have reinforced this change by laying obligations on third party custodians to segregate customer assets and take responsibility for any losses of cash or securities.

The cryptocurrency markets, by contrast, developed a different custodial structure. It consists of three distinct models.

The first is pure digital asset custodians that provide digital asset custody services to investors as a fiduciary that segregates client assets.

The second is providers of digital asset custody technology:

• that enable an investor to self-custody

• provide technology some level insourcing to digital asset custodians

The third is hybrids of the two, that is bank or non-bank custodians offering technology services as well.

There is an obvious explanation why cryptocurrency custody developed so differently from traditional custody.

The current segmentation reflects the origins of the industry where in the early days:

1. the technological ability to deliver secure custody of keys was the paramount issue

2. many early adopters (and the more adventurous end of the institutional market) wanted to self-custody either as matter of principle, in this brave new world, or out of caution that holding the private keys themselves was the only truly safe option.

At that point specialist technology companies that could provide highly secure safekeeping of private keys were compelling, whatever their lack of formal banking licenses and regulatory frameworks. And these technology-based custodians emerged in two forms: an independent digital asset custody service or a set of technological tools that customers could use to self-custody.

This combination has worked surprisingly well in practice, given that most providers had no capital, no established financial controls and no regulatory oversight.

Over time we think this section will provide more focus on the types of custodian and services offered. Technology will remain, but as a critical component but more to entities that are custodians serving end-clients, rather than an end in itself.  Institutional self-custody will be a much smaller piece of a much bigger market.

Technology vendors will develop products to support sectors of the market. Larger custodians may build or buy systems or components thereof. A survey of Technology vendors will remain highly relevant but have a different focus – already many of the big Tech vendors have a large slice of financial clients who are offering custody services to asset owners. The custodian buys-in whatever technology pieces they need but these are inputs to their business, not the business itself.

The segments:

Direct Custodians:

Directly secure the digital assets of others. They perform key management and assume the risks associated with the safe keeping of assets.

The key issue is how safe is my custodian? Custodians take on the primary role of managing and protecting a customer’s private key information. The issue of what is a qualified or regulated or licensed custodian is left to the next section, but the absolute issue is still relevant with or without regulation. Concerns about this are still very strong as per SEC Accounting 121 shows.

Direct custodians have full control, or control shared with designated client staff and processes, over the private keys of the assets in their care. They typically operate by collecting a percentage fee based on the amount of AuC, other forms of revenue include trading fees and withdrawal fees, and revenue from other forms of value added services they provide. The level of activity and range of services has typically been greater than for traditional custodians allowing a potentially higher margin on assets.

The reasons why institutions outsource their custody are the same in crypto as in traditional asset custody and the long-term universal trend to outsource functions that are not core businesses.

In traditional asset custody the custodian is: handling securities into up to 80 markets and dozens of sub-custody relationships or CSD memberships; dealing with corporate actions; tax issues per country; regulatory changes per country; selecting and running a sub-custody network; securities lending; maintaining up to date systems and cybersecurity. The list is endless, and most pension funds have small staffs. Why would you do this rather than hand over to a specialist doing this for hundreds of clients who also, under most regulations , effectively provides very broad guarantee against losses.

With crypto and digital assets, you face the same fundamental issues. There may be a greater variation with different blockchains rather than security types; country has made less difference but that is changing; the pace of  custody of software change and cyber risk is higher; the range of connected services (links to exchanges and trading) and products (staking, lending) is higher.

The newness and pace of change make this challenging even with a strong Tech vendor’s support. Regulators also have, and continue, to create many rules about what regulated entities have to do re custody.

Tech providers support for :

• Self-Custody

• Custodians

Self-Custody supported by Tech providers:

Vendors provide software and hardware solutions that enable their customers to self-custody. While there are certain clear benefits to operating with a licensed direct custodian, for certain firms the need to control risk internally and concerns about trusting what are, from a broader perspective, small undercapitalised fintech startups. Even the “establishment” firms like BitGo are barely ten years old. In that context the cost of investing to develop policies, hire or train staff, and building or buying systems may seem a wiser choice.

