Future of Finance


The changeable burden that regulation is about to lay on digital asset custodians

A transcript of the Future of Finance webinar with The changeable burden that regulation is about to lay on digital asset custodians, with Jack McDonald, CEO at Standard Custody and Trust Company; Yannick Cherel, Chief Compliance Officer and Money Laundering Reporting Officer at Zodia Custody; Barney Reynolds, Global Head of Shearman and Sterling’s financial services industry group; and Elizabeth Mathew, Head of Growth and Partnerships for Metamask Institutional.

Dominic Hobson  00:19: Hello, everybody. I’m Dominic Hobson, Co-founder of Future of Finance and welcome to our webinar, `The changeable burden that regulation is about to lay on digital asset custodians.’ That rather clumsy title reflects the fact that digital asset custody is about to be regulated rather more aggressively than it has been to date, but almost certainly not in quite the same way in every jurisdiction that matters. We see this already in the way different jurisdictions have approached making what the Financial Action Task Force (FATF) calls virtual asset service providers (or VASPs) comply with the Anti-Money Laundering (AML), Countering the Financing of Terrorism (CFT) and sanctions screening obligations which were laid on everybody in the digital assets industry way back in 2018. As a FATF report last summer disclosed, just 11 out of 98 jurisdictions which were surveyed have actually even started enforcement and supervisory measures on money laundering and sanctions screening. Now we have regulators in the United States telling digital asset custodians they must put client assets on the balance sheet. And their counterparts in the European Union (EU) are clearly thinking in a similar but slightly different way by asking digital asset custodians to accept full liability for any customer losses of digital assets. Now, those measures were decided long before FTX fell over. But that event has given retail investors at least a very sharp reminder of the need for independent, segregated custody of their digital assets. Institutional investors, of course, knew that already. A recent survey of asset managers, asset owners and hedge funds by Celent on behalf of BNY Mellon found 70 per cent of respondents agreeing that their trading of crypto assets, whatever that means, would increase if they could custody them with a recognised, highly rated financial institution. And even more of them (91 per cent) are interested in investing in tokenised assets. In other words, safe custody is the key to making a success of those progeny of the cryptocurrency revolution – namely, security tokens and fund tokens. At Future of Finance, we are conducting a survey of digital asset custodians and it’s already found more than 100 suppliers of the requisite digital asset custody services. They range enormously in terms of size, structure, services provided, techniques, geography, target clients, capital strengths and so on. But especially they vary in terms of their regulatory status. Now our purpose in that survey is to categorise the many different types of provider of digital asset custody services to understand what different types of investors should look for in a digital asset custodian; to grasp the unusual nature of the risks those digital assets represent; and to explain how digital asset custodians manage and mitigate those risks. Now, that will take time. But we can see already that less than one in 20 of those 100 providers we’ve found is actually an established, fully regulated and well-capitalised custodian bank. So whatever regulators want in this area, most digital asset custodians in business today are likely to lack the financial strength to meet a regulatory obligation, if one is laid upon them, to make investors whole in the event of a loss above a certain size. Yet almost all of those non-bank digital asset custodians are regulated in some way. So the question is, `Are these moves by regulators to require custodians to protect investors without limit a cunning plan to drive the custody of digital assets into the arms of regulated banks?’ If it is, might the plan backfire and actually drive regulated custodian banks out of the digital asset custody business?’ Either way – in the very week that BlackRock CEO Larry Fink attracted a lot of attention by declaring that the next generation for markets, the next generation for securities, will be tokenisation of securities – the future success and the future growth of the digital asset markets might just be being put at risk by some ill-thought-out regulatory moves. Now, there’s always a case for regulatory competition, and perhaps especially so in innovative fields such as digital assets, but if digital assets are to become an institutional industry on a global scale in the near term, I suspect it would help custodians to provide a good service at a reasonable price if there was some degree of regulatory convergence between the leading financial jurisdictions. Now to help us explore this topic, we’re joined by four experts in the field. Jack McDonald is CEO at Standard Custody and Trust Company, a Polysign subsidiary that provides institutional-grade custody for digital assets. Jack is a former president and CEO of Conifer Group, the fund administration business and prime brokerage business later sold to SS&C and Cowan Group respectively. Prior to Conifer, Jack held senior roles with Schroders and UBS. Yannick Cherel is Chief Compliance Officer and Money Laundering Reporting Officer at Zodia Custody, another institutional-grade digital asset custody service, provided in this case by Standard Chartered Bank in association with Northern Trust. Yannick joined Zodia in June this year after holding a variety of compliance roles at Standard Chartered and BNP Paribas. Barney Reynolds is Global Head of Shearman and Sterling’s financial services industry group, which advises financial institutions and infrastructures, governments and public bodies, including on financial markets regulation. Elizabeth Mathew is the Head of Growth and Partnerships for Metamask Institutional. In this role, she’s focused on solving how to connect every organisation on the planet to Web 3.0 in a safe, secure and compliant way. Prior to joining Consensys, Elizabeth spent nine years in fixed income sales, trading and structuring with Lehman Brothers and J.P. Morgan. As always, in addition to our panelists, we have you as well, our audience, and all five of us encourage everybody watching or listening to submit questions and comments throughout this webinar, by using the Q&A functionality at the bottom of the Zoom screen. I won’t be saving those questions and comments up to the end but will be putting them to the panelists as we go along, so you can be an integral part of this discussion right from the outset. But we’re going to begin with a short presentation by Barney Reynolds of Shearman and Sterling on the licensing of digital asset custodians in four major jurisdictions, to give us an idea of what obligations those licences entail those custodians meeting. Barney, I’d like now to hand over to you to begin your presentation.

06.57: What regulations are being laid on digital asset custodians in the major jurisdictions?

