Self-Custody for Crypto Assets: Regulatory Implications for a New Asset Class

0. Introduction and Motivation

Custody is one of the most important issues within the financial industry. The reason there are so many legal controls around custody is because of all the mishaps that can occur when you entrust another party with your assets. Understandably, this is an issue that the SEC has had to tackle on numerous occasions^{1,2,3,4,5,6,7.8.9.10.11.12} making any solution that can comprehensively tackle this problem quite attractive.

Crypto is exciting in that it enables forms of custody that are impossible in the traditional world, disrupts trust and maintains enforceability. Crypto and Distributed Ledger Technology (DLT) can reduce or even eliminate conflicts of interest by disintermediating trust by enabling people to self-custodize their own assets. While one way of reducing conflicts of interest is to separate custodians and advisers and ensure “operational independence”, the more ideal way would be to utilize the technology that crypto offers in order to eliminate conflicts of interest altogether and make fraud impossible. When you don’t have access to assets at all, it is impossible for others to utilize them fraudulently or recklessly.

While there are many more benefits of DLT like provably verifiable sources of funds, smart contract legal controls and trusted identities on the blockchain, this paper will be specifically addressing the concept of self-custody and how traditional qualified custodians can operate within the rapidly growing Internet of Value.

Many misconceptions exist around blockchains, cryptocurrencies and DLT in general as it has been painted by mainstream media as a tool for criminals, money laundering schemes and other malicious actors. It is important to recognize that these individuals represent a minority of the cryptocurrency community and that the underlying technology can and should be used to empower individuals and provide financial access to unbanked individuals all over the world. In addition, crypto is often more open and transparent than fiat currency, with open ledgers, an immutable transaction history, and a public chain of transaction IDs. In short, DLT has the power to give consumers additional protections by creating a transparent regulatory framework that compels financial institutions to adhere to higher regulatory standards in an open financial ecosystem – a future that is for everyone.

1. An Introduction to Self-Custody

Very broadly, the idea of self-custody is quite simple. Self-custody is when each individual user is the custodian of their assets rather than an advisor, investment company, broker-dealer, exchange or qualified custodian. In general, whatever person or legal entity that holds or can gain access to the private keys to crypto assets will possibly be considered a custodian and/or safe-deposit box provider. Individual consumers are the only ones who have access to the private keys securing funds in self-custody which means that an Intermediary, whether a Investment Advisor (IA), Broker, Clearing Firm or any related or unrelated entity, never has custody while the individual is holding the funds in their address.

The idea behind self-custody is nothing new; People have hidden money under their mattresses for centuries before cryptocurrencies and DLT came along. Hiding money under your mattress often comes with some issues, namely that it is difficult to spend the money that you have hidden. In a digital self-custody model, the individual gains all the benefits of directly owning an asset while being able to remain connected to the wider economy. Self-custodied assets can be transacted instantly between peers and the benefits that one often derives from ownership of these assets can be claimed by the individual instead of the intermediary. Digital self-custody empowers individuals to take control of their finances.

In a self-custody model, however, we must also consider the method of storage and its correlation with “safe-deposit box” operators. Oftentimes, in order to self-custodize one’s assets, the individual will have to use software that assists them in managing their private keys and constructing transactions. In the digital crypto space this means providers of “wallet” services must ensure they are not deemed to be in custody of consumers assets whether as a depository or otherwise as this could inject a bailee-bailor, or similar, relationship potentially exposing the software providers to undue liability.

In a pure self-custody model involving consumers maintaining complete control and access to their private keys, wallet providers must carefully define the nature of the contractual relationship with wallet users and provide a varying level of care depending on the type of relationship, whether it be a type of bailment (gratuitous, for-hire or constructive) or other variety. It is important to recognize that the exact relationship between multiple parties may range anywhere from a bailor-bailee to a licensor-licensee relationship.

In the following examples, we are going to look specifically at how digital asset custody relates to Investment Advisors as this is often the most sensitive and complex area of custody. The following examples demonstrate situations in which an IA may be deemed to have custody.

1.1 SEC Definition of Custody and Examples that Demonstrate Custody or Lack Thereof

The SEC definition of custody is as follows:

An adviser has custody of client assets, and therefore must comply with the rule, when it holds, “directly or indirectly, client funds or securities or [has] any authority to obtain possession of them.”¹³

This is much in line with the previous statement in that any IA who has the private keys directly holds client funds. In order to clarify the definition of custody, the SEC also outlined three examples which sought to clarify when an advisor does or does not have custody.

