Podcast: Cryptocurrency Custody Considerations
In this Ropes & Gray podcast, asset management partner Melissa Bender and counsel Ed Baer and Charlie Humphreville discuss the various considerations that an investor should take into account when engaging a custodian to hold cryptocurrencies or digital assets such as Bitcoin or Ether.
Ed Baer: Hello, and thank you for joining us today on this Ropes & Gray podcast. I'm Ed Baer, a counsel in the San Francisco office. Joining me today are my colleagues Melissa Bender, a partner in our San Francisco and Silicon Valley offices, and Charlie Humphreville, a counsel in our New York office (by way of Seattle). Today, we’re going to talk about considerations that an investor should take into account when engaging a custodian to hold cryptocurrencies or digital assets such as Bitcoin or Ether. For several years, we in the Ropes & Gray asset management practice group have been working with managers and institutional investors who have been looking to expand their investments into cryptocurrencies and digital assets. One of the things that has come up time and again is the types of information an investor should consider when entering into a cryptocurrency custody arrangement. In this podcast, we will share some insights we’ve gleaned from our work in this space. To kick us off, I’m going to ask Charlie to tell us how crypto custody works. Charlie?
Charlie Humphreville: Thanks, Ed. Perhaps the first operational due diligence question a manager will want to explore with potential custodians is how they operationalize the storage of digital assets. Any reputable provider of custodial services for digital assets will use a combination of hot and cold wallets, but how those wallets are managed will vary from custodian to custodian. At the highest level, a wallet is simply a public address at which the ownership of digital assets is recorded on the relevant blockchain. And what makes a wallet hot or cold is how the private key associated with that wallet is stored. In either case, the security of these keys is the primary function of a custodian, and a custodian’s failure to effectively protect those private keys will render everything else we are going to talk about today moot, so it’s of primary importance.
Hot wallets are often described as “connected to the internet.” In practice, this actually means that the private key associated with the wallet’s public address is stored on a computer connected to the internet. The advantage of a hot wallet is that it allows an accountholder to transfer its digital assets without advance notice and with high frequency. The downside, though, is that by being stored on a connected machine, the private keys are susceptible to hackers, malware, and other threats. Regardless of how much or whether a manager expects to use hot wallets, they should still understand how any potential custodian ensures the security of private keys to hot wallets. Custodians may, for good reason, be reluctant to share the details about their security procedures, but they should be able to explain their approach.
A cold wallet, then, is a wallet for which the private key is stored on a computer or other device that’s not connected to the internet – therefore, it should be more secure. The consequence of storing private keys offline, though, is that moving assets out of a cold wallet requires an additional step by which the private key is input to initiate the transfer, typically by one or more employees at the custodian – that introduces some latency into the process. Most importantly, managers should discuss with potential custodians how they manage the physical security of their cold wallets. For instance, how and where are cold wallet keys stored, and what safeguards are in place to prevent a rogue employee from stealing digital assets from cold wallets? The timing on which a custodian will guarantee transfers out of a cold wallet can vary greatly, so managers should also consider whether they are comfortable with those SLAs.
Another consideration is a manager’s ability to monitor its holdings, whether in a hot wallet or a cold wallet. As a general matter, a custodian should hold each of its client’s assets in separate hot or cold wallets, as opposed to holding all of its client assets in one omnibus account or wallet, as is typical for custodians of cash and traditional assets. As a result, custodians should provide their customers with the public addresses of their hot and cold wallets, so inflows and outflows from those addresses can be independently monitored. Custodians should also provide regular reporting on accounts.
To trade digital assets held at a custodian, managers will have, essentially, two options: either to trade directly from the account, for instance, in OTC trades with a market maker, or to trade on an exchange or other trading venue. In addition to securely storing digital assets, custodians may also provide access to an exchange or trading platform, and may have relationships with market makers. Some custodians provide that functionality through an affiliate that operates an exchange or trading platform, while others may have partnerships with unaffiliated trading venues. Managers that intend to make use of those relationships should diligence the relevant exchanges or platforms with the same or greater scrutiny as they use for the custodian itself.
Perhaps the most important thing to know when evaluating a relationship with a trading venue or exchange is: will digital assets need to be transferred to an account controlled by the exchange prior to trading? If so, the protections afforded by the custodian will be lost as soon as the assets leave the custodial account and land in the exchange account. In that case, the exchange would effectively also serve as a custodian, and all of the issues we have discussed and will discuss later today would need to be considered for the exchange as well. Assuming that the manager is satisfied by the nature of a custodian’s relationship with an exchange or trading venue, the manager will want to understand what digital assets and pairings can be traded on the exchange – it can vary greatly.
In addition, managers should consider how they will convert their fiat currency into digital assets. Can the custodian facilitate those types of transactions? What about the connected exchanges? What currencies can be converted? Further, if cash balances will be held at a custodian or on an exchange, are those balances subject to any regulatory protections, like FDIC insurance? A manager may also want to understand whether the custodian offers any other cash management for balances held in fiat currencies. And, finally, and I don’t mean to open a can of worms, but managers may want to understand whether any exchange that they’ll utilize has secured any necessary licenses and registrations from applicable regulatory bodies. Although as of yet, there has been little enforcement against unlicensed digital assets exchanges in the U.S., there is no guarantee that this trend is going to continue.
I’m going to hand it off now to Melissa to talk a bit about the regulatory landscape for custody firms.