Barney Reynolds 06:57: Thank you, Dominic. So this is just a very brief overview of where we are and the answer is there’s not much regulation specific to crypto in the world – in the major jurisdictions – at the moment. Starting with the UK, Dominic has already mentioned that there’s a money laundering regime applicable to crypto asset businesses in most places in the world now. The UK is no exception, so I will cover this point in the context of the UK. In the UK, there are some regulations which essentially ensure that crypto asset businesses, including custodian wallet providers, fall within the money laundering regime and have to register with the [Financial Conduct Authority] FCA prior to providing services. Some businesses have been turned down for not meeting the requisite standards on that. There’s also a notification requirement and a power for the FCA to object to the acquisition of 25 per cent or more of such a business. As things stand in the general regulatory context, the Financial Services and Markets Act, through its Regulated Activities Order, provides for a regulatory regime for traditional financial assets for which a custody licence is required if wants to hold them. In the crypto context, the forthcoming Financial Services and Markets Act – which has just finished [its] third reading in the House of Commons – is going through Parliament. [It] is going to provide for a framework to be developed for real custodian wallet providers and crypto custodians. And so it allows the Treasury new powers to make provision for the regulation of digital settlement asset service providers – essentially, adding to the regime already in the Regulated Activities Order, which is a statutory instrument previously already made by the Treasury that I’ve mentioned. The Treasury are also allowed to, or empowered to, establish an FCA authorisation and supervision regime for payment services provided in respect to digital assets. And it’s intended to capture issuers of Stablecoins used for payments, and others providing related services such as wallet providers and custodians. And that is in accordance with an international agreement at the Committee on Payments and Market Infrastructures (CPMI) and the International Organisation of Securities Commissions (IOSCO), where basically the major states agreed that systemic Stablecoins should be subject to some form of payment type regulation. 

Go on to the next slide. In the [European Union] EU, we have the Markets in Crypto Assets Regulation (MiCAR), which is due to come into force in the first quarter of 2023, but with the licensing provisions not coming into effect for a further 18 months after that. And the way that’s constructed is to establish a licensing and supervisory regime for the provision of crypto asset services, including the custody administration of crypto assets on behalf of third parties. A [cryptoasset service provider] CASP authorised under MICAR has to have a registered office in an EU member-state. That’s a sort of magnetic pull set of provisions designed to pull business into the EU in crypto business. But for those familiar with the EU regime from [the second iteration of the Markets in Financial Instruments Directive] MiFID 2, [will notice] the familiar reverse solicitation carve-outs is consistent with the EU treaties and international practice where EU customers are allowed to reach out from under the umbrella of EU law of MiCAR and operate solely under the regulatory protections of the service providers (such as they are) from wherever in the world. There isn’t an equivalence regime for third party countries. Service providers-   for those familiar with that concept, [it] would have allowed the recognition of equivalent regimes elsewhere and access beyond reverse solicitation from elsewhere in the world. Significant CASPs, i.e., ones with over 15 million active users, basically have to notify their competent authority of that fact and their competent authority is an internal governance matter of EU. [National competent authorities] update [European Securities and Market Authority] ESMA and ESMA effectively coordinates, as it’s empowered to do, across the member-state regulators on that front. 

Next slide. In the US, just looking at the [Office of the Comptroller of the Currency] (OCC), the [Federal Reserve Bank] Fed and the [Federal Deposit Insurance Corporation] FDIC, the OCC has dealt with cryptocurrency custody services through interpretative letters essentially saying that the holding of unique cryptographic keys associated with a cryptocurrency is a form of traditional banking activity. So national banks and Federal Savings associations can provide a service like that, provided they manage the risks effectively and comply with the law. And then they also have to [according to] the second interpretative letter, show they have adequate controls in place to allow safe and sound conduct to the business. And in the third interpretative letter, there has to be a notification made to their supervisory office of the intention to engage in those activities. So there is some specific crypto-focused provisions. The Federal Reserve has a new requirement for all banking organisations it supervises to notify the Fed if they’re planning to engage in crypto asset related activities, including the custody of crypto/digital assets. And before doing so, they obviously have to check the law, see whether filings are required, [and] have appropriate systems and controls in place to be safe and sound. The FDIC requires prior notice where any FDIC-supervised institution seeks to engage in a crypto-related activity. 

Next slide. And then Singapore. There’s a Payment Services Act which is being amended  – is in the process of being amended – providing for digital payment token services. The provision of those in Singapore [is] to be licensed, including the custody of digital payments tokens, and that would include everything one might expect in terms of Bitcoin, Ether and so on. And then licensed entities are regulated for AML purposes but there are additional requirements for large institutions. And then there is the Financial Services and Markets Act, which is very similar to the UK one, with a bit of a loophole in it because, when it was transposed into Singapore, as some may know, the definition of contract for difference, which hinges on property of any description, the draftsperson in Singapore referenced it to other already regulated assets, such that under the current FSMA in Singapore, crypto derivatives are not regulated. It’s a very nuanced and high-level proposition, of course, and [there are] all sorts of qualifications to that, including under the Payment Services Amendment Act potentially, that that’s an interesting sort of glitch in the transposition, on that front. I think that’s probably enough to frame things. The 10,000 foot conclusion from this is there isn’t much specific crypto regulation. There are ways in which crypto businesses are caught under traditional regulation, if it fits into traditional constructs or it’s a security in the US or whatever, but for pure crypto the world’s main regulators and legislators need to develop a regime for crypto custody businesses. Dominic …

15.30: How do the risks of custodying digital assets differ from custodying traditional financial assets?

Dominic Hobson 15:30: Well, thank you, Barney, for that very helpful, quick review of the regulatory requirements. And I’m sure that our panellists will have some things to say about that. I’m sure the audience will have some questions to ask as well. But I’d like to – unless a panellist wants to say something immediately – move the discussion forward a bit by actually looking at custody as a service itself. As I said in my opening remarks, and as these various regulatory measures indicate, this is a bit different from traditional custody. The risks are different. I’ve been thinking a little bit about this and wondered what those different risks are. I have drawn up a little list of them here. The transactions are irreversible, for one thing. I’ve been in this industry long enough to know that reversing transactions is fairly commonplace practice in the traditional securities markets. So you can’t do that here. You have novel risks like bridges between the different blockchain protocols and these proved to be vulnerable to hacks. With blockchain-based networks, of course, you have to deal with the risk of a 51 per cent attack – i.e., a hostile takeover of the network which can be exploited to the financial advantage of people. You have “oracles” on which the spot smart contracts rely. Those may be delivering data which is inaccurate or, more likely, data which is late, and so an action is taken which is not strictly in accordance with the conditions of that smart contract. Smart contracts themselves, although they’re now being audited, are of course also open to malicious attacks of various kinds, because they are, after all, software code. You have hard forks, which potentially create whole new assets, which can undermine the integrity of the original issue. You have airdrops, these distributions of free digital assets to digital wallets. Those can clearly be, and have been in some cases, fraudulent. And last but not least – particularly in the DeFi area, the Decentralised Finance markets – you do have these flawed governance models, where disproportionate influence is wielded by a small class of token-holders. So my first question is to our digital asset custodians and perhaps Yannick you could deal with this first and then Jack, and I’m sure Liz would have some comments on this: `How do you go about analysing what these risks are? And how do you go about mitigating and managing them on behalf of your clients?’ Yannick you go first, and remember you’re on mute.