These providers are not regulated and do not provide regulated services. They provide software/hardware, training and sometimes staff under contract to help operate the customer’s custody requirements. They do not or should not have control of either customer private keys or funds.

These companies offer a range of software (MPC and multi-sig) and hardware (HSM) solutions and services that allow for customers to secure their digital assets without transferring ownership of the private keys.  

The explosion of Web3 services also offers a rich vein of potential of clients who may need applications for new or differently configured business models that most direct custodians will struggle to integrate with their “legacy” infrastructure in a timely manner if at all (if such a term can be used in digital asset custody).

However high-quality or cutting-edge the products and services of technology providers there are downsides. The largest of which is that, just as with other forms of self-custody, the end customer bears the risk of properly maintaining and backing up their keys and/or key shards.        

Custody supported by Tech providers:

Direct custodians now and in the future will need to make build or buy decisions around hardware and software systems.

Crypto custody has been so much about crypto that building your own systems has been an industry norm.:

• The entrance of established bank custodians who may not want to develop these systems from scratch. BNY Mellon  the world’s largest custodian with over $ 40 trillion in AuC is partnered with Fireblocks to create its initial system. We do not think anyone would describe this as BNY Mellon “self-custody”: it’s a major custodian insourcing the technology.

• Over time custodians will make these decisions to build or buy their whole custody system or to build the core system but to outsource specialised areas ( particular HSM , a staking or key management structure). Security will likely play a role as may the size of the AuC base – the bigger the more revenue to spread technology build costs over. A sign of the mutability of this issue was the State Street/Copper which was announced and dissolved within a year. State Street the number two global custodian behind BNY Mellon chose a different path.

Typically, technology providers operate by charging subscription and plan fees, as well as revenue from value added services.        

Hybrid:

Providers that offer both direct custody and self-custody technology solutions. The majority of this category is simply companies that provide both direct custody and technology based solutions.

The entry of the banks has complicated the market structure because banks are not only offering custodial services but also technology services (including asset tokenisation services).

The current market structure, is depicted in Figure 1. Non-bank hybrids include firms such as NASDAQ - an exchange that became a technology company but also offers custody and, in some markets, CSD services.

Chart 1

As Figure 1 also shows, the proportion of bank custodians recorded in the Future of Finance database has increased since 2022 from a quarter to over forty percent including hybrids, while non-bank custodians including hybrids have shrunk from 44% to 38%. Technology companies fell in percentage terms but were steady in numbers.

Chart 2

At present, the state of that contest is hard to measure in terms of AuC, because the majority of digital asset custodians do not disclose the figures.

We were surprised to be able to produce any analytical important information on AuC but data on a number of names where something was available.

In total we gathered some type of data from 24 names with $ 420 billion in AuC for custodians directly and Tech companies indirectly. This is purely crypto tokens with no security tokens or digital assets.

Caveats abound as you would expect which we will note below. The interesting example available of hard data is Coinbase. The Q4 2021 data ,which is still out there as the only information generally reported in studies ,was at would be very inflated given price moves. Coinbase however had $ 90 billion AuC at end Q3 2021 but $ 124 bn at the end of Q1 2023 which was a surprising result (and is an SEC 10-Q of an NYSE listed firm). The numbers were much higher than expected and are more than 10% of all cryptocurrencies.

Table 1

This bias towards regulated custodians is evident also in the performance of Coinbase since the events of 2022 shook the confidence of investors.

The publicly listed cryptocurrency exchange saw the value of its AuC increase from US$80 billion at the time FTX failed in November 2022 to US$129 billion by the end of the first quarter of 2023 (see Chart 1). US$129 billion was equivalent to more than a tenth of the total value of the cryptocurrency markets at 31 March 2023.

