Digital Assets Discussion: Consequences of the Proposed Safeguarding Rule for Crypto Asset Custody

June 28, 2023
15:32 minutes

On this Ropes & Gray podcast, asset management attorneys Melissa Bender and Charlie Humphreville discuss the SEC’s proposed amendments to Rule 206(4)-2 under the Investment Advisers Act of 1940, the so-called “custody rule,” and how they will impact registered investment advisers that hold and invest in crypto assets. Ropes & Gray has a number of resources regarding the proposed changes to the custody rule and how they will impact registered advisers. If you would like to learn more about these matters please contact your usual Ropes & Gray attorney contacts.


Melissa Bender: Hello and welcome to today’s Ropes & Gray podcast. I’m Melissa Bender, a partner in the asset management group and co-head of the private funds practice. Today, we’ll discuss how the SEC’s proposed amendments to Rule 206(4)-2 under the Investment Advisers Act of 1940, the so-called “custody rule,” will impact registered investment advisers (or RIAs) that hold and invest in crypto assets. With me today is Charlie Humphreville, counsel in the asset management group.

Charlie Humphreville: Thanks, Melissa. On February 15, 2023, the SEC published proposed Rule 223-1, which would amend and supplement the current Advisers Act custody rule. The proposed rule would represent something of a sea change in the rules and requirements applicable to RIAs’ safeguarding of client assets. Today, we will try to focus on those changes that will have the greatest impacts on advisers dealing in crypto assets, but there are numerous other changes that will impact registered advisers generally. We encourage listeners to visit our website at for more information.

One change contained in the proposed rule that will have a major effect on crypto is the scope of assets covered. Seizing on language in the Dodd–Frank Act that has largely been overlooked since its adoption, the proposed rule would require RIAs to hold all “client assets” with a qualified custodian. Under the current rule, advisers are only required to hold “funds and securities” with a qualified custodian.

For this purpose, “assets” is defined very broadly—it includes “funds, securities and other positions.” The release expressly states that crypto assets fall within the new “assets” definition, even in instances where crypto assets are neither funds nor securities.

Melissa Bender: That’s big. Under the current rule, many RIAs have taken the position that only crypto assets that are securities are subject to the custody rule—for instance, permitting BTC and ETH to be self-custodied or held with a third-party that does not qualify as a qualified custodian. The SEC would now regulate the safeguarding of all crypto assets. Of course, crypto assets tend to vary from traditional securities in significant ways related to custody. In particular, “possession or control” of crypto assets differs from equity and other securities, which raises significant uncertainty around the requirements of the amended rule.

The proposed amendments would expand, or clarify, the definition of “custody.” Among other clarifications, the release states that custody turns on “possession or control” of the assets. Specifically, a custodian will be deemed to have custody of an asset where it is required to participate in any “change of beneficial ownership” of the asset. Presumably, a qualified custodian would have “possession or control” of a crypto asset if it generates and maintains private keys for the wallets holding the crypto assets.

The amended definition of custody could also permit new forms of compliant custody arrangements for crypto assets, such as key sharding or multi-signature arrangements, where one or more custodians hold a necessary piece or authorization required to assign the crypto assets and effect a change of beneficial ownership. It’s not hard to imagine a scenario where a wallet is subject to a two-of-three signing arrangement, whether via sharding or a multi-signature arrangement such as that offered by FireBlocks, where the RIA holds one signing key and the other two are held by one or more qualified custodians.

Charlie Humphreville: It’s possible, though, that the SEC takes a different interpretation given its focus on custodians having to demonstrate “exclusive” control over assets. The SEC might interpret control to mean that a custodian must have an absolute, or exclusive, right to transfer crypto assets for it to be deemed to have custody—rather than simply a veto right. In that case, key sharding and multi-signature arrangements may not satisfy the amended rule. We are hopeful that this is not the case, as there would appear to be no client or investor benefit to requiring a custodian to have sole authority to cause a transfer, rather than having a right to block any transfer.

The Commission is also struggling with the concept of “exclusive” control of crypto assets in another context. The SEC requested comment on the challenges of demonstrating exclusive possession or control of crypto assets—this time meaning evidence that no other person or entity has the private keys associated with the custodian’s wallets. The proposing release asks commenters whether it is possible to demonstrate exclusive possession or control of crypto assets at all. At a very technical level, as the SEC knows, it is not possible to prove that no other person has the custodian’s private keys. “Proving the negative” is a well-worn logical fallacy. However, that should not be the end of the road.

