Institutional Crypto Custody for Hedge Funds

Michael Hall
Sep 6, 2018

This is a short(ish) note on the challenges of the custody of crypto assets in an institutional environment, specifically looking at hedge funds, where multiple investors entrust the safekeeping of their crypto to one party, a custodian.

The irrevocability of blockchain transactions

Custody of crypto assets has one big difference compared to fiat asset custody: the irrevocability of a blockchain transaction. Erroneous or fraudulent fiat transactions can be repudiated or reversed by a bank, but blockchain transactions are irrevocable and can only be reversed by a new transaction in the opposite direction, initiated by the owner of the private key for the destination address. Should a criminal steal fiat, the owner of the account to which it was sent can be identified, the account frozen and, in most cases, the money recovered. Identifying even the owners of blockchain addresses can be very difficult, and reversing transactions from blockchain addresses associated with fraud has been challenging and in many cases impossible.

Institutional custody should separate the functions of owner and trader

Many services have been built for custody of individual investors’ crypto currency; however, institutional custody solutions are scarce. The main difference between retail and institutional custody is that in retail custody the crypto assets belong to one person, whereas in institutional custody the assets are held on behalf of a group of people, none of whom may trust the others to look after their assets and all of whom look to the custodian to safekeep their assets. In the institutional solution the investment manager can trade assets on an exchange but not make transactions to move or transfer them to other owners.

Institutional Custody should be both secure and fast

The custodian assumes a role of central trusted party. When a custodian is looking after the crypto assets of a group one would expect more frequent movements of funds than for just one person. When the custodian is holding crypto assets for a hedge fund to use when trading on multiple exchanges then the movements become far more frequent. The time taken to move crypto assets in order to take advantage of market opportunities should also be measured in hours not days. Hence a custodian for a crypto investment fund not only has to store the crypto securely but also has to frequently, rapidly and securely move it around between various counter-parties.

Role of the Investment Manager in a hedge fund

The role of the Investment Manager (IM) changes significantly around the launch of a hedge fund. Prior to launch the IM selects the custodian, administrator, accountants, lawyers, and directors of the fund and even chooses its name. The IM or associated companies will market the fund to potential investors. Once the fund is launched the IM takes a subordinate role to the investors who then own the fund. Although the IM has selected the custodian, once the fund is operating the custodian is paid by and acts in the interests of the investors to protect their assets. The IM is able to request transfers of fiat and crypto but the custodian must make and verify the transactions on behalf of the investors.

Role of the Administrator

The administrator of the fund is chosen by the IM and performs NAV calculations, corporate secretarial services as well as processing investor transactions, namely subscriptions and redemptions. The Administrator will send subscription funds (used to buy shares in the fund) from investors to the custodian and will request fund movements from the custodian to pay redemptions.

Withdrawal security at trading counter-parties

The fund will trade with several counter-parties who, as in the fiat world, would require the fund to post margin to cover trading risk. Many crypto trading locations, such as the exchanges, require margin to be posted in crypto currency. The fund should only trade with exchanges that have secure withdrawal procedures that separate the trading function from the funds movement. Some more retail-oriented exchanges use one access key for both trading and fund withdrawals, which makes them unsuitable for institutional use as the IM would be able to add blockchain addresses and move funds. Institutional-use exchanges separate this functionality and add additional security measures such as restricting withdrawals to only whitelisted crypto addresses.

Secure fund movements

The custodian can take several measures to ensure that fund movements initiated by them are secure:

1. First, all fund movements should be signed by multiple parties, including more than one party at the custodian, by the IM and by either a fund director or an administrator.

2. Fund instructions should only be accepted from pre-approved (whitelisted) IP addresses.

3. Funds should only be sent to whitelisted destinations on the crypto’s blockchain.

4. Depending on transaction type and size, the number of signatories will vary and destination checks will be made.

5. In order to freeze unauthorized transactions before they are sent to the mempool, a predetermined delay should be introduced between the final transaction signing and the sending. These delays enable stakeholders to stop the processing of unauthorized transactions before they are entered in the blockchain.

Notification of stakeholders

All transaction movements should be notified to the Telegram and email addresses of the fund directors, administrators, and IM. The IM or administrator, depending on who initiated the movement, is responsible for checking the transaction details.

Whitelisted IP addresses

Cash and crypto movement instructions for exchange margin movements can only originate from the IM’s IP address. These movements must be approved from the administrator’s IP address. The administrator can request fiat movements to pay redemptions and these must be approved from the IM’s IP address.

Delays

As an example, the following delays should be applied by the custodian for transaction instructions received. The delay runs from the creation of the transaction internally at the custodian, with notification of the stakeholders, to the entry of the transaction to the node. The delays are based on the size of the cash/crypto being moved in any rolling 24 hour period.

Less than $1MM: no delay.

$1MM to $5MM: four hour delay.

$5MM to $10MM: eight hour delay.

>$10MM: 24 hour delay.

The rolling delay is based on the sum of the previous 24 hours’ transactions. So if a $900k transaction is followed by a $110k transaction within 24 hours, a four hour delay would be added to the $110k transaction.
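The rolling-delay rule above, worked through as an added example (not code from the original article). The function names are hypothetical, and placing exactly $5MM in the eight hour tier is an assumption, since the article's tiers overlap at that boundary.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # rolling period from the article


def delay_hours(total_usd):
    """Map a rolling 24h total (USD) to the article's delay tiers."""
    if total_usd > 10_000_000:    # ">$10MM" is strict in the article
        return 24
    if total_usd >= 5_000_000:    # assumption: exactly $5MM takes the longer delay
        return 8
    if total_usd >= 1_000_000:    # "less than $1MM" has no delay
        return 4
    return 0


def rolling_total(history, now, amount_usd):
    """New movement plus every movement created in the preceding 24 hours."""
    cutoff = now - WINDOW
    return amount_usd + sum(a for ts, a in history if cutoff < ts <= now)


def release_time(history, now, amount_usd):
    """Earliest time the signed transaction may be entered to the node."""
    total = rolling_total(history, now, amount_usd)
    return now + timedelta(hours=delay_hours(total))


if __name__ == "__main__":
    # Constructed sample: the article's $900k then $110k case.
    t0 = datetime(2018, 9, 6, 9, 0)
    history = [(t0, 900_000)]
    later = t0 + timedelta(hours=6)
    print("rolling total:", rolling_total(history, later, 110_000))
    print("created:", later, "release:", release_time(history, later, 110_000))
    # Outside the window the $900k no longer counts, so no delay applies.
    next_day = t0 + timedelta(hours=25)
    print("created:", next_day, "release:", release_time(history, next_day, 110_000))
```

Because the tier is chosen from the rolling sum rather than the single amount, splitting a large movement into several small instructions does not avoid the delay.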

Whitelisted crypto blockchain addresses

The custodian should securely maintain a list of the fund’s blockchain addresses which are whitelisted for the different cryptos as well as the exchanges’ blockchain addresses. This list will be sent to the stakeholders after any additions or modifications to the various addresses.

Updates to IP and blockchain whitelists

The custodian should only add trusted IP addresses and blockchain addresses to the whitelist with written approvals from a fund director and emails from the administrator or manager. There should be a delay of 24 hours between a modification of the list and funds being sent to that address.

Transaction signing

On receipt of a movement instruction from the IM, the custodian should create a movement transaction to be signed by the Administrator. Transactions greater than $10MM will need an additional signature approval from a fund director. All signatures should be confirmed with a second authorization code sent to an iOS device and entered into the custodian’s system.
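How the IP whitelist, destination whitelist, 24 hour whitelist aging and signature rules combine for an exchange margin movement, as an added example (not code from the original article). The field names, IP addresses and destination labels are constructed, and role names stand in for verified cryptographic signatures.

```python
from datetime import datetime, timedelta

# Constructed policy data; IPs are from documentation-only ranges.
ROLE_IPS = {"IM": {"192.0.2.10"}, "ADMIN": {"198.51.100.20"}}
WHITELIST_AGING = timedelta(hours=24)   # wait after a whitelist change
DIRECTOR_THRESHOLD = 10_000_000         # USD; above this a director must sign


def check_margin_movement(instr, dest_whitelist, now):
    """Return every policy violation; an empty list means releasable."""
    problems = []
    if instr.get("origin_ip") not in ROLE_IPS["IM"]:
        problems.append("instruction not from IM IP")
    if instr.get("approval_ip") not in ROLE_IPS["ADMIN"]:
        problems.append("approval not from administrator IP")
    added = dest_whitelist.get(instr.get("destination"))
    if added is None:
        problems.append("destination not whitelisted")
    elif now - added < WHITELIST_AGING:
        problems.append("destination whitelisted less than 24h ago")
    required = {"ADMIN"}
    if instr["usd_value"] > DIRECTOR_THRESHOLD:
        required.add("DIRECTOR")
    missing = required - set(instr.get("signatures", []))
    if missing:
        problems.append("missing signatures: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    now = datetime(2018, 9, 6, 12, 0)
    # Constructed whitelist: destination label -> time it was added.
    whitelist = {"EXCHANGE-ADDR-A": now - timedelta(days=3),
                 "EXCHANGE-ADDR-B": now - timedelta(hours=2)}
    instr = {"origin_ip": "192.0.2.10", "approval_ip": "198.51.100.20",
             "destination": "EXCHANGE-ADDR-B", "usd_value": 12_000_000,
             "signatures": ["ADMIN"]}
    for problem in check_margin_movement(instr, whitelist, now):
        print("BLOCKED:", problem)
```

The check reports all violations rather than stopping at the first, which gives the notified stakeholders the full picture when an instruction is held.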

Key sharding

The custodian should shard the private keys for the crypto addresses it controls and store them in separately accessed locations. The keys should be reconstructed by software and never be visible to any employee of the custodian.

Sample transactions

Subscription

Fiat funds from subscriber’s (investor’s) account to the fund’s bank account.

Administrator controls account and wires funds from fund’s account to the custodian’s fiat account held in the name of the fund (no co-mingling with other funds).

Fiat to Crypto conversion

Custodian moves fiat to the exchange’s fiat address.

IM buys crypto with the fiat, which the exchange moves to the fund’s crypto address.

Crypto movement from Custodian to Exchange

IM instructs custodian to move crypto from fund’s address to the exchange’s address.

Custodian creates transaction to move crypto to the exchange.

Crypto movement from Exchange to Custodian

IM instructs custodian to move crypto from the exchange. Custodian creates a transaction with the exchange to move crypto to the custodian’s address.

Crypto to fiat conversion for redemption

IM sells crypto to buy fiat, with the exchange moving the fiat to the custodian’s exchange fiat account. Custodian can then move fiat from the exchange to the fund’s bank account.

Fiat movement from Exchange to Custodian

IM instructs the custodian to move fiat from exchange. Custodian creates transaction with exchange to move fiat to the custodian’s bank account for the fund.

Redemption

Administrator calculates redemption proceeds and wires this amount from the fund’s fiat account to the redeemer’s (investor’s) fiat account.

Many thanks to Ailsa Darroch for her input