1.1.1 Example 1

The first example is as follows:

“…an adviser has custody when it has possession of client funds or securities, even briefly. An adviser that holds clients’ stock certificates or cash, even temporarily, puts those assets at risk of misuse or loss. The amendments, however, expressly exclude inadvertent receipt by the adviser of client funds or securities, so long as the adviser returns them to the sender within three business days of receiving them. The rule does not permit advisers to forward clients’ funds and securities without having “custody,” although advisers may certainly assist clients in such matters. In addition, the amendments clarify that an adviser’s possession of a check drawn by the client and made payable to a third party is not possession of client funds for purposes of the custody definition.¹⁴” (SEC Custody Example 1)

There are four parts in there that clarify when an IA has custody which have analogous scenarios in crypto.

The first part states that an IA has custody if it has possession of the assets even temporarily. If the IA knowingly accepts crypto to a non-contract address¹⁵ with intent to send it to another party, then the IA has custody during the time that they accepted the crypto. It is worth noting that this rule may be less relevant in publicly auditable chains if IAs disclose all transaction records publicly as traditionally transactions operate in a “black box” that enable fraud, but this form of custody likely still applies in this scenario.

The second part states that an IA does not have custody if they inadvertently receive funds that they did not expect to receive so long as they return them to the sender within 3 business days. This is particularly relevant in the crypto world as anyone can initiate a transaction to a public address. In public blockchains, the sender address is readily available so any unexpected transactions can be easily sent back to the initiating party less any on-chain fees.

The third part states that an IA cannot “forward” funds to a third party without having custody, but can assist the client in such matters. An IA couldn’t accept funds then immediately send them to a third party from a non-contract address, however, an IA could likely assist the client in transaction construction so long as the receiving address is a third party that is operationally independent from the IA.

There are some dynamics that need to be considered here such as the ability to place a “hold” on funds or forwarding funds on the IA’s book to third parties before accepting client funds. Both of these solutions may be able to avoid custody for the IA if constructed correctly.

The fourth part states that an IA does not have custody if they receive a check that is addressed to a third party. This is relevant in crypto since IAs may regularly receive non-broadcasted transactions that are not addressed to the IA, but a third party such as an operationally independent qualified custodian. If the IA provides transaction broadcast services, the IA can safely store these transactions, which the IA may have assisted the client in constructing per part 3, and broadcast them to the public network.

A note on this exception is that certain transaction schemes may enable a transaction to be “addressed to a third party” in a similar fashion. This could include a smart contract process or secret claiming process scheme similar to an atomic swap. As always, it is important to consider the circumstances and events on a technical level in order to make a proper custody interpretation.

1.1.2 Custody Second Example

The second example is as follows:

“…an adviser has custody if it has the authority to withdraw funds or securities from a client’s account. An adviser with power of attorney to sign checks on a client’s behalf, to withdraw funds or securities from a client’s account, or to dispose of client funds or securities for any purpose other than authorized trading has access to the client’s assets. Similarly, an adviser authorized to deduct advisory fees or other expenses directly from a client’s account has access to, and therefore has custody of, the client funds and securities in that account. These advisers might not have possession of client assets, but they have the authority to obtain possession.¹⁶” (SEC Custody Example 2)

In this example, if an IA has the ability to obtain possession of funds in any way, then they have custody of those funds unless it explicitly relates to authorized trading. Barring any incorrectly structured legal controls, the technical controls that surround the security of private keys and trading or portfolio management authorizations should be sufficient for IAs to avoid custody under this example. In other words, if the IA never has access to the user’s private keys then they would have no authority or ability to withdraw funds from the client’s account.

The application of this example, however, becomes unclear when you have a smart contract that is operating in a “no-custodian” scenario. We will discuss the implications of a smart contract custodian more in depth in the section on transactional custody.

Additionally, an “authorized trading” definition as it applies to access to cryptocurrencies will need to be well defined. For example, a sharded key that is provided to the IA only in the event that the IA has been authorized to make a trade on behalf of a client may not be considered custody under this guidance, however, it would clash with previously established private key custody scenarios. As regulation evolves, these areas will likely be clarified.