For over a decade, PCAOB accounting firms have audited pooled investment vehicles that “self-custody” crypto assets and have issued those vehicles unqualified financial statements. While those procedures vary from auditor to auditor, ownership and control over self-custodied crypto assets is typically confirmed by some combination of the following:

  1. Demonstration of control over the wallet (for instance, by the vehicle signing a message or “microtransaction” with the related private key).
  2. Audit of the wallet creation process and private key security controls to ensure that the private keys are never exposed to unnecessary risk of loss. This might include a SOC 1 or SOC 2 report.
  3. Audit engagement controls (for instance, requiring that all vehicles advised by the same adviser or general partner be audited by the same firm, to avoid the same crypto assets being attributed to different pools).

We would hope that qualified custodians are permitted to demonstrate “possession or control” over crypto assets based on the same or similar procedures.

Melissa Bender: I think it is fair to say that a lot is still unsettled.

Now that we’ve covered the scope of the proposed rule, it is worth talking through how these changes would apply to various players in the crypto asset space. As of today, many RIAs trade crypto assets on centralized exchanges like Coinbase. If the custody rule is amended as proposed by the SEC, that may no longer be permitted. Of course, the SEC has numerous ongoing enforcement actions against centralized platforms that might separately make centralized exchanges unavailable in the United States, but that’s a topic for another podcast. Because customers of centralized exchanges must pre-fund trades (in other words, deposit tokens onto the exchange in order to trade), the proposed rule would prohibit the use of centralized crypto asset exchanges—and decentralized exchanges that require prefunding—by RIAs, unless the exchange operator is a qualified custodian. Currently, we are not aware of any centralized crypto asset exchange that would meet the requirements of a qualified custodian. Because of the proposed expanded scope of the custody rule, this prohibition would apply to all pre-funded crypto asset exchanges, including those only listing BTC, ETH and other “non-security” crypto assets, and even a custodial exchange that facilitates trading in NFTs.

On the other hand, the proposed rule would seemingly not prohibit trading or swapping on decentralized platforms where pre-funding of transactions is not required. That assumes that assets are traded out of, and into, an account with a qualified custodian. We were initially puzzled by this, as it seemed unlikely that the SEC would intentionally drive crypto asset markets onto decentralized exchanges. Even if trading on decentralized exchanges might comply with the amended rule, decentralized exchanges raise other, potentially more material, risks to client assets.

Charlie Humphreville: However, in mid-April, the SEC reopened the comment period on its outstanding proposed rule governing securities exchanges and alternative trading systems (or ATSs), and clarified that that rule would apply to centralized and decentralized crypto asset exchanges. It remains unclear whether any decentralized exchanges would be able to comply with the rule.

The SEC also specifically asked commenters for more information on how settlement on decentralized exchanges works, so we may see more on decentralized exchanges in the final custody rule.

Aside from the centralized and decentralized crypto asset exchanges, RIAs may have a few other options for executing trades in crypto assets. As the SEC notes in the proposing release, there are a handful of currently-compliant ATSs that provide non-custodial trading of crypto assets. In this model, the ATS matches orders from buyers and sellers, then the buyers and sellers settle the trade either directly or through their respective custodians. This is functionally identical to how most smart-contract-based decentralized exchanges work. These existing ATSs are not widely used though—it is unclear whether these venues can facilitate the volume and speed of trading crypto asset investors have come to expect.

Melissa Bender: RIAs aren’t likely to find things better overseas. Foreign financial institutions (or FFIs) that are qualified custodians under the Advisers Act would become subject to numerous new and onerous requirements under the proposed rule. For example, the SEC or an RIA would need to be able to enforce judgments against the FFI. Also, the FFI would need to be regulated by a foreign government or regulatory agency as a banking institution, trust company or other financial institution that holds customer assets, and those assets must be protected in the event of insolvency. Non-U.S. centralized crypto asset exchanges don’t currently comply with these requirements and, in all likelihood, will not elect to do so. Options for non-U.S. qualified custodians of crypto assets may also be reduced, perhaps completely, upon adoption of the proposed rule.

The proposed rule adds a variety of other new obligations on qualified custodians. We encourage you to visit our website to learn more.

Charlie Humphreville: Clearly, RIAs and qualified custodians will need to be ready for some significant adjustments to their existing practices if this rule is enacted in anything like its current form. While we can’t cover every consideration under the proposed rule in this podcast, there are a few other topics we should discuss.

One question is how an RIA would comply with the proposed rule if it wants to invest in crypto assets that are not supported by a qualified custodian. The SEC requested comment on several topics related to this question. First, whether an RIA should be permitted to custody such an asset in line with the safeguarding standards of the proposed rule. Second, whether these unsupported assets should be treated like physical assets or privately held securities. And third, whether an RIA would effectively be prohibited from holding those assets on behalf of clients. As currently drafted, there is no clear course of action for how an RIA would be able to invest in and custody the potentially thousands of crypto assets that are unsupported by qualified custodians.