Melissa Bender: Thanks, Charlie. As a threshold matter, it’s important to note that there are a couple of different areas of regulatory oversight to be considered. First, there is a question of what regulatory obligations the person buying and holding the digital assets may be subject to. In particular, managers that need to comply with the custody rules under the Advisers Act will need to be mindful of the requirements under those rules and, in particular, the obligation that a “qualified custodian” maintain client funds and securities in accordance with those rules. This presents the question of who is a “qualified custodian.” While various types of regulated entities meet the definition of a “qualified custodian,” very commonly in the crypto space we see custodians looking to fall within the definition of a “bank” under Section 202(a)(2) of the Advisers Act. Without getting too far into the weeds, “banks” include various types of state banking institutions, savings associations, or trust companies, where a substantial portion of the business consists of receiving deposits or exercising fiduciary powers similar to those permitted to national banks under the authority of the Comptroller of the Currency. Additionally, these institutions need to be supervised and examined by a State authority having supervision over banks or savings associations, and may not be operated for the purpose of evading the provisions of the Advisers Act.
As you can see, this is actually a fairly fact-intensive analysis. As a result, when engaging a custodian, a manager subject to the custody rules will need to specifically diligence whether the custodian is a “qualified custodian” and seek related contractual assurances. Importantly, there is no one-size-fits-all answer to how custodians of digital assets meet the “qualified custodian” test and the types of comfort they may be willing to provide on this front. Even where a manager or investor is not subject to the custody rules, it is important to conduct due diligence on a custodian to understand to what extent the custodian may be subject to regulatory oversight and to vet other reputational and operational issues. For example, you’ll want to confirm whether the custodian has experienced personnel in important operations and compliance posts. Speaking with existing client references would also be a prudent due diligence step.
Ed, this takes us to some other important reputational considerations such as a firm’s financial resources, insurance coverage and audit oversight. Could you talk to us a little bit about each of those items before we wrap up?
Ed Baer: Sure. The question of financial resources is an interesting one. Since most crypto custody firms are relatively newly-established, it makes sense to look at the financial resources available to them. This means considering the resources of the founders, as well as any capital available to them from investment partners. These firms should have financial reports that they make available to clients and regulators, and you should request a copy of the financials as part of your diligence process. Another point worth noting is that as cryptocurrencies have gone more mainstream, some larger, more-established firms have entered the market. With more options, there will be more competition, which should weed out the organizations that are underfunded.
Now I’m going to talk a little bit about another topic that’s related to financial resources, and that’s insurance. There have been many high-profile hacks and thefts of cryptocurrencies over the years, so it makes sense to consider whether your custodian maintains insurance. As Charlie explained, however, the first line of defense is to ensure that your assets are adequately stored and maintained. In many of the hacks and thefts that you’ve read about, the assets (or more accurately, the private keys) were not stored properly. But bad things sometimes happen even where your custodian does things correctly. We think that you should ask for information not only about the amount of available insurance coverage, but also about who’s providing the insurance and what the insurance covers. For example, does the insurance cover the loss or theft of your crypto assets, or just losses arising from misconduct by the custodian’s employees? In addition, does insurance cover assets held only in cold storage, or also assets held either in a “hot” wallet or collectively with the custodian’s other clients?
While it is not possible to properly “kick the tires” on all of a custodian’s operational processes, it’s worth asking them to provide evidence that their processes have been designed appropriately and are functioning effectively. What many custodians are doing is obtaining special reports—known as SOC 1 and SOC 2 audits—that provide a measure of assurance to clients and regulators that appropriate controls are in place. While a SOC 1 Audit is focused on internal controls related to financial reporting, a SOC 2 Audit is focused on information and IT security identified in one of five trust services categories: security (which is a required evaluation), confidentiality, information privacy, processing integrity and availability. SOC 1 and SOC 2 reports come in two types. A Type 1 Report provides a snapshot of a service organization’s internal controls at a single point in time or “as of” date. A Type 2 Report is a review of a service organization’s internal controls over a period of time, typically 6 or 12 months, and involves a more in-depth review of controls and additional testing of their operating effectiveness. As part of your diligence process, you should ask whether the custodian has SOC reports available.
Melissa Bender: Thanks, Ed. As more and more clients are investing in cryptocurrencies and digital assets, we continue to stress that holding these assets is simply not the same as holding stocks and bonds. A few key takeaways to consider are: First, the assets themselves are different because the custodians hold the private keys to access the assets rather than the assets themselves. Second, because this is an emerging asset class, the regulators and custodians are still feeling their way, so there is a significant amount of uncertainty and no clearly established industry “best practices.” Third, given the volatility and dynamics of the underlying assets and rapidly-evolving custody and regulatory practices, it is important to carefully monitor who is holding your cryptocurrencies and digital assets. Overall, the best approach is to do your homework. Make sure you understand how the custodian will store your assets, how it is regulated, whether it has insurance and adequate controls in place, and whether it provides access to trading. We hope that the considerations we outlined are useful in helping you think about how to safely store cryptocurrencies and digital assets. And of course, we can help you navigate any of the topics we’ve discussed – please don't hesitate to get in touch.
Thank you, Ed and Charlie, for joining me today for this discussion, and thank you to our listeners. For more information on the topics that we discussed or other topics of interest to the asset management community, please visit our website at www.ropesgray.com. You can also subscribe and listen to this series wherever you regularly listen to podcasts, including on Apple, Google, and Spotify. Thanks again for listening.