The Curious Conundrum of Custodizing Cryptocurrencies
Gregory Eaden tightens his jacket to brace the chill. It’s unseasonably cold for this time of year in New York City as he makes his way down the stairwell of a nondescript office building on West 44th Street and 8th Avenue.
By all accounts the concrete and brick structure housing billions of dollars worth of securities are remarkable for its unremarkability.
Eaden says it is deliberate as he puts his thumb on the fingerprint scanner at what is to be the first of several doors and manned security stations that we will need to pass through before heading into the building housing billions of dollars worth of share certificates and other security documents.
Although the actual value of securities held in the building is a closely guarded secret, Eaden is able to tell us that he estimates it to be in the billions.
Inside the cavernous basement of the building, climate controlled and de-humidified rooms house row after row of share certificates and documents in neatly ordered lock boxes behind a double-glazed glass chamber that is itself monitored by several layers of security both manned and unmanned.
Few have seen the inside of the building and Eaden is one of those few.
As one of the compliance officers at one of the world’s largest regulated and licensed custodians, the company that Eaden works for helps to ensure that financial markets continue to hum along at the breakneck speed and efficiency that the world has grown accustomed to.
Ancient Schisms For Modern Technology
And despite the rise of cryptocurrencies and blockchain technology, which facilitate peer-to-peer transactions, the role of the custodian is unlikely to vacate anytime soon. According to Eaden, who himself is a self-professed cryptocurrency advocate,
“You’re (cryptocurrencies) trying to create an entirely trustless system. But the reality is that human nature means there will always be bad actors.”
“The system (cryptocurrencies) is notable for its libertarian and idealistic approach, but it’s naive to assume that complete trustlessness is possible if you ask me.”
A lawyer by training, Eaden is a natural skeptic, which is why his interest in cryptocurrencies seems somewhat ironic. But he argues that when peer-to-peer transfers of value eventually takeoff, you’ll still need a referee — someone to explain what the rules are and to call the amount of yardage — a custodian in other words.
While cryptocurrencies and blockchain technology seek to disrupt the traditional financial system by reducing, if not ultimately eliminating the role of banks and other financial intermediaries, there is still one intermediary role for which the legacy financial system may still serve a purpose in a future quasi-trustless financial ecosystem — the custodian.
What do you do?
In a nutshell, custodians secure and custodize assets on behalf of other parties. These assets are usually shared certificates, client funds or other securities, but with the rise of other asset classes, many custodians are now also custodizing more and more exotic assets such as art or classic cars.
The legal definition of custody can be found in the Securities and Exchange Commission Rule 206(4)-2(c)(1):
“Custody means holding, directly or indirectly, client funds or securities, or having any authority to obtain possession of them. You have custody if a related person holds, directly or indirectly, client funds or securities, or has any authority to obtain possession of them, in connection with advisory services you provide to clients.”
For an example of this, we turn to the U.S. Securities and Exchange Commission (SEC) which states,
“Advisers have custody where the adviser has possession of client funds and securities or has power of attorney to sign checks on a client’s behalf, to withdraw funds or securities from the client’s account, including fees, or to otherwise dispose of a client’s assets for any purpose other than authorized trading.”
But when it comes to cryptocurrencies, most parties self-custodize no?
What is the value then of the custodian?
It is precisely the self-custodization of cryptocurrencies which has stunted the growth and widespread use of cryptocurrencies.
The problems with self-custody are myriad.
Just consider the guy from the United Kingdom who hired a backhoe to dig up a lot to find his thumb drive with over US$100 million worth of Bitcoin which he had carelessly tossed away, and it's obvious what some of the problems are.
And it doesn’t just stop there.
Self-custody of cryptocurrencies also prevents further financialization and securitization of cryptocurrencies as well as cryptocurrency derivative products.
Whether we like it or not, financialization is key to institutional investor interest in any asset class.
And if cryptocurrencies are to fulfill that role, a more robust custody solution needs to be found because you can’t securitize something if you don’t have a referee to say where that something exists or not.
Which is why the SEC has its work cut out for it when it comes to the custody of cryptocurrencies and other digital assets.
SEC to the rescue?
For starters, the SEC has to reconcile decades’ old laws regarding custody which envisaged a world of paper, with the current state of art which is entirely digital.