Melissa Bender: This raises another issue. Even where crypto assets can be maintained with a qualified custodian, RIAs should be aware that there may be certain rights or benefits associated with those crypto assets that it or its clients may not receive. A qualified custodian may choose not to support airdrops or forks generally, including because the new crypto asset cannot be custodied by the custodian. Further, certain crypto assets, such as DAO tokens, held with a qualified custodian may have voting rights that can only be exercised by the qualified custodian as the “holder of record” by virtue of its control over the private key. Qualified custodians may be unwilling or unable to exercise these voting rights.

Charlie Humphreville: Finally, and by no means the least consequential question raised by the proposed rule, is its application to staking. Staking has become an increasingly popular way for crypto investors to earn passive income on their crypto assets. And the SEC is keenly aware of crypto staking, as evidenced by recent enforcement actions. Still, the proposed rule raises more questions than answers as it relates to staking. Surprisingly, the SEC did not offer any questions for comment related to staking, leaving the amended rule’s application to these activities uncertain.

Staking platforms can vary greatly and the application of the revised custody rule may differ from platform to platform. That being said, there are some core concepts that apply across staking arrangements and blockchain protocols that are likely to influence treatment under the rule. For instance, an RIA considering a staking arrangement should consider whether the staking arrangement is custodial or non-custodial and whether a qualified custodian will remain in “possession or control” of the crypto assets.

In a custodial arrangement, the crypto assets are transferred to, or deposited with, a third-party staking service provider that operates the validator nodes and stakes using the pooled assets of all depositors. In this case, the staking service controls all of the private keys related to the wallet in which the assets are held. Unless the staking service operator is a qualified custodian, these arrangements would violate the proposed rule.

In a non-custodial arrangement, control over the crypto assets themselves is not transferred to a third-party staking service—instead, only a specially generated “staking key” would be assigned to the service. The holder of the private “transfer” key associated with the crypto asset could terminate the delegation to the staking service, or remove the crypto assets from the staking arrangement, at any time, subject to the blockchain protocol’s unbonding period. In this case, if a qualified custodian delegates solely staking authority to a third-party that operates validator nodes, but the assets themselves are not transferred to the third party’s wallet, we would expect the arrangement to satisfy the requirements of the amended custody rule—of course, assuming that the transfer key is retained by a qualified custodian. This arrangement would not permit the staking entity to transfer or misappropriate the crypto assets, so the custody risks that the rule seeks to minimize are not present.

Melissa Bender: There is a lot to unpack here. For instance, might the SEC treat slashing that occurs due to mistakes or bad acts by a validator node operator as giving it “control” over the staked assets, effectively undermining non-custodial staking arrangements? Could the SEC view this as “the ability or authority to effect a change of beneficial ownership” of the staked assets, and, therefore, custody?

The answer is unclear, but it’s important to remember that there is no incentive for the validator to cause a slashing event, because they benefit solely from the proper operation of the validator node. And again, this isn’t really the type of risk the custody rule intends to protect against.

Another critical feature of a staking arrangement is whether rewards are deposited to the wallet of the holder of the transfer keys or to the wallet of the staking service or third-party node operator. Staking rewards may, for certain crypto assets and arrangements, be deposited directly into the staker’s wallet. This would presumably comply with the amended custody rule if that wallet was controlled by a qualified custodian. However, if staking rewards are deposited to a wallet controlled by the staking service, compliance with the custody rule would likely depend on whether the staking service is operated by the qualified custodian.

Ultimately, the SEC has signaled pretty clear hostility towards staking in general, so it is hard to be optimistic about how the SEC would resolve these ambiguities.

Charlie Humphreville: Thanks, Melissa. The proposed rule, once enacted, would require RIAs to come into compliance with the rule’s requirements within a one-year to 18-month transition period (depending on the RIA’s assets under management). The 60-day comment period on this proposed rule closed on May 8, and the SEC received a large number of comment letters from investors, custodians, law firms and other service providers, and members of Congress.

Melissa Bender: Thank you very much, Charlie, for this discussion, and thank you to our listeners. Please visit our website at, or feel free, of course, to reach out to any of us at Ropes & Gray via email or phone for more information. You can also subscribe to this Ropes & Gray series wherever you typically listen to podcasts, including on Apple and Spotify. Thanks.

Subscribe to RopesTalk Podcast