Regulation is a key factor in digital asset custody
- Future of Finance
- Jul 21, 2023
- 12 min read
We look at how:
the global arms race by jurisdictions to create sound frameworks and firms to collect “qualified custodian” status
Institutional money tends to be highly regulated, particularly the bigger pools of money
The headline story about regulation is that it is coming to the crypto custody world. There is a steady tide of entities acquiring rights to operate (and increasingly in multiple markets) and a strong trend among global regulators to establish structure to normalise crypto activities including custody (Germany, HK, MiCa) as these providers try to attain “qualified custodian” status.
There is a lot of confusion around the topic. Financial service regulations are complicated and frequently hard to understand. For people coming from the crypto world, it has been a steep learning curve. The “qualified custodian” label has become a mantra that solves all issues. In reality what different types of investors require for regulatory purposes varies enormously from virtually none for hedge funds for wealthy individuals to extremely high for ERISA governed US pension funds. The starting point is what does each investor type in each market need. What different things mean can be very slippery – registered and licensed can mean very thing different things.
The broader picture is however much more complex and interesting:
Registered? Licensed? Within the regulatory perimeter?
What’s a qualified custodian?
What do different investors require?
What is the SEC doing?
Country Level review
Registered? Licensed? Within the regulatory perimeter?
There has been a lot of confusion about what different providers are allowed to do, what regulators are actually approving and for whom, and what products are within the regulatory perimeter. This has been compounded by the great variance at a global level about how each country’s regulatory system is set up and exactly what each one means by different permissions: and by some custodians giving the impression their level of permission is wider than it really is and on occasion telling outright lies.
Looking at the UK as an example: “Cryptoasset businesses that intend to provide in-scope services while acting in the course of business carried on by them in the United Kingdom must be registered with the FCA before they begin”. “In-scope” business must comply with the MLR (Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017) and refers primarily to Cryptoassets Exchanges or Crypto Custodian Wallet Providers.
This is a much lower threshold of qualification than to be licensed for dealing in specified assets the main areas covered by the FCA (stocks, bonds, Collective Investment vehicles) but has still proven too high for some major firms (like Binance).
.
“Registered cryptoassets businesses should be careful to avoid using language that might give the impression that registration is a form of endorsement or recommendation”
Crypto products are unregulated and firms selling them must make this clear whether the firm is licensed or not (e.g., a licensed bank dealing in cryptoassets must make clients aware these are not regulated products or enjoying the related protections even though the firm selling it is a regulated entity).
In the UK there is a clear distinction between Security Tokens (or digital assets) whose requirements are the same as any security or bond in the London market (i.e., a specified investment). That said the FCA still has to approve such securities or trading facilities in that it is satisfied with the elements using cryptography and/or DLT.
An example is Archex, which is a licensed regulated Multilateral Trading Facility to trade security tokens. Archex also separately is a registered Cryptoasset exchange and custodian wallet provider: the latter are unlicensed products and outside the scope of the Financial Services Ombudsman (FSB) for complaints. Complaints against Archex, for any of its licensed activities can be taken to the FSB. By contrast Zodia Custody in London which has an impeccable ownership - Standard Chartered, Northern Trust and SBI – can offer investors no access to the FSB as it is dealing in unregulated products only.
This varies market by market. In Switzerland FINMA licenses both brokers and banks and follows the same approach as the UK – cryptocurrencies only need AMLA (Anti-Money Laundering) compliance while cryptoassets are treated as securities and subject to the full related licensing requirements. Licensed Banks and Broker-dealers are already AMLA compliant so can deal or custody cryptocurrencies. FINMA approval is required to offer a custody service for securities so a bank without a custody approval would need to go through that process: it’s not clear whether a bank/broker dealer with a securities custody licence would need new approval (“stapled”) or could just inform/seek FINMA consent or approval.
