Custody Considerations (Part II)
March 12, 2019
In our last post, we discussed whether crypto assets are subject to Rule 206(4)-2 under the Investment Advisers Act—the so-called Custody Rule. Our conclusion was that, to the extent they are “securities” or “funds” of a client, the Custody Rule clearly applies to them, and that to the extent they are not, it would be prudent for an investment adviser to act as though they were.
In this post, we will discuss how an adviser can comply with the Custody Rule in connection with investing/trading in crypto assets on behalf of clients.
Maintaining Crypto Assets with a Qualified Custodian
How does an adviser who has custody over crypto assets maintain them with a qualified custodian?
This is probably the easy part.
“Title” to or ownership of a crypto asset consists of a string of randomly generated numbers/letters, commonly called a “private key.” A “private key” is maintained in the owner’s “wallet.” A “private key” enables transactions to be effected from the owner’s “wallet address.”
This means that a crypto asset is like a “bearer” instrument—whoever holds the private key effectively owns the asset.
If the holder of the “private key” loses it, or if the “private key” is destroyed or stolen (for example, by way of hacking), the holder effectively loses the asset, because there is no way to access the asset—and therefore no way to transfer, trade the asset, etc.—without the “private key.”
So, a qualified custodian may hold the “private key,” just as it might hold a bearer instrument, as long as it takes appropriate measures to ensure that the “private key” is safe from loss, destruction, and theft.
For example, the qualified custodian could write the “private key” down on paper and maintain such written record in its vault or in another secure setting (provided, of course, that the vault or other secure setting is protected by appropriate measures designed to guard against loss, destruction, and theft).
Or, the qualified custodian could maintain the “private key” in electronic format on a computer, thumb drive, or similar storage medium that is not connected to the internet, and maintain such medium in its vault or in another secure setting.
Caution: In this case, it may want to maintain the “private key” in duplicate electronic media, in case one fails to work.
Another alternative would be for the qualified custodian to maintain the “private key” exclusively on its network systems, provided there is appropriate electronic “back up” to protect against loss or destruction, and appropriate security and anti-hacking safeguards to protect against theft.
Given the risk of hacking, so-called “hot storage” appears to be the riskiest way to custody a digital asset.
The bottom line:
Given the fatal consequences of the loss, destruction, or theft of a “private key,” it is incumbent on the adviser, under its duty of care, to conduct extensive due diligence to assure itself that the qualified custodian has implemented appropriate measures to guard against those risks.
For example, in the Blass Letter (discussed in our post dated January 14), the SEC staff asks: “To what extent would cybersecurity threats or the potential for hacks on digital wallets impact the safekeeping of fund assets...”
As long as the adviser reasonably concludes, after conducting such due diligence, that the qualified custodian has implemented such measures, it does not appear that the requirement to hold the “private key” with a qualified custodian poses an insurmountable problem.
There appear to be several companies currently operating as “qualified custodians” in the crypto space.[1]
However, they ordinarily limit the types of crypto assets they are willing to custody.
Separate and apart from determining whether the qualified custodian has implemented appropriate security measures, the adviser should conduct appropriate due diligence to determine whether the blockchain platform on which a particular crypto asset resides provides reasonable safeguards against parties who might seek to subvert such platform (through cyber measures or otherwise) for the purpose of misappropriating assets that reside on such platform.
The adviser should never have access to the private key. Since that would effectively mean that the adviser “owns” the “private key,” it cannot truly be said in that situation that the key is being held by a qualified custodian. This is because the adviser’s access to the “private key” would thoroughly undermine one of the chief purposes of the Custody Rule – interposing a qualified custodian “watch dog” between the adviser, on the one hand, and the assets of the adviser’s clients, on the other hand.
(The last section of this post explains why an adviser cannot rely on the “Privately Offered Securities Exemption” with respect to crypto assets to obviate the need to hold those assets with a Qualified Custodian.)
