In December 2020, the SEC issued a statement and request for comment regarding the custody of digital asset securities by broker-dealers. The Statement and request for comment sets forth suggestions for complying with the Customer Protection Rule and lists certain requirements that a broker-dealer could comply with to ensure that it would not be subject to an enforcement proceeding for violation of the Customer Protection Rule.
Two months later, in February 2021, the SEC Division of Examinations issued a risk alert focused on digital asset securities. These statements were the first to address the topic of digital asset custody head-on since an August 2019 joint statement by the SEC and FINRA on the custody of digital assets and an October 2019 joint statement by the SEC, FinCEN and the CFTC.
The SEC and FINRA have been discussing issues of custody related to tokens and digital assets for years. For example, issues surrounding the custody of digital assets have been continuously cited by the SEC as one of the reasons for the failure to approve a cryptocurrency ETF. The SEC defines a digital asset as an asset that is issued and/or transferred using distributed ledger or blockchain technology (“distributed ledger technology”), including, but not limited to, “virtual currencies,” “coins,” and “tokens.”
Any entity that transacts business in digital asset securities must comply with the federal securities laws. An entity that buys, sells, or otherwise transacts or is involved in effecting transactions in digital asset securities for customers will be required to register with the SEC as a broker-dealer and become a member of and comply with the rules of FINRA. Likewise, entities that make markets in securities (i.e., buy or sell for their own account) may also need to be registered as a broker-dealer. However, historical rules do not adequately cover the complex issues related to digital assets, including rules related to the loss or theft of a security.
Since the SEC issued its Section 21(a) Report on the DAO investigation, finding that digital assets and cryptocurrencies are, in most instances, securities, there has been a significant rise in the number of SEC applications for broker-dealer registration and membership applications with FINRA. There has also been a large increase in applications to FINRA by existing members to expand their business operations to include digital assets. On July 6, 2018, FINRA sent Regulatory Notice 18-20 to its members asking all FINRA member firms to notify FINRA if they engage in activities related to digital assets such as cryptocurrencies, virtual coins and tokens, and to continue to update FINRA on such activities through July 31, 2019. FINRA subsequently extended the time, requiring firms to report activity through July 31, 2020.
Statement and Request for Comment
The SEC is looking into innovating the Customer Protection Rule to encompass digital assets. Broker-dealers that hold funds and securities must comply with Exchange Act Rule 15c3-3 (the “Customer Protection Rule”), which generally requires the broker to obtain and thereafter maintain physical possession or control over the customer’s fully paid and excess margin securities it carries for the account of customers. Where funds and securities are purely digital, consideration needs to be made over how they are accounted for and who has the obligation. In addition, certain activities and access levels could amount to “receiving, delivering, holding or controlling customer assets,” such as having access to a private key code for a customer.
The purpose of the Customer Protection Rule is to protect the customer funds, provide for processes in the event of a broker-dealer’s failure, and put systems in place so that the SEC can oversee and monitor business practices. Like attorney escrow accounts, a broker-dealer must keep the customer’s assets segregated from their own and properly labeled and tracked as that customer’s property.
To satisfy the Customer Protection Rule, most broker-dealers use a third party, such as the Depository Trust Company (DTC), a clearing firm or a transfer agent (for book entry or DRS securities) as the actual custodian of the securities. Using a third party creates a check and balance, eliminating the risk of commingling or the loss of the security in the event the broker-dealer fails, and allowing for the reversal or cancellation of a mistaken or unauthorized transaction. Simply, a broker-dealer’s employees, regulators, and outside auditors can contact these third parties to confirm that the broker-dealer is, in fact, holding the traditional securities reflected on its books and records and financial statements.