The most prominent of these developments in the cryptocurrency market - a shift towards pure third-party custodians, and especially regulated ones, coupled with a shift towards transparent and regulated cryptocurrency exchanges – suggests digital asset custody is moving away from the original cryptocurrency model.

In that original model, the technological ability to deliver secure custody of private keys was the paramount issue, and self-custody of the private keys using technological tools supplied by specialist vendors was the only truly safe option. In other words, self-custody is on the wane.

This is not to suggest that self-custody supported by technology providers will disappear altogether. Certain firms will always prefer to control cryptocurrency risk internally instead of trusting their assets to under-capitalised specialists with limited track records (even BitGo is barely ten years old). That means buying systems from technology vendors and hiring people to operate them.

The vendors are not regulated and do not provide regulated services. All they provide is technology, training and sometimes staff under contract to help operate a system on behalf of a customer. They do not – and should not - have control of either customer private keys or customer funds. (21)

Self-custody is nevertheless likely to remain a minority choice. No matter how compelling the technology offered by vendors turn out to be, in any form of self-custody the end-customer bears the risk of properly maintaining the security of their private keys.

Why? Because direct custodians directly secure the digital assets of customers in much the same way as conventional global custodians.

The direct custodians that operate the cryptocurrency markets today have full control - or least control shared with designated client staff and processes - over the private keys of the assets of customers that are in their care.

They operate by collecting an ad valorem fee on AuC, supplemented by trading and withdrawal fees plus revenue from other services they provide. In short, their business model is the same as that of a traditional custodian.

This makes it familiar to institutional investors embarking on digital asset investing. And the reasons why institutions will want to outsource their digital asset custody needs to direct custodians are also much the same as those which drive their use of traditional custodian banks in the securities markets today: it is better to let a specialist third party handle the operational complexities.

Instead of the complexities of settling trades or reclaiming tax or collecting dividends in 80 markets around the world like a traditional global custodian, a digital asset custodian will grapple with the difficulties of settling trades and collecting entitlements on assets traded on dozens of different blockchain protocols.

Institutional investors can also count on direct custodians to make technology choices on their behalf. Established global custodians entering the digital asset custody market have already shown they do not want to always develop the necessary systems in-house.

BNY Mellon, the largest global custodian in the world, has established a partnership with technology vendor Fireblocks to create its initial system.

However, there are other paths. A sign of the mutability of this issue was the partnership between State Street and technology vendor Copper, which was announced and dissolved within a year.

The destination of the institutional digital asset custody industry is not yet clear, but it is becoming clearer, and it can be see already that the dominant model will be more like the securities markets of 2000 past than the cryptocurrency markets of 2018.

Chart 3

The data from our survey participants on who Digital asset custodians view as Target Clients, provides quite a clear picture.

100% of respondents chose Institutional asset managers as a target: they are huge assets holders but as yet have little in digital assets and may be more open to approach. 

The high numbers for Hedge Funds, Family Offices and Wealth managers reflects how active these players have been to date.

Equally interesting are some of the choices getting less focus:

Pension funds: these are the entities that actually employ custodians for a very large piece of AuC globally. Asset managers choose the custodian of their own Funds: they do not choose the custodians of the large separate  accounts they manage such as pension and endowment funds. However, reaching pension funds is a notoriously difficult process and they are very cautious.

Insurers: Are one of the largest holders of assets globally so the low priority is striking.

This may reflect a view that insurers are conservative in their approach to asset class expansion.  The larger insurance groups also often have separate asset manager arms that manage internal as well  as third party assets; so some of the Institutional asset manager focus may capture Insurers.

(1) Another potential client group for these vendors is firms capitalising on the structural shift from Web 2.0 (characterised by closed platforms owned by centralized Big Tech firms creating value by monetizing data) to Web 3.0 (characterised by open platforms owned by users creating value by trading peer-to-peer). They need peer-to-peer applications that third party digital asset custodians may struggle to deliver.

Mapping