The Custody of Digital Assets: Will Banks Become “Crypto-Enabled”?
In the future, digital assets will play an increasingly important role in the financial sector. Retail investors, but also financial institutions, will gain access to traditional and completely new asset classes in the form of tokens. This universe of digital assets provides the same legal certainty that we have known from the traditional financial markets for decades. Therefore, the custody of blockchain-based digital assets plays an essential role. In a world, in which banks will soon issue the digital Euro on a blockchain system, the importance of crypto custody does not seem to be fully understood. The ongoing concerns about the security of crypto custody providers are outdated. Crypto custodians offer financial institutions solutions that meet their regulatory standards and technical requirements. Authors: Benjamin Schaub, Philipp Sandner. See the German version here.
The future of digital assets is developing. The foundation, therefore, is provided by regulatory progress, but also by technological evolution within the blockchain sector. On the one hand, progressive regulation, as can be observed by the “Liechtenstein Blockchain Act” paves the way for digital assets and tokens. As a result of this law, any physical object with its associated rights and obligations can be fully transformed into a corresponding digital asset.
On the other hand, a look at the national blockchain strategy of Germany also points in the same direction, by showing that „many stakeholders regard the tokenization of assets and in particular securities as one of the central future blockchain applications“ (German government’s blockchain strategy, 2019). Furthermore, the German government would like to open its legislation for digital securities; starting with the issuance of digital bonds. At a later point in time, the implementation of digital shares and investment fund shares will be examined. As a consequence, the requirement for the certification of securities would no longer apply. In other words, securities will be dematerialized and will, therefore, require a crypto custodian for technical and regulatory reasons. There will be no way around this.
Regulatory legitimation of Bitcoin and other crypto assets
European countries are leading the way not only with regards to the token economy but also when it comes to creating a solid regulatory basis for financial institutions dealing with crypto currencies. Germany, in particular, stands out when it comes to regulating crypto custody. This activity involves storing private keys necessary for the transfer, storage, and safekeeping of digital assets. As a result, BaFin approval will be required from Q1 2020 in order a company seeks to act as a crypto custodian: Crypto custody becomes a financial service in the meaning of the German Banking Act (KWG).
Similar developments are also apparent in Switzerland. The local supervisory authority FINMA is continuously expanding the regulatory framework for FinTechs. In August 2019, the first two blockchain-focused banks received corresponding bank and security licenses: Sygnum and SEBA Bank. These banks are now able to offer crypto currencies and tokens to professional and institutional investors.
New technology in an old system
When it comes to the technical implementation of crypto custody, however, several challenges arise. In the “old world” of custody, assets (e.g., securities) are being physically stored at a Central Securities Depository. This type of custody is strictly regulated, in Germany for example by the German Safe Custody Act. As a consequence, there is no leeway in the technical realization for the safekeeping of physical objects. A physical object remains physical and is stored safely.
In the context of tokenization, this new technology is now being forced into such legacy systems. The key difference between the old and the new world of custody is that there are very different technical solutions for storing digital assets. From a regulatory point of view, the question of which or whether one of these solutions is to be preferred remains unanswered. In the draft bill, the German legislator only defines, which activities belong to crypto custody, namely „the custody, safekeeping, and administering of crypto assets or private cryptographic keys that serve to hold, store, and transfer crypto assets for others“ (Draft bill for the transposition of the 5th EU Anti-Money Laundering Directive, 2019).
A bumpy road: „classical“ crypto custody
Crypto exchanges, which store crypto assets or private keys in hot storage, i.e. wallets connected to the Internet, are known to be vulnerable to hacker attacks. The unfortunately not last, but most prominent case is certainly Mt. Gox. In February 2014, more than 850,000 Bitcoin were stolen at that time representing a market capitalization of around USD 460 million. The advantage of hot storage is that investors have immediate access to their assets and can, therefore, transfer them quickly.
An alternative approach, known as cold storage, stores crypto assets or the associated private keys on a platform that is not connected to the Internet. As a result, this custody solution is much more secure since it leaves no room for hackers to attack. However, this solution has disadvantages concerning the accessibility of the stored assets. In some cases, it can take several hours or even days for an investor to obtain control of his/her crypto assets. This is an inadequate solution for investors who want to react to market fluctuations or other opportunities.