Yannick Cherel 18:08: That’s a good one. Thank you, Dominic. I think I would go with the [inaudible] risk, as you mentioned, but I think the one I would like to be very particular and precise [about] this time is maybe what we have seen on the recent events of the FTX collapse and so on. Fundamentally, I believe that many market participants now recognise that the segregation of duties between the custodians and the market infrastructure is clearly in the interests [of investors]. It is an important risk is not sufficient to [inaudible]. And I think it is extremely important that you cannot have the asset custodied by the same entity who also provides the pricing and the execution and the management of the trade. It could have catastrophic consequences with the commingling of the assets of the clients and the assets of the service [providers]. So I think the segregation for me is key. And that’s the reason why traditional custodians – and, actually, custodians in digital assets – could offer this truly independent safeguard. So I think that’s one of the risks we can have. We can talk about technically how we [manage] this risk, etc. but I think that’s, to me, the most important thing nowadays – and the markets have shown the importance of that.

Dominic Hobson 19.39:So the importance of being independent. Jack, you look ready to [speak].

Jack Mcdonald 19.45: I would increase the drumroll on the point Yannick made. I think that’s of critical importance. That’s why we set up our business to be exclusively focused on custody, and not have a complementary, quote unquote, “markets business” that trades and makes markets and lends and borrows and rehypothecates client assets, etc. Chairman [Gary] Gensler here at the [Securities and Exchange Commission] SEC has been vocal about the importance of segregating those duties. And we believe that that is certainly going to come home to roost as regulation comes into the space. The other risk factor that I think is perhaps the most important – and you touched on that a little bit, Dominic – [is] with the irreversibility of the transactions is that many of the digital assets, certainly cryptocurrencies, are really bearer instruments. And so if you think about that, in many ways, it’s a step back to the past where there was a stock certificate and whoever on that certificate had rights to the asset. In the same way, cryptocurrencies are bearer instruments. And the technology required to protect those is really the crux of what many of us in this industry have built in terms of our technology offering. Because it’s of a digital nature, it’s open to all sorts of threat vectors that you articulated. And so that really requires a significant amount of resources and building out [of] the technology. I don’t think this is the right forum for talking about how we do that. But essentially, you’ve got an alphanumeric key that is your proof of ownership. And what we do is shard that key up and secure it in a number of different ways – biometrics, blockchain technology, hardware, software, etc. And keeping that safe.

Dominic Hobson 21.29: Thanks, Jack. Liz, perhaps some thoughts from you? I may have done you a huge injustice earlier in claiming that your focus is really on the DeFi area. But you’ve heard what Yannick said about the importance of being independent. You’ve heard Jack talk a little bit about the actual techniques you use to keep customer assets safe as an independent custodian. You’re operating with a slightly different set of institutional clients. Did all that sound a bit strange to you? And maybe tell us a little bit about the type of clients you’re acting for? And how you’re managing and mitigating risks for them?

Elizabeth Mathew 22:04: Absolutely. Thanks, Dominic. Representing Metamask Institutional as a platform in this discussion, I have been in the fortunate position of speaking to over 50 digital asset custodians in the last two years. Since the beginning of DeFi, somehow we’ve been in a position to be able to delve into the nuances of key management solutions and governance policies and multi-user permissions and segregations of roles and responsibilities with practically everyone that is seriously looking to solve for that for their customers. So, on one hand, the retail wallet is about empowering the end-user to essentially take custody and ownership of your assets, without having to rely on an intermediary to do that. On the institutional side, things are more complex. There are operational controls and regulations that need to be abided by. And that was the original premise, whereby we decided to create the separate product line, but [MetaMask Institutional] MMI, while it [enables] the more simple, younger organisation to be self-custodial using the platform, we are right now integrated with 11 custodians globally that are actively thinking about topics around the security and permissions. You are correct in saying that there is no standardisation, right now, in how you think about each of these aspects. We think it’s still so early. When I hear Barney’s presentation, and some of the comments made, when you think about institutional allocation to Web 3.0, this is so early we’re almost in a sandbox environment. We’re not at a stage to be able to say, `This is a whole solution that can be used by a fiduciary agent to act on behalf of an entity that is looking to do the things that they are used to doing in traditional financial market infrastructure.’ The comment about the importance of segregating markets-related operations [from] custody is an extremely important one. But, yet, when you look at the largest global custodians in the world, they all have markets operations, they’re all providing leverage and hypothecate [customer assets], and [provide] repo services. So maybe this is a way whereby we react and say, `We don’t understand this well enough; the customers don’t understand this well enough.’ And so let’s begin like that. But when you turn around and see – [and] I see plenty of examples in traditional markets, – where that’s not the case at all. So I take a slightly different approach in that it is still very early. This technology is rapidly maturing. Bridges, for example, are extremely fragile. So it’s tough to regulate a technology that is so nascent, where the business use-case has not been validated sufficiently enough. And organisations that are showing up to experiment are not sure if they will continue to do what they’re trying to do. I also see that the kinds of customers that digital asset custodians are trying to cater to vary significantly from what the traditional customer segment is for [a] traditional custodian. And you are seeing a merging of what ownership looks like. How do we benefit from the bearer [model of ownership]? [With] the digital scarcity and the bearer qualities of a digital asset token we are seeing not only the trading and investment community show up, but we are seeing [household name] brands [show up]. Traditionally, companies that are great at community engagement, show up to decide, `How do we think about digital ownership and community engagement?’ In the same way as funders are thinking about `How do we create the most efficient distribution capabilities for financial products?’ Things are blurring. So my response to questions that require so much thought and clarity on what we’re doing would be that it’s still very early, and we’re still in a sandbox stage.

