Is the digital asset custody industry ready to grow up?

[JUL 2022]

A summary of the webinar of June 9 2022 entitled Is the digital asset custody industry ready to grow up?

SUMMARY

What can be done about crime in the cryptocurrency and DeFi industries?

According to Chainalysis, thieves stole $3.2 billion of cryptocurrency in 2021 and had stolen another $1.3 billion in the first quarter of 2022. Most of it thefts are no longer from cryptocurrency exchanges but from Decentralised Finance (DeFi) protocols. 97 per cent of thefts came from DeFi  protocols in the first quarter of 2022, against just 30 per cent in 2020. Chainalysis counts 527 cryptocurrency thefts since 2014- an average of 66 a year.

None of the fixes – tighter custody of private keys, reduced code vulnerability, greater emphasis on internal security processes, monitoring of potential defectors inside firms and of price manipulation, and the introduction of Know Your Client (KYC), Anti-Money Laundering (AML), Countering the Financing of Terrorism (CFT) and sanctions screening checks – have worked. The use of “bridges” between blockchain protocols seems to have introduced a new point of entry for criminals.

While the crimes need to be taken seriously and are being solved by the introduction of new techniques to police how investors interact with counterparties and smart contracts, such rapid innovation cycles are bound to create software vulnerabilities and attract bad actors. Crime will always be an arms race, but reducing its scale in cryptocurrency is a matter of time and technology.

Companies active in cryptocurrency and DeFi markets can still learn from the crime-fighting techniques developed in traditional finance (TradFi). They should also aim to minimise human interventions in transactions, since these touch-points are the primary source of the vulnerabilities.  

To read the relevant section of the transcript, click here

To watch the relevant section of the video recording, click here

Do institutional investors active in cryptocurrency and DeFi markets treat their custodians as insurance policies that will cover their losses?

Global custodian banks are often treated by asset owners as insurers of last resort against the loss of financial assets but the banks themselves do not see themselves the same way. Instead, banks look to provide safe custody for assets, mainly via processes and procedures rather than technology. 

In fact, liability for loss is a contentious issue for banks, as became evident in Europe, when the European Union (EU) introduced the Alternative Investment Fund Managers Directive (AIFMD) in 2013. That legislation made custodians liable to make investors whole even for loss of assets not within their control, but the control of prime brokers and central securities depositories (CSDs). The same logic was later extended to mutual funds via the fifth iteration of Undertakings for Collective Investment in Transferable Securities (UCITS V).

On the other hand, cryptocurrency custodians without much capital of their own are offering outright insurance policies, but they are confined mainly to assets in cold storage.

To read the relevant section of the transcript, click here

To watch the relevant section of the video recording, click here

Custodying digital assets is not just a case of monitoring entries in an electronic register but custody of the asset itself – so it is plausible that custodians could refuse to custody certain types of asset because they do not wish to assume the liability. How hard is that to do with clients, in practice?

Conventional global custodian banks are reluctant to assume liability for, say, the performance and integrity of a smart contract in a DeFi protocol. Logically, the liability should rest with the issuer. Custodians cannot safely custody assets that could be lost through the behaviour of a smart contract for which they are not responsible – and whose coding they cannot be expected to check. Even though tokenised assets are much more transparent than conventional financial assets, global custodian banks have never assessed securities one by one to see if they can safely be custodied. The idea of checking the smart contracts embedded in security tokens implies they would have to start doing that or at least start discriminating between digital assets they believe they can custody safely and those they believe they cannot. 

Pure cryptocurrency custodians can take a more expansive view of the problem because they do not yet incur the liabilities imposed on conventional custodian banks by regulations such as AIFMD, UCITS V and the client money and assets regime laid down by the Financial Conduct Authority (FCA) in the United Kingdom via its Client Assets Sourcebook (CASS). 

As AIFMD and UCITS V presaged, CSDs custodying digital assets face the additional challenge of establishing how liabilities for loss are divided between themselves and the custodian banks which operate accounts at the CSD on behalf of asset owners. The segregation of assets held within CSDs is part of the conventional answer to the challenge. On this point, experience from TradFi is helpful, though the novelties of digital assets – and especially the reality that the code of individual tokenised assets will vary, and so represent differential rates of risk – have the potential to complicate the relationship between CSDs (into which tokens will probably be issued wily-nilly) and custodian banks (which will be liable for assets lost, including assets held in a CSD which fails or is hacked).

To read the relevant section of the transcript, click here

To watch the relevant section of the video recording, click here

Are climate-friendly digital assets a contradiction in terms?

The energy consumption of cryptocurrency mining is a contentious issue of longstanding, which the mining industry has sought to address through greater use of renewable forms of energy, as well as less laborious methods of reaching a consensus. 

To read the relevant section of the transcript, click here

To watch the relevant section of the video recording, click here

How important as a source of competitive advantage are the different technical solutions to the custody of private keys?

Retaining safe custody of the private keys to a digital asset is the ne plus ultra of digital custody. The challenge is to combine a high level of security with high availability of the asset, especially for transfer.  

Cold storage sounds safe but still requires human intervention to, say, open the vault – and that introduces a vulnerability. The solution to this is a zero-trust operating model, in which nobody but the owner of the asset has the right to move it.  

Digital assets are most vulnerable when being transferred between wallets especially across blockchain protocols (when they are `in flight’ or crossing a `bridge’). This is an instance where conventional insurance can help.  

In practice, different investors and intermediaries make different demands in terms of the balance between security and availability. Their demands reflect their trading strategies, appetite for risk and regulatory obligations, and these require different private key custody services. 

