What could be for the Future of testing

Key Insights From This Webinar

The work of bank and non-bank custodians in safekeeping digital assets on behalf of customers is gradually coming under increased regulatory supervision. This is probably helpful to the development of digital asset markets beyond cryptocurrencies, since safe custody has long been recognised as the key to unlocking institutional investment in the asset class (and, indeed, the engagement of corporate treasuries). 

A 2022 survey of asset managers, asset owners and hedge funds by Celent on behalf of BNY Mellon found 70 per cent of respondents would increase investment in digital assets if they could custody them with a traditional, regulated bank. The proportion wanting the same bank to provide integrated execution and trading services was only slightly smaller (63 per cent). (1)

This is the right way for institutional investors to be thinking. Tokenisation promises to extend digital asset investing far beyond its origins in native cryptocurrencies such as Bitcoin. The retail investors that dominate the buy-side in native cryptocurrencies almost always choose to custody at the exchange where they buy and sell or self-custody, eliminating the cost of an independent or intermediary custodian. But the risks of self-custody are starkly evident in the fact that the majority of hacks take place either at exchanges or at self-custody service providers. 

So the case for established, regulated, banking custodians makes itself. Yet the initial findings of a Future of Finance survey of 100 digital asset custodians include the discovery that less than one in 20 is an established regulated, well-capitalised financial institution. Which is why a series of regulatory initiatives on both sides of the Atlantic are likely to drive twin processes of concentration and consolidation in the digital asset custody industry.  

This consolidation is to some extent happening already. Cryptocurrency brokers and exchanges were have acquire digital asset custodians over the last 18 months or so. At the same time, virtually all the major global custodians have chosen to partner with one of limited range of digital asset custody vendors such as Fireblocks, Metaco and Copper. Bringing digital asset custody within the regulatory perimeter is bound to accelerate these decisions – and measures are being taken.

In the United States, the Office of the Comptroller of the Currency (OCC) has permitted national and federal savings banks to offer digital asset custody services, and neither the Federal Reserve Bank no the Federal Deposit Insurance Corporation (FDIC) has objected to other types of banks providing digital asset custody services, provided they let both regulators know.

But it is the Securities and Exchange Commission (SEC) that has made the most interesting move, in SEC Staff Accounting Bulletin 121 (SAB 121) of March 2022. It proposed that digital asset custodians put customer assets in custody on their balance sheet. This is a major departure from the off-balance sheet nature of traditional custody. 

The European Union (EU) has introduced a similar measure via the Markets in Crypto-assets Regulation (MiCAR), which not only requires digital asset custodians to register with the European Securities and Markets Authority (ESMA), meet capital requirements, agree written contracts with clients, appoint qualified managers, segregate client and proprietary assets and report to clients but make clients whole on any losses of their assets. 

The United Kingdom is not as advanced but the Financial Services and Markets Bill (FSMB) currently going through Parliament includes powers for the Financial Conduct Authority (FCA) to establish a supervisory regime for digital asset custodians. It is not yet clear if the FCA will follow the US and EU examples, but the FSMB does bring digital asset custody within the regulatory perimeter.

In Singapore, the leading digital asset market in Asia, the authorities have largely followed the United Kingdom example. Providers of digital asset services – including digital asset custody – are obliged to acquire a regulatory licence, whether they are based in Singapore or elsewhere.

Though making custodians assume the full risk of customer assets arguably increases rather than decreases risk by exposing customer assets to other activities of their chosen custodian and introduces a substantial capital and operating costs disincentive for the major regulated custodian banks to enter the business at all, the US and EU measures do mean that well-capitalised digital asset custodians will be more credible upholders of regulatory obligations than the alternative.

After all, the different nature of the risks of digital asset custody, by comparison with the traditional variety, already erect a barrier to entry. Chief among them is the fact that transactions are irreversible. A mistake, particularly with a smart contract, is likely to be irrecoverable. Irreversibility turns at least some digital assets into the equivalent of bearer instruments that are owned by whoever holds them. This risk alone presents significant technological, cyber-security and operational process and control challenges to digital asset custodians. 

But there are other novel risks. The electronic “bridges” between different blockchain protocols are insecure. Any asset is at risk of hostile takeover by a 51 per cent attack. The “oracles” on which smart contracts rely can deliver inaccurate or out-of-date information. Smart contracts, even when audited, can be hacked.  “Hard forks” put the integrity of any issue at risk. “Airdrops” can be fraudulent. And the Decentralised Autonomous Organisations (DAOs) that govern many digital assets are open to capture by minorities. 

However, for institutional investors in digital assets, it is precisely  the unusual nature of the risks that argues for the application of traditional custody disciplines. Chief among these is the separation of duties between trading platforms (such as exchanges), execution and market -making platforms (such as brokers and dealers) and custodians and (within the custody service) the strict segregation of customer assets from the assets of the service provider (not just by holding them in separate accounts but not using them to fund or enlarge the business of the custodian or its clients).

So it was more than  coincidental when the New York State Department of Financial Services (NYDFS) – the principal regulator of non-bank custodians in the United States – announced on 23 January 2023 that digital asset custodians must segregate customer assets from the corporate assets, whether they are held in separate or omnibus accounts; not borrow customer assets or lend them to third parties; properly risk-assess hold any third party sub-custodians used, and hold them to the same regulatory standards; and embody these obligations in the agreements that govern the relationship of the custodian with the customer.