Yannick Cherel 27:35: If I may, I would like to comment on two points, Dominic, if you will allow me. I just want to recall what Jack was mentioning about the importance of having the security maintenance – I think that’s very important. And I think custodians are not only going to safeguard the digital assets but are going to be also responsible for the security maintenance. It’s a complex and it’s built on [inaudible]. The Financial Times in September mentioned that over US$6.2 billion worth of digital assets has been hacked by scammers etc. That’s clearly something which would be, I would say, a digital asset custodian best in class if he can provide the security measures. That will be the right answer in addition to the segregation [of the assets]. And I think that’s [an issue] where Jack will also go into. Jack, I do agree on this point that you mentioned. The only thing I will say is I think we have to be extremely careful [about] the institutional clients [as a ] target. They will move to the digital asset of cryptocurrency when they have a proven set of clarifications from the regulations. It’s extremely important. The regulators try to clarify a little bit who we regulate. We know there is some debate: `Is a crypto a security? Is it e-money?’ So it’s very important because the user will go with a reputable custodian only if the custodian has the same risk-averse appetite, the same control framework, and more or less the same regulation requirements and obligations. And I think it’s an important choreography. So, yes, you are right, there are various actors who are interesting, and potentially the product and the response might vary, but actually, for the reason we just tried to illuminate here, the security aspect but also the regulatory framework is going to bring or to stop the initiatives of investment from the large institutional [investors]. You do have corporates who are interested from a treasury perspective. But, again, they want you to have the same security as when they are doing the traditional banking payments that they have today.

30:07: Cryptocurrency exchanges are criticised for custodying as well as trading the digital assets of customers but don’t the major traditional custodian banks also have trading businesses?

Dominic Hobson 30:07: And Yannick, what about Liz’s point about the major global custodians? [They] actually have the same conflict of interest which we were criticising the digital exchanges for [having]. Coinbase? You trade on there, and then you custody with them. I’m challenging you on that one. And I’m also challenging you on something else, which Barney didn’t raise, but which I did bring up in my opening remarks – this SEC letter saying you’ve got to put these digital assets on your balance sheet. Coinbase went ahead and did that. Now, that was a huge departure from the normal global custody industry, [where] these are client assets [and] they don’t appear on your balance sheet. That’s the attraction of the industry. It’s an off-balance sheet industry. What are your thoughts on those two questions? Because you’re associated with these global custodian banks that have execution desks, treasury management desks, sec[urities] lending desks, collateral management [desks], even asset management arms and so on – are you not in exactly the same position as the digital exchanges?

Yannick Cherel 31.09: I would say, coming from the banking industry, and especially from the global custodian industry, I would say that I don’t really share that view, because actually, you have a clear segregation of duty between the custodians and what we call the front office, which is all the market practices and so on. Although it may be under the same umbrella, the same entity, it’s clearly separate business units, separate departments, and clearly separate managements. And there is clearly a Chinese wall between both products – if you see that as a product. So yes, you could have BNP Paribas doing both things, but there will be separate entities – securities services, and different [entities for the other businesses]. 

Jack Mcdonald 31:54: I just want to add a very critical distinction here, Dominic, to that point about global custodian banks. Let’s just take a BNY Mellon or State Street. Yes, to Liz’s point, they offer custody, trading, collateral management. However, they’re not exchanges. That’s the big difference here. Coinbase is an exchange. And I’m not speaking ill of Coinbase but they’re an exchange and a custodian. Gemini [is] an exchange and a custodian. Binance [is] an exchange and a custodian. And in the case of Coinbase, at least some of their accounts, or customer accounts, are held in an omnibus account at the exchange, doing self-custody. That’s where you start to get into the fundamental differences with [Traditional Finance] TradFi. The New York Stock Exchange is not a custodian. BNY Mellon is not an exchange. A fundamentally different segregation of duties. That segregation of duties does not exist in the digital asset arena.

32:51: What will be the impact of the SEC advice in SAB 121 that digital asset custodians put client assets on their balance sheets?

Dominic Hobson 32:51: And Jack, do you have a view on this SEC letter saying, `Stick these assets on your balance sheet please?’ Am I barking up an irrelevant tree by asking that question?

Jack Mcdonald 33:01: Well, I have a view on most things here in this [area].

Dominic Hobson 33:05: Okay, give us a view on this then.

Jack Mcdonald 33:06: I think you’re referring to [Staff Accounting Bulletin] SAB 121. And I think it is going to, at least in the near to medium term, be a real deterrent for the large global custodial banks getting into the space just because it becomes impractical. I think it’s something that, as education increases and regulators get more comfortable with the space, that that may be chipped away with. But right now I view it as a deterrent for the big global custodial banks to get into this space. It just simply does not scale. And so it’ll be interesting to see how this develops. But for all intents and purposes, I think it’s going to be a retardant to the large sell-side firms really getting into the space in a meaningful way.

Yannick Cherel 33:52: I completely share your view, Jack, on this. I think [inaudible] is working on this to try to see how practically and operationally it could happen. But I think it’s clearly going to bring a lot of costs and capital requirements, which will potentially just simply not be feasible, for exactly the reason that Jack mentioned. Today, you don’t ask the custodian –  the traditional fund and asset custodian – to reflect on their balance sheet the securities that they have.

34:24: What point have global regulatory initiatives in cryptocurrency reached and how should we expect them to evolve from this point on? 

