Qualified custodian. That’s a term that compliance and operations managers at registered investment fund advisors, not to mention the US Securities and Exchange Commission, are now grappling with, when it comes to the safekeeping of digital assets.
The reason is two-fold. For starters, it is unclear whether the SEC’s custody rule for RIAs investing in traditional assets applies to cryptocurrencies such as Bitcoin and Ether. Then, even if it does apply, the available service providers aren’t exactly household names. They are relative newcomers to the field, and not all fall under the SEC’s categories for a qualified custodian.
The requirement for registered investment advisors to hire a “qualified custodian” for securities or funds dates back to the pre-digital era before virtual assets such as Bitcoin and other cryptocurrencies existed. The SEC’s “custody rule” for registered investment advisors, outlined in the Investment Advisers Act of 1940, defines a qualified custodian as a bank, broker-dealer, trust company, futures commission merchant, or foreign financial institution. So far, the regulatory agency hasn’t classified Bitcoin, Ether or any other cryptocurrency as a security or a fund. Therefore, one could argue that RIAs don’t have to select a qualified custodian.
Would the SEC penalize an RIA for doing its own custody work or for selecting a firm that doesn’t meet the SEC’s definition of qualified custodian? Legal and compliance experts specializing in cryptocurrencies aren’t certain. There are plenty of crypto-funds — those dedicated to investing in cryptocurrencies and initial coin offerings — doing their own custody. However, they aren’t RIAs.
“The SEC’s custody rule doesn’t require the use of independent custodians, but there are additional requirements the RIA must adhere to when it or an affiliate hold digital assets,” explains Jesse Brown, a compliance associate with financial services consultancy Cordium in New York. Those extra steps include receiving internal control reports and surprise exams from an accountant certified by the Public Company Accounting Oversight Board.
Some attorneys tell FinOps that they would urge their RIA clients investing in digital assets to pick a qualified custodian to avoid the SEC setting policy after it has actually fined a firm. Even if the agency hadn’t already provided specific guidance for this situation, it could always justify its penalty under the guise of investor protection. The SEC has frequently done so.
RIAs who ultimately decide to safekeep their own digital assets need to be extra careful. “They should consult with the SEC first,” cautions Verity Van Tassel Richards, an attorney with McDermott Will & Emery in New York, who spoke at a recent event hosted by the Accounting Blockchain Coalition. “The SEC hasn’t issued definitive guidance about custody of digital assets and seems open to talking about this issue.”
Yet the SEC wouldn’t respond to questions posed by FinOps Report about how it interprets its 1940 custody rule in terms of digital assets. Instead it referred the publication to a letter sent to the Securities Industry and Financial Services Authority and the Investment Company Institute earlier this year, which suggests that the SEC is still formulating its policy. “To the extent a fund plans to hold cryptocurrency directly, how would it satisfy the custody requirement of the 1940 Act and relevant rules?” questions Dalia Blass, the director of the SEC’s investment management division, the author of the letter.
The SEC is apparently so concerned about the self-custody of digital assets that it is examining crypto-funds, say media outlets. There are an estimated 220 crypto-focused hedge funds that manage at least US$3.5 billion in assets, according to Autonomous Research, a research firm which analyzes financial firms. Because many of the funds oversee less than US$150 million in assets, they aren’t required to register with the SEC and at best are only regulated by the state in which they are based.
RIAs won’t have an easy time selecting a custodian for digital assets. Among the well-known custodians for traditional assets, only State Street Bank has publicly announced that it is exploring the possibility of offering custody for digital assets to institutional investors.
In its January 2018 letter to SIFMA and the ICI, the SEC’s Blass says the agency doesn’t know of any custodians providing fund custodial services for cryptocurrencies. Yet some firms claim they fall into one of the SEC’s categories for a qualified custodian.
The Murray, Kentucky-based Kingdom Trust says it meets the SEC’s definition because it is registered as a trust company in South Dakota. The firm, which started off in 2009 as a custodian of alternative assets for retirement accounts, began to offer custody of digital assets in late 2016 through Silicon Valley tech upstart BitGo, which serves as its technology provider. In January 2018 BitGo announced it would take over Kingdom Trust but recently said it would scrap the deal in favor of building its own custody business as a trust company. BitGo, which already provides custodian services for Kraken, CME Group, Pantera Capital, The Royal Mint and UPbit, also just added crypto-backed loans provider Nexo to its client list.