However, that is not the end of the story in Switzerland. VFQ, based in Zug, has held the function of an official FINMA-recognised Self-Regulatory Organisation (SRO) pursuant to the Anti-Money Laundering Act (AMLA) since 1998. Historically it has covered parabanking an umbrella term covering payments, asset managers, lawyers , trust companies. So, it has provided a natural home
to entities that deal with crypto but could not meet full FINMA licensing requirements (Bitcoin Suisse is the best known example).
That is just two countries. A common theme and this is true of most countries, is that the ability to comply with Money Laundering requirements is the minimum first regulatory step. The next step is whether this is a positive step to place an entity on an approved list or register or a negative one, not allowing entities that have not formally demonstrated MLR/AML capabilities to conduct business in their country or (another wrinkle) with customers based there.
What's a qualified custodian?
The term “qualified custodian” originates with the SEC rules governing where SEC registered investment advisors may custody their assets: typically; banks, broker-dealers, futures commission merchants or other entities that maintains client funds and securities in specific ways. As noted earlier the SEC has proposed a new rule mainly to respond to crypto asset issues.
Why does it matter so much? The answer is simple: regulated investors can only deposit assets in custodians that the investors’ regulators permit (which may be different for different asset classes). And regulated investors are what matters in global markets.
This is very specific per country and the investor entities involved. There are general trends globally the most important are:
Introducing rules to govern how crypto assets are custodied (probably with most focus on retail investor protection)
The treatment of Security Token custody as part of the securities framework with licensed broker-dealers or banks being allowed (or required to gain additional approval) to add these to custody of conventional securities.
Increasing efforts to create an overall framework for all Virtual Assets encompassing crypto and all other digital assets (security tokens and tokenised real assets) and linked to traditional securities.
What do different investors require?
The USA is probably the place to start for several reasons:
End-investors control large pools of money (see Table 4), especially out of the United States. These institutions dominate the conventional markets today. They are also the institutions that can turn tokenisation from an idea into a global reality.
The regulators (especially SEC but also the OCC) are taking an approach seemingly designed to make custody of digital assets very difficult in contrast to most parts of the world.
Generally, these pools of money entrust investment to one group of third parties (asset managers) and custody to another group of third parties (the global custodians). Few employ more than a handful of people and, barring a few exceptions, want to focus on setting investment goals and monitoring actuarial risks.
For many years now they have entrusted expansion by their asset managers into new markets or asset classes to their global custodian. They are not – unlike cryptocurrency investors – natural supports of “self-custody,” especially of operationally awkward new asset classes such as digital assets.
More importantly still, however enthusiastic end-investors are about digital assets, they face stringent constraints and controls over what sort of custodian they can appoint to safekeep their portfolios. This is best understood through the prism of the regulations that govern the custody appointments of the major American pools of money.
Why? Because the United States is home to the largest pools of investment capital in the world (see Table 4) and American regulators have long set the terms by which those pools of capital can be custodied at home and abroad.
The Employee Retirement Income Security Act of 1974 (ERISA) is the primary legislation that governs private corporate pension plans, of both the defined benefit and defined contribution kind. Most public sector pension funds in the United States also, by statute, follow ERISA guidance.
So as a pension fund you have adhere to what ERISA approves: for what assets you can buy and what custodians you can use. This is pretty straightforward with domestic assets sticking with SEC rules. Outside the US (and what does that mean with cryptoassets?) ERISA 404(b) is the governing rule: it obliges ERISA funds to use as custodians banks whose principal base of business is in the United States. This generally means appointing an American global custodian, which can use sub-custodians to hold assets abroad, but they must meet specific conditions.
ERISA puts an outside limit on what is the investment universe but individual plans charters and investment rules may limit choice further. Sometimes funds have quite idiosyncratic rules or tend to be conservative particularly union funds and state or local government.
Similarly, asset managers in the United States face comparable restrictions on their freedom of action to appoint custodians.
Between 1984 and 2001, the SEC added rules (Sections 17(f)5 and 17(f)7) to the 1940 Investment Company Act which set minimum standards for the custody of assets of American funds held in foreign jurisdictions with similar constraints to ERISA.