Barney Reynolds 34:24: It seems to me, from a legal and regulatory perspective, it’s at odds with where we’re trying to get to, in terms of designing a legal and regulatory framework that matches what the market seeks to do but enhances the safety for the satisfaction of governments and regulators. Essentially, it’s the task at hand. And trying to put what is an inherently incredibly quickly scalable asset on people’s balance sheets will effectively mean that the business is dispersed. And I think that intrinsically makes it more risky. Plus, if it’s on someone’s balance sheet, and they’re doing other bits of business then that potentially exposes it to other bits of business. I’m not saying any of the people doing it now are doing those things. I think it is possible to be an exchange and have a custody business in an affiliate. There are possible ways through a lot of these issues. In a way, we’re reinventing the wheel on stuff in the financial regulatory world that people have been thinking about for generations and have their sophisticated solutions to. So, as I see it, we’re in the second [stage] or beginnings of the third stage of a three-stage process. The first stage was, `This is all very complicated.’  Lots of smart people were innovating away and writing computer programmes, and it was a `trust us’ phenomenon. And out of all the thousands of businesses out there, there are some that clearly merit that trust. There are some where it’s more questionable. And the issue with that is that the user doesn’t quite know because these relationships involve technologies which are opaque, and activities on the part of the service provider which are inherently opaque and difficult to audit and verify, [and so] the ‘trust us’ proposition only takes you so far. And we’re getting to the limits of that. It’s been isolated to a large degree from the financial markets, which has ensured, so far at least, that the ripples are not being felt, or that the waves are not crashing inside the walls, rather, of the system in a way that seems alarming. So, so far, so good. The second phase, which we’re either in or emerging from, is regulatory arbitrage and competition, which in fact existed in the global arena, particularly even till 2007-08, after which the EU scheme was amended to eradicate that so far as possible by introducing the [European Supervisory Authorities] ESAs, these advisory agencies, to try and harmonise interpretations and avoid arbitrage within the EU. And that’s ongoing work in progress within the EU. And then, internationally, there is the [Financial Stability Board] FSB efforts on systemic risks. But I think, nevertheless, there’s an element in which countries are beauty-parading their regulatory schemes. But the third wave is a mature system, where it is thoughtfully regulated. The question then is, `How do you do it?’ I think we need to differentiate or parse through all the different types of thing that one is looking at. And there it does require discussion, with the folks like the ones here, to get it right. But I nevertheless would say I think there’s a difference legally between tokens, which represent an underlying asset, where you are custodying the token and the underlying asset, and immobilising it, and then something where the token is the asset. And then I think there’s a difference between a service which is the custody, if you like, of a private key, from a service where the actual asset becomes that and [whoever] it is registered in the name of effectively comes under the ownership of the custodian. So I think those are some basic legal distinctions which would then ripple through the design of any scheme. And it’s [in] real-time that the regulators, as I’ve mentioned, [need to be] looking at doing this. Particularly the [United Kingdom] UK are going next. The EU have not really done original thinking from it. They’ve taken MiFID 2 and the Prospectus Directive and tweaked [them] for what was thought to be a crypto industry a little while back. Now, by the time it comes into effect, I think it’s going to be out of date. So this requires, because it’s developing so quickly, some real-time thinking. And the US, of course, are engaged in the same thinking as well. In terms of the issues then, at the moment we’ve got extensive liability around all the issues you raised, Dominic, which are very concerning issues being addressed through contractual terms, largely on standard forms, and [which are] to some degree negotiable. Now, the regulators, when they come in, will seek to determine what they’re regulating, which goes to the point I made about tokens and the underlying and the security keys and so on. They will determine who they’re regulating and where, so I think there’s going to be much more interest in governance, and systems and controls, which will have to be largely within a single legal jurisdiction, where the people aren’t generally, because regulators don’t like regulating something where the key people are somewhere else. And I think they’re going to have to get to grips with these risks. And that will involve prescribing certain contractual terms, it will involve prescribing certain processes, and verification processes in particular, it seems to me. Because a lot of this is beyond [what regulators can accomplish]. I don’t think one could expect the regulators themselves to be able to verify this. And then finally, all the supervision, which is missing from the dialogue at the moment. But no regulatory regime is credible unless there are very, very high-end supervisors in a significant number, with all the necessary disciplinary knowledge to be able to know enough of what they’re doing to do it credibly. And unless there’s that, this is a paper tiger. So all that all will be being put into place. And then the final piece of the jigsaw puzzle, which I’m sure will need to be thought through – and of course this will be designed by the regulators after listening to the industry and looking at what’s going on, not by the industry, because the fox cub won’t be allowed to design the hen house, as it were – [is that] the regulators will want to ensure, because they’re accountable to parliaments and then taxpayers, that businesses can fail safely, because in the financial services world, businesses like in any other industry sector, can fail. And that means looking at asset protection. And that’s not just the custody piece but, in particular, the identity verification of who’s been able to give instructions to the custodian. Because you could end up in the same place that, you had no custodian, if there is insufficient discipline around who can give instructions and [that those] people are the only ones able to give instructions to move the assets. So I think it’s a very heavy lift, because it involves applying a lot of traditional ways of thinking to a new environment. A lot of thinking is going on. But there seems emerging all the time – the point you may make about bridges and oracles and so on – novel points to which there needs to be a solution that’s objectively satisfactory to people who aren’t in the tech world, but nevertheless is verified by people who are. Throwing up these problems is great. I think the solutions are going to be designed in a way that is to the satisfaction of the regulators who then are in a position to explain them in sufficient simplicity to people not in the industry – in their parliaments – so that representatives of the people feel comfortable that this is actually credible. At that point, I actually think this is a reverse solicitation business, largely. And it’ll be one single legal and regulatory regime that is trusted throughout the world. And that trust will be earned only, not on the basis in fact largely of the rules written on the page, but because of the people that implement it day-to-day and apply it being sufficiently thoughtful and nuanced in how they do it, but nevertheless sufficiently accurate.

42:41: Do developments in the digital asset markets, and in particular the divide between cryptocurrencies and tokenised assets, mean practice is running ahead of regulation or that regulation is dictating practice? 

Dominic Hobson 42:41: Thanks, Barney. Can I pick up one of the one of the threads which Barney has identified there, which is there is this risk that regulation and what is happening in the marketplace are falling out of joint, and they are falling out of joint in a very fragmented way across a number of jurisdictions. But there is also this process of convergence going on. We’ve seen crypto brokers and crypto exchanges acquiring digital asset custodians over the last 18 months or so. At the same time, we’ve seen all the major – or virtually all the major – global custodians starting to work with vendors of digital asset custody technology – with the Fireblocks and Metacos and Coppers of the world. So clearly they are doing that because they see a client demand to buy digital assets. But I suspect those digital assets are probably quite a narrow class. If we’re talking here of cryptocurrencies in particular, they might be just in Bitcoin and Ether but not much beyond that. Do we think here that there is a convergence going on at the business end, which is not being matched by what’s happening on the regulatory side? In other words, cryptocurrencies are still out there unregulated, whereas tokens are being found to be securities and being regulated as such. Is  that a fissure which we need to be concerned about? Jack?