1.1.3 Third Example

The third and final example is as follows:

“…The last example clarifies that an adviser has custody if it acts in any capacity that gives the adviser legal ownership of, or access to, the client funds or securities. One common instance is a firm that acts as both general partner and investment adviser to a limited partnership. By virtue of its position as general partner, the adviser generally has authority to dispose of funds and securities in the limited partnership’s account and thus has custody of client assets.¹⁷” (SEC Custody Example 3)

This is again more of a legal control rather than a technical one, but one instance where this may be relevant is in the case where an IA acts as both as an advisor and as a shared-secret clearinghouse where keys are reconstructed in order to clear transactions. Even though these are separate activities, the related IA entity will, albeit very briefly, come into possession of the entire private key in the process of reconstructing a shared secret.

1.2 Observations

What we can glean from these examples as applied to crypto is that many of the concepts with regards to custody translate over fairly well. Custody clearly can and does exist in this space. In every example, the issue of custody mainly boils down to who controls the private keys to what wallet and at what point and how funds enter and exit that wallet.

2. Transactional Custody and No-Custody Schemes

Custody becomes much more nuanced when you begin to go beyond the simple “who holds the private key” rule. Certain questions come up in the nature of cryptocurrencies such as at what point can I consider myself the owner of these assets given the nature of block confirmations? Who is the legal owner in transactions and at what point are they the legal owner? What happens in simultaneous exchange schemes? What happens when you have an open source contract retain custody of funds? Using DLT and cryptographic standards in certain ways have the ability to have no transactional intermediary or custodian at certain points in a transaction.

2.1 Block Confirmations and Double Spend

Many people take ownership for granted in the crypto space. Documented double spend attacks have occurred^18,19,20,21 and as cryptocurrencies rise in value, the incentive to execute a double spend attack against an unsuspecting financial firm that uses a minimal confirmation system becomes much larger. For example, suppose a broker-dealer guarantees that a trade will be executed within 15 minutes of an asset being received. If it is not clearly defined at what point the asset is received, then this promise can become quite malleable. We will not suggest a solution to this problem here, but it would appear that a best practice for firms that make such assurances would be to include a “confirmation time” at which point the firm considers the assets under their possession. This could also take into account the number of block confirmations a transaction has. If a double spend attack were to be executed, it could cause a cascade of transaction failures affecting both the user and firm with liability being ambiguous. Firms should be careful about dealing with cryptocurrencies without an audit of the underlying network that secures it.

2.2 Simultaneous Exchange and Atomic Swaps

Another interesting feature that cryptocurrencies can offer is simultaneous exchange without an intermediary, commonly referred to as an “Atomic Swap”. Essentially, two parties can agree to enter into an exchange contract on two different chains and transfer ownership of assets simultaneously. This exchange is enforceable since by claiming assets on one chain, the other party has the ability to claim assets on the other chain and neither party has the ability to back out²².

In situations like these, it would appear that there is no custodian whatsoever. If an IA or broker-dealer acted as a neutral communication channel between the two parties and the two parties performed a swap in this way, the intermediary in this case would never have custody of any funds by the legal definition. The intermediary cannot gain access to the funds, withdraw the funds or move the funds at any point. This is analogous to the IA receiving two checks, as mentioned previously, each addressed to the other party, and distributing the checks to the correct party as per SEC Custody Example 1. As the technology evolves in this area, it will be important to keep this exemption in mind as it will become particularly relevant as more advanced transaction schemes begin to emerge.

2.3 Smart Contract Custodians

Custody is again ambiguous when you consider Smart Contracts which can often act as custodians. Smart Contracts are code that are deployed to the blockchain that operate exactly as they are programmed. Smart Contracts have the ability to take in funds, do certain actions to them, then send them elsewhere or back to the original sender. Smart contracts can also interact with external data (through the use of oracles), execute transactions and interact with the blockchain that it resides on. Smart contracts are entirely deterministic and it is often common practice for the source code for the compiled code, which is the code that is deployed to the blockchain, to be entirely open source so any individual can read and verify what the contract does. If the Smart Contract code is not open source, the end user can be misled as to the exact functionality of a contract. However, if the Smart Contract code is open source, then independent peer review is very easy. We will assume that smart contract code deployed by financial institutions are open source in this section.

2.3.1 Contract Ownership

There are cases where an IA that has deployed a contract would have custody. In many cases, smart contracts are assigned “owners” who essentially have elevated permissions in the contract²³. Depending on these permissions, a contract deployed by an IA could cause the IA to have custody. For example, if the IA has the ability to change the underlying code to allow them to withdraw or if the owner can arbitrarily withdraw funds, the IA clearly has custody as per SEC Custody Example 2 and SEC Custody Example 3 where the contract is essentially operating as an extension of the IA as a related party. If, however, the contract owner does not have the authority to change the code or withdraw funds or otherwise gain access to the funds without outside controls, the IA might not have custody.