Digital assets are unique in that the way they are issued, held, and transferred is different from other securities up to this point. One of the principal concerns with the custody of digital assets relates to cybersecurity. The issue is pervasive for all companies, but even more so for those working with cyber assets. Another unique concern with digital assets relates to the ramifications if a broker-dealer or customer loses their “private key” necessary to transfer a client’s digital asset securities. If a private key is lost, there is no method for retrieving the information and the digital assets could be lost forever. Likewise, if digital assets are unintentionally or fraudulently transferred to an unknown or unintended address, there would be no meaningful recourse to invalidate the fraudulent transactions, recover or replace lost property, or correct errors.
In addition to these real-world issues, technical compliance with the Customer Protection Rule is not easy with digital assets. The rule requires that “not later than the next business day, a broker-dealer, as of the close of the preceding business day, shall determine the quantity of fully paid securities and excess margin securities in its possession or control and the quantity of such securities not in its possession or control.” If possession and control results from possession of a customer’s private key and the ability to transfer digital assets using the private key, it may be difficult to establish that no other party has a copy of the private key and could therefore also exercise possession and control over the assets. However, to satisfy the Rule’s requirements, a broker-dealer has to solve this problem. In that regard, the SEC has made suggestions for controls and procedures that are discussed below.
With that said, the SEC realizes that it is only a matter of time before broker-dealers are providing a full set of functions with respect to digital assets, including maintaining custody of the assets in a way that addresses the unique attributes of digital asset securities and minimizes risk to investors and other market participants. In order to accomplish these goals, a broker-dealer would need to have policies and procedures in place to be able to assess a particular digital asset’s distributed ledger technology and to be able to protect the private keys of holders.
Moreover, the Customer Protection Rule only covers cash and securities. If a customer has digital assets held at a broker that are not securities (such as bitcoin), the potential liability from a cyber-theft or loss of those assets could be catastrophic to the broker-dealer and therefore all its customers. SIPC would not cover such a loss.
In a striking development since its 2019 statements, the SEC’s December 2020 statement asserts an outright position of support for innovation in the digital asset securities market to develop its infrastructure. The SEC further asserts that, for a period of five years, it will not initiate enforcement action against a broker-dealer that claims to have obtained and maintained physical possession or control of customer fully paid and excess margin digital asset securities for the purposes of the Customer Protection Rule. The five-year period is designed to provide market participants with an opportunity to develop practices and processes that will enhance their ability to demonstrate possession or control over digital asset securities. It also will provide the SEC with experience in overseeing broker-dealer custody of digital asset securities to inform further action in this area. The statement and the SEC’s position on enforcement relate solely to the Customer Protection Rule and not to other obligations of broker-dealers.
Enforcement Protection
The SEC states that it will not recommend enforcement proceedings against a broker-dealer related to the Customer Protection Rule when it holds and transacts business in digital assets, in the following circumstances:
- The broker-dealer has access to the digital asset securities and the capability to transfer them on the associated distributed ledger technology;
- The broker-dealer limits its business to dealing in, effecting transactions in, maintaining custody of, and/or operating an alternative trading system for digital asset securities. In this case, the broker-dealer may hold positions in traditional assets for purposes of meeting the firm’s minimum net capital requirements and for hedging. Although not required by the SEC for enforcement protection, a broker-dealer could refuse to hold or engage in transactions involving non-security digital assets (such as cryptocurrencies and some NFTs);
- The broker-dealer establishes, maintains, and enforces reasonably designed written policies and procedures to conduct and document an analysis of whether a particular digital asset is a security offered and sold pursuant to an effective registration statement or an available exemption from registration, and whether the broker-dealer meets its requirements to comply with the federal securities laws with respect to effecting transactions in the digital asset security, before undertaking to effect transactions in and maintain custody of the digital asset security;
