
a16z: 5 Principles of Cryptocurrency Custody (Control, Security, Accessibility, Transparency, Compliance)

2025-04-18 08:00
Original Title: Holding the future: Custody principles for a tokenized world
Original Authors: Scott Walker, Kate Dellolio, David Sverdlov
Original Translator: Luffy, Foresight News


Registered Investment Advisors (RIAs) investing in crypto assets face a dilemma of unclear regulations and limited asset custody options. What's even more complex is that crypto assets come with ownership and transfer risks different from the assets RIAs have been responsible for in the past. RIAs' internal teams (operations, compliance, legal, etc.) are striving to find third-party custodians willing and able to meet expectations. Despite their efforts, they struggle to find qualified custodians, leading RIAs to hold these assets themselves. Therefore, current crypto asset custody faces unique legal and operational risks.


What the crypto industry needs is a principled approach to help professional investors protect crypto assets. In response to the recent information request from the U.S. Securities and Exchange Commission (SEC), we have developed some principles that, if implemented, would extend the objectives of the Investment Advisers Act custody rule to the new asset class of crypto assets.


How Crypto Asset Custody Differs


Traditional asset ownership means that the holder controls the asset and no one else does. This is not the case with crypto assets, where multiple entities may have access to the private keys associated with a set of crypto assets.


Crypto assets also typically come with various intrinsic economic and governance rights crucial to the assets. Traditional debt or securities can passively earn returns (such as dividends or interest), with the holder not needing to transfer the asset or take any further action upon receiving it. In contrast, crypto asset holders may need to take action to unlock specific benefits or governance rights associated with the assets. Depending on the custodian's capabilities, RIAs may need to temporarily move these assets out of custody to unlock these rights. For example, some crypto assets can earn returns through staking or yield farming, or have voting rights on protocol or network upgrade proposals. These differences from traditional assets pose new challenges to crypto asset custody.


To facilitate determining when self-custody is appropriate, we have created this flowchart.



Principles


The principles we present here aim to demystify custody for RIAs while upholding their responsibility to protect client assets. The market for qualified custodians of crypto assets (such as banks or broker-dealers) is extremely narrow at present; therefore, our primary focus is on whether the custodial entity has the ability to provide the substantive protective measures we believe are necessary for custody of crypto assets, rather than solely relying on the entity's legal status as a qualified custodian under the Investment Advisers Act.


We recommend that RIAs capable of meeting the substantive protective requirements may consider self-custody as an option when a third-party custodial solution that meets these requirements or supports economic and governance rights is unavailable.


Our goal is not to extend the scope of custody rules beyond securities. These principles apply to crypto assets that are considered securities and set standards for RIAs' fiduciary duties regarding other asset types. RIAs should seek to hold non-securities crypto assets under similar conditions and document custody practices for all assets, including reasons for significant differences in custody practices for different asset types.


Principle 1: Legal Status Should Not Determine the Qualification of a Crypto Asset Custodian


Legal status and the protective measures associated with a specific legal status are important to a custodian's clients, but when it comes to crypto asset custody, they are not the sole consideration. For example, federally chartered banks and broker-dealers are subject to custodial regulations that provide strict protection to clients, but state-chartered trust companies and other third-party custodians can also offer a similar level of protection.


A custodian's registration should not be the sole determining factor of whether it is qualified to custody crypto asset securities. In the crypto space, the scope of "qualified custodian" should be expanded to include:


- State-chartered trust companies (meaning they do not have to meet the "bank" definition standards under the Investment Advisers Act other than being subject to state or federal banking agency supervision and examination);


- Any entity registered under (proposed) federal crypto market structure legislation;


- Any other entity that can demonstrate adherence to rigorous client protection standards, regardless of its registration status.


Principle 2: Crypto Asset Custodians Should Establish Appropriate Protective Measures


Regardless of the technological tools used, custodians should implement certain protective measures around crypto asset custody. These measures include:


1. Segregation of Authority: A crypto asset custodian should not be able to withdraw crypto assets without the RIA's participation.


2. Asset Segregation: A crypto asset custodian should not commingle any assets held for RIAs with assets held for other entities. However, registered broker-dealers may use a single omnibus wallet, provided that they maintain up-to-date records of ownership of these assets and promptly disclose this to the relevant RIAs.


3. Hardware Custody: The cryptocurrency custodian shall not use any custody hardware or other tools that are known to pose a security risk or to have been compromised.


4. Auditing: The cryptocurrency custodian shall undergo at least annual financial and technical audits. Such audits shall include:

- A financial audit conducted by a PCAOB-registered auditor: a Service Organization Control (SOC) 1 audit; a SOC 2 audit; and confirmation, measurement, and reporting of cryptocurrency holdings from the holder's perspective;

- A technical audit: ISO 27001 certification; penetration testing; and testing of disaster recovery procedures and business continuity plans.


5. Insurance: The cryptocurrency custodian shall have sufficient insurance coverage, or if unable to obtain insurance, shall establish adequate reserves.


6. Disclosure: The cryptocurrency custodian must annually provide RIAs with a list of the key risks related to its custody of cryptocurrency assets, along with the written supervisory procedures and internal controls that mitigate those risks. The cryptocurrency custodian shall review this list quarterly to determine whether the disclosure needs updating.


7. Custody Jurisdiction: The cryptocurrency custodian shall not custody cryptocurrency assets in any jurisdiction where local laws mandate that custodied assets would become part of the custodian's estate in case of its bankruptcy.


Additionally, we recommend that the cryptocurrency custodian implement the following protective measures at each stage of the key management process:


Preparation Stage: Review and assess the cryptocurrency assets to be custodied, including the key generation process and transaction signing procedures, whether they are supported by open-source wallets or software, and the provenance of every piece of hardware and software used in the key management process.


Key Generation: Encryption should be applied at several levels of this process, and multiple encryption keys should be required to generate a private key. The key generation process should be both "horizontal" (i.e., multiple key holders at the same level) and "vertical" (i.e., multiple levels of encryption). Lastly, the quorum requirement should also ensure that the required approvers are actually present.


Key Storage: Keys should never be stored in plain text and must only be stored in encrypted form. Key copies must be physically separated, either by geographic location or by distinct access personnel. If hardware security modules are used to store key copies, they must carry a Federal Information Processing Standards (FIPS) security rating. Strict physical isolation and authorization measures should be implemented. The cryptocurrency custodian should maintain at least two levels of encryption redundancy so that operations can continue in the event of a natural disaster, power outage, or property damage.


Key Usage: Wallets should require authentication; in other words, they should verify the user's identity and only allow authorized parties to access the wallet. Wallets should use established open-source cryptographic libraries. Another best practice is to avoid using one key for multiple purposes; for example, separate keys should be kept for encryption and for signing. Follow the principle of least privilege: access to any asset, information, or operation should be limited to the parties strictly necessary for the system to function, so that a security breach exposes as little as possible.
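The "horizontal" and "vertical" quorum described under Key Generation can be modeled with a threshold secret-sharing scheme. The example below is added here and is not code from the original article or from a16z; it implements Shamir secret sharing over a prime field, with the horizontal dimension as the n holders at one level and, as an assumption, the vertical dimension modeled as a second threshold layer nested under the first (sites, then officers within each site). The function names, field prime and sample values are constructed for this illustration.

```python
import secrets

# Prime field for the share arithmetic (2**127 - 1 is a Mersenne prime; chosen for this example).
PRIME = 2**127 - 1


def split_secret(secret: int, threshold: int, holders: int) -> list[tuple[int, int]]:
    """Horizontal split: one point per holder; any `threshold` of them rebuild `secret`."""
    if not (0 <= secret < PRIME and 1 <= threshold <= holders):
        raise ValueError("bad sharing parameters")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, holders + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0. With fewer than `threshold` points this yields an unrelated value."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def split_two_level(secret, site_threshold, sites, officer_threshold, officers):
    """Vertical split (assumed model): level 1 across sites, level 2 across each site's officers."""
    return {x: split_secret(y, officer_threshold, officers)
            for x, y in split_secret(secret, site_threshold, sites)}


def recover_two_level(bundles: dict[int, list[tuple[int, int]]]) -> int:
    """Requires a quorum of officers at each of a quorum of sites; the whole key is never stored."""
    site_points = [(x, recover_secret(pts)) for x, pts in bundles.items()]
    return recover_secret(site_points)


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)                  # constructed stand-in for a signing key
    tree = split_two_level(key, 2, 3, 2, 3)         # 2-of-3 sites, 2-of-3 officers per site
    assert recover_two_level({1: tree[1][:2], 3: tree[3][1:]}) == key
    print("two-level quorum reconstruction ok")
```

Each share would still be stored only in encrypted form at its holder, as the Key Storage paragraph requires; the scheme here covers the quorum logic, not the at-rest encryption.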


Principle 3: Custody Rules for Crypto Assets Should Allow Registered Investment Advisors to Exercise Economic or Governance Rights Related to Custodied Crypto Assets


Unless otherwise instructed by the client, RIAs should be able to exercise economic or governance rights related to custodied crypto assets. During the previous SEC administration, given the uncertainty around token classification, many RIAs adopted the conservative strategy of keeping all crypto assets with qualified custodians. As mentioned earlier, the available custodian market is limited, often leaving only one qualified custodian willing to support a particular asset.


In these cases, RIAs may request to exercise economic or governance rights, but the crypto asset custodian may choose not to provide these rights for various reasons. In turn, RIAs may feel they lack the power to choose other third-party custodians or to self-custody to exercise these rights. These economic and governance rights include staking, yield farming, or voting.


Under this principle, we argue that RIAs should choose third-party crypto asset custodians that comply with relevant safeguards so that RIAs can exercise economic or governance rights related to custodied crypto assets. If a third party cannot meet both of these requirements simultaneously, RIAs temporarily moving assets out for self-custody to exercise economic or governance rights should not be considered a breach of custody.


All third-party custodians should make best efforts to enable RIAs to exercise these rights while the assets are still under their custody and, when authorized by RIAs, take commercially reasonable actions to exercise any rights related to on-chain assets.


Prior to moving assets out of custody to exercise rights related to a specific crypto asset, RIAs or custodians must first determine in writing whether the right can be exercised without moving the assets out of custody.


Principle 4: Custody Rules for Crypto Assets Should Be Flexible to Achieve Best Execution


RIAs have a best execution obligation when trading assets. To achieve this, RIAs may transfer assets to a crypto trading platform to ensure best execution of that asset, regardless of the asset's or custodian's status, provided that RIAs have taken necessary steps to ensure the security of the trading venue, or RIAs have transferred the crypto assets to an entity regulated by the final legislation on crypto market structure.


As long as RIAs determine that transferring crypto assets to an exchange for best execution is a prudent move, this transfer should not be considered a departure from custody. This requires RIAs to reasonably determine that the exchange is fit for best execution. If a trade cannot be properly executed on that exchange, the assets should be promptly returned to the crypto asset custodian.


Principle 5: In specific circumstances, RIAs should be allowed to self-custody


While third-party custody should remain the primary choice for crypto assets, RIAs should be allowed to self-custody crypto assets in the following circumstances:


· RIAs determine that they cannot find a third-party custodian that meets their required security measures;

· RIAs' self-custody arrangement is at least as effective as the protection measures available from third-party custodians;

· Self-custody is necessary for exercising any economic or governance rights associated with the crypto assets.


When RIAs decide to self-custody crypto assets for these reasons, RIAs must annually confirm that the circumstances justifying self-custody have not changed, disclose the self-custody arrangement to clients, and subject such crypto assets to the audit requirements of the Custody Rules.


Based on these principles, the crypto asset custody approach ensures that RIAs can fulfill their fiduciary responsibilities while accommodating the unique features of crypto assets. By focusing on substantive protection rather than rigid classification, these principles provide a practical path forward to protect client assets and unlock asset functionality. As the regulatory environment evolves, clear standards based on these protection measures will enable RIAs to manage crypto assets responsibly.