2.3.2 Automated Contract Ecosystem

What if the contract pays fees out regularly to the IA even if the IA has no ownership controls which would give them custody? In this case, it is best to think of the analogous scenario in the traditional world. If a qualified custodian regularly pays the IA fees without giving the IA authority to access funds, then the IA typically does not have custody. In the same sense, if the contract is a qualified custodian which pays out fees to the IA at a predetermined rate, it would appear that the IA does not have custody. One possible exception may be that the IA has the ability to change the fee rate as owners of the contract and a malicious IA could change the fee to 100% of assets under management in order to gain access to all the funds. In this case, the IA would likely have custody although they would be caught rather quickly as the blockchain is publicly auditable.

2.4 Observations

Many of these cases can be grounded in the examples provided in SEC Custody Example 1, SEC Custody Example 2 and SEC Custody Example 3. While simultaneous exchange and “no-custody” scenarios do exist, each contract should be carefully thought through and open-sourced for peer review in order to put the correct technical controls in place. Built correctly, however, these technical controls can provide clients vastly greater protection against malicious actors, more predictability in how their funds are used and more transparency into how the IA is treating their funds.

3. Key Sharding and Shamir’s Secret Sharing

Key sharding and secret sharing provide additional utility to firms who wish to operate in the crypto world. The peer-reviewed cryptographic process by which this key sharding occurs is called Shamir’s Secret Sharing²⁴. Key sharding can provide consumers the piece of mind of not having to fully self-custodize their own assets while it provides financial firms the utility to move the burden of custody to another qualified custodian preventing fraudulent usage of the funds. Key sharding is unique in that while the key is in its sharded state with multiple operationally independent each holding a shard, nobody has custody. No participant in this system has custody until they have obtained enough shards to reconstruct the private key which has access to the client funds. There are multiple ways to set up this scheme and we will go through some of the details of how this system can work.

3.1 What is Key Sharding?

Key sharding refers to the process of splitting a key up into multiple “segments” whereby each segment has no utility on its own, but when combined, they comprise a collective secret such as a private key. In general, there are two different types of sharding which are referred to as “n/n” and “m/n”. In n/n sharding, n shards are created and all n shards are required to restore the secret. If you have n-1 shards, you have no more information than if you have 1 or 0 shards. In m/n sharding, n shards are created and m shards are required to restore the secret. For example, if there are 8 shards and 3 are required to restore the secret, then m/n would be 3 / 8. Note that m < n must always be true. This is different from n/n sharding since it doesn’t require all n participants to cooperate in order to restore the secret.

3.2 Defining Operationally Independent

Operational independence becomes important in key sharding as related parties who each have a shard would not be sufficient to show lack of custody if the private key can be trivially assembled. Operationally independent has a federal legal definition which is as follows:

“Operationally independent: for purposes of paragraph (b)(6) of this section, a related person is presumed not to be operationally independent unless each of the following conditions is met and no other circumstances can reasonably be expected to compromise the operational independence of the related person:

(i) Client assets in the custody of the related person are not subject to claims of the adviser’s creditors;

(ii) advisory personnel do not have custody or possession of, or direct or indirect access to client assets of which the related person has custody, or the power to control the disposition of such client assets to third parties for the benefit of the adviser or its related persons, or otherwise have the opportunity to misappropriate such client assets;

(iii) advisory personnel and personnel of the related person who have access to advisory client assets are not under common supervision; and

(iv) advisory personnel do not hold any position with the related person or share premises with the related person.²⁵”

While this definition may not be immediately applicable during the time that nobody has custody and the key is fully sharded, one can consider the concept of “collective custody” where if multiple related parties collectively have the pieces required to restore a private key, they are likely to be found to have custody. This will be a working definition since operational independence is important to consider when looking at who has the power to restore private keys.

3.3 Custody Implications in n/n Sharding

Since n/n sharding requires the cooperation of all parties involved in the sharding process, you must examine the operational independence of every member of this system. If even one member is operationally independent where, for instance, the user holds a single shard of the key, then it can be clearly argued that no participant in this system has custody. This system provides increased security to the client and reduced risk to the firm. When the user wants to initiate a transaction, they can share their shard with a qualified custodian who can assemble all the shards and sign a transaction on behalf of the user. So long as the custodian is trusted to destroy the user’s shard, the system remains secure. The user can easily audit the transactions that are created on a public ledger to ensure that no transactions that they do not approve are created.