That is in the USA but other jurisdictions - the EU with UCITs is most important _ have similar restrictions especially on collective Investment vehicles.
Such formal and informal restrictions are almost certain to delay institutional adoption of digital assets. A fund may have a major real estate allocation but be unable, on account of investment restrictions embedded in its charter, to invest in those same assets in tokenised real estate form. After all, even the move by American funds and asset managers to invest outside the United States took decades to become established.
In the short term, the formal and informal restrictions will be felt most keenly by those newer digital asset custodians that emerged from the cryptocurrency markets.
Already American pension funds place assets with a narrow range of custodians, especially outside the United States.
The established global custodian banks – BNY Mellon, Citi, J.P. Morgan, State Street, Northern Trust and others - are clearly best-placed to exploit the opportunity as institutional funds move into the digital asset markets, not only because they have a relationship with the funds already but because regulations give them an additional advantage.
As Joseph Chalom, Managing Director and Head of Strategic Ecosystem Partnerships at BlackRock, has put it: “We go to jail if we don't know who we are trading with; we can only participate in ecosystems who are well regulated and understood." (1)
Of the new crop of digital asset custodians only those owned by established firms (such as Fidelity Digital) or licensed by the NYDFS (such as the publicly listed Coinbase, the ten-year-old BitGo or the always institutional-grade provider Standard Custody & Trust) as special purpose trust companies have a chance of competing with the banks.
What is the SEC doing?
In the United States, the recent behaviour of regulators is bound to encourage this innate conservatism.
In June 2023 the SEC charged Coinbase with operating its trading platform as an unregistered national securities exchange, broker, and clearing agency. The SEC also charged Coinbase for failing to register its “staking” service. (2)
Earlier, in February 2023, the SEC had issued a Wells Notice to the Paxos Trust Company, informing the company of the substance of the charges that it was recommending for legal action. Yet no digital asset service provider has tried harder to achieve full regulatory status than Paxos.
The company secured a State trust company charter from the NYDFS in 2015. In April 2021 it received preliminary conditional approval from the Office of the Comptroller of the Currency (OCC) to establish a national trust bank. (3) In October 2021, Paxos applied to the SEC for a clearing agency license so it can settle securities on a blockchain network. In July 2022, the company became the first Stablecoin issuer to disclose the reserves underpinning a Stablecoin. (4) In November 2022, Paxos received a licence from the Monetary Authority of Singapore (MAS) to offer digital payment token services. (5)
Measures taken against established and reputable digital asset firms are consistent with an increasingly aggressive approach to digital assets in general and cryptocurrencies in particular on the part of some American regulators.
Measures taken against established and reputable digital asset firms are consistent with an increasingly aggressive approach to digital assets in general and cryptocurrencies in particular on the part of some American regulators.
In fact, it is not hyperbolic to say that the SEC has embarked on a path – probably inadvertently - that will make it impossible for anyone to offer regulated digital asset custody.
In March 2022, SEC Staff Accounting Bulletin No. 121 (SAB 121) prescribed how digital assets held in custody on behalf of customers should be shown on the financial statements of entities registered with the SEC.
SAB 121 requires digital asset custodians to show customer assets held in a fiduciary custody basis on their balance sheet. This treatment of custody assets is unprecedented in the history of custody, an industry whose commercial economics rest on the fact that it is an off-balance sheet, fee-earning business. The SEC justified such a dramatic change on the grounds that digital assets pose new risks.
The net effect once digital asset custody begins to scale would be to make it extremely difficult even for large, regulated banks to provide a digital asset custody service.
The five largest global custodians, all of them American, have a collective AuC of US$154.1 billion (see Table 2) and total balance sheet footings of less than a twentieth of that figure (US$6.9 trillion). Unaltered, SAB 121 will make it impossible for the leading global custodian banks to custody digital assets, let alone the smaller digital asset custodians that have emerged from the cryptocurrency markets.
But SAB 121 is not the only obstacle set by the SEC. The regulator is also proposing changes to the Investment Advisors Act of 1940 - legislation that applies to all investment advisers registered with the SEC – to change how investment advisers safeguard client assets.