Current law requires mutual funds to deposit securities and similar assets in a vault or other depository belonging to a bank or a trusted company. Investment advisors must also maintain client assets with a qualified and regulated custodian.
But the law stops short of specifying how a custodian bank must safeguard or maintain custody of a client’s assets.
In other words, a licensed custodian could just as well place the share certificates under the mattress of the bank’s CEO or hide it under the doormat, as much as creating a purpose-built nondescript fortress of share certificates on 8th Avenue — it’s entirely discretionary.
As the custody industry has evolved, there have of course developed certain norms and best practices in the custody business.
But as one will recall from the (lack of) release of a President’s tax returns — norms are not the equivalent of a legal or binding obligation — and that has serious ramifications when trying to custodize cryptocurrencies or digital assets.
How do you bottle what doesn’t physically exist?
Because the “possession” of cryptocurrencies is so novel, many legacy financial market intermediaries have yet to fully grasp the handling of these digital assets, let alone develop processes to safely handle them.
A “private key” for a cryptocurrency wallet is simply controlled over the unspent transactions in a “public key.”
Think of the “public key” as the address to a home and the “private key” as the access to control the contents of that home. You can have mail slotted through the mail slot at the door, but only the holder of the key to the home (the private key) can access the mail.
In cryptocurrencies, the private and public keys are usually a string of alphanumeric characters.
The SEC’s challenge is to ensure that such digital assets cannot be stolen or misappropriated.
Once someone has access to the private key of a cryptocurrency wallet, they will have access to the contents inside and because transfers of cryptocurrency are immutable (irreversible), there’s nothing to stop them from stealing the contents once private keys are compromised.
Think Out of the Box
The solution to custodizing digital assets may involve a combination of physical and digital solutions and unfortunately will also require creative legal thinking — something that has traditionally been in short supply.
For an industry which has a tendency to rely on precedents, cryptocurrencies represent uncharted territory.
Some banks have assured prospective digital asset custodian clients that they have developed platforms and procedures to keep digital assets safe. These measure include holding assets in an offline wallet (cold wallet), requiring multiple electronic signatures to manipulate the cryptocurrencies within the wallet (multisig), as well as keeping the private key to a cryptocurrency wallet on a computer that has never been on the internet and which is physically secured in a vault (air gap) with no internet access.
But there is no single answer to custodizing digital assets, which is why the SEC should take a balanced and practical approach.
Similar to its approach for securities, the SEC should not be overly prescriptive because what is appropriate for one custodian may be counter-intuitive for another.
Instead, it may make sense to specify some minimum custodization standards and then allow the market to do its work to develop standards and best practices, the same way that has developed for financial markets.
To bolster public confidence in digital assets, the SEC could also consider establishing robust standards for safekeeping programs.
Such programs could include minimum internal control reports and compliance testing and the SEC could even consider a backstop that would involve special capital requirements or insurance to protect assets.
And while the cryptocurrency community may rail against such requirements for adding cost and friction to the sought after frictionless blockchain ecosystem, until such time when all fraud and bad behavior can be eradicated from the industry, some legacy structures and institution will continue to provide value.
The current practice of cryptocurrency exchanges to custodize cryptocurrencies on the exchange itself cannot carry on indefinitely.
As evidenced by the recent US$190 million loss of cryptocurrencies from Canadian cryptocurrency exchange QuadrigaCX, when its founder who had sole access to the passwords controlling the cryptocurrencies died under suspicious circumstances, self custody — especially on a cryptocurrency exchange which also facilitates trading — is clearly not the answer.
And for hackers, cryptocurrency exchanges are too attractive a target to pass up. As centralized points of weaknesses in the cryptocurrency ecosystem, they facilitate trading and the storage of cryptocurrencies — a juicy target for any hacker.
And although decentralized cryptocurrency exchanges have been touted as a solution to custody — because decentralized exchanges facilitate direct peer-to-peer transactions — the ability to manipulate market behavior on such exchanges through front running (paying more transaction fees to get an order ahead of other traders) as well as other market manipulative measures make that solution not altogether satisfactory.
Which is why despite the peer-to-peer panacea prescribed by the cryptocurrency community and decentralized exchanges arguably pandering to that solution — the argument for institutional-grade cryptocurrency custodians continues to be a strong one.