By James Baty, US Capital Global
Is custody of digital securities different?
A custodian is a financial institution that holds customers’ securities for safekeeping in order to minimize the risk of their theft or loss, and facilitate their reporting and transfer. A custodian may hold securities in physical or electronic form. The emergence of digital securities suggests some potential differences, complications or improvements, but in the end custody of private securities is pretty much the same, whether analog or digital.
We’re focusing here on digital ‘private’ securities
In this article the focus is the custody of digital ‘private’ securities, and how it might be different, or the same, from non-digital. This is contrasted with public securities, which are mostly similar, but have some different requirements and issues of scale. Also ‘digital securities’ are different from cryptocurrencies, although they have similar technical issues and risks. It is relevant that many emerging ‘digital custodians’ for cryptocurrencies constitute an early development area that will also define some of the new custodian practices for digital securities. Of course, in reality most all securities are ‘digital’, in that the record of their ownership is maintained in some computer system, but in this discussion ‘digital securities’ are securities tokenized in some cryptographically secure data base (e.g., blockchain).
Remember digital securities are ‘securities’
In April of 2019 the SEC issued it’s ‘Framework for “Investment Contract” Analysis of Digital Assets’ which basically affirms the position that a security is a security, and an STO (Security Token Offering) represents an investment contract under the Howey rules. So a ‘digital security’ is a security, fully subject to all of the normal regulatory implications. These SEC regulations come into play anytime a company is selling securities to U.S. residents, or the company’s shareholders are U.S. residents. While other regimes may have somewhat different regulations, the global trend has been towards digital securities equivalent to traditional securities.
Who can custodian private securities?
Obviously, the buyer themselves may hold their private security, or the security may be held for the buyer by the Issuer, or a regulated person under a power of attorney (POA). An investor may hold their securities themselves (i.e.’self custody’) by personally taking delivery of stock certificates. But this is not very convenient when it comes time to sell, and there is the potential risk of loss. So historically owners of public and private securities rely on some form of custodian – a bank, broker dealer, investment advisor operating under the custody rule, or a licensed commercial custodian. The owner does not have to take physical delivery of the shares, and future transactions are not delayed by physical transfer. These custodians are subject to regulation and oversight. The custodian provides not only for safekeeping of assets, but supports trade processing and asset servicing, and importantly provides for regulatory compliance. While most investors use custodians primarily for convenience, other such as institutional investors are essentially required to use custodians. The four largest custody banks alone hold about $114 trillion in assets.
Is Custody of Digital Securities different? Perhaps a bit ….
In March of 2109, the SEC issued a letter on the issues of and requesting comment on how digital assets are affected by the custody rule. The questions asked include:
What challenges do investment advisers face in complying with the Custody Rule with respect to digital assets?
What considerations specific to the custody of digital assets should the staff evaluate when considering any amendments to the Custody Rule? For example, are there disclosures or records other than account statements that would similarly address the investor protection concerns underlying the Custody Rule’s requirement to deliver account statements?
To what extent can DLT (Digital Ledger Technology)be used more broadly for purposes of evidencing ownership of securities?
Can DLT be useful for custody and recordkeeping purposes for other types of assets, and not just digital asset securities?
What, if any, concerns are there about the use of DLT with respect to custody and recordkeeping?
In January of 2109 ESMA (the European Securities and Markets Authority issued its Advice on ‘Initial Coin Offerings and Crypto-Assets’. It stated…
First, ESMA believes that greater clarity around the types of services/activities that may qualify as custody/safekeeping services/activities under EU financial services rules in a DLT framework is needed.
ESMA’s preliminary view is that having control of private keys on behalf of clients could be the equivalent to custody/safekeeping services, and the existing requirements should apply to the providers of those services.
Meanwhile, there may be a need to consider some ‘technical’ changes to some requirements and/or to provide clarity on how to interpret them, as they may not be adapted to DLT technology.
Clearly the regulators want to survey the knowledge and practices around the custody of digital assets, but in general, they describe digital assets as subject to the same custody requirements as traditional assets.
Two key issues Risk and Key Security
One position taken by many STOs is that the shareowner holds the keys to the wallet containing the digital share, and this constitutes the equivalent of self-custody. But while trading one share is not very risky, there already have been some serious security issues around very large volume cryptocurrency transactions. What happens if you lose your USB stick ‘cold wallet’ with your keys? What happens if someone hacks the wallet you stored online? What happens if bad guys know you have the keys to lots of high-value shares stored on your laptop and just put a gun to your head to make you give them the keys? Thus, to avoid this sort of risk, and add some convenience, early cryptocurrency owners would just store their wallets online at the various exchanges.
That has left us with the legacy of many stories of loss of cryptocurrencies through fraud, hacking and error, including the infamous Mt. Gox exchange loss of 850,000 customer bitcoins valued at more than $450 million.
They subsequently closed under bankruptcy. It has been widely reported that a total of 4 million Bitcoins have been stolen to date and 2 million have been lost, or about $14.5 billion. While digitization through cryptographically secure transactions theoretically provides some additional security to the description and identity records of securities ownership and transfer, it also raises serious new risks of recovering lost assets.
A recent technical solution offered to improve key security is the proposal is to implement custodian services on ‘multi-signature’ tokens, where the custodian or transfer agent has an additional signature and the transaction scheme may require 1of2, 2of2, 2of3 signatures, etc. to transfer. Think of that lockbox at the bank – it takes two keys to open it, yours and the banks. And implementing multiple signatures on a digital security is sort of like that, or not. Depending on the implementation the multiple signature may allow either ‘key’ to unlock the security, or require both, or 2 of three keys… Multisignature wallet providers include Armory, Electrum, Coinbase, Bitgo and Coinb. At the extreme Coinb supports up to 15 keyholders per wallet. While superficially this seems like a solution to some of the problems of digital assets and offers additional features, it actually really complicates the situation – Essentially there is no legally distinguishable custodian of funds deposited into a shared wallet with multiple keyholders. And so, we see Coinbase (primarily a cryptocurrency exchange) which initially supporting multi-signature, has dropped support for multi-signature as it developed a separate regulated cold storage custody service (Coinbase Custody).
So is Digital Security Custody really different? Basically, no.
While there might be additional procedural issues to adopt in custody of digital private securities, there is no magic bullet that technically solves all problems, and digital private securities are subject to the same custody requirements of traditional securities. And in the realm of esoteric technical features, cold storage wallet providers (e.g.., Coinbase, Xapo, Vo1t) advertise that your offline crypto assets will be stored in a technical faraday cage that prevents any electronic signals from reaching your assets. But perhaps the real issue is to provide additional enhancements to traditional procedures. Koine offers a ‘Digital Airlock’ which uses hardware and network segmentation to secure client assets so that no staff has access to modify client standard settlement instructions or transfer assets.
In summary, a security is a security, and a digital security is subject to the same custody requirements as traditional securities. Their digital nature does not magically solve custody issues but instead creates some new challenges. The key issue is custodians providing operations and procedures that ensure the transactional security of digital assets.