Yet Kingdom Trust’s Chief Executive Officer Matt Jennings is quick to downplay the competitive threat. “Kingdom Trust was the leader in the digital asset custodial space long before contemplating this merger with BitGo,” he tells FinOps Report. “Kingdom Trust will continue to lead this space as the premier provider of custodial services and plans to release several new products very soon that will greatly expand the options for institutional investors seeking qualified custody and security of digital assets.”
There are other potential contenders for the business. Cryptocurrency exchanges Genesis and itBit are registered as trust companies in New York. CoinBase, the largest US cryptocurrency exchange, says it will also offer custody services. Now registered as a money transmitter, CoinBase has publicly said it wants to become an alternative trading platform and broker-dealer. Another possible candidate, the Secaucus, New Jersey-based newcomer Digital Asset Custody did not respond to emails seeking comment.
Xapo, a Palo Alto, California-based money transmitter, which provides custodial services for Bitcoin only, says that it has won plenty of business from institutional investors even though it technically isn’t a “qualified” custodian. The four-year-old firm, founded by Argentine entrepreneur Wences Casares, has been marketing to pension plans, private funds, family offices and hedge funds. So far, it has amassed an estimated US$10 billion in Bitcoins under custody, according to media reports. Xapo, whose billionaire clients include LinkedIn co-founder Reid Hoffman and former Wall Street trader Mike Novogratz, won’t confirm that figure.
“Bitcoin has not been classified by the SEC and frankly it’s hard to imagine that it would fit the definition of a security,” says Ted Rogers, Xapo’s president who was a panelist at the event hosted by the Accounting Blockchain Coalition in New York. “The SEC’s public comments so far seem to support the position that it isn’t.”
Rogers wouldn’t disclose the number of RIAs using Xapo to safekeep their Bitcoin assets, but he acknowledges that many RIAs are concerned about falling afoul of the SEC’s narrow categories of qualified custodians. Meeting the definition does give Kingdom Trust, Genesis and others a competitive edge.
Incorporated in Delaware as a money transmitter, Xapo’s US subsidiary is regulated by the US Treasury’s Financial Crimes Enforcement Network. So far, Xapo has been examined once by the Internal Revenue Service, FinCEN’s enforcement arm, and Rogers expects exams to occur at least every two years. Xapo’s Swiss subsidiary is overseen by the Swiss self-regulatory agency, the Financial Services Standards Authority. To level the playing field with US rivals by meeting the SEC’s definition of a qualified custodian, Xapo will be teaming up with a custodian bank to serve as the primary custodian with Xapo as the subcustodian.
Kingdom Trust might fall under the technical definition of a qualified custodian, but its rivals won’t hesitate to point out that South Dakota isn’t the toughest regulatory state. Kingdom Trust’s Jennings insists that isn’t so. The South Dakota Division of Banking subjects his firm to an exam every 12 to 18 months, he says.
How much clout that gives Kingdom Trust among RIAs, when it comes to safekeeping digital assets, can’t be determined. Jennings would not disclose the number of RIAs using Kingdom Trust to safeguard their digital assets, nor would he estimate what percentage of the US$12 billion in assets under custody reflects digital assets.
Chad Cascarilla, chief executive of the New York-based itBit, also would not disclose the value of digital assets his firm has under custody. However, he points to the fact that more than ten “well-known” registered investment advisors use itBit to safeguard their Bitcoin holdings as evidence that accreditation does matter. So does the legal entity offering it. “The status of a trust that is organized under New York banking law and the oversight of the New York Department of Financial Services is the most rigorous among states,” says Cascarilla. itBit is subject to an annual regulatory exam of its policies and procedures. That onsite review, which includes testing of its security protocols, can last up to five weeks.
Operational Due Diligence
Digital currency experts say that the legal designation of the digital asset custodian should be only one of the criteria an RIA should use in the selection process. “What are the backgrounds of the directors of the firm, how will the firm segregate client assets so that clients can have ready access in the event of the service provider’s bankruptcy, and how will they protect assets from hacking are the basic questions RIAs should ask,” says Will Coleman, director of technology advisory services at Cohen & Co, a Cleveland, Ohio-based accounting firm specializing in audits and tax issues for crypto-funds.
Van Tassel Richards also recommends that fund managers ask how long the service provider has been offering custody of digital assets, whether it has experienced any security breaches, whether it follows know-your-customer and anti-money laundering rules and whether it has received any legal opinion or SEC guidance. That legal opinion or guidance would indicate whether the service provider’s systems, policies and procedures meet the requirements of the agency’s custody rule.