Jack Mcdonald 44:05: It’s an excellent question. And I think it’s reflective of a broader view that the large traditional institutions have on both the buy- and the sell side, around the future of tokenisation and digitisation of assets. It really has nothing to do with cryptocurrencies, other than sharing the underlying technology upon which the crypto industry exists – namely, blockchain technology or distributed ledger technology. We own, in addition to our custody business, the leading fund administrator in the digital asset space, MG Stover & Co. And we have a third project called Atomicnet, which is building a cross-chain atomic settlement network. And that affords us the opportunity to talk to a lot of global asset servicing firms and large asset managers, And that view on the future of tokenisation is only increasing in velocity. And I think that’s what you’re seeing when you read the news about these alliances being formed with the Fireblocks and Coppers and Metacos of the world. I think there’s a consensus view that cryptocurrency may or may not, which might sound oxymoronic, but may or may not have a future role to play. But Stablecoins, yes. Tokenisation, yes. Underlying technology that will have a profound impact on the operating system of capital markets going forward, yes. And so these organisations are building infrastructure anticipating that, and it’s much less about whether or not Bitcoin and Ethereum have a meaningful, long-term place in an institutional client portfolio.

45:45: What sorts of digital assets are institutional investors looking to put into custody?

Dominic Hobson 45:45: Liz …. Before I put this question to Liz, I just remind the audience, do feel free to send questions and comments to us. We’ll be disappointed if we don’t hear from you. And bear in mind, we’re into our last 15 minutes of this discussion. So, if you’re burning to ask a question, now’s a good time to do it. But, Liz, as Jack points out, we bandy around this term `digital assets’ but it covers a whole host of things – cryptocurrencies, native tokens, asset-backed tokens, Stablecoins, and perhaps eventually [Central Bank Digital Currencies] CBDCs. But in the kinds of businesses, the kinds of organisations that you are talking to, to sell your services to, what are the digital assets that they are looking to invest in? Is it very, very focused on the native token world in DeFi? Or are people looking for combinations of asset-backed, native tokens, Stablecoins, cryptocurrencies? What assets are they looking to custody with you?

Elizabeth Mathew 46:41: I’ll remind you again. MMI is not a custodial service. We are a platform that integrates with several custodians. In short, to answer your question, we see demand from customers to do both. So how do we think about the security and the operational controls of a portfolio of native crypto assets? As well, as the question comes around, `Well, if I’m going to issue this token that is a security token, it is going to be registered with a transfer agent, and we’ll have a broker-dealer. Can any of the custodians that are available on Metamask Institutional today custody those?’  And that question is rarely one about the technology. We can support all [Ethereum Request for Comment] ERC tokens, be they fungible or non-fungible. But it is more a question of, `Is the custodian licensed and regulated to be able to take custody of that security token?’ That tends to be one of the discussions, but I do agree with Jack’s sentiment that the broader discussion is around, `Can the blockchain technology be used as a more efficient distribution mechanism to engage with audiences?’ This could be for financial products; this could be for engagement with brands. And that’s where you start seeing … Nike has announced using our solution with BitGo on Polygon to engage with their audience. And similarly, we’re seeing high profile brands do the same. And so, to me, [with] this technology [it] doesn’t matter what the underlying is. It is some form of ownership, be it fungible or non-fungible, be it giving some kind of rights to being a part of a community. But, at the end of the day, the technological advances that need to be built to secure operational control and asset integrity and thinking about the novel security threats that are specific to handling tokens on this rail, no doubt have to be solved. And what we tend to focus on at this point is less about jurisdictional coverage, because it often feels like there are just some basic things that need to be put in place to empower an organisation to know what they’re doing, what are they about to sign. How do they monitor what they’re doing in Web 3.0? That just needs to be solved for, technologically, before the business use-case can be developed in the discussions around security tokens, and the consortias forming around that. With various underlyings, it’s been a point of discussion for several years. In 2017-18, we almost always began with private permissioned and a discussion around consortias. Now the discussion is around, `Well, let’s look at experimenting on different blockchains, be it a Layer 1 or a Layer 2. But how do we solve for security, privacy, scalability, the scalability of identity, the portability of your identity that is established one time in a books-and-records way? But then how do we create a design framework for this to be able to travel across various innovations in Web 3.0?’ These are some of the challenges that we think about, and that absolutely need [resolution]. I guess, coming back to my original answer, we see both. However, it’s still so early. And there are still so many, just basic non-functional requirements that need to be thought through.

Barney Reynolds 51:06: And to the satisfaction of the regulators. That’s the final bit of the jigsaw puzzle, because without that none of this is going to be buttressed. There might be people prepared around the world in some places to write rules for it, but doesn’t mean anything unless it’s actually backed up. And that will involve verification, including by specialists that can invasively test and stress test that technology to make sure it does what it says on the tin under all circumstances. And that, to be credible, it’s going to be have to be done by I would imagine a very small number of people in the world who have the credibility to verify that point. And then, obviously, the question is, could anyone change it without your knowledge? And so there may need to be an ongoing verification process. And then there’s the valuation of these assets. Has anyone to keep track of those? How do you keep track of making sure that records are okay, or can the owner, somehow, through the blockchain, look in through some separate independent process to verify the custodian? Quis custodiet, ipsos custodes [“Who will guard the guardians?”].  Who is going to check that they have still got what they think they have, or do they just rely on the custodian? And is there anyone that’s trusted sufficiently for very large amounts? And I think this is going to drive more industry convergence, because I don’t think there are enough people with the credibility to keep producing propositions that fly, quite aside from whether or not people are prepared to use them. The other aspect of what you’re saying, which I think is relevant, is this is the financialisation of the world in a way because all of the legal entitlements in the world can be packaged up and tokenised and traded. And they can be traded under a single legal jurisdiction and regulatory jurisdiction. I don’t think we’re going to need to wait for the whole world to agree on a single rule book. I don’t think it’s ever going to happen in our lifetimes, if at all. I think it’s going to be different. It’ll be consumer-driven. But this financialisation involves nuanced analysis across each new product area, to see what needs adjusting to regulate that, because the answer for property interest won’t necessarily be there. [Property interests] which are then traded on a register won’t necessarily be the same as the answer for things that are unregistered, Things that have an objective value that can be verified on a genuine exchange that’s regulated as such, versus something that’s OTC and genuinely OTC and not benchmarked or benchmarkable. And will there be OTC or is it possible then to join up the all the trades and gather that data so that, in fact, you don’t need an exchange? You just look at the pricing of trades.

