On June 8, 2019, the staffs (the “Staffs”) of the Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”) issued a Joint Staff Joint Statement on Broker-Dealer Custody of Digital Asset Securities (the “Joint Statement”) in response to industry requests for clarification on the murky issue of how federal securities laws and FINRA rules would apply to custody of digital asset securities such as cryptocurrency coins and tokens.

The Joint Statement makes it clear broker-dealers seeking to participate in the digital asset securities marketplace must comply with FINRA rules and relevant federal securities laws and regulations, particularly the SEC’s Customer Protection Rule (“CPR”), codified in Rule 15c3-3 of the Securities Exchange Act of 1934 (the “Exchange Act”). What is not clear in the Joint Statement, however, is how broker-dealers can comply with the custody requirements of the CPR given the novelty of digital asset securities and the unique challenges of defining possession and control when dealing with purely digital assets.

The purpose of the CPR is to safeguard customer securities and funds held by broker-dealers , to prevent investor loss or harm in the event of a broker-dealer’s failure, and to enhance the SEC’s ability to monitor and prevent unsound business practices.  Specifically, the CPR requires broker-dealers to maintain physical possession or control (i.e. custody) over customer assets, to safeguard customer assets and to keep customer assets in an account separate from the broker-dealer’s assets, thus increasing the likelihood that customers’ securities and cash can be returned to them in the event of broker-dealer’s failure.

In addition to protecting customer assets in the event of a broker-dealer’s failure, the Staffs are justifiably concerned with broker-dealer custody of digital asset securities due to the threat posed by cyberattacks. The Joint Statement notes that one forensic analysis firm estimates that approximately $1.7 billion worth of bitcoin and other digital asset securities were stolen in 2018, of which approximately $950 million resulted from cyberattacks on bitcoin trading platforms.

But how can a broker-dealer maintain custody of purely digital securities in accordance with the CPR when digital asset securities are so different from traditional stocks and bonds? In the Joint Statement, the Staffs acknowledge that the nature of the distributed ledger technology on which digital asset securities operate may make it difficult for broker-dealers to evidence the existence of digital asset securities on their regulatory books and records and financial statements. The Staffs also recognize that this is turn could create challenges for auditors conducting annual audits of a broker-dealer’s financial statements. 

Unfortunately, although the SEC and FINRA have engaged in extensive dialogue with market participants on this question, the Joint Statement provides little guidance on how broker-dealers could satisfy the custody requirements of the CPR in relation to digital asset securities. According to the Staffs, “the specific circumstances where a broker-dealer could custody digital asset securities in a manner that the SEC and FINRA believe would comply with the CPR remain under discussion.”

The Joint Statement does indicate that one possible option for broker-dealers to avoid running afoul of the custody requirements of the CPR would be for broker-dealers to avoid engaging in custody functions altogether. This would involve the broker-dealer merely sending the trade-matching details or otherwise facilitating transactions between the buyer and seller of a digital asset security, with the transactions being settled directly between the buyer and seller away from the broker-dealer.

The Joint Statement also points out that some broker-dealers have suggested utilizing an issuer or transfer agent as a “control location” for purposes of meeting the custody requirements of the CPR. This would involve the issuer or transfer agent for the digital asset maintaining a traditional single master security holder list and an ownership record using distributed ledger technology. However, the Staffs refuse to say whether the issuer or transfer agent could be considered a satisfactory control location under paragraph (c)(7) of the CPR.

But while the Staffs fail to recognize any viable solution that would allow broker-dealers to meet the custody requirements of the CPR in the Joint Statement, it must be noted that methods for establishing and maintaining secure custody of encryption keys have existed for years. In fact, in March of 2019 a company called Bitwise Asset Management, Inc. (“Bitwise”) gave a presentation to the SEC in which Bitwise explained that custody in the digital asset world has been dealt with by storing the encryption keys necessary to access digital assets with regulated and insured third-party custodians. There are currently several regulated and insured third-party custodians performing this function for cryptocurrency exchanges today. These third-party custodians use “cold wallets” or “cold storage” computers that are unconnected to the internet and therefore nearly invulnerable to cyber-attacks.

But if cold storage of digital keys is such an effective means of establishing and securing custody of digital assets, how did $1.7 billion worth of bitcoin and other assets get stolen in 2018? According to Bitwise, the security breaches involved in these thefts were stolen from exchanges using “hot wallets” that were vulnerable because they were connected to the internet. It remains to be seen whether the Staffs will consider the use of third-party custodians employing cold storage to address the custody issues raised by broker-dealers.

SEC and FINRA Issue Joint Statement on Broker-Dealer Custody of Digital Asset Securities