In this blog post, Adam Healy of Digital Asset Custody, Inc explains custody services, their necessity in the crypto space, and how companies and regulators can work together for a better outcome.
Institutional custody services have proven critical in the traditional financial world, holding assets on behalf of clients and executing instructions for the financial services companies that serve them. It is these services that allow you to own equity in a company without holding physical stock certificates. But the “traditional” infrastructures and vendors that facilitate custody of “traditional” assets, such as listed public equities, have not been able to keep pace with the rapidly emerging needs, and complex regulatory environment, of institutional investors interested in the crypto category. And while institutional custody services are as valuable in the crypto world as they are in the “traditional” one, they are in their infancy, and there remains a division between two camps in determining the path forward.
In the first camp, we have a group we sometimes hear called the “crypto cowboys.” This group is talented and tech-forward. They are, of course, also mavericks, as they are applying their talents to a new frontier where some old rules simply can’t be applied. But “cowboy” is not synonymous with “outlaw.” What we have is an immense amount of talent self-selecting into blockchain and crypto-related endeavors. This type of talent influx happens in business and technology every time a true “sea change” is on the horizon, and generally is not correlated to criminality.
In the other camp we have the “sheriffs” — the SEC, FINRA, CFTC, NFA, FinCEN, various state bank and money transmission authorities and a wide variety of foreign regulatory entities. These parties express concern over the activities of the “crypto cowboys” and potential implications for the financial markets as well as mom-and-pop investors. Yet, in our experience, with few exceptions, the sheriffs don’t truly believe the crypto cowboys are an outlaw group. The sheriffs are simply struggling with how to evolve regulations such that they can reasonably be applied to crypto investment contexts.
It seems to us that both camps generally agree that, without institutional-grade, third-party crypto custody services and related regulatory clarity, institutional or “Wall Street” capital will largely remain on the sidelines. The details of exactly how regulatory clarity is evolving are a nuanced topic for a separate (and lengthy) article. For now, let’s address in practical terms what both the crypto cowboys and the sheriffs desire. This largely relates to security: security that applies traditional safeguards and controls to an emerging asset class. In summary, both camps want available third-party custody services that: i) protect against external attackers (think Mt. Gox, et al.), ii) protect against internal collusion or fraud, iii) securely provide the ability to custody a wide and expanding variety of crypto or digital assets, iv) allow for sufficient recordkeeping and reporting, and v) are delivered by custody vendors who acknowledge and proactively address the need for regulatory oversight.
Whether you are an institutional investor, an ICO issuer, a crypto exchange, or just someone who cares about facilitating technological innovation, you have reason to desire viable crypto custody services; without them, it is hard to envision a healthy path forward. The good news is, unlike a couple of years ago, such services are available today. However, there are considerations that need to be balanced when selecting a third-party crypto custodian.
1) Some component of offline “cold storage” is advisable. Hot-wallet technologies, meaning wallets whose keys live on systems connected to the Internet or to local corporate networks, are of course important and facilitate trading, etc. But the reality is that, to date, the significant thefts and losses of crypto assets have occurred in online systems or in systems that lacked multi-signature controls. Your custodian should have a strong cold storage solution: keys generated and held on devices that are never network connected, with transactions signed offline and only the signed transaction carried to an online system for broadcast. Staying offline when practical is key. Proper cold storage infrastructure and physical security require significant expenditure and skill sets to implement. But it is achievable by properly staffed and educated custodians, and it substantially reduces the attack surface.
2) “Omnibus” storage is not advisable. Without delving deeply into regulatory topics, “omnibus account” scenarios are those under which multiple clients’ assets are pooled into a smaller number of accounts. This is often done to ease operational challenges for custodians, but at the same time it increases the level of risk to the investors’ assets. From a regulatory perspective, omnibus accounts have contributed to numerous scandals, from Madoff to Lehman’s final chapter. But we are principally discussing operational and not regulatory considerations. In addition to carefully considering the use of omnibus accounts as regulatorily defined, generally speaking, investors’ assets should not be commingled with the assets of other investors under the control of the custodian. Storing investors’ assets in segregated accounts (in practice, separate keys and addresses per client rather than one pooled wallet) substantially decreases the possibility of bulk theft of assets, since compromise of one client’s keys does not expose the holdings of every client. This is perhaps an obvious point, but one overlooked by some custody providers.
3) Technology investment and token diversity is essential. That said, it is not easy. Architecting a custody solution capable of storing a diversity of crypto assets (not just major cryptocurrencies) with the flexibility to evolve and safely store future tokens is a significant undertaking. It is especially complex when taking into account the multi-signature technologies needed for cold storage. But, today there are custody providers with the ability to custody dozens of different tokens with the flexibility to evolve to meet investors’ future needs. We firmly believe continued “token coverage” expansion is critical to success.
4) Don’t forget the old just because of the new. There is much that is truly new with blockchain and related technology. In a good sense, much is changing. But, don’t overlook that in military and other contexts where security is paramount, many potent and battle-tested cyber and physical security protocols already exist. It is arrogant to assume all of that learning is suddenly not applicable solely because of blockchain. Therefore, when selecting a custodian, a relevant question is whether the management team has an interdisciplinary background, providing sufficient knowledge of both forward-looking blockchain technologies and of current, best practice, non-crypto cyber and physical security protocols.
5) Robust and secure disaster recovery. Does a custody provider have a well-thought-out and implemented disaster recovery plan incorporating multi-party and multi-factor authentication protocols, splitting or “sharding” of cryptographic keys, and geographic diversity of those shards to assure asset preservation? Keys need to be carefully encrypted and sharded, and those shards need to be stored in multiple secure and geographically diverse locations. Sharding here should mean a threshold scheme: any predefined quorum of shards reconstructs the key, while any set smaller than the quorum reveals nothing about it, so the loss of one site is survivable and the compromise of one site is not fatal. Further, access to the key shards must be achievable only via the confirmatory actions of multiple preauthorized and identified parties, never via the actions of an individual. If your custody provider does not have such a disaster recovery plan in place, you are talking to the wrong vendor.
6) Comprehensive reporting. Cyber and physical security is the primary goal, but even if you know your assets are secure, there is still reporting and recordkeeping. Institutional investors, issuers, and exchanges are all subject to varied oversight and compliance obligations. It’s important that a custodian recognize this and provide clear, securely delivered reports that customers can use to satisfy regulatory and audit obligations. This is a nuanced topic and impossible to properly summarize in a short article. However, without proper reporting from your custodian, everything from fund administrator interactions to tax compliance tends to become painful and protracted.
7) Balanced confidentiality and transparency. In both security and general financial services contexts, maintaining some level of confidentiality and discretion is required. Don’t expect a reputable custody provider to be willing to share all details of their operating procedures and security protocols with you as a prospective client. Keeping a low and guarded profile is essential. At the same time, whether evidenced by obtaining government security clearances or licensing and registration from regulatory entities such as the SEC or FINRA, look for a custody provider management team with a long history of transparent and compliant interactions with relevant governing entities. If a management team has not successfully balanced operating confidentiality with regulatory transparency and compliance in non-crypto contexts, chances are, they won’t be able to do so in a crypto context either, and this will eventually impact you as a customer.
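The key-sharding and multi-party recovery requirement in item 5 above, shown in working code as an added example. This is not part of the original post and not Digital Asset Custody’s own implementation: it splits a secp256k1 private key t-of-n using Shamir’s Secret Sharing over the curve’s scalar field, and models the recovery ceremony as a quorum of named sites. The threshold, share count, site names and the freshly generated sample key are assumptions for illustration.

```python
"""Added example: t-of-n key sharding with Shamir's Secret Sharing.

A secp256k1 private key is an integer in [1, N-1], where N (the order of the
base point) is prime, so arithmetic mod N is a field and the key can be used
directly as the secret. Any `threshold` shards recover the key; any fewer are
consistent with every possible key and so reveal nothing about it.
Illustrative code, not Digital Asset Custody's own implementation.
"""
import secrets

# Order of the secp256k1 base point (prime).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret, threshold, shares, rng=secrets.randbelow):
    """Split `secret` into `shares` points (x, y) on a random polynomial of
    degree threshold-1 whose constant term is the secret. `rng(N)` must
    return a uniformly random integer in [0, N); it is a parameter only so
    a test can make the split deterministic."""
    if not 0 <= secret < N:
        raise ValueError("secret must be an integer in [0, N)")
    if not 1 <= threshold <= shares < N:
        raise ValueError("need 1 <= threshold <= shares < N")
    # coeffs[0] is the secret; the rest are uniformly random, which is what
    # makes fewer than `threshold` points information-theoretically useless.
    coeffs = [secret] + [rng(N) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):          # x = 0 is reserved for the secret
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod N
            y = (y * x + c) % N
        points.append((x, y))
    return points


def recover_secret(points):
    """Lagrange interpolation at x = 0 over the field mod N. Correct only when
    at least `threshold` distinct points are supplied; with fewer, the result
    is simply some other field element."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shard index")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


def recovery_ceremony(shard_store, present_sites, threshold):
    """Model the multi-party recovery step: each site holds one shard, and a
    reconstruction is only attempted when at least `threshold` identified
    sites contribute. Returns the key, or None if the quorum is not met."""
    contributed = [shard_store[s] for s in present_sites if s in shard_store]
    if len(contributed) < threshold:
        return None
    return recover_secret(contributed[:threshold])


def demo(threshold=3, shares=5):
    """Split a fresh key across `shares` hypothetical sites and exercise the
    quorum rule. Returns (quorum_recovers, subquorum_fails, any_quorum_recovers)."""
    key = 1 + secrets.randbelow(N - 1)      # a valid secp256k1 private key
    sites = [f"site-{i}" for i in range(1, shares + 1)]   # hypothetical vaults
    store = dict(zip(sites, split_secret(key, threshold, shares)))
    full = recovery_ceremony(store, sites[:threshold], threshold)
    short = recovery_ceremony(store, sites[:threshold - 1], threshold)
    other = recovery_ceremony(store, sites[-threshold:], threshold)
    # Below quorum the raw interpolation also yields a wrong value (the
    # probability it happens to equal the key is about 1/N).
    raw_short = recover_secret(list(store.values())[:threshold - 1])
    return full == key, short is None and raw_short != key, other == key


if __name__ == "__main__":
    print(demo())   # expected (True, True, True)
```

The field is the secp256k1 group order rather than an arbitrary prime so that the secret can be the raw private-key scalar with no encoding step; for a different curve or for a symmetric key-encryption key, substitute a prime larger than the secret. In a real custody deployment the shards would additionally be encrypted to the hardware of the site that holds them, and the reconstruction would happen inside an HSM rather than in general-purpose memory.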
We are not of the view that “sheriffs” and “cowboys” can’t agree on the right approach. Instead, we believe as the “Crypto Wild West” evolves, interests will largely be aligned such that cowboys and sheriffs can and will collaborate. In the interim, we believe that as investors, issuers, exchanges, and other parties select third-party custody providers, the above considerations need to be kept in mind to minimize security breaches, loss of assets, and/or perceived related regulatory infractions.
Adam Healy is Chief Security Officer for Digital Asset Custody, Inc., a purpose-built digital asset custody provider. Adam has over 15 years of cyber security and systems engineering experience spanning several highly regulated industries. This experience includes numerous roles within the U.S. Intelligence Community and Department of Defense where he co-led technical architecture of the Intelligence Community’s IT Enterprise (ICITE) COE/DTE prototype. After Adam’s government service, he led cyber security engineering teams at Palantir Technologies where he was responsible for numerous engagements with Fortune 500 companies focused on using big data to drive security operations, insider threat detection, and cyber threat intelligence. Additionally, Adam’s background includes building security programs for regulated fintech startups, designing enterprise solutions for the largest government agencies while at Microsoft’s National Security Group, and four years as an active duty U.S. Marine.