Breadth of digital assets covered and security provisions will likely also differentiate service providers, says Rogers. Kingdom Trust provides custody services for Bitcoin, Ether and other cryptocurrencies, while Xapo says it has no intention of expanding beyond Bitcoin. itBit says it plans to expand its reach beyond Bitcoin to other cryptocurrencies.
All of the digital asset custodians use similar phrasing when discussing their ultra-tight security measures, which aim to safeguard private keys — or access to client assets. Those extra precautions come at a steep cost for clients. Whereas traditional custodians might charge only one or two basis points for safekeeping services, digital custodians could charge anywhere from 50 to 100 basis points, RIAs tell FinOps.
Xapo, Kingdom Trust and itBit would not discuss their fees. All say that to mitigate the potential for hacking, they hold the private keys — or signatures for access — to the digital assets they safekeep offline or outside of any network. Xapo, Kingdom Trust, and itBit would not disclose how many employees hold those keys or who they are.
“We store the private keys to the assets at multiple vaults, in multiple undisclosed locations and our security protocols require multiple signers from multiple locations and multiple institutions to sign off on transactions,” explains Kingdom Trust’s Jennings, a former real-estate investor. It could take up to 24 hours to withdraw or deposit any digital assets with Kingdom Trust.
Rogers says that Xapo keeps the private keys to over 95 percent of the Bitcoins under custody at multiple underground vaults across the globe, including one in a decommissioned Swiss military bunker. Signatures by multiple private keys are required for any transactions to occur — a process which could take up to two days to complete. To ensure clients can access some of their assets more quickly, Xapo also stores private keys to a small amount of Bitcoins online with Xapo employees overseeing those transactions.
The extraordinary security steps reduce the potential for digital assets to be stolen by either an insider or hacker to close to nil, say digital asset custodians. However, it can happen, as evidenced by the breach in 2016 of cryptocurrency exchange Bitfinex. Bitfinex used BitGo’s software as its security platform, but BitGo denied responsibility for the hacking, which resulted in Bitfinex’s losing about US$70 million of Bitcoins.
RIAs can’t count on the comfort of their digital asset custodian’s insurance policy. Jennings says that Kingdom Trust is working with a large unnamed insurance provider to provide such a policy, but would not discuss what the policy would cover. Cascarilla says that itBit will offer insurance to customers upon request. However, that insurance would only compensate a customer due to the loss of an asset from a catastrophic natural disaster, not a hacker.
Xapo’s Rogers says that his firm no longer buys insurance to compensate clients for potential asset loss because of “irrational” risk premiums. Instead, Xapo relies on a separate reserve fund of its own Bitcoins to cover client assets. “It is difficult for insurance firms to effectively calculate the risk of loss because the Bitcoin industry is so new,” notes Rogers. So far, Xapo has not used its reserve fund to compensate any clients.
Just as important as not losing one’s assets is having access to one’s assets. Rogers acknowledges that there have been cases where Xapo held up a fund manager’s transfer of Bitcoin to its own private wallet. However, he insists that the need to follow rigorous security procedures and verify the identity of the fund manager, not technology flaws, was the cause of the delay. The fund manager did eventually receive the assets within an undisclosed time.
Given that digital asset custodians use different terminology than traditional custodians in describing their asset-protection services, registered investment advisors might have a hard time understanding just what they are buying. Coleman recommends that compliance managers at RIAs ask legal and auditing firms specializing in cryptocurrency and blockchain for referrals on service providers they have worked with.
Another safeguard: asking the custodian whether it has received any third-party certification of its policies and procedures for financial reporting and systems. Such certifications, known as “SOCs”, short for service organization controls, come in three categories. Xapo has won SOC I and SOC II Type 1 certifications while itBit is working on a SOC I certification and Kingdom Trust is working on a SOC II certification. The SOC I certification covers financial reporting while SOC II also incorporates rigorous operating procedures for security, processing integrity and data privacy.
All of the extra diligence RIAs perform to pick the right digital asset custodian might not be enough to ward off a potential conflict with the SEC. “RIAs who select a qualified custodian can’t always depend on the custodian to safekeep all of the digital assets,” cautions Daniel Viola, a partner in charge of the crypto and regulatory practices at the law firm of Sadis & Goldberg in New York. The reason: the custodian may only be willing to safekeep some of the types of digital assets the RIA is holding.
What then? The RIA may be back to the self-custody option for the rest of its crypto-assets. That leaves the RIA subject to even further regulatory scrutiny on its policies and procedures. Transferring the assets to a remote cold-storage wallet is what Rogers recommends.