Ironically, the leading global custodian banks – BNY Mellon, Citi, J.P. Morgan, State Street, Northern Trust  – all have “markets” arms and asset management businesses that, on the face of it, represent similar temptations to make use  of the digital assets of customers. The exculpatory explanation is that, unlike at, say, a cryptocurrency exchange, separate entities, separate managements and day-to-day Chinese walls separate the conflicted businesses from each other at a regulated financial institution. 

Cryptocurrency enthusiasts counter that the technology that underpins the digital asset markets is still insufficiently developed to be confident that the conflict-of-interest management techniques of the traditional securities markets can be applied without modification to such novel instruments. Though that liberal view does potentially leave investors open to exploitation while the technology develops, it does pose a dilemma for regulators. 

If the technical and infrastructural bases of the digital asset markets are still developing, there is a risk that any decisive regulatory moves will prove premature. Exactly this criticism is levelled at MICAR, whose provisions are based on a snapshot in time of digital assets markets that remain in a developmental flux. The same criticism can be made of the SEC requirement that digital asset custodians put customer assets on the balance sheet – it makes sense when assets are in custody at cryptocurrency exchanges, but quite the opposite when they are in custody at a regulated global custodian bank. Yet regulators must deal with risks to investor protection now rather than in the future. 

A further complexity, in a global industry, is jurisdictional differences. Even where there is international consensus among governments and regulators on how to proceed, measures are still implemented at the national level – even within the EU. Compliance with the Anti-Money Laundering (AML), Countering the Financing of Terrorism (CFT) and sanctions screening obligations published by the Financial Action Task Force (FATF), for example, is endorsed by 200 jurisdictions but implemented patchily if at all precisely because the obligations are implemented at the national level. 

At present, there is no cross-jurisdictional agreement even on such a fundamental issue as the legal differences between an asset-backed token (where both the token and the underlying asset must be custodied) and native tokens (where custody inheres in the possession of the asset itself). Yet, without it, regulators cannot even determine what it is that they are regulating, let alone the governance systems and controls required to mitigate and manage the risks it represents to investors.

It follows that reputable financial institutions cannot be expected to assume liability for a range of novel risks in the digital asset markets without legal as well as regulatory clarity. Take, for example, the basic question of who is authorised to instruct a custodian to move a digital asset. A smart contract might decide on the basis of inadequate or compromised data. If it is an individual that decides, their identity must be verified perhaps digitally. 

Regulators could be forgiven for saying they are not yet ready to rule on such issues, partly because their understanding is still limited and the technologies are not yet mature, but mainly because they will have to explain and defend their actions before a lay audience in the national parliament that is answerable to investors and consumers in their other guises as voters and taxpayers. It is easy to forget the political pressure on regulators, though it is frequently intense. 

And the most powerful argument for regulators to adopt a wait-and-see approach is the fact that tokenization has yet to take off. Once it does, it will reshape institutional-grade digital asset custody by making demands that do not occur in pure cryptocurrency markets (such as underlying assets), introducing new types of intermediary (such as transfer agents and data vendors) and broadening the reach of Non-Fungible Tokens (NFTs) to all manner of virtual properties in the emergent Web 3.0 economy. There is also a strong likelihood that the traditional stock exchanges will move into the market at scale. 

Issues currently in the background, such as safeguarding privacy, verifying digital identities and building scalable and interoperable digital assets networks, will become acute as the range of tokenised asset classes extends.  And regulators will be reliant on a relatively small class of market participants to understand market developments before they can even think about recruiting officers with the requisite knowledge to regulate what is happening. 

In educating regulators, and attracting customers, long-established global custodian banks have the advantages of entrenched revenues and institutional client bases, a command of operational processes and procedures, and a long history of managing compliance with complicated regulatory requirements. To these advantages, they are now adding technical expertise through technology partnerships. Acquisitions, perhaps of regulated non-bank custodians that have expertise and a new seam of clients, will almost certainly follow. In digital asset custody, the future feels increasingly backwards-looking. 

(1)  BNY Mellon and Celent, Migration to Digital Assets Accelerates, 2022 Survey of Global Institutional Clients, page 8. 

---

Dependable, institutional-grade custody services characterised by familiar processes, techniques and disciplines are the key to attracting institutional money to the digital asset markets, and especially the tokenised variety on which growth now depends. Market forces are already creating what is required, and in the long-term regulation will encourage this development. However, some premature efforts by regulators threaten actually to undermine progress. These missteps argue for a more patient approach by regulators that appreciates the fast-evolving digital asset markets have yet to attain equilibrium and that both understanding and expertise will remain in short supply. Dominic Hobson, co-founder of Future of Finance, moderated the discussion with Jack McDonald, CEO at Standard Custody and Trust Company; Yannick Cherel, Chief Compliance Officer and Money Laundering Reporting Officer at Zodia Custody; Barney Reynolds, Global Head of Shearman and Sterling’s financial services industry group; and Elizabeth Mathew, Head of Growth and Partnerships for Metamask Institutional.