a16z: Five Principles of Crypto Asset Custody


Original Title: Holding the future: Custody principles for a tokenized world

Original Authors: Scott Walker, Kate Dellolio, David Sverdlov

Original Compilation: Luffy, Foresight News

Registered Investment Advisors (RIAs) investing in crypto assets face the dilemma of unclear regulations and limited custody options. Complicating matters further, crypto assets carry ownership and transfer risks that differ from those of the assets RIAs have traditionally managed. RIAs' internal teams (operations, compliance, legal, etc.) are working tirelessly to find third-party custodians that are willing and able to meet expectations; despite these efforts, they struggle to find qualified custodians, so RIAs end up holding these assets themselves. Consequently, the current custody of crypto assets faces unique legal and operational risks.

What the crypto industry needs is a principled approach to help professional investors protect crypto assets for their clients. In response to the recent information request from the U.S. Securities and Exchange Commission (SEC), we have formulated several principles that, if implemented, would extend the goals of the Investment Advisers Act custody rules to the new category of crypto assets.

How Crypto Asset Custody Differs

The control of traditional asset holders over their assets means that others do not have control. However, this is not the case with crypto assets, where multiple entities may have access to the private keys associated with a set of crypto assets.

Crypto assets often come with various intrinsic economic and governance rights that are critical to the assets. Traditional debt or securities can earn returns "passively" (such as dividends or interest), and holders do not need to transfer the assets or take any further action after acquiring them. In contrast, holders of crypto assets may need to take action to unlock specific returns or governance rights associated with the assets. Depending on the capabilities of third-party custodians, RIAs may need to temporarily transfer these assets out of custody to unlock these rights. For example, certain crypto assets can earn returns through staking or yield farming, or holders may have voting rights on governance proposals for protocols or network upgrades. These differences from traditional assets present new challenges for crypto asset custody.

To facilitate tracking when self-custody is appropriate, we have developed this flowchart.

Principles

The principles we propose aim to demystify custody for RIAs while retaining their responsibility to protect client assets. The market for qualified custodians currently focused on crypto assets (such as banks or broker-dealers) is extremely narrow; therefore, our primary focus is on whether custodial entities have the capability to provide the substantive protections we believe are necessary for the custody of crypto assets, rather than merely their legal status as qualified custodians under the Investment Advisers Act.

We recommend that when third-party custodial solutions that meet substantive protection measures are unavailable or do not support economic and governance rights, RIAs capable of meeting substantive protection requirements may consider self-custody as an option.

Our goal is not to expand the scope of custody rules beyond securities. These principles apply to crypto assets that are classified as securities and set standards for other asset types to meet RIAs' fiduciary duties. RIAs should seek to hold crypto assets that are not classified as securities under similar conditions and document all custodial practices for assets, including the reasons for significant differences in custodial practices for different types of assets.

Principle 1: Legal Status Should Not Determine the Qualification of Crypto Asset Custodians

Legal status and the protections associated with specific legal statuses are important for custodians' clients, but they are not the only considerations when it comes to crypto asset custody. For example, federally chartered banks and broker-dealers are subject to custodial regulations that provide strict protections for clients, but state-chartered trust companies and other third-party custodians can also offer similar levels of protection.

The registration of custodians should not be the sole determining factor for their eligibility to custody crypto asset securities. In the crypto space, the definition of "qualified custodians" should be broadened to include:

  • State-chartered trust companies (meaning they do not need to meet the definition of "bank" under the Investment Advisers Act, in addition to being subject to oversight and examination by state or federal banking regulators);

  • Any entity registered under the (proposed) federal crypto market structure legislation;

  • Any other entity that can demonstrate compliance with strict client protection standards, regardless of its registration status.

Principle 2: Crypto Asset Custodians Should Establish Appropriate Protections

Regardless of the technological tools used, custodians should implement certain protective measures around crypto asset custody. These measures include:

  1. Separation of Powers: Crypto asset custodians should not be able to transfer crypto assets out without the cooperation of RIAs.

  2. Asset Segregation: Crypto asset custodians should not mix any assets held for RIAs with assets held for other entities. However, registered broker-dealers may use a single integrated wallet, provided they maintain up-to-date records of ownership for these assets and disclose this information to the relevant RIAs in a timely manner.

  3. Custodial Hardware: Crypto asset custodians should not use any custodial hardware or other tools that pose security risks or are at risk of being compromised.

  4. Audits: Crypto asset custodians should undergo financial and technical audits at least annually. Such audits should include:

     • Financial audits conducted by PCAOB-registered auditors;

     • Service Organization Control (SOC) 1 audits; SOC 2 audits; and confirmations, measurements, and disclosures of crypto assets from the holder's perspective;

     • Technical audits: ISO 27001 certification; penetration testing; and disaster recovery and business continuity planning tests.

  5. Insurance: Crypto asset custodians should have sufficient insurance coverage, or if insurance cannot be obtained, should establish adequate reserves.

  6. Disclosure: Crypto asset custodians must provide RIAs with an annual list of key risks associated with their custody of crypto assets, along with relevant written supervisory procedures and internal controls to mitigate these risks. Crypto asset custodians should assess this quarterly to determine if updates to the disclosures are necessary.