A new Rule 223-1 would apply Rule 206(4)-2, known as the “custody rule,” to all client assets, not just securities and funds, and so embrace digital assets in particular.
Advisers would have to place the assets in bankruptcy-remote accounts with a custodian prepared to indemnify clients for any losses occasioned by their own negligence. Clearly, these provisions would erect another barrier to entry and success for the less established digital asset custodians. (6)
Importantly, the definition of an acceptable custodian is restricted to American banks or savings associations (including trust companies), broker-dealers registered with the SEC, futures commission merchants (FCMs) registered with the Commodity Futures Trading Commission (CFTC) and certain types of foreign financial institutions licensed to offer services in the United States.
Considered purely in domestic terms, the revised “custody rule” is no more than a logical attempt by the SEC to extend a longstanding American concept of a “qualified custodian” - an idea embodied in Section 17(f)5 and Section 404(b) - to cryptocurrencies and, by extension, digital assets as a whole.
The term “qualified custodian” has gained traction because it expresses a simple idea (that regulated investors must only custody assets with custodians that the regulators permit) and addresses directly a major trend that is gathering pace (the irruption of institutional investors into the digital asset markets).
The difficulty is that “regulated investors” are not an undifferentiated mass.
The intensity of regulation has always varies enormously from hedge funds, via insurers, to pension funds. Different investors need different levels of protection, and regulation has always recognised that. That complexity is multiplied when regulations in other jurisdictions must be taken into account.
But American regulation in particular seems set on a path that refuses to recognise the complexities. The change in the “custody rule” might so narrow the definition of a “qualified” custodian that only federally chartered banks will be able to provide a service.
Of the non-traditional providers, a restriction of “qualified custodians” to federally chartered banks would leave only Anchorage Digital Bank of the non-traditional providers in the field at all. The cryptocurrency exchanges that offer services, and the digital asset custodians licensed by the NYDFS, will not “qualify” to provide a service.
As it happens, the OCC that licensed Anchorage Digital Bank in the first place is also now reconsidering its earlier willingness to licence digital asset custodians.
Though it approved the application of Anchorage Digital Bank to establish a national trust bank in April 2022. It gave conditional approval to Paxos to do the same in April 2021, but in March 2023 it allowed the Paxos application to expire. Protego Trust Company also received conditional approval in 2021 but that lapsed in February 2023.
So, it is noteworthy that in June 2023, four months after the SEC published the proposed revisions to the “custody rule” and just a week after the SEC sued Coinbase for operating an unregistered trading platform, BlackRock actually chose Coinbase as the custodian for its proposed Bitcoin ETF.
While sophisticated asset managers such as BlackRock are always less conservative than pension funds, this looked like a bold decision. But it may be that BlackRock had less choice than the roster of digital asset custodians might suggest. The safekeeping and servicing of digital assets requires a different set of capabilities than most traditional custodians currently possess.
A more comprehensive take on the proposed changes to the Investment Advisors Act is provided by Polygon in the next section.
Country Level review of Regulatory Authorities and Business permissions (Cryptocurrencies)
The table below is a summary level of the basic regulatory authorities in the largest global capital markets for Cryptocurrencies. Security Tokens are covered under the existing securities regulations in each of these markets.
(2) https://www.sec.gov/news/press-release/2023-102. See page [TK] below for further discussion of “staking.”
(3) Office of the Comptroller of the Currency (OCC), OCC Conditionally Approves Chartering of Paxos National Trust, news release, 23 April 2021. This expired on 31 March 2023).
(4) Paxos press release, Paxos Leads Digital Asset Industry by Becoming First Issuer to Disclose Full Monthly Reserve Holdings Backing USDP and BUSD Regulated Stablecoins, 8 July 2022.
(5) Paxos Press Release, Paxos is the first US-Based Blockchain Infrastructure Platform to Secure Regulatory Oversight in Key Financial Hubs of New York and Singapore, 2 November 2022.