Surprise and Financial Audits
The more difficult questions arising under the Custody Rule relate to the application of:
- the Surprise Examination Requirement to crypto assets (discussed in our post dated March 7); and
- the audits required to be performed in cases where an adviser relies on the Audit Exception (discussed in our post dated March 7).
Questions Raised by the Surprise Examination Requirement in the Context of Crypto Assets
As stated in the SEC’s Guidance for Accountants, a surprise examination under the Custody Rule is a compliance examination to be conducted in accordance with AICPA attestation standards.[2]
The objective of the accountant’s examination is to validate that client funds and securities of which an investment adviser has custody are held by a qualified custodian in a separate account for each client under that client’s name, or in accounts that contain only clients’ funds and securities, under the investment adviser’s name as agent or trustee for the clients.
While a detailed examination of the (lengthy and complicated) AICPA attestation standards is beyond the scope of this blog, the novelty of the manner in which ownership of crypto assets is recorded does not easily lend itself to current validation practices that make use of, for example, records generated by issuers of securities (for example, in the case of private placements) or third-party intermediaries (e.g., account statements, confirmations) such as broker-dealers, banks, registrars, transfer agents, clearing houses, and securities depositories that are subject to extensive control environments.
Questions Raised by the Audit Exception
If an adviser relies on the Audit Exception with respect to an investment vehicle managed by the adviser, additional questions arise from the requirement for the auditing firm not only to validate the existence of the assets owned by the vehicle, but to determine whether such assets are appropriately valued.
In light of these difficult questions (discussed in our post dated February 4), an adviser that is subject to the Surprise Examination Requirement or that relies on the Audit Exception should—prior to investing in crypto assets on behalf of its clients—confirm with the independent public accountant responsible for conducting the surprise examination or for auditing the financial statements of the pooled investment vehicle that such accountant can perform such surprise examination or audit in a manner that complies with applicable professional accounting standards, including, in the case of an audit of the financial statements of a pooled investment vehicle, U.S. generally accepted accounting principles or GAAP (with some exceptions for non-U.S. funds and non-U.S. advisers) and U.S. generally accepted auditing standards or GAAS.
Why an Adviser Cannot Rely on the “Privately Offered Securities Exemption” with Respect to Crypto Assets to Obviate the Need to Hold Those Assets with a Qualified Custodian
Paragraph (b)(2) of the Custody Rule provides that a registered investment adviser is not required to maintain, with a “qualified custodian,” securities that are:
- acquired from the issuer in a transaction or chain of transactions not involving any public offering;
- uncertificated, and ownership thereof is recorded only on the books of the issuer or its transfer agent in the name of the client; and
- transferable only with prior consent of the issuer or holders of the outstanding securities of the issuer.
Paragraph (b)(2) also provides that, in the context of a limited partnership, limited liability company or other type of pooled investment vehicle, the foregoing exception from the requirement to maintain “privately offered securities” with a “qualified custodian” is available only if the vehicle is audited, and the audited financial statements are distributed to investors in the vehicle, as prescribed by paragraph (b)(4) of the Custody Rule.
Does the “privately offered securities exception” enable an adviser that has “custody” over crypto assets that are “securities,” and that were acquired from the issuer in a transaction or chain of transactions not involving any public offering, to avoid the requirement to maintain such securities with a “qualified custodian”?
The answer: given the way DLT or blockchain technology works, even though such securities clearly are “uncertificated,” it cannot be said that the ownership of such securities “is recorded only on the books of the issuer or its transfer agent in the name of the client.”
Accordingly, an adviser that has “custody” over crypto assets that are “securities” must maintain such securities with a “qualified custodian,” regardless of whether such securities were privately offered.
[1] Examples: Gemini Trust Co., BitGo Trust Co., Coinbase Custody Trust Co., NYDIG Trust Company. Others have been rumored to be entering the custody market (e.g., Fidelity, which apparently would limit its initial custody to Bitcoin and Ether).
[2] See IAA Release No. 2969 (Dec. 30, 2009).
This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.