However, the supposed safety of this solution also bears risks, as the case of QuadrigaCX CEO Gerald Cotton, who died in December 2018, shows. He alone was in possession of the necessary passwords and authorization for the company’s cold wallet, resulting in an irreversible loss of approximately USD 140 million in assets since his death. These two cases tragically illustrate the technical difficulties of crypto custody. They also show, however, that regulatory requirements are necessary in order to create a stable legal foundation for products, as well as providing the appropriate protection for consumers.
Figure 1 shows providers of classical crypto custody services. Crypto exchanges such as Bitfinex and Binance hold their assets in hot wallets, as described above. Coinbase and BitGo, on the other hand, follow the other approach, cold storage. Ledger and Trezor are known for manufacturing hardware for the private custody of crypto assets. Interestingly, however, suppliers in these categories are also evolving. In October 2019, Bitstamp, one of Europe’s largest crypto exchanges, announced that it would use Ledger’s security solution thereby also entering the market for financial institutions.
As follows, the emerging trends within the custody industry will be examined and key differences will be highlighted. The following figure reflects the subjective assessment of the authors concerning the mentioned custody providers.
Differentiation non-/self-custodian vs. custodian
Especially in the light of the German draft bill for the implementation of the 5th EU Anti-Money Laundering Directive, the differentiation between non-/self-custodians and crypto custodians plays an important role. By definition, a non-/self-custodian merely provides a client with the hardware or software to secure private keys. The management of the private keys is then the responsibility of the client. According to the latest information, providers in this category will not require any permission or license from BaFin for their business at this stage.
Among the non-custodians, for example, there is Upvest. Its customers can integrate crypto custody in their services using an API. The Munich startup Tangany, on the other hand, is entering the market as a crypto custodian, thus applying to BaFin for its license. From a regulatory point of view, Tangany will provide custody for the private keys on its own responsibility.
A little hot, a little cold: warm storage
Given the outlined difficulties of “classical” crypto custody, it is not surprising that new concepts of custody have developed. These concepts try to eliminate previous weaknesses while maintaining the benefits of existing solutions. The crypto custodian ecosystem is changing in this respect, offering a variety of solutions for different target groups, but increasingly focuses on financial institutions. Additionally, there is a striking trend towards solutions in the middle of the spectrum of cold storage and hot storage. All providers in Figure 2 belong to this category. A core feature of so-called warm storage is the ability to benefit from the digitality of the assets by making them available within a few seconds in order to actively participate in the market with full liquidity.
For the necessary security, which fulfills both the requirements and standards of banks, an old friend of this industry is being used, so-called hardware security modules (HSMs). The main task of an HSM is to generate, store, or manage cryptographic keys and to protect them from unauthorized access. HSMs get certified in accordance with security standards and are connected to a network with strong restrictions only, making unauthorized access or attacks extremely difficult. A further advantage of using HSMs for crypto custody is that the actual custodian does not obtain possession of the private keys, as these cannot be extracted by the provider either.
A closer look at the providers in the field shows that HSMs are being deployed differently. Finoa, a FinTech located in Berlin, for example, uses HSMs in its own data center. Therefore, the classification is made on the far left in Figure 2, as this part of the service is also under the control of the company.
For its custody solution, the provider Plutoneo cooperates with the established German-based IT full-service provider GISA which provides IT services for critical infrastructure since years. As a result, Plutoneo has a large number of developers with years of experience in the IT security of critical infrastructures at its command. The range of custody solutions is therefore wide and includes cloud-based custody as well as custody at GISA’s or the customer’s data center.
The crypto custodians Tangany and Upvest use the cloud HSM services of Google. Both providers can be found one cell further to the right as this part of the service is not directly under their control. It is absolutely essential that our classification should be seen as neutral concerning the quality of the respective solution. In the course of the next few years, it will be interesting to observe whether it is of importance for potential customers if a data center is operated independently or if the services of a cloud provider are being used. Furthermore, it must be monitored closely whether the two different approaches are reflected in the cost structure of the respective crypto custodians.
Within warm storage, concepts emerge in various forms that pick up the fundamental idea of decentralization. Trustology, for example, fulfills some criteria that would make it a centralized provider as shown in Figure 2 (e.g., usage of HSMs). However, users can integrate their MetaMask wallet here, allowing them to use decentralized applications (DApps) in the Ethereum network, such as MakerDAO or Compound Finance. This enables users to participate in decentralized financial products that are settled entirely via smart contracts and, for example, earn interest for loans using crypto currencies.