Elizabeth Mathew 53:53: I think that the technology needs to be built first to be verified. It’s still being built. And I think that’s the big disconnect I have here in terms of some of the questions and considerations. [They] are for things that just haven’t been built yet. I could go and ask 20 custodians today about what is their definition of true self-custody, and each of them will come back with different answers of what true self-custody means.

Barney Reynolds 54:29: Right. But someone’s asked a question, which goes to the heart of it all, which is, `Would people trust a crypto custodian quickly enough and sufficiently enough to go with a pure crypto custodian on the basis of a perception of a greater understanding and knowledge of the business? Or are they effectively going to gravitate back to well-known traditional custodians but who have developed … ’

54:58: What competitive advantages do traditional custodians have over new entrants?

Dominic Hobson 54:58: Let me ask that question in full because it’s a good one from [Anonymised]: `What do you think are your competitive advantages in comparison to other digital asset custody platforms under development by traditional market infrastructures and exchanges? This is considering that these market infrastructures and exchanges have built trust and business relationship for decades now, and therefore offer easier access to institutional sell- and buy-side players.’ I guess, Yannick, your answer to that would be that you’ve grown out of the traditional establishment.

Yannick Cherel 55:29: It’s a good question and there are multiple angles to respond to these questions. I think you can have the angle from, I would say, compliance and trust [inaudible] the custodians, because clearly you want to partner with, you want to put your asset with a reputable entity, because you need to satisfy also your own risk management framework. So I think a bank, a traditional finance or traditional custodian’s DNA, mindset, [is] being very familiar with all the regulations, all the licensing, all the legal aspects, is clearly going to give you a certain trust in this investment. So I think clearly traditional finance, who has built a technology, who has embraced the blockchain technology and the crypto asset, digital [asset], but having this DNA, is clearly a good asset. I think it’s also [good] from a cyber-security perspective. We are just touching a little bit that the customer is not only [a] digital asset, but also [there is] the security aspect. And I think it’s important to have someone who has regulation reference[s] with [a] control base [inaudible], auditable, certified internationally. So we can talk about [International Standards Organisation] ISO standard and all these kinds of things. And again, traditional finance, banking custodians will be extremely familiar with that, with the process [and] will clearly understand [it]. So, to me, if I look only from these two angles, you clearly have the answers. And potentially this is why you have seen, as you mentioned initially, BNY Mellon partnering with Fireblocks or Standard Chartered building [the] Zodia partnership. That’s clearly the answers to that, because we are strongly believing that we’re bringing the good, and what Barney was mentioning, we have decades of regulation, of structuring, of management and from [inaudible] because clearly we have experience of bad things in traditional finance. So we try to not repeat that in this new eco-system. But at the same time, we want to embrace digital technology. So I think this is why, clearly, I do believe that traditional bankers or custodians embracing and being extremely innovative and understanding the [Distributed Ledger Technology] DLT and blockchain will be the right source for that. That’s my view.

Jack Mcdonald 57:50:  We share that view around the DNA of traditional finance in our offering, which is critical. What I would add is the two differentiators that do not exist with the traditional players relative to our offering is the expertise around this asset class. We’ve been doing it for years, and it just doesn’t exist at the large organisations today. And third of all, the regulatory footprint. We’re heavily regulated by New York, in our case, the New York Department of Financial Services [NYDFS]. We’ve got many, many state money transmitter licenses; we’re registered with [The Financial Crimes Enforcement Network] FINCEN, as a money services business. And so that should give confidence to institutions to use a service provider like Standard Custody, because we’re regulated, we’ve got the expertise, and we’ve certainly got the security in terms of the product that we’ve built.

Yannick Cherel 58:39: I ask you to speak the same language. So I think the proper thing is you speak the same language. And that’s extremely important when you discuss with institutionals, and you don’t have this background experience or this background understanding of what an institution wants, and what are their requirements and obligations to their own regulations. That’s where you’re going to have a conflict.

Dominic Hobson 59:03: But, Jack, could I ask you if you’re, as Barney said, the OCC has authorised. banks do this business. You’re not a bank, as far as I know. But you are regulated by the NYDFS, you’ve got these money transmission licenses … If I was if I was a customer of your organisation, what are the benefits which the way you are regulated confers on me? What are you allowed to do? And why is it good for me as a customer?

Jack Mcdonald 59.26:I’m mindful of the time here. So, very quickly, the OCC, the federal bank regulator, has only allowed three charters for digital assets. And they’ve really curtailed those mandates. So while that is an option, it’s not really an option today, for most. So that then puts you into a State situation by being a trust company bank. From a regulatory standpoint, we’re a qualified custodian in the US. There’s an Investment Advisor Act of 1940 that requires any manager of more than US$150 million of fiduciary capital to use a qualified custodian – either a broker-dealer, a futures commission merchant, or a trust bank. The first two are not options, so regulators have not given out licences to do that. That puts you, other than these very few selected by the OCC, in the quadrant of a State bank regulator. If you manage more than US$150 million, you have to use a qualified custodian. And that really narrows it. So if you wanted to use State Street or Citibank or Goldman Sachs, it’s not available. Even if they wanted to do it, which is unclear, they can’t do it today.

Dominic Hobson 1:00:33: Unfortunately, our time is almost up. But I’d like to put [Anonymous’s] question to you, which for some reason has now disappeared, where has it gone? Hosted custody versus self-custody are different services – this is definitely one for you, Liz … Both hosted custodians and self-hosted technology are being reviewed, invested in or bought by leading banks. Building takes time. Regulation takes time. The same commentary about regulation said today could have been said two years ago. I quite agree with that. So what’s good enough?

