a16z: 5 Principles of Cryptocurrency Asset Custody

a16z
2025-04-17 23:41:10
Cryptocurrency asset custody faces unique legal and operational risks.

Original Title: Holding the future: Custody principles for a tokenized world

Original Authors: Scott Walker, Kate Dellolio, David Sverdlov, a16z

Original Compilation: Luffy, Foresight News

Registered Investment Advisors (RIAs) that invest in crypto assets face a dilemma: regulation is unclear and custody options are limited. Complicating matters further, crypto assets carry ownership and transfer risks that differ from those of the assets RIAs have traditionally managed. RIAs' internal teams (operations, compliance, legal, etc.) are working hard to find third-party custodians that are willing and able to meet their expectations. Despite these efforts, they often cannot find a qualified custodian, and RIAs end up holding the assets themselves. As a result, crypto asset custody faces unique legal and operational risks.

What the crypto industry needs is a principled approach that helps professional investors protect crypto assets on behalf of their clients. In response to the recent request for information from the U.S. Securities and Exchange Commission (SEC), we have formulated several principles that, if implemented, would extend the goals of the Investment Advisers Act custody rule to the new category of crypto assets.

How Crypto Asset Custody Differs

With traditional assets, a holder's control is exclusive: if one party controls the asset, no one else does. This does not hold for crypto assets, where several parties may each have access to the private keys that control a given set of assets, and any one of them can move the assets.

Crypto assets often come with various intrinsic economic and governance rights that are critical to the assets. Traditional debt or securities can earn income "passively" (such as dividends or interest), and holders do not need to transfer the assets or take any further action after acquiring them. In contrast, holders of crypto assets may need to take action to unlock specific economic or governance rights associated with the assets. Depending on the capabilities of third-party custodians, RIAs may need to temporarily transfer these assets out of custody to unlock these rights. For example, certain crypto assets can earn returns through staking or yield farming, or holders may have voting rights on governance proposals for protocols or network upgrades. These differences from traditional assets present new challenges for crypto asset custody.

To help determine when self-custody is appropriate, we have developed the following flowchart.

Principles

The principles we propose here aim to demystify custody for RIAs while retaining their responsibility to protect client assets. The market for qualified custodians focused on crypto assets (such as banks or broker-dealers) is extremely narrow; therefore, our primary focus is on whether custodial entities have the capability to provide the substantive protections we believe are necessary for the custody of crypto assets, rather than just their legal status as qualified custodians under the Investment Advisers Act.

We recommend that, when third-party custody solutions either cannot provide substantive protective measures or cannot support the economic and governance rights attached to the assets, RIAs that are themselves able to meet the substantive protection requirements may consider self-custody as an option.

Our goal is not to expand the scope of custody rules beyond securities. These principles apply to crypto assets that are securities and establish standards for other asset types that meet RIAs' fiduciary duties. RIAs should seek to hold crypto assets that are not securities under similar conditions and document all custody practices for assets, including the reasons for significant differences in custody practices for different types of assets.

Principle 1: Legal Status Should Not Determine the Qualification of Crypto Asset Custodians

Legal status and the protective measures associated with specific legal statuses are important for custodians' clients, but they are not the only factors to consider when it comes to crypto asset custody. For example, federally chartered banks and broker-dealers are subject to custody regulations that provide strict protections for clients, but state-chartered trust companies and other third-party custodians can also offer similar levels of protection.

The registration of custodians should not be the sole determining factor for their eligibility to custody crypto asset securities. In the crypto space, the definition of "qualified custodians" should be broadened to include:

  • State-chartered trust companies (meaning they do not need to meet the definition of "bank" under the Investment Advisers Act, aside from being subject to oversight and examination by state or federal banking regulators);

  • Any entity registered under the (proposed) federal crypto market structure legislation;

  • Any other entity that can demonstrate compliance with stringent client protection standards, regardless of its registration status.

Principle 2: Crypto Asset Custodians Should Establish Appropriate Protective Measures

Regardless of the technological tools used, custodians should adopt certain protective measures around crypto asset custody. These measures include:

  1. Separation of Powers: Crypto asset custodians should not be able to transfer crypto assets out without the cooperation of RIAs.

  2. Asset Segregation: Crypto asset custodians should not commingle assets held for an RIA with assets held for any other entity. Registered broker-dealers may, however, use a single omnibus wallet, provided they maintain up-to-date records of the beneficial ownership of the assets in it and disclose this information to the relevant RIAs in a timely manner.

  3. Custodial Hardware: Crypto asset custodians should not use any custodial hardware or other tools that pose security risks or are at risk of being compromised.

  4. Audits: Crypto asset custodians should undergo financial and technical audits at least annually. Such audits should include:

Financial audits conducted by PCAOB-registered auditors:

  • Service Organization Control (SOC) 1 audits;

  • SOC 2 audits; and

  • Confirmation, measurement, and reporting of crypto assets from the perspective of holders;

Technical audits:

  • ISO 27001 certification;

  • Penetration testing; and

  • Disaster recovery procedures and business continuity planning tests.

  5. Insurance: Crypto asset custodians should have sufficient insurance coverage, or if insurance cannot be obtained, should establish sufficient reserves.

  6. Disclosure: Crypto asset custodians must provide RIAs with an annual list of key risks associated with their custody of crypto assets, along with relevant written oversight procedures and internal controls to mitigate these risks. Crypto asset custodians should assess this quarterly to determine if updates to disclosures are needed.

  7. Custody Jurisdictions: Crypto asset custodians should not custody crypto assets in any jurisdiction where local laws dictate that custodial assets become part of the bankruptcy estate upon their bankruptcy.

Additionally, we recommend that crypto asset custodians implement protective measures related to the following processes at each stage:

  • Preparation Stage: Review and assess the crypto assets to be custodied, including the key generation process and the transaction signing procedure, whether the asset is supported by open-source wallet software, and the provenance of every piece of hardware and software used in the key management process.

  • Key Generation: Cryptographic techniques should be used at every level of this process, and producing a usable private key should require multiple cryptographic keys (or key shares) rather than one. The key generation process should be both "horizontal" (multiple key holders at the same level, so that no single holder can act alone) and "vertical" (multiple layers of encryption). Finally, quorum requirements should ensure the actual presence of authorized personnel rather than merely the presence of their credentials.

  • Key Storage: Keys should never be stored in plaintext; they should be stored only in encrypted form. Key material must be physically isolated, by geographic location or by separate access personnel. If hardware security modules are used to store key copies, they must meet the relevant Federal Information Processing Standards (FIPS 140) security level. Strict physical isolation and authorization measures should be implemented. Crypto asset custodians should maintain at least two levels of redundancy for encrypted key material so that operations can continue in the event of natural disasters, power outages, or property damage.

  • Key Usage: Wallets should require authentication; in other words, they should verify the identity of the user, and only authorized parties should have access to them. Wallets should use mature open-source cryptographic libraries. Another best practice is to avoid using a single key for multiple purposes: for example, separate keys should be kept for encryption and for signing. Follow the principle of least privilege, meaning that access to any asset, item of information, or operation is limited to the parties strictly necessary for the system to function, so that a compromise of any one party exposes as little as possible.
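As an added illustration (not code from the original article, from a16z, or from any custodian), the following standard-library Python sketch shows two of the properties described above: a k-of-n quorum over a signing key, which is the "horizontal" layer of Key Generation and also the Separation of Powers item under Principle 2 (neither the custodian nor the RIA holds enough shares to move assets alone), and purpose-separated keys derived from one root, which is the Key Usage point that a signing key is never reused for encryption. The holder names, the 3-of-5 policy and the "custody-v1" derivation label are assumptions for illustration. The "vertical" layer (encrypting each share at rest, ideally inside a FIPS-rated HSM) and the authentication of signers are not shown, and the Shamir and HKDF routines are written out here only for readability; production wallets should use audited libraries, as the text recommends.

```python
"""
Threshold custody of a signing key. Added illustration, not a16z's or any
custodian's code. Shamir secret sharing over the secp256k1 group order, so the
shared secret can stand in for an ECDSA private key. Holder names, the 3-of-5
policy and the "custody-v1" label are assumptions. Python 3.8+, stdlib only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Order of the secp256k1 group; a valid private key is an integer in [1, N).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

Share = Tuple[int, int]  # (x, y): one evaluation of the sharing polynomial


def split_secret(secret: int, k: int, n: int) -> List[Share]:
    """Split `secret` into n shares; any k reconstruct it, any k-1 reveal nothing."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 < secret < N:
        raise ValueError("secret must be a valid private-key scalar")
    # Degree k-1 polynomial: secret as constant term, random higher coefficients.
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod N
            y = (y * x + c) % N
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Share]) -> int:
    """Lagrange-interpolate the polynomial at x = 0; caller must supply >= k shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total


# Hypothetical share distribution (assumed for illustration): 3-of-5 quorum, the
# RIA and the custodian holding two shares each and one share at a cold backup
# site. Neither the custodian nor the RIA reaches quorum alone (separation of
# powers); the backup share lets operations continue if one site is lost.
QUORUM = 3
HOLDERS: Dict[str, List[int]] = {
    "ria_office": [1, 2],
    "custodian_vault": [3, 4],
    "cold_backup_site": [5],
}


def quorum_reachable(present: List[str], holders: Dict[str, List[int]] = HOLDERS,
                     k: int = QUORUM) -> bool:
    """True if the parties in `present` jointly hold at least k distinct shares."""
    indices = set()
    for holder in present:
        indices.update(holders[holder])
    return len(indices) >= k


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract, then expand) built from the stdlib hmac module."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()  # zero salt per RFC
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_purpose_key(root: int, purpose: str) -> bytes:
    """One root secret, a distinct key per purpose: signing is never reused for encryption."""
    return hkdf_sha256(root.to_bytes(32, "big"), b"custody-v1/" + purpose.encode())


if __name__ == "__main__":
    root = secrets.randbelow(N - 1) + 1
    shares = split_secret(root, QUORUM, 5)
    by_holder = {h: [shares[i - 1] for i in idx] for h, idx in HOLDERS.items()}
    print("custodian alone reaches quorum:", quorum_reachable(["custodian_vault"]))
    print("custodian + RIA reach quorum:", quorum_reachable(["custodian_vault", "ria_office"]))
    print("custodian's 2 shares recover key:", recover_secret(by_holder["custodian_vault"]) == root)
    print("custodian + backup (3 shares) recover key:",
          recover_secret(by_holder["custodian_vault"] + by_holder["cold_backup_site"]) == root)
    print("signing key != encryption key:",
          derive_purpose_key(root, "signing") != derive_purpose_key(root, "encryption"))
```

The policy check in `quorum_reachable` is the part a custodian's signing service would enforce before it even begins reconstruction (or, better, before a threshold-signature round that never reconstructs the key at all): the custodian's own two shares interpolate to a wrong value, so the RIA's participation, or the backup site's, is mathematically required rather than merely procedurally required.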

Principle 3: Crypto Asset Custody Rules Should Allow Registered Investment Advisors to Exercise Economic or Governance Rights Related to Custodied Crypto Assets

Unless otherwise instructed by clients, RIAs should be able to exercise the economic or governance rights attached to custodied crypto assets. During the previous SEC administration, many RIAs adopted the conservative strategy of placing all crypto assets with qualified custodians because of the uncertainty surrounding token classification. As noted above, the market of available custodians is limited, and often only one qualified custodian is willing to support a specific asset.

In these cases, RIAs may request to exercise economic or governance rights, but crypto asset custodians may choose not to provide these rights for various reasons. In turn, RIAs feel they lack the power to choose other third-party custodians or to self-custody to exercise these rights. These economic and governance rights include staking, yield farming, or voting.

Under this principle, we advocate that RIAs should select third-party crypto asset custodians that meet the relevant protective measures so that RIAs can exercise economic or governance rights related to custodied crypto assets. If a third party cannot meet both requirements simultaneously, RIAs' actions to temporarily transfer assets out for self-custody to exercise economic or governance rights should not be viewed as a departure from custody.

All third-party custodians should make every effort to provide RIAs with the ability to exercise these rights while the assets are still under their custody and should take commercially reasonable actions to exercise any rights related to on-chain assets when authorized by RIAs.

Before transferring assets out of custody to exercise rights related to a specific crypto asset, RIAs or custodians must first determine in writing whether the rights can be exercised without transferring the assets out of custody.

Principle 4: Crypto Asset Custody Rules Should Be Flexible to Achieve Best Execution

RIAs owe a duty of best execution when trading assets. To meet it, an RIA may transfer assets to a crypto trading platform in order to obtain best execution, regardless of the status of the assets or of the custodian, provided that the RIA has taken the steps necessary to satisfy itself of the security of the trading venue or, once crypto market structure legislation is finalized, transfers the assets to an entity regulated under that legislation.

As long as RIAs determine that transferring crypto assets to a trading venue for best execution is a prudent move, such transfers should not be viewed as a departure from custody. This requires RIAs to reasonably determine that the venue is suitable for achieving best execution. If trades cannot be properly executed at that venue, the assets should be immediately returned to the crypto asset custodian.

Principle 5: In Certain Circumstances, RIAs Should Be Allowed to Self-Custody

While using third-party custody should remain the primary option for crypto assets, RIAs should be allowed to self-custody crypto assets in the following circumstances:

  • RIAs determine that they cannot find a third-party custodian that meets their required protective measures;

  • The RIA's own custodial arrangements are at least as effective as the protective measures available from third-party custodians;

  • Self-custody is necessary to exercise any economic or governance rights related to the crypto assets.

When RIAs decide to self-custody crypto assets for these reasons, they must confirm annually that the circumstances justifying self-custody have not changed, disclose the self-custody situation to clients, and subject such crypto assets to the audit requirements of the Custody Rule.

The crypto asset custody approach based on these principles ensures that RIAs can adapt to the unique characteristics of crypto assets while fulfilling their fiduciary duties. By focusing on substantive protections rather than rigid classifications, these principles provide a pragmatic path forward for protecting client assets and unlocking asset functionalities. As the regulatory environment evolves, clear standards based on these protective measures will enable RIAs to manage crypto assets responsibly.