The blockchain company Riddle & Code deploys a decentralized architecture with several hardware components. The provider expects increased security compared to solutions that rely on HSMs. With this approach, the private key is not stored on one device but is instead distributed to multiple devices in single pieces (Shamir’s Secret Sharing). A transaction must, therefore, be authorized by a certain threshold of devices in order to be valid.
By far, the most radical approach is pursued by Qredo, which intends to fulfill the original idea of a decentralized system. The network consists of Decentralized Trust Authorities (D-TAs) based on the software of Apache Milagro. In the beginning, users determine how many signatures are required to authorize a transaction, e.g. 4 of 5. Shamir’s secret sharing is used to share authorization amongst the governing parties. This approach does not use different hardware components for authorization, but rather network participants defined by the customer, who must identify themselves using biometric data. Only when the authorization threshold is reached, the D-TAs grant access to the private key. An HSM is used for the storage of the private keys in this solution as well.
Recovering assets after a disaster
In the past, lost or stolen private keys have resulted in the permanent loss of the associated assets. While for private investors such a threat was probably an obstacle that could be accepted reluctantly, it was undoubtedly a knockout criterion for financial institutions. However, those days are over. The use of HSMs eliminates the possibility of losing private keys. The crypto custodians, which use HSMs for their solutions, create backups. Additionally, these stored in geographically different zones.
Common to all crypto custody solutions is the fact that the authentication of users and thus the access to a wallet is made significantly more secure. In recent years, two-factor authentication (2FA) has established itself as the standard for personal identification. In this case, a combination of something that the user knows (password) and an object that the user owns (smartphone) is used. Lately, at least one further dimension has been added to this identification mechanism. Multi-factor authentication (MFA) also uses biometric data (e.g., fingerprint and/or face ID) in addition to the two parameters mentioned above.
For banks and other financial service providers, the latest development is very positive. Finally, crypto custodians enable the world of digital assets for financial institutions. Therefore, financial institutions now have tremendous opportunities for the development of new products, services, and markets.
However, due to the large number and very subtle differences between the available custody solutions, it is also a very complicated task to select the supposedly ideal provider. One of the significant challenges is to understand the technical differences between the providers. Crypto custodians, on the other hand, have to deal with the complexity of their products as well since they can only sell the supposedly best and most advanced technology if a.) it is understood by the customer and b.) the customer trusts this solution and its provider.
For these reasons, it will be exciting to observe, which solution is preferred by financial institutions. Conversations with providers of crypto custody show that smaller banks are more agile and interested than large players and tend to be receptive to cloud-based security solutions, for example. It can be concluded from this statement that large financial institutions might prefer a provider that covers both security and regulatory aspects from a one-stop-shop.
As regulation and technology progress, the world of digital assets opens up for financial institutions. The ecosystem of crypto custodians has undergone an enormous development. The race for promising market positions among providers has begun and will become intense in 2020, especially in Germany. With the issuance of licenses for crypto custodians by the German regulator BaFin, however, it is up to the banks and other financial service providers to position themselves. The opportunities are great — the market potential for blockchain-based assets is immense. However, one thing must be clear: Anyone, who waits or hesitates, will be left behind by the rapid technological development of blockchain technology — perhaps forever.
If you like this article, we would be happy if you forward it to your colleagues or share it on social networks. More information about the Frankfurt School Blockchain Center on the Internet, on Twitter or on Facebook.
Benjamin Schaub is a project manager and research assistant at the Frankfurt School Blockchain Center (FSBC). His interests include blockchain regulation and governance as well as blockchain use case development. You can contact him via mail (email@example.com) or on LinkedIn (www.linkedin.com/in/benjamin-schaub).
Prof. Dr. Philipp Sandner is head of the Frankfurt School Blockchain Center (FSBC) at the Frankfurt School of Finance & Management. In 2018, he was ranked as one of the “Top 30” economists by the Frankfurter Allgemeine Zeitung (FAZ), a major newspaper in Germany. Further, he belongs to the “Top 40 under 40” — a ranking by the German business magazine Capital. The expertise of Prof. Sandner, in particular, includes blockchain technology, crypto assets, distributed ledger technology (DLT), Euro-on-Ledger, initial coin offerings (ICOs), security tokens (STOs), digital transformation and entrepreneurship. You can contact him via mail (firstname.lastname@example.org), via LinkedIn (https://www.linkedin.com/in/philippsandner/) or follow him on Twitter (@philippsandner).