3.4 Custody Implications in m/n Sharding

With m/n sharding, some additional complexities arise when you have to consider all the possible permutations that m shards can be assembled from the n participants (Specifically this number in formula ). If any permutation of m shards are held by related parties who are not operationally independent, then that party has custody.

With m/n sharding, a qualified custodian is still required in order to “clear” transactions. The qualified custodian in this case can be delegated to assemble any m combination of the n shards and sign transactions on behalf of the user and destroy the shards after it is finished. Again, when the key is fully assembled, it is a private key and provides full access to funds held by that private key which implies custody during the time that the private key exists.

3.5 Custodian Reducing Risk as a Sharded Clearinghouse

With key sharding there are enormous benefits. Parties can hold shards of a key without being granted access to funds. This means that the IA can have shards, multiple custodians could have shards and the user can hold shards, all without invoking custody laws. This also provides additional security as even if a malicious party compromises an individual in this system, the funds remain secure as the compromised party only holds a single shard of a key.

In this system, however, a party is still required to hold the private key once it has been fully assembled. This could either be the user who doesn’t want to bear the burden of holding their keys all the time and would invoke self-custody when they assemble all the shards or this could be a qualified custodian who signs transactions on behalf of the user when all the shards are assembled. In the case of a qualified custodian, this would mean that the custodian effectively acts as a “clearinghouse” being the final stamp of approval before a transaction is signed. The custodian also has the ability to destroy the keys meaning at any point if they are compromised, damages are minimal since only the keys that were fully assembled at the time the custodian was compromised would be leaked.

3.5.1 BIP32 “Specific Custody” Technical Control

An open standard called BIP32²⁶ allows a single key to be used to deterministically generate many wallets on many different DLT-based currencies. BIP standards are peer-reviewed and have proven themselves to be technically robust in the face of billions of transactions and countless hacking attempts. While you can certainly shard the root key which provides access to all of the wallets and reassemble that every time a transaction is initiated, it would be much safer to only assemble one branch of the BIP32 tree so that the “Sharded Clearinghouse” only has custody of the specific asset that it is trying to send rather than all the assets at once. This is just one of many possible ways that a technical control can be implemented to mitigate risks on qualified custodian operating in the crypto space.

3.6 Observations

Key sharding provides many benefits including increased security, implementation of technical controls and increased functionality that can be exposed to the end user. Something that any custodian or IA who engages in key sharding should be aware of is related parties gaining access to too many shards. Key sharding, however, can provide a much more accessible experience to users who feel overburdened by having to self-custodize all of their funds at the same time. Self-custody schemes can still be implemented with key sharding if all the shards are assembled with the user or a qualified custody can be used to ensure that only the relevant parties have custody. It is important to recognize the nuances that exist in this technology and to appropriately address them when implementing any sort of key sharding scheme, but if utilized correctly, these schemes can revolutionize traditional custody models.

4. Conclusion

While the crypto industry can often be confusing and overwhelming to outsiders, there exist clear parallels between the way traditional custody works and how crypto custody ought to work. While there are some new ideas that are brought forth with the introduction of self-custody, smart contracts and key sharding, these ideas can be grounded in the custody laws that have governed the traditional financial system.

Through the use of legal and technical controls, DLT can enable a whole new era of transparent, compliant and consumer centric finance. Conflicts of interest can be eliminated and provably fair controls can be implemented that benefit both financial institutions and the consumers they serve. DLT has many benefits that should appeal to consumers, institutions and regulators alike.

It is important to recognize that healthy regulation is required for this industry to thrive. Regulation that fosters innovation while protecting consumers will enable DLT and crypto technology in general to be freely used by well-intentioned individuals while preventing bad actors from entering the system. Once we make our way past the misconceptions surrounding this industry we can have an intelligent conversation surrounding the usage of this technology and how it can be safely and securely implemented for a mass market audience.

Disclaimer

This paper is for informational purposes only and is not available for the purpose of providing legal advice. Any individual reading this should contact their attorney to obtain advice with respect to any particular issue or problem. Use of and/or access to this paper do not create an attorney-client relationship between the author and the reader. The opinions expressed in this paper are the opinions of the individual author and may not reflect the opinions of the publishing organization.

Paper © 2018 and © 2023 Ethos