- The broker-dealer establishes, maintains, and enforces reasonably designed written policies and procedures to conduct and document an assessment of the characteristics of a digital asset security’s distributed ledger technology and associated network prior to undertaking to maintain custody of the digital asset security and at reasonable intervals thereafter. Such a review should include an examination of: (i) performance (i.e., does it work and will it continue to work as intended); (ii) transaction speed and throughput; (iii) scalability; (iv) resiliency (can it absorb the impact of a problem in one or more parts of its system and continue processing transactions without data loss or corruption); (v) security and relevant consensus mechanism (can it detect and defend against malicious attacks); (vi) complexity (can it be understood, maintained and improved); (vii) extensibility (can it have new functions added); and (viii) visibility (are its associated code, standards, applications, and data publicly available and well documented);
- The broker-dealer will not maintain custody of a digital asset security if the firm is aware of any material security or operational problems or weaknesses with the distributed ledger technology and associated network used to access and transfer the digital asset security, or is aware of other material risks posed to the broker-dealer’s business by the digital asset security;
- The broker-dealer establishes, maintains, and enforces reasonably designed written policies, procedures, and controls that are consistent with industry best practices to demonstrate the broker-dealer has exclusive control over the digital asset securities it holds in custody and to protect against the theft, loss, and unauthorized and accidental use of the private keys necessary to access and transfer the digital asset securities the broker-dealer holds in custody. These policies and procedures should address: (i) the on-boarding of a digital asset security such that the broker-dealer can associate the digital asset security to a private key over which it can reasonably demonstrate exclusive physical possession or control; (ii) the processes, software and hardware systems, and any other formats or systems utilized to create, store, or use private keys and any security or operational vulnerabilities of those systems and formats; (iii) the establishment of private key generation processes that are secure and produce a cryptographically strong private key that is compatible with the distributed ledger technology and associated network and that is not susceptible to being discovered by unauthorized persons during the generation process or thereafter; (iv) measures to protect private keys from being used to make an unauthorized or accidental transfer of a digital asset security held in custody by the broker-dealer; and (v) measures that protect private keys from being corrupted, lost or destroyed, that back-up the private key in a manner that does not compromise the security of the private key, and that otherwise preserve the ability of the firm to access and transfer a digital asset security it holds in the event a facility, software, or hardware system, or other format or system on which the private keys are stored and/or used is disrupted or destroyed;
- The broker-dealer establishes, maintains, and enforces reasonably designed written policies, procedures, and arrangements to: (i) set out the steps and responses to events such as blockchain malfunctions, attacks, hard forks and airdrops; (ii) allow the broker-dealer to comply with a court-ordered freeze or seizure; and (iii) allow the transfer of the digital asset securities held by it to another special-purpose broker-dealer, a trustee, receiver, liquidator, a person performing a similar function, or another appropriate person, in the event the broker-dealer can no longer continue as a going concern and self-liquidates or is subject to a formal bankruptcy, receivership, liquidation, or similar proceeding;
- The broker-dealer provides written disclosures to prospective customers, including: (i) an explanation of how SIPA defines securities and that digital assets, even those that are investment contracts under Howey, may be excluded from the definition and therefore not covered by SIPC in the event of a loss; (ii) a description of the risks of fraud, manipulation, theft, and loss associated with digital asset securities; (iii) a description of the risks relating to valuation, price volatility, and liquidity associated with digital asset securities; and (iv) a description of the processes, software and hardware systems, and any other formats or systems utilized by the broker-dealer to create, store, or use the private keys and protect them from loss, theft, or unauthorized or accidental use; and
- The broker-dealer enters into a written agreement with each customer that sets forth the terms and conditions for receiving, purchasing, holding, safekeeping, selling, transferring, exchanging, custodying, liquidating, and otherwise transacting in digital asset securities on behalf of the customer.
Request for Comments
The SEC also specifically requests comments on:
- What are industry best practices with respect to protecting against theft, loss, and unauthorized or accidental use of private keys necessary for accessing and transferring digital asset securities? What are industry best practices for generating, safekeeping, and using private keys?
- What are industry best practices to address events that could affect a broker-dealer’s custody of digital asset securities such as a hard fork, airdrop, or 51% attack?