Elizabeth Mathew 1:01:09:  We don’t think that any [technology] stack answers every use-case. And so that’s why we want to be able to give the widest range of key management solutions for organisations and Web 3.0. I think the nuance here is that the kind of custody stack that Jack described so well, without getting into the jargon, is one where the customer is still in complete control of the assets, based on whoever is authorised to give instructions for the transfer. It isn’t as simplistic as custody models in the past, where collateral can be then be lent out and there is no clear understanding of ultimately who the owners are. And so this technology affords us far more control of digital ownership. And then you get into the nuances of self-hosted or third party-hosted and who has operational controls for the assets. So I have dropped my email address in there. You know, we have 12 on the platform today, and several more in the pipeline. So we’re more than happy to give you an agnostic overview of the different solutions out there in the market.

1:02:27: No digital assets have been stolen from a digital asset custodian. Is there not actually a problem that needs solving?

Dominic Hobson 1:02:27: Okay, [Anonymous], that’s an invitation to get in touch with Liz. We’re going to have to stop in a minute. But I’d like to ask each of you a rather naughty question before I let you go, which is this. When I was researching this topic, and thinking about it, it struck me that actually, even in the cryptocurrency industry, which has been characterised by theft, hacks, frauds, often on a gigantic scale, as far as I know I don’t think any digital asset has actually been stolen from out of custody. The industry has actually proved surprisingly robust in protecting customer assets. So, Yannick, are we worrying about something which doesn’t really need to be to be worried about? Are regulators worrying about something that doesn’t need to be worried about?

Yannick Cherel 1:03:15: No. I think we need to be worried about it for various reasons. As I said, if you look at what’s happening, the hacking when you confuse and you commingle the assets, and you don’t have this clear ownership, and what Jack was mentioning, between acting as an exchange and being a custodian. This is where you have the risk of your assets being lost because of a hack, or because of a fraud from a CEO who has an ego that is potentially bigger than anyone else. The point is, if you have real custodians as we described, then, if you have a secure environment with the right protocols, again, audited, certified  etc., yes, you will clearly prevent, normally, as much as possible, the loss of assets, while granting the ownership (what Liz was mentioning about the technology) because we clearly continue to give the ownership to the real owner of the asset. And that’s where the traditional finance doesn’t provide. And that’s to me [is] the biggest thing. Now, the question is, of course, everything is traceable, meaning that the regulator is expecting also more [inaudible] and more actions to prevent financial crime, for instance. And therefore, it requires much more energy, it requires a certain risk-based approach, because we cannot always stress about what is traceable. I think this is something where the regulator is maybe not enough clear yet. It’s a risk-based approach that we do in traditional finance. It’s not because of blockchain or this full traceability that the risk is canceled. I think that’s where we need to be worried about. Otherwise you will kill the innovation.

Dominic Hobson 1:05:02: So what about that, Jack? Yannick is saying it’s all about process, compliance, control procedures, and actually not a technical issue at all, the safe custody of digital assets.

Jack Mcdonald 1:05:17: I think it’s clearly both. We spend an enormous amount of time with our regulator educating them about our technology and about our offering. And because of the digital nature of the asset class that we’re discussing, technology is embedded in every part of what we do. There’s a human process, there’s a workflow, but so much of it is technology-driven that the regulators are going to have to get their heads around it. And as to the hack question, the majority of hacks that have taken place over the last couple of years have happened either at exchanges or at self-custodial venues. They are not happening, certainly, at regulated third party custodians.

Dominic Hobson 1:05:53: Thanks, Jack. Liz, a last word for you. You’re trying to build this eco-system. Am I right to think that, from a technical point of view, this is not something that needs to be worried about. It’s much more about what types of people you admit to your eco-system, and what their processes, their procedures and their audit controls and the rest of it are?

Elizabeth Mathew 1:06:17: Yes, certainly, the aspect you talk about, the due diligence, just the operational excellence of the actors involved, [is important]. But I will highlight that there are unique security threats specific to this asset class and technology. I’m reminded of the time where a fund that was just getting set up by mistake sent a high value asset to a destination that they were not originally intending to send to. The destination was not even an individual’s or an organisation’s wallet address. It was a smart contract. And so even though there was an attempt to reach out to the creators of the smart contract to say, `Can you just please send this back to the senders?’ it was not possible because that particular smart contract call was not supported. And there you had a loss of assets overnight, and no one could do anything about it. So there are mistakes that can happen. And there is a lot that needs to be done about not just the hacks but just making sure there aren’t mistakes – user mistakes. There’s a responsibility that comes when you say you are in complete control of all your assets. So there’s still a considerable amount of work that needs to be done in terms of the regulations, the operational framework, and what’s built to make this truly bulletproof as a solution.

Yannick Cherel 1:07:59: Actually, real custodians with real address management will also prevent this kind of example you mentioned, of the wrong address. Because if you have detection scenarios, if you have certain behaviour rules, you could potentially prevent that because, absolutely right, you are the owner of the assets, or you are also the owner of the stake. So having third-party custodians makes you a little bit more secure on that aspect, because you will have a kind of four eyes, proper controls underneath. So that’s really important.

Dominic Hobson 1:08:29: Okay, thanks Yannick. We must stop in a bit. But the last word from you, Barney. From everything which you’ve heard, do you feel that regulation and regulators understand and are proceeding in the right direction in this area?

Barney Reynolds 1:08:43: I do. I think they’re proceeding apace. It needs to be considered. And all of the specific nuances of digital custody need to be picked up and addressed in rules and then subjected to supervision. So what Jack’s describing with [inaudible] is a start, I think we need to evolve that across the world, in the major jurisdictions, and find ways in which things can be verified to the satisfaction of regulators. It’s great that things haven’t gone wrong, if your research is right, Dominic, so far. But I don’t think in regulation of something of this importance, we can take that much comfort from that, unfortunately.

Dominic Hobson 1:09:31: Thank you, but I think we will now really have to stop there. We run out of time a little bit. I’d like to thank our panelists. Jack McDonald from Standard Custody and Trust Company; Yannick Cherel from Zodia Custody; Barney Reynolds from Shearman & Sterling; and Liz Mathew from MetaMask Institutional.