
Crypto Custody


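By Amanda Gould

Ms. Gould is a third-year law student at the University of Pennsylvania Carey Law School. This research was conducted under the supervision of Professor David Hoffman.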

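Introduction

Federal law requires investment managers and broker-dealers that transact in large amounts of cash or securities to keep those assets with entities that meet certain custody requirements.[2] Such custody rules grew out of the chaos of the Great Depression and initially helped create a financial market characterized by high investor trust and strong liquidity.

Recently, entrepreneurs seeking to trade “crypto assets” have complained that the system of custody rules hinders innovation.[3] Goldman Sachs asset manager Justin Schmidt summarized the frustration succinctly:

“Clients often ask me, ‘Can you custody our tokens?’ and I say, ‘No, we can’t.’ One of the things we have to consider as we expand the business is what we can and cannot do from a regulatory perspective.” [4]

Why has a nearly century-old set of legal rules become so controversial?[5] And what can be done about it? This white paper explores these questions in detail.

Two Custody Questions

There are actually two separate “custody” questions. The first is whether the technologies associated with crypto assets are subject to federal customer protection and statutory custody requirements. We call this the regulatory question.

The second inquiry is the cybersecurity question, which asks how digital assets can be properly safeguarded against hacking and theft. That is, what combination of security features, from public key cryptography to traditional offline mechanisms, will actually keep crypto assets safe, and how should the industry settle on a set of best practices in this rapidly evolving field?

The cybersecurity question is related to the regulatory question because, historically, traditional custodians (such as banks) have reliably kept client assets safe. But banks are not cryptography experts. Ensuring the physical security of digital assets built on blockchains and cryptographic code is a more complex task than traditional custodians are accustomed to, and it goes beyond the scope of the regulatory question to involve an assessment of technical cybersecurity considerations.

It is important to distinguish whether the custody rules apply from what crypto custody looks like from a cybersecurity standpoint, because the agency tasked with enforcing the custody rules, the SEC, is not an arbiter of cybersecurity. The agency has notably deferred to industry self-regulation to determine best practices for safeguarding cash, securities, and related assets.

To fully appreciate the complexity of the custody rules, it helps to revisit the basic premises behind modern financial intermediation. So, before delving into the two questions, we briefly review securities intermediaries. In the area we are studying, they come in two types: central securities depositories and custodian banks.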

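Central Securities Depositories

The securities industry relies on intermediaries to trade, settle, and hold securities. Historically, companies issuing public stock did so by delivering a paper stock certificate to each shareholder. But by the mid-1970s, high trading volumes and deepening capital markets made it difficult for buyers and sellers to manually deliver paper-certificated securities at the end of each trading day. The industry eventually embraced the idea of a single, national securities clearinghouse capable of computerized recordkeeping. Today, securities are no longer issued as paper certificates but as electronic book entries in centralized accounting systems called central securities depositories (“CSDs”).[6]

Under this system, the depository replaces the investor as the registered (or “legal”) owner of the security.[7] A registered owner holds shares directly with the issuing company.[8] For the depository, this involves acting as the holder of record and registrar for the entire issuance of millions of securities.[9] Depositories operate on a membership model, and only institutions that meet specific regulatory, capital, and technical requirements (i.e., custodian banks, broker-dealers, and international depositories) may use their services.[10] Investors (“beneficial owners”) acquire or transfer securities through electronic registration in securities accounts facilitated by these depository participants.[11]

To reduce the logistical burden and operational risk associated with physically transferring certificates, securities are dematerialized at the depository, so settling a trade requires notifying the depository to make a book-entry change reflecting the new ownership of the security. To settle, depository participants net their trades into a single position at the end of the day and submit it to the depository’s clearing agency.[12] The clearing agency then matches and validates the participants’ settlement instructions and updates the trades on the depository’s books by debiting or crediting the participants’ securities accounts.[13]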

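Custodian Banks

In the hierarchy of securities intermediaries, custodian banks sit between the depository and the beneficial owner. The roles of custodian and depository are closely related but distinct. The depository is a market utility focused on ensuring the legitimacy of securities issuances and facilitating trade settlement.[14] Custodian banks, by contrast, monitor and service securities on behalf of institutional investors and private wealth clients under custody agreements. In short, the depository has a relationship with the issuer, while the custodian has a relationship with the investor.[15]

Custodian banks have two primary responsibilities.

First, custodians connect issuers with investors by providing the infrastructure clients need to participate in global financial markets.[16]

Second, custodians use physical and electronic systems to protect client assets from theft or misappropriation by investment advisers, fund managers, or third parties. They also guard against the bankruptcy or insolvency of the adviser or of the custodian itself by segregating client assets and identifying them in securities accounts as held on behalf of the client.[17]

In this respect, custody services centered on the physical safekeeping of client assets, typically by storing tangible assets in vaults and safes. Once securities were dematerialized at depositories, the bank’s role shifted from physically safeguarding assets to servicing the legal rights reflected in records of the assets. With respect to the electronic book-entry records in individual client securities accounts, custody banking is essentially an administrative service.[18] That service includes distributing income and dividend payments on securities, notifying clients of significant corporate actions, providing proxy voting, and general reporting on material events affecting client holdings.[19]

With these terms in mind, let us return to the regulatory question.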

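The Regulatory Question

The basic assumption behind custody arrangements is that a specialized third party is more likely to protect client assets from fraud and misappropriation than the investment adviser responsible for managing those assets. Congress enacted a series of statutes, all aimed at curbing the unsound business practices of investment managers (whose theft and misuse led to the 1929 stock market crash). These statutes established fiduciary duties for the safekeeping of client securities, cash, and similar investments.[20] Each statute sets out similar but distinct custody requirements to protect client assets held by funds and managers.[21] The custody statutes generally assign oversight of client assets to a subset of national banks. These custodian banks must comply with federally prescribed fiduciary duties, providing an additional layer of protection for client assets.[22]

The custody rules are designed to protect client assets from unlawful activity by investment management firms or investment advisers by forcing an intermediary to control the assets.[23] Custody requirements cover physical safekeeping, third-party audits, and trade and settlement reporting.[24]

The SEC has confirmed that many digital tokens distributed in initial coin offerings amount to the offer and sale of “investment contracts” and therefore meet the definition of a “security” under the federal securities laws.[25] As a result, crypto assets and related platforms (such as wallets and exchanges) will almost certainly fall within the scope of the custody rules.

To understand how the custody rules apply, we first look at how crypto assets are bought, sold, and held today.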

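Trading Crypto Assets

The simplest form of transaction takes place “on-blockchain,” with users hosting the protocol on their own internet-connected devices. These peer-to-peer transactions are validated according to cryptographic security measures and recorded on the blockchain’s distributed ledger. But because transacting directly on a blockchain requires finding one’s own trading partner and bearing the risk of self-custodying valuable tokens, most market participants buy, sell, and hold crypto assets through an ecosystem of user-friendly third-party intermediaries.[26] For our purposes, the most important are the intermediary services provided by electronic wallets and exchanges.[27]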

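Wallets

Electronic wallet providers are solely responsible for storing and securing public and private keys on behalf of their customers.[28] Recall that blockchain networks rely on public key cryptography to verify token ownership and transaction authenticity. Token owners are identified by a public address that is accessible to all other network participants.

The public address also corresponds to a unique private key known only to the token owner.[29] Both the public address and the private key are random strings of alphanumeric code.[30] Together, they form a “digital signature” that must accompany every transaction associated with the public address. Whoever holds the private key has complete control over the assets associated with that key. Because blockchain transactions are instantaneous and irrevocable, users want to keep their private keys secret. A private key is generated only once, so losing it effectively renders all tokens associated with that address worthless.

To reduce the risk of keeping track of these extremely valuable (but otherwise meaningless) strings of text, third-party wallet services emerged to provide secure storage for public and private keys.[31] Wallet services interact with various blockchain networks to store users’ public and private keys and monitor account balances. Users access their wallets with an ordinary username and password through a convenient interface on a website, mobile app, or desktop client.[32] Although the private key is in the wallet’s hands, ultimate control remains with the holder of the private key.[33] Any subsequent transactions are at the user’s discretion because the service provider cannot access the keys (unless the wallet service is associated with a cryptocurrency exchange, discussed in more detail below).

To guard against cyberattacks, some wallet services may, for an additional fee, keep private keys on flash drives or custom hardware devices that are not connected to the internet.[34] The tradeoff between this offline, or “cold,” storage and internet-connected “hot” storage is a tradeoff between security and liquidity.

In any event, although the optimal custody arrangement has yet to be determined, there is no doubt that control of the private key is the primary concern. Indeed, the private key is essentially the real asset. Its intrinsic properties and capabilities mean there is no way to truly secure it, without exception. For example, a key printed on a piece of paper and locked in a vault has still been exposed to at least one set of eyes (and therefore to a human brain or smartphone capable of committing the key to memory). The private key is thus both an innovative security feature and a significant liability.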

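Exchanges

An exchange is an online marketplace where users can exchange fiat currency for crypto assets or swap one crypto asset for another. Parties transacting on an exchange can transfer crypto assets without running the underlying blockchain protocol on their own devices.[35] Such transactions take place “off-blockchain.”[36] If an off-blockchain transaction is reflected on the public ledger, it appears as a transaction between intermediaries rather than between the buyer and seller.[37]

While these centralized exchanges facilitate most cryptocurrency trading worldwide, some market participants are turning to “decentralized” exchanges, which reduce counterparty risk by eliminating the intermediary.[38] Decentralized exchanges support cross-blockchain peer-to-peer trades that settle on the blockchain, with users retaining sole custody of their tokens throughout the transaction.[39] However, because decentralized exchanges are new and adoption is limited, these services face liquidity challenges, poor customer support, and pricing uncertainty.

As the primary mechanism for entering and exiting the market, exchanges undoubtedly hold enormous power and influence over the industry. Yet the exchange ecosystem is extremely fragmented. There are more than 200 active exchanges, each supporting different cryptocurrencies and different fiat-to-crypto pairings.[40] Platforms independently set the price of each currency they list, which further exacerbates the fragmentation.[41] Generally, prices are based on current trading volume and customer supply and demand, but the exact process is opaque and susceptible to manipulation.[42] In fact, the price of bitcoin has varied by as much as $2,000 across some of the largest exchanges.[43]

Today, federal law requires that, to operate in the United States, platforms obtain state-issued money transmitter licenses and comply with FinCEN anti-money laundering requirements.[44] New York was the first state to pass legislation establishing a regulatory framework for businesses engaged in virtual currency transactions.[45] As a result, any business that operates in New York or involves New York residents must obtain a “BitLicense” to transmit, control, administer, exchange, or hold virtual currency on behalf of others.[46] But owing to limited resources and a cumbersome review process, New York has issued fewer than 20 BitLicenses since the regulation took effect in 2015.[47] In the meantime, other states (notably Wyoming) have tried to attract blockchain innovators with laws imposing less stringent registration processes.[48]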

But in the absence of a central regulatory body, it is unclear what percentage of client assets are actually held on the exchanges and whether the assets are pooled or kept in separate client accounts. This business model is not burdened by tokens’ cryptographic security measures because exchanges net trades using internal balance sheets off-blockchain. The only transactions recorded on a blockchain are deposits and withdrawals between the exchange’s wallet and the user’s third-party wallet.[49]

Unpacking the crypto ecosystem thus illustrates an important (and perhaps ironic) point. The dominant mechanism for participating in a market built on decentralization is through a series of centralized intermediaries.[50]

This inference may be of regulatory significance because intermediated markets necessarily impose some risk to investors. Though intermediaries support markets by lowering transaction costs and reducing information asymmetries, intermediary risk weighs these benefits against the possibility that the intermediary defaults or becomes insolvent, resulting in loss or damage to the investor.[51] Intermediaries in crypto asset transactions are no different. They perform many of the same market-enhancing functions as traditional financial intermediaries, but they are also beholden to similar types of credit and liquidity risk.[52]

The presence of centralized intermediaries in a largely decentralized ecosystem makes exchanges obvious targets for hacking. Since 2011, thieves have netted $1.6 billion in tokens in at least 56 cyberattacks on cryptocurrency exchanges.[53] The most notorious hack occurred in 2014 when Mt. Gox—the world’s largest bitcoin exchange at the time—was forced to halt withdrawals and file for bankruptcy after it lost 850,000 bitcoin worth approximately $450 million.[54] There were no protective measures in place to secure customer assets, so hundreds of creditors were forced to endure lengthy legal proceedings in an attempt to reclaim their coins.[55] Others simply cut their losses and moved on.[56]

Which brings us back to a core tenet of federal securities laws: to protect client assets against inadvertent loss or theft by third-party intermediaries.

The following sections evaluate how crypto assets and crypto service providers fit into the custody and customer protection requirements of three federal securities laws—the Investment Advisers Act of 1940 (“Advisers Act”), the Investment Company Act of 1940 (“1940 Act”), and the Securities Investor Protection Act of 1970 (“SIPA”).

Regulating Investment Advisers

An investment adviser is a person or firm receiving compensation for advising others about security investments.[57] Advisers managing more than $110 million in client assets, and for whom a valid exception does not apply, must register with the SEC and adhere to the regulations prescribed in the Advisers Act.[58]

The “Custody Rule,” section 206(4)-2 of the Advisers Act, governs investment advisers who hold “directly or indirectly, client funds or securities.”[59]

There are four main components to the Custody Rule.

First, advisers have a fiduciary obligation to maintain clients’ funds or securities with a “qualified custodian.”[60] Qualified custodians are banks, registered broker-dealers, registered futures commission merchants, or foreign financial institutions that customarily hold financial assets for customers.[61] The Custody Rule dictates that qualified custodians must segregate client assets into separate accounts or into accounts under the name of the investment adviser as agent or trustee for the client.[62]

Second, the investment adviser needs to notify clients of the custodian’s name and the manner in which the assets are being held.

Third, the adviser must have a reasonable belief that the custodian is periodically sending account statements directly to the client containing information about the funds and securities in custody.[63] This reporting requirement also applies to accounts held in clients’ names as well as to individual investors in pooled investment vehicles.[64]

Finally, the investment adviser must agree to an annual surprise audit by an independent public accountant.[65]

Regulating Investment Companies

Registered investment companies (e.g., mutual funds and exchange-traded funds (“ETFs”)) are held to a different set of custody provisions under Section 17(f) of the ’40 Act. Though there are permissible alternatives, investment companies overwhelmingly choose to protect fund “securities and similar investments” by utilizing the custody services of banks.[66]

Custodians under the ’40 Act perform essentially the same services as qualified custodians under the Advisers Act, including asset safekeeping and accounting, transaction settlement, dividend and interest receipt, payment of fund expenses, and corporate action monitoring.[67]

Like the Advisers Act Custody Rule, neither the ’40 Act nor the accompanying SEC rules provide for the manner in which a custodian bank must maintain custody of assets. Instead, fund directors negotiate custody agreements with banks to determine the appropriate operating and compliance procedures and limitations on liability.

A registered fund investing solely or partially in crypto assets deemed to be securities will almost certainly invoke the ’40 Act custody provisions.

Regulating Broker Dealers

Broker-dealers intermediate between buyers, sellers, and stock exchanges to facilitate the flow of securities.[68] Since broker-dealers are afforded some agency over their clients’ assets, they are required to register with the SEC and must meet certain financial responsibility requirements under SIPA.[69]

The “Customer Protection Rule” (Rule 15c3-3) is one such requirement. It is designed to guarantee that client funds and securities are properly safeguarded from the financial failure of a broker-dealer, making it the broker-dealer analogue to the Advisers Act and ’40 Act custody rules. The rule limits broker-dealers’ ability to use customer securities and cash to finance firm business pursuits and aims to ensure that broker-dealers maintain enough assets to satisfy customer claims in the event of insolvency.

The rule has two dimensions. First, broker-dealers must promptly obtain physical possession or control over customers’ fully-paid and excess margin securities.[70] Physical possession means securities are literally located with the broker-dealer and that it has a sufficient number to satisfy all of its customers’ claims. Control is achieved through a custody agreement with one of several “control locations” specified in the rule, including banks as defined in Section 3(a)(6) of the Exchange Act.[71]

The second aspect of the Customer Protection Rule involves the creation of “Special Reserve Bank Accounts” for the exclusive benefit of customers (i.e., completely separate from the broker-dealer’s own bank account), with cash or qualified securities at least equal in value to the net cash owed to customers.[72]

Applying Investment Regulations to Crypto Asset Transactions

Consider, for example, a registered investment adviser who decides to incorporate crypto assets deemed to be securities into a client’s portfolio. The Custody Rule is triggered because the adviser now holds (directly or indirectly) client assets that are securities. This is the answer to the regulatory question for registered investment advisers. The Custody Rule applies. The question for the adviser then becomes, is my custodian capable of servicing crypto assets?

For most traditional bank custodians, the answer to this question is “no.” There are a number of reasons—many of which will be discussed in our evaluation of the cybersecurity question—why bank custodians are hesitant to offer their services to crypto assets. Broadly speaking, it is unclear what it means to have custody of a crypto asset in a way that both satisfies regulatory scrutiny and delivers on the safeguarding function.

In other words, the checks that regulators place on advisers and funds in the spirit of protecting investors (e.g., the use of qualified custodians, reporting requirements, and third-party audits) are at odds with what is necessary to physically keep crypto assets safe. The problem is unique to crypto because it is the only asset class to rely on public key cryptography to denote ownership and effect trades.

If, for instance, a custody agreement between an adviser (or fund) and bank custodian calls for the custodian to maintain physical possession of the public and private keys associated with a client’s crypto assets, what steps must the custodian take to ensure that the private key cannot be lost or stolen? [73] Would printing the private key on a piece of paper and storing it in a deposit box suffice? Should the custodian build its own proprietary wallet service? How will the custodian balance hot storage and cold storage? Or how about avoiding the headache of private keys entirely and opting to obtain the log-in information for the client’s preferred third-party wallet provider instead? Given these challenges, what level of liability is the custodian willing to accept in the custody agreement? 

Current custody methods and centralized securities holdings are designed to protect against adviser theft, misappropriation, or inadvertent loss of assets. But it is unclear whether a custodian of crypto assets will be able to mitigate against adviser fraud given the practical difficulty of truly securing bearer instruments like private keys. An investment adviser who wants to transfer crypto assets out of custody may do so and then abscond with the assets no matter how robust the security measures were while the asset was under the custodian’s supervision.[74]

The exact nuances of securing crypto assets, while related to custody, are not necessarily within the regulatory purview of the SEC. The Commission deferred to banks and financial industry SROs to implement acceptable standards for vaults back when stocks were in physical paper form, and again for CSDs and intermediated trading more recently. Thus, despite the implications new custody procedures may have on market integrity, the SEC has historically taken a hands-off approach in determining adequate safeguarding solutions.

But physically securing assets is only part of the equation. There is an inherent tension between the physical safekeeping and independent auditing requirements as applied to crypto assets. Today, bank custodians’ primary function is recordkeeping. Surprise audits are a reasonable mechanism for regulating firms in this space. But is the same principle true for banks holding crypto assets? Depending on the bank’s security features, this may involve bringing online assets typically housed in cold storage. If the main objective for crypto custody is limiting access to private keys (because whoever has the private key controls the asset), is it counterproductive to expose private keys to accountants for auditing purposes when those keys were moved to cold storage specifically for the purpose of limiting misappropriation risk in the first place?[75]

Perhaps most importantly, how will the independent auditors verify ownership of the crypto assets? This task may require technical expertise beyond that of traditional accounting firms. And even for an auditor with proficiency in blockchain technology, it may not be possible to determine that the private key held by the custodian actually represents an ownership interest in the crypto asset.[76]

Clearance and settlement will also be an issue. Recall, the intermediary holding system works, in large part, because securities are housed in a central depository with a limited number of market participants authorized to access the IT infrastructure that communicates with the depository. How should the financial industry approach the integration of assets capable of universal distribution into a system that relies on a single central database? The current system’s cohesiveness gives intermediaries the ability to settle cash and security transactions on a net basis daily. But, for example, if crypto assets are held in cold storage, daily settlement is probably not an option.[77] Given crypto assets’ high volatility, intermediary risk is compounded the longer it takes to effectuate settlement.

The biggest challenge for broker-dealers planning to service crypto asset trades is the requirement for physical possession or control over all client securities.[78] Taken literally, broker-dealers would need to obtain—and safely store with a control location bank—the public and private keys for every customer trading in crypto.

But it is unclear how this would work in practice. Broker-dealers require significantly more liquidity than investment advisers and funds. Is it practical to think about custody in terms of securing individual private keys for firms that support thousands of trades each day? When broker-dealers execute trades for their customers, are the transactions memorialized on a blockchain or recorded on an internal balance sheet? And to the extent that certain tokens also count as qualified securities under the second arm of Rule 15c3-3, is a weekly tally for the reserve amount sufficient given the high volatility of crypto assets?

The liquidity needs also raise a question related to the relationship a broker-dealer may need to have with a crypto exchange. Since pricing varies by exchanges, how will broker-dealers determine the appropriate rate to quote their customers? As the primary mechanism for entering and exiting the crypto markets, will broker-dealers become dependent on crypto exchanges to satisfy liquidity? More likely, increasing trading volumes on crypto exchanges will lead to a push from regulators to have crypto exchanges register as national exchanges or alternative trading systems under the Exchange Act. That said, many of the largest crypto exchanges operate in countries outside the SEC’s jurisdiction.

The previous illustrations of the likely safekeeping challenges for bank custodians also apply for broker-dealers using banks as their control location.

The Cybersecurity Question

We noted earlier that custodian banks began as experts in physical safekeeping with vaults and safes. And although it is not brand new, the shift to immobilized decertificated securities and electronic book-entry settlement is a relatively recent endeavor. Now, bank custodians are suddenly being asked to adopt and become fluent in the nuances of crypto assets, public key cryptography, and blockchain technology. Admittedly, this is not their area of expertise. 

Thus, as a threshold matter, regulators should consider whether bank custodians (and their partner securities intermediaries) are the right people for the job. In other words, does it make sense to task legacy financial institutions with developing the IT infrastructure necessary to make investing in digital assets possible on a grand scale? The unique characteristics of digital assets make this, in large part, a cybersecurity assignment.

To be sure, financial intermediaries are highly proficient in cybersecurity—evidenced by the digital network they created to facilitate secure trading and settlement among CSDs, custodians, clearing agencies, and national exchanges. But cybersecurity expertise and cryptography expertise are not one and the same. The existing financial market infrastructure was not designed with compatibility for cryptographically-coded assets in mind. To integrate crypto assets into the current systems would involve significant financial and human capital considerations.

The alternative would require custodians to depart from decades of established custodial practices to rely on third-party technology.[79] Third-party custodians are digitally-native custody startups established specifically to safeguard digital assets. A handful of custody startups are technically qualified custodians (though not approved by the SEC).[80]

The startups leveraged a workaround in the definition of “bank” under the Advisers Act and the ’40 Act which allows them to register as state-chartered limited purpose trust companies and meet the definition of a custodian under both Acts. Section 202(a)(2) of the Advisers Act and Section 2(a)(5) of the ’40 Act, define “bank” to include, among other entities,

“a trust company…doing business under the laws of any State or of the United States…[which] consists of receiving deposits or exercising fiduciary powers similar to those permitted to national banks…and which is supervised and examined by state or federal authority having supervision over banks or saving associations…”[81]

Assessing whether a state-chartered trust company qualifies under this definition turns on the interpretation of “fiduciary powers” for the purposes of that state’s banking oversight function. Notably, New York trust company fiduciary powers include acting as a custodian.[82] Indeed, two of the largest custody startups—Coinbase Custody and Gemini—are registered as New York State-chartered limited purpose trust companies.[83] Receiving a state trust charter provides the benefit of avoiding multistate money transmitter licensing and may allow the company to operate in other U.S. states.

The SEC’s unwillingness to recognize these entities as valid custodians likely stems from the fact that the ’40 Act exempts from the definition of a “bank” trust companies operating solely for the purpose of evading the requirements of the Act.[84]

Undeterred, the startups pitch institutional investors on their proprietary security technology, best-in-class policy controls, and broad wallet and token support.[85] There is very little explanation of what these features mean in practice (presumably to keep the integrity of the security solutions). Many of the biggest custody startups also operate exchanges and provide wallet services. Their marketing materials describe internal protocols designed to avoid conflicts of interest between the various lines of business. But without regulatory oversight there is no way to know the legitimacy of their services.[86]

Ultimately, every meaningful exploration into the cybersecurity challenges surrounding crypto assets begins and ends with the private key. Anyone with a moment’s exposure to the key has the ability to control the asset. And no matter how extensive a custodian’s labyrinth of passwords, wallets, hard-drives, locks, or vaults may be, securing private keys against intrinsic and extrinsic threats is essentially an impossible task.

We consider the cybersecurity question independent from the custody considerations because the need for stronger cybersecurity controls is pervasive. While the crypto industry remains extremely susceptible to bad actors (hackers stole $1 billion in crypto assets from exchanges and personal wallets in 2018), the threats affecting these networks and entities cannot be remedied by a custodian.[87]

If blockchain-based assets and conventional intermediaries are to coexist, the pressing question for regulators is twofold. Broadly, are regulators comfortable integrating assets with an inherent misappropriation risk into our financial systems? And if so, are they willing to merge “custody” with “cybersecurity” in defining safeguarding mechanisms for financial institutions holding crypto assets, thus deviating from the longstanding practice of deferring to industry SROs for custody implementation?

 

Footnotes

[1] Rachel Wolfson, Custodial Solutions Are the Latest Innovation in Cryptocurrency Ecosystem As Seen By Coinbase and Others, Forbes (Sept. 20, 2018), https://www.forbes.com/sites/rachelwolfson/2018/09/20/custodial-solutions-are-latest-innovation-in-cryptocurrency-ecosystem-as-seen-by-coinbase-and-others/#58bb831e171c.

[2] See 15 U.S.C. § 78aaa (2018); 15 U.S.C. § 80a-1 (2018); 15 U.S.C. § 80b (2018).

[3] See Olga Kharif and Sonali Basak, Regulated Crypto Custody is (Almost) Here. It’s a Game Changer., Bloomberg (June 18, 2018 5:00 AM), https://www.bloomberg.com/news/articles/2018-06-18/regulated-crypto-custody-is-almost-here-it-s-a-game-changer.

[4] Vildana Hajric, Goldman Says Regulatory Hurdles Prevent Holding of Crypto Assets, Bloomberg (Nov. 27, 2018 3:02 PM), https://www.bloomberg.com/news/articles/2018-11-27/goldman-says-regulatory-hurdles-prevent-holding-of-crypto-assets.

[5] See Kharif, supra note 3; see also Rachel Wolfson, Custodial Solutions Are the Latest Innovation in Cryptocurrency Ecosystem As Seen By Coinbase and Others, Forbes (Sept. 20, 2018), https://www.forbes.com/sites/rachelwolfson/2018/09/20/custodial-solutions-are-latest-innovation-in-cryptocurrency-ecosystem-as-seen-by-coinbase-and-others/#58bb831e171c.

[6] See U.S. Dep’t of the Treasury, Comptroller of the Currency, Administrator of National Banks, Custody Services: Comptroller’s Handbook 74 (2002), https://www.occ.gov/publications/publications-by-type/comptrollers-handbook/custody-services/pub-ch-custody-services.pdf.

[7] Issuer Restrictions or Prohibitions on Ownership by Securities Intermediaries, Exchange Act Release No. 34-50758A, 70 Fed. Reg. 70862, n.21 (Mar. 15, 2005), available at  https://www.sec.gov/rules/final/34-50758a.htm#P68_22198.

[8] What is a “Registered” Owner? What is a “Beneficial” Owner?, Investor.gov,  https://www.investor.gov/research-before-you-invest/research/shareholder-voting/what-%E2%80%9Cregistered%E2%80%9D-owner-what-%E2%80%9Cbeneficial%E2%80%9D.

[9] See The Clearing House, The Custody Services of Banks 4 (2016), https://www.davispolk.com/files/20160728_tch_white_paper_the_custody_services_of_banks.pdf.

[10] See The Clearing House, supra note 9, at 12.

[11] See Charles W. Mooney Jr., Global Standards for Securities Holding Infrastructures: A Soft Law/Fintech Model for Reform 2 (Faculty Scholarship at Penn Carey Law, 2019), https://scholarship.law.upenn.edu/cgi/viewcontent.cgi?article=3046&context=faculty_scholarship.

[12] Issuer Restrictions or Prohibitions on Ownership by Securities Intermediaries, Exchange Act Release No. 34-50758A, 70 Fed. Reg. 70862, n.27 (Mar. 15, 2005), available at  https://www.sec.gov/rules/final/34-50758a.htm#P68_22198.

[13] See The Clearing House, supra note 9, at 15.

[14] See Sophia Green, Rules of Engagement Become Blurry, Financial Times (Feb. 1, 2009), https://www.ft.com/content/9fef8092-ef07-11dd-bbb5-0000779fd2ac.

[15] Id.

[16] See The Clearing House, supra note 9, at iii.

[17] Assets held by a bank under a custodial agreement are not the bank’s assets. If the custodian were to become insolvent, the beneficial owner’s ownership interest in the underlying security would be protected because security entitlements are separate from the custodian’s estate. And unlike broker-dealers, who may exercise discretion over client assets, custodian banks cannot use assets on the client’s behalf or for their own purposes. Any decisions to buy or sell securities are made solely by the beneficial owner. The custodian’s role is limited to holding securities in client accounts and processing client-initiated transactions. See The Clearing House, supra note 9, at vi.

[18] See id. at 3.

[19] Id.

[20] See 15 U.S.C. § 80a-1 (2018); 15 U.S.C. § 80b (2018).

[21] The SEC also generated custody rules for managers and funds under its rulemaking authority set forth in the Investment Advisers and Investment Company Acts of 1940, respectively. See 17 C.F.R. § 270.17f1-7 (2018); 17 C.F.R. § 275.206(4)-2 (2018).

[22] See 12 CFR § 9.13 (2010).

[23] See Jesse Kanach et al., Crypto Fundamentals: Custody and Why the Legal Issues Surrounding it Matter 12 (2018), https://www.perkinscoie.com/images/content/2/0/v3/200992/Crypto-Fundamentals-Trust-Quarterly-Review.pdf [hereinafter Crypto Fundamentals].

[24] Id.

[25] See Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO (July 25, 2017), https://www.sec.gov/litigation/investreport/34-81207.pdf.

[26] See Immaculate Dadiso Motsi-Omoijiade, Financial Intermediation in Cryptocurrency, in Handbook of Blockchain, Digital Finance, and Inclusion 207, 209 (David Lee Kuo Chuen ed., 2017) [hereinafter Financial Intermediation in Cryptocurrency Markets].

[27] Id. at 209.

[28] Id. at 214.

[29] See Kevin Werbach, The Blockchain and the New Architecture of Trust 40 (Sandra Braman ed., 2018).

[30] Id. at 40.

[31] See Noelle Acheson, How to Store Your Bitcoin, Coindesk (Jan. 20, 2018), https://www.coindesk.com/information/how-to-store-your-bitcoins.

[32] Wallets come in a variety of formats and there are advantages and vulnerabilities with each wallet type. At a high level, wallets can be divided into five categories: desktop, mobile, online, paper, and hardware wallets. Desktop wallets are software that is downloaded locally on a user’s computer. Similarly, mobile wallets operate through a mobile app on a smartphone. Online wallets are cloud-based services that may be accessed from any internet-enabled device at any location. Paper wallets are generally thought to be the least secure as they consist of writing down the private key on a piece of paper and storing it somewhere the user deems safe. Finally, hardware wallets are specialized devices akin to a USB thumb-drive. These devices store private keys offline and may be connected to an internet-enabled device whenever the user needs to initiate a transaction with their tokens. See Noelle Acheson, How to Store Your Bitcoin, Coindesk (Jan. 20, 2018), https://www.coindesk.com/information/how-to-store-your-bitcoins.

[33] See Financial Intermediation in Cryptocurrency Markets, supra note 26, at 215.

[34] See Financial Intermediation in Cryptocurrency Markets, supra note 26, at 215.

[35] See Dennis Chu, Note, Broker-Dealers for Virtual Currency: Regulating Cryptocurrency Wallets and Exchanges, 118 Colum. L. Rev. 2323, 2328 (2018).

[36] Sarah J. Hughes & Stephen T. Middlebrook, Advancing a Framework for Regulating Cryptocurrency Payments Intermediaries, 32 Yale J. on Reg. 495, 497 (2015), http://www.cs.yale.edu/homes/jf/Hughes.pdf.

[37] Id. at 497-98. 

[38] Lindsay X. Yin, Deconstructing Decentralized Exchanges, Stan. J. Blockchain L. & Pol’y (2015), https://stanford-jblp.pubpub.org/pub/deconstructing-dex.

[39] Id.

[40] Based on data from CoinMarketCap.com, a token and exchange aggregator website. See Top Cryptocurrency Exchanges by Trading Volume, CoinMarketCap.com, https://coinmarketcap.com/rankings/exchanges/reported/3 (last visited Feb. 28, 2019); Sara Hansen, Guide to Top Cryptocurrency Exchanges, Forbes (June 20, 2018), https://www.forbes.com/sites/sarahhansen/2018/06/20/forbes-guide-to-cryptocurrency-exchanges/#59813ce82572.

[41] See Hansen, supra note 40.

[42] See Kira Egorova, Crypto Exchanges, Explained, Cointelegraph (Jul. 10, 2018), https://cointelegraph.com/explained/crypto-exchanges-explained.

[43] See Stan Higgins, As Bitcoin Soars, Prices Diverge Wildly Across Exchanges, Coindesk (Dec. 7, 2017), https://www.coindesk.com/bitcoin-soars-prices-diverge-wildly-across-exchanges.

[44] See Dechert LLP, Financial Services Quarterly Report, JDSupra (Apr. 18, 2019), https://www.jdsupra.com/legalnews/financial-services-quarterly-report-13678/; see also Coinbase, Legal, https://www.coinbase.com/legal/licenses.

[45] Press Release, N.Y. State Dep’t Fin. Services, NYDFS BitLicense is First Comprehensive Regulatory Framework for Firms Dealing in Virtual Currency Such as Bitcoin (Sept. 22, 2015), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr1509221.

[46] N.Y. State Dep’t Fin. Services, BitLicense Frequently Asked Questions (2019), https://www.dfs.ny.gov/apps_and_licensing/virtual_currency_businesses/bitlicense_faqs.

[47] See Jimmy Aki, Bitstamp Receives New York BitLicense, Bitcoin Magazine (Apr. 10, 2019), https://bitcoinmagazine.com/articles/bitstamp-receives-new-york-bitlicense/ (describing Bitstamp as the recipient of the New York Department of Financial Services’ nineteenth BitLicense); Jen Wieczner, Inside New York’s BitLicense Bottleneck: An ‘Absolute Failure?’, Fortune (May 25, 2018), http://fortune.com/2018/05/25/bitcoin-cryptocurrency-new-york-bitlicense/.

[48] See Caitlin Long, What Do Wyoming’s 13 New Blockchain Laws Mean?, Forbes (Mar. 4, 2019), https://www.forbes.com/sites/caitlinlong/2019/03/04/what-do-wyomings-new-blockchain-laws-mean/#3b8ed7435fde.

[49] See Nirupama Devi Bhaskar & David Lee Kuo Chuen, Bitcoin Exchanges, in Handbook of Digital Currency 560 (David Lee Kuo Chuen ed., 2015).

[50] There are a handful of decentralized exchanges that replace the escrow service of centralized exchanges with a series of smart contracts that pull crypto assets directly from users’ personal wallets. However, decentralized exchanges harbor their own challenges, and low adoption has led to liquidity issues. See Loi Luu, Solving the Liquidity Challenge of Decentralized Exchanges, Coindesk (Aug. 13, 2017), https://www.coindesk.com/solving-liquidity-challenge-decentralized-exchanges.

[51] See Charles W. Mooney Jr., Global Standards for Securities Holding Infrastructures: A Soft Law/Fintech Model for Reform 3 (Faculty Scholarship at Penn Carey Law, 2019), https://scholarship.law.upenn.edu/cgi/viewcontent.cgi?article=3046&context=faculty_scholarship.

[52] See Sarah J. Hughes & Stephen T. Middlebrook, Advancing a Framework for Regulating Cryptocurrency Payments Intermediaries, 32 Yale J. on Reg. 495, 497 (2015), http://www.cs.yale.edu/homes/jf/Hughes.pdf.

[53] Steven Russolillo & Eun-Young Jeong, Cryptocurrency Exchanges Are Getting Hacked Because It’s Easy, Wall St. J. (July 16, 2018 1:14 AM), https://www.wsj.com/articles/why-cryptocurrency-exchange-hacks-keep-happening-1531656000.

[54] Nathaniel Popper, Mt. Gox Creditors Seek Trillions Where There are Only Millions, N.Y. Times: DealBook (May 25, 2016), https://www.nytimes.com/2016/05/26/business/dealbook/mt-gox-creditors-seek-trillions-where-there-are-only-millions.html.

[55] Id.

[56] Id. In an odd twist, after Mt. Gox defaulted, its CEO “found” 200,000 bitcoins on an old wallet. Due to the drawn-out bankruptcy proceedings, the 200,000 bitcoins appreciated in value to more than $1 billion during the 2017 bitcoin rally and the creditors were subsequently repaid. See Adrianne Jeffries, Inside the Bizarre Upside-Down Bankruptcy of Mt. Gox, The Verge (Mar. 22, 2018), https://www.theverge.com/2018/3/22/17151430/bankruptcy-mt-gox-liabilities-bitcoin.

[57] See 17 C.F.R. § 275.202(a)(11) (2018).

[58] Investment Advisers, FINRA, http://www.finra.org/investors/investment-advisers.

[59] 17 C.F.R. § 275.206(4)-2 (2018).

[60] Staff of the Inv. Adviser Reg. Off., Regulation of Investment Advisers by the U.S. Securities and Exchange Commission 33 (2013), https://www.sec.gov/about/offices/oia/oia_investman/rplaze-042012.pdf.

[61] See 17 C.F.R. § 275.206(4)-2(d)(6)(i)-(iv) (2018).

[62] The Off. of Invest. Educ. and Advoc., Investor Bulletin: Custody of Your Investment Assets (2013), https://www.sec.gov/investor/alerts/bulletincustody.htm.

[63] Staff of the Sec. Exch. Comm’n Division of Inv. Mgmt., Information for Newly-Registered Investment Advisers (2010), https://www.sec.gov/divisions/investment/advoverview.htm.

[64] Id.

[65] See The Off. of Invest. Educ. and Advoc., supra note 62.

[66] A permissible bank custodian under the ’40 Act is a bank with at least $500,000 in aggregate capital, surplus, and undivided profits. See 17 C.F.R. § 270.17f (2018).

[67] See 1 Regulation of Investment Companies § 8.02 (2019). An alternative to bank custody is “self-custody” in which a registered fund may keep client securities and similar investments with a bank or other depository whose operations are supervised by federal or state authorities. The fund’s assets must be physically segregated from other assets held by the bank and are subject to verification by an independent accountant three or more times per year.

[68] Press Release, U.S. Sec. and Exch. Comm’n, SEC Adopts Amendments to Financial Responsibility Rules for Broker-Dealers (July 31, 2013), https://www.investor.gov/additional-resources/news-alerts/press-releases/sec-adopts-amendments-financial-responsibility-rules.

[69] Id.

[70] See 17 C.F.R. § 240.15c3-3(b)(1) (2018). Excess margin securities in a customer account are those securities with a market value greater than 140 percent of the customer’s debit balance. See Key SEC Financial Responsibility Rules 137, https://www.sec.gov/about/offices/oia/oia_market/key_rules.pdf.

[71] 15 U.S.C. § 78c-3(a)(6) (2018).

[72] Once a week, the broker-dealer is required to add up the total credit items it owes customers and subtract outstanding debits. If the credits exceed the debits, the broker-dealer must deposit the net amount into the reserve account. Those funds cannot be used for the proprietary activities of the firm. See In the Matter of Merrill Lynch, Pierce, Fenner & Smith Inc., Exchange Act Release No. 78141 (June 23, 2016), https://www.sec.gov/litigation/admin/2016/34-78141.pdf.

[73] We discuss digitally-native alternative custody solutions in “The Cybersecurity Question” section. These entities have received approval as custodians by registering as state-chartered trust companies.

[74] See Debevoise & Plimpton, Custody of Digital Assets: Centralized Safekeeping of Decentralized Assets Under the Investment Advisers Act 10 (2018), https://www.debevoise.com/~/media/files/insights/publications/2018/12/20181217_custody_of_digital_assets.pdf. To be sure, the advent of multi-signature (“multi-sig”) wallets has partially solved this problem. The contents held in a multi-sig wallet remain inaccessible unless multiple authorized parties each correctly input their corresponding private key. Additional security layers may be enforced through smart contract multi-sig wallets, such as limiting transfers to pre-designated wallets or limiting the frequency of transfers in a given timeframe. See Thomas Kerin, The Year of Multisig: How is it Doing So Far?, Coindesk (May 17, 2014), https://www.coindesk.com/year-multisig-so-far.

[75] See Debevoise & Plimpton, supra note 74, at 9.

[76] However, there are startups doing this kind of work specifically for the blockchain industry. For example, Elliptic is a cryptocurrency analytics and intelligence firm that specializes in auditing crypto exchanges for anti-money laundering compliance and forensic and investigative services. See What We Do, Elliptic, https://www.elliptic.co/what-we-do.

[77] One exchange has started integrating its platform with cold storage, meaning its customers may more readily transact with assets maintained offline. See Ana Alexandre, Coinbase Custody Conducts First OTC Trade From Cold Storage, Cointelegraph (Mar. 13, 2019), https://cointelegraph.com/news/coinbase-custody-conducts-first-otc-trade-from-cold-storage.

[78] 17 C.F.R. § 240.15c3-3(b)(1) (2018).

[79] See Jesse Kanach et al., Crypto Fundamentals: Custody and Why the Legal Issues Surrounding it Matter 15 (2018), https://www.perkinscoie.com/images/content/2/0/v3/200992/Crypto-Fundamentals-Trust-Quarterly-Review.pdf.

[80] Press Release, U.S. Sec. and Exch. Comm’n, SEC Suspends Trading in Company for Making False Cryptocurrency-Related Claims about SEC Regulation and Registration (Oct. 22, 2018), https://www.investor.gov/additional-resources/news-alerts/press-releases/sec-suspends-trading-company-making-false (“The SEC does not endorse or qualify custodians for cryptocurrency, and investors should use vigilance when considering an investment in an initial coin offering … .”) (internal quotations omitted).

[81] 15 U.S.C. § 80a-17(f)(1) (2018). See also § 80a-26(a)(1) (2018); § 80a-2(a)(5)(C) (2018); 15 U.S.C. § 80b-2(a)(2) (2018).

[82] See New York State Department of Financial Services, Information and Procedure for the Organization of a Trust Company for the Limited Purpose of Exercising Fiduciary Powers (last visited April 18, 2019), https://www.dfs.ny.gov/apps_and_licensing/banks_and_trusts/procedure_certificate_merit_trust_comp.

[83] See Beyond Enterprise-Grade Security, Digital Asset Custody Company, https://digitalassetcustody.com/security; Custody Agreement, Gemini (Nov. 19, 2018), https://gemini.com/custody-agreement/; see also Crypto Asset Custody for Institutions, Coinbase Custody, https://custody.coinbase.com/.

[84] 15 U.S.C. § 80a-2(a)(5)(C) (2018).

[85] See, e.g., Custody Services, Gemini (Nov. 19, 2018), https://gemini.com/custody-services/; see also Crypto Asset Custody for Institutions, supra note 83.

[86] On the other end of the spectrum, a few traditional custody providers and investment managers announced plans to launch divisions designed to facilitate cryptocurrency transactions and provide custody for the assets. The announcements for these initiatives coincided with the late-2017 bitcoin rally, and subsequent information about their progress has been limited. See Anna Irrera, Fidelity Launches New Company for Trading and Storing Cryptocurrencies, Reuters (Oct. 15, 2018), https://www.reuters.com/article/us-crypto-currencies-fidelity-advisor/fidelity-launches-new-company-for-trading-and-storing-cryptocurrencies-idUSKCN1MP21X?il=0; Hugh Son, Dakin Campbell & Sonali Basak, Goldman is Setting Up a Cryptocurrency Trading Desk, Bloomberg (Dec. 21, 2017), https://www.bloomberg.com/news/articles/2017-12-21/goldman-is-said-to-be-building-a-cryptocurrency-trading-desk.

[87] See Matthew Leising, Crypto’s Billion-Dollar Theft Problem Prompts Safer Way to Trade, Bloomberg (Jan. 16, 2019), https://www.bloomberg.com/news/articles/2019-01-16/crypto-s-billion-dollar-theft-problem-prompts-safer-way-to-trade.

[88] Jesse Kanach et al., Crypto Fundamentals: Custody and Why the Legal Issues Surrounding it Matter 15 (2018), https://www.perkinscoie.com/images/content/2/0/v3/200992/Crypto-Fundamentals-Trust-Quarterly-Review.pdf.

[89] Leslie Ankney, Why Custodians are Coming to Crypto, Forbes (Mar. 14, 2019, 03:20 PM), https://www.forbes.com/sites/leslieankney/2019/03/14/why-custodians-are-coming-to-crypto/#687fd3b22845.

[90] Kate Rooney, Companies Race to Solve Bitcoin’s Security Problem Despite Slumping Prices, CNBC (Sept. 12, 2018), https://www.cnbc.com/2018/09/13/companies-race-to-solve-bitcoins-custody-problem-despite-slumping-prices.html.

[91] Kate Rooney, Companies Race to Solve Bitcoin’s Security Problem Despite Slumping Prices, CNBC (Sept. 12, 2018), https://www.cnbc.com/2018/09/13/companies-race-to-solve-bitcoins-custody-problem-despite-slumping-prices.html.

[92] Olga Kharif and Sonali Basak, Regulated Crypto Custody is (Almost) Here. It’s a Game Changer., Bloomberg (June 18, 2018 5:00 AM), https://www.bloomberg.com/news/articles/2018-06-18/regulated-crypto-custody-is-almost-here-it-s-a-game-changer.