  7. Custodial Jurisdictions: Crypto asset custodians should not custody crypto assets in any jurisdiction where local laws dictate that custodial assets will become part of the bankruptcy estate in the event of their bankruptcy.

Additionally, we recommend that crypto asset custodians implement protective measures related to the following processes at each stage:

Preparation Stage: Review and assess the crypto assets to be custodied, including the key generation process and transaction signing procedures, whether it is supported by open-source wallets or software, and the source of every piece of hardware and software used in the key management process.

Key Generation: Encryption technology should be used at all levels of this process, and multiple encryption keys should be required to generate private keys. The key generation process should be both "horizontal" (i.e., multiple encryption key holders at the same level) and "vertical" (i.e., multiple levels of encryption). Finally, quorum requirements should ensure the physical presence of certifiers.

Key Storage: Keys should never be stored in plaintext and should only be stored in encrypted form. Keys must be physically isolated by geographic location or different access personnel. If hardware security modules are used to store key copies, they must meet the security ratings of the Federal Information Processing Standards (FIPS). Strict physical isolation and authorization measures should be implemented. Crypto asset custodians should maintain at least two levels of encryption redundancy to ensure operational continuity in the event of natural disasters, power outages, or property damage.

Key Usage: Wallets should require authentication; in other words, they should verify the user's identity, and only authorized parties should have access to the wallet. Wallets should use mature open-source cryptographic libraries. Another best practice is to avoid using a single key for multiple purposes. For example, separate keys should be kept for encryption and for signing. Follow the "least privilege" principle: to limit the reach of a security breach, access to any asset, information, or operation should be restricted to the parties absolutely necessary for the system's operation.

Principle 3: Crypto Asset Custody Rules Should Allow Registered Investment Advisors to Exercise Economic or Governance Rights Related to Custodied Crypto Assets

Unless otherwise instructed by clients, RIAs should be able to exercise economic or governance rights related to custodied crypto assets. During the previous SEC administration, many RIAs adopted a conservative strategy of custodying all crypto assets with qualified custodians due to the uncertainty surrounding token classification. As mentioned earlier, the market for alternative custodians is limited, often resulting in only one qualified custodian willing to support a specific asset.

In these cases, RIAs may request to exercise economic or governance rights, but crypto asset custodians may choose not to provide these rights for various reasons. In turn, RIAs feel they lack the power to choose other third-party custodians or to self-custody to exercise these rights. These economic and governance rights include staking, yield farming, or voting.

Under this principle, we advocate that RIAs should select third-party crypto asset custodians that meet relevant protective measures so that RIAs can exercise economic or governance rights related to custodied crypto assets. If a third party cannot meet both requirements simultaneously, RIAs' temporary transfer of assets for self-custody to exercise economic or governance rights should not be viewed as a departure from custody.

All third-party custodians should make every effort to provide RIAs with the ability to exercise these rights while the assets are still under their custody and should take commercially reasonable actions to exercise any rights related to on-chain assets when authorized by RIAs.

Before transferring assets out of custody to exercise rights related to a specific crypto asset, RIAs or custodians must first determine in writing whether the rights can be exercised without transferring out of custody.

Principle 4: Crypto Asset Custody Rules Should Be Flexible to Achieve Best Execution

RIAs have a duty of best execution when trading assets. To this end, RIAs may transfer assets to crypto trading platforms to ensure the best execution of those assets, regardless of the status of the assets or custodians, provided that RIAs have taken necessary steps to ensure the security of the trading venue, or, once crypto market structure legislation is finalized, that RIAs have transferred the crypto assets to entities regulated under that legislation.

As long as RIAs determine that transferring crypto assets to a trading venue for best execution is prudent, such transfers should not be viewed as a departure from custody. This requires RIAs to reasonably determine that the venue is suitable for achieving best execution. If trades cannot be properly executed at that venue, the assets should be immediately returned to the crypto asset custodian.

Principle 5: In Certain Circumstances, RIAs Should Be Allowed to Self-Custody

While using third-party custody should remain the primary option for crypto assets, RIAs should be allowed to self-custody crypto assets in the following circumstances:

  • RIAs determine that they cannot find a third-party custodian that meets their required protective measures;

  • The RIAs' own custodial arrangements are at least as effective as the protections offered by available third-party custodians;

  • Self-custody is necessary to exercise any economic or governance rights related to the crypto assets.

When RIAs decide to self-custody crypto assets for these reasons, they must confirm annually that the circumstances justifying self-custody have not changed, disclose the self-custody situation to clients, and subject such crypto assets to the audit requirements of the Custody Rule.

The crypto asset custody approach based on these principles ensures that RIAs can adapt to the unique characteristics of crypto assets while fulfilling their fiduciary duties. By focusing on substantive protections rather than rigid classifications, these principles provide a pragmatic path forward for protecting client assets and unlocking asset functionalities. As the regulatory environment evolves, clear standards based on these protective measures will enable RIAs to manage crypto assets responsibly.