When it comes to attracting institutional investors, secure digital custody plus self-sovereign digital identities (SSIDs)  – by which ownership of an asset can be tied to the digital identity of the owners – are likely to prove the most effective combination. 

To read the relevant section of the transcript, click here

To watch the relevant section of the video recording, click here

Why are retail investors neglectful of custody – is it too difficult for them to access an effective custody service?

Cost is an important consideration for retail investors. However, the cryptocurrency industry is developing safer custody services for retail investors at a more attractive price point, especially as they move into DeFi protocols, including MPC and hardware wallets.

To read the relevant section of the transcript, click here

To watch the relevant section of the video recording, click here

Regulatory compliance is seen in TradFi as a large and unwelcome cost. So is it a mistake to welcome regulation of the cryptocurrency industry?

Some civil law jurisdictions (such as Switzerland) have changed the law to help digital asset markets (if not cryptocurrencies specifically) develop within a regulatory framework, though legacy regulatory obligations also tend to continue to apply. Regulation can be expected to adapt in the light of experience, especially as regulators become more comfortable with the risks and uncertainties – and that requires practitioners to engage with them actively. Technology can also play an important role in lightening the burden of regulation.

To read the relevant section of the transcript, click here

To watch the relevant section of the video recording, click here

CB Insights says venture capitalists have invested US$1 billion in digital asset custody providers in 2022. What is the growth they are betting on?  

There is second wave of venture capital investing in cryptocurrency and digital asset custody services – the first was in 2018 – because venture capital investors are excited about the ability of tokenisation to open up massive but less liquid asset classes such as privately placed equity and debt, fine art, music rights, collectibles and real estate. They see a sound custodial infrastructure as central to enabling that explosion of interest to happen. 

To read the relevant section of the transcript, click here

To watch the relevant section of the video recording, click here

Why have traditional global custodians been so slow to enter the crypto-currency or digital assets custody business?

Traditional custodian banks such as BNY Mellon, Citi, Standard Chartered and State Street are now getting involved in cryptocurrency custody through joint ventures and technology partnerships but are far outweighed by dozens of FinTechs and technology vendors also attacking the space.

However, head-to-head competition between traditional banks and digital custodian start-ups is not occurring. Instead, they are collaborating, because the start-ups have the technology and the custodian banks have the institutional clients that can help the market grow.

One inhibitor for traditional banks is that custody is a more capacious concept for them than it is for a start-up.  For a global custodian, “custody” also encompasses fund accounting, asset servicing, risk management, performance measurement and other services. 

For traditional banks, custody is also regulated from the client as well as the service provider perspective. For some clients of custodian banks, cryptocurrencies are not eligible assets. Mutual fund managers in the EU, for example, are barred by UCITS regulations from investing in cryptocurrencies – though an institutional quality custody service could encourage regulators to change the rules.

To read the relevant section of the transcript, click here

To watch the relevant section of the video recording, click here

Are developments in the DeFi market an opportunity for traditional institutional custodians or something to be wary of?

For institutional custodians – whether they are banks or start-ups – DeFi is potentially large income opportunity. Established service providers (such as SDX) are already offering cryptocurrency staking opportunities for clients, though so far in straightforward cryptocurrency transaction block validation rather than DeFi protocols. 

Regulated entities servicing institutional clients are now entering the DeFi market, as a natural evolution of the services they provide and the development of the investment appetites of their clients. 

In managing the risks for their clients, custodians need to assess digital assets carefully, diversify the liquidity pools they access, understand the smart contracts they are interacting with, draw up lists of eligible tokens and Dapp URLs, conduct due diligence on the (anonymous) counterparties, gather data to share with clients and mitigate the risks of crossing `bridges’ between Blockchain protocols.  

Banks in particular have to do all this without breaching regulatory (and fiduciary) obligations that do not necessarily apply to pure digital custodians, so it is not easy. In DeFi, even the products let alone the providers, are not fully regulated. In addition, regulators do not yet understand DeFi and its technological foundations, though their understanding is improving all the time. This regulatory uncertainty remains an obstacle to institutional participation in DeFi at scale. 

To read the relevant section of the transcript, click here

To watch the relevant section of the video recording, click here

Is custody now the logical route into digital assets for ambitious and talented capital markets professionals?

There is – or ought to be – strong demand from FinTechs active in the cryptocurrency and DeFi markets for experienced custody professionals. 

To read the relevant section of the transcript, click here

To watch the relevant section of the video recording, click here

Which of the global custodian banks, the exchanges, the technology vendors and the digital custody start-ups is going to “win” the race to dominate digital asset custody in the long term?

In terms of eventual outcomes, the twin extremes are that the traditional industry migrates to Blockchain (and nothing really changes) or the traditional industry is displaced by networks of permissionless networks (in which everything changes).  

If the existing infrastructure is displaced, some believe traditional custodians and CSDs will be reduced to, at best, being network `orchestrators,’ by which is meant governing access to networks that are private though permissionless, including by FinTechs that do not wish to be regulated themselves. 

On the other hand, displacement of the status quo would also create demand for new types of services such as smart contract auditing, which custodians and CSDs could potentially provide. They will likely earn revenue from a variety of services rather than rely (as traditional institutions do today) on settlement, safekeeping and asset servicing.

Though it is too soon to `pick winners,’ institutions both new and old will succeed only if they enable the digital future to be realised. Indeed, the most probable long term outcome is a compromise between the extreme positions, in which the need to safekeep private keys transforms the nature of custody but the disciplined processes and procedures and fail-safes of TradFi custody are also adopted.

To read the relevant section of the transcript, click here

To watch the relevant section of the video recording, click here

If you would like more information or we can assist in any way or you would like to join future discussions please email Wendy Gallagher on wendy.gallagher@futureoffinance.biz