- What are the processes, software and hardware systems, or other formats or systems that are currently available to broker-dealers to create, store, or use private keys and protect them from loss, theft, or unauthorized or accidental use?
- What are accepted practices (or model language) with respect to disclosing the risks of digital asset securities and the use of private keys? Have these practices or the model language been utilized with customers?
- Should the SEC expand this position in the future to include other businesses such as traditional securities and/or non-security digital assets? Should this position be expanded to include the use of non-security digital assets as a means of payment for digital asset securities, such as by incorporating a de minimis threshold for non-security digital assets?
- What differences are there in the clearance and settlement of traditional securities and digital assets that could lead to higher or lower clearance and settlement risks for digital assets as compared to traditional securities?
- What specific benefits and/or risks are implicated in a broker-dealer operating a digital asset alternative trading system that the Commission should consider for any future measures it may take?
SEC Risk Alert
In February 2021, the SEC Division of Examinations issued a risk alert focused on digital asset securities. The risk alert highlights observations made by SEC staff during examinations of investment advisers, broker-dealers, and transfer agents regarding digital asset securities that may assist firms in developing and enhancing their compliance practices. These observations also provide a view of future regulatory focus in examinations.
Specifically related to investment advisers that are managing digital asset securities, either directly or through pooled vehicles, the SEC will focus on:
- Portfolio management – whether digital assets are classified as securities; due diligence, including that the adviser understands the digital assets, wallets and other devices or software used in the network; evaluation and mitigation of risks related to trading venues and trade execution or settlement facilities, including KYC/AML procedures; management of risks and complexities associated with forks and airdrops; and fulfillment of fiduciary duties.
- Books and Records – whether advisers are keeping accurate books and records. Digital asset trading platforms vary in reliability and consistency with regard to order execution, settlement methods, and post-trade recordation and notification, which an adviser should consider when designing its recordkeeping practices.
- Custody – unauthorized transactions, including theft of digital assets; controls around safekeeping of assets; business continuity plans where personnel have access to private keys; how the adviser evaluates harm due to loss of private keys; reliability of software; storage of digital assets; and security procedures for software and hardware wallets.
- Disclosures – disclosure to investors regarding the unique risks of digital assets.
- Pricing Client Portfolios – valuation methods for digital assets.
- Registration Issues – how the investment adviser calculates its regulatory assets under management and characterizes digital assets in pooled vehicles.
Specifically related to broker-dealers that are transacting in digital asset securities, the SEC will focus on:
- Safekeeping of funds and operations – considering unique safety and custody issues of digital assets.
- Registration requirements – including activities by affiliates.
- Anti-money laundering – general AML procedures that take into account digital assets, including routine searches to check against the Specially Designated Nationals list maintained by the Office of Foreign Assets Control (“OFAC”) at the U.S. Department of the Treasury.
- Offerings – including disclosure and due diligence obligations.
- Disclosure of conflicts of interest – including compliance policies and procedures.
- Outside Business Activities – FINRA-member broker-dealers must evaluate the activities of their registered persons to determine whether such activity constitutes outside business activities or an outside securities activity and therefore should be subjected to the approval, supervision, and recordation of the broker-dealer.
Specifically related to National Securities Exchanges that are transacting in digital asset securities, the SEC will focus on:
- Exchange Registration – the staff will examine platforms that facilitate trading in Digital Asset Securities and review whether they meet the definition of an exchange.
- Compliance with Regulation ATS – Examinations will include a review of whether an ATS that trades Digital Asset Securities is operating in compliance with Regulation ATS, including, among other things, whether the ATS has accurately and timely disclosed information on Form ATS and Form ATS-R, and has adequate safeguards and procedures to protect confidential subscriber trading information.
Finally, related to transfer agents that are transacting in digital asset securities, the SEC will focus on:
- Compliance with Transfer Agent Rules – the staff will focus on prompt and accurate clearance and settlement of securities transactions.