Benjamin Bestgen: Custody of digital assets
The safekeeping of digital assets by professional custodians remains uncertain territory. Scottish solicitor Benjamin Bestgen provides an overview.
With the increasing popularity of digital assets, parties interested in buying, holding and trading them face a common problem: how can assets like cryptocurrencies, security tokens or utility tokens be adequately stored and safeguarded?
The digital space is riddled with jargon, and in this article I aim to use only as much as necessary. But for clarity, cryptocurrencies like Bitcoin are a form of digital value representation (akin, but not equal, to money). Tokens are, loosely defined, digital representations of things in a particular ecosystem. A token can be a security or investment contract (security token) or, in the case of utility tokens, have a range of functions: it can be used e.g. as a toll to access certain platforms, it can contain title to a tangible asset (a yacht, car or apartment), or a legal right (a vote). Tokens can be publicly tradeable or be restricted to particular forums or organisations.
Let’s now talk about custody:
With most physical assets, custody is straightforward: bond certificates, jewels, works of art and the like can be placed in a secure vault. Physical security protocols regulate access to and transfer of the asset and also mitigate the risk of theft, damage and misappropriation. Regulators and auditors can satisfy themselves by physical inspection that the assets exist in the form and amount declared. Standard KYC and AML procedures determine the identity of the owner and the legitimacy of the asset, and help prevent fraud.
Digital assets, however, are not tangible things but algorithms: a Bitcoin or token is represented online through a unique “public key”. It can be accessed only through a corresponding private key: another unique piece of code that matches the public key, “unlocks” the asset and makes it accessible for use or transfer. In general, the party in possession of the private key controls the digital asset.
People can safeguard their digital assets themselves, with various “wallets” and “self-custody” solutions available for retail and business customers.
But for licensed and regulated professional custodians like banks, trust companies and other fiduciary services providers, digital assets pose unique challenges:
Regulation: professional custodians (and their insurers) need to know what their local regulator requires of them. But it appears that most jurisdictions, the UK included, either have no specific laws about the custody of digital assets yet (leaving it an unregulated activity) or try to shoehorn this issue into the scope of custody regulations predating digital assets. Often it is not even defined what “custody over digital assets” means.
As a first in the EU, Germany made custodial services for digital assets a regulated financial services activity in the latest amendment to its Banking Act (Kreditwesengesetz; KWG): as of 1 January 2020, §1(1a)6. KWG defines custody over digital assets as the “storage, administration and safeguarding of cryptoassets or private cryptographic keys used to hold, store or transfer cryptoassets on behalf of others” (translation by the author). A more detailed discussion of the KWG is outside the scope of this article, but it will be interesting to see if Germany’s initiative will be taken up by other jurisdictions.
Proof of ownership: how can a custodian satisfy itself as well as auditors, regulators or tax authorities that person A is really the owner of the digital asset? And how can the custodian be certain that it has exclusive custody over the private key? The private key works similarly to a bearer share: whoever controls it controls the digital asset. Depending on the digital architecture in which the asset is situated, there may be several private keys, or the private key may have been split, with multiple parties (the custodian being one amongst them) holding parts of it, and a “signing ceremony” may be required to bring the key together. In such cases custodians may wish to contractually limit their liability to such factors as they can reasonably know and control.
Security: digital assets are vulnerable to theft by hacking or misappropriation of the private key by dishonest persons. Likewise, the private key can be lost or negligently scrambled, thereby effectively losing the asset. Administering and safeguarding them requires specialist expertise and infrastructure. Custodians in the market for digital assets commonly offer:
- Private key and digital asset are stored in an infrastructure connected to the internet; this can be in the form of a trading account for immediate access or a segregated webspace with added security measures. Benefits are immediate or fast access for trading; the internet connection makes it vulnerable to hacking and human error.
- Private key and digital asset are stored in a segregated offline infrastructure like encrypted hard-drives or USB sticks locked in a safe. More secure but still vulnerable to employee theft, negligence and fraud; the asset can be made available within a few hours.
- Deep cold storage: designed for long-term safekeeping; the hardware on which the private key or asset is situated is stored offline and at a secure offsite facility, with highly restricted access. Added layers of security; it may take several hours or days for the asset to become available; expensive.
While the question of who controls the private key is crucial, custodians also have to consider their policies around access to and utilisation of the key, signing ceremonies and identification of owners. Insurers may be willing to cover some of the risks associated with custody over digital assets but this is not a cure-all.
Tokenisation: increasingly, instead of paper contracts and physical procedures, parties want to use tokens to transfer rights to underlying real-world assets. Whoever owns the token, owns the asset, while the asset itself will not have to change its physical location. Custodians and insurers alike see the risk of fraud when tokens are traded while it’s unclear if the underlying asset even exists, what state it is in or whether it is truly owned by the person possessing the token. Trailblazing in this area, Liechtenstein enacted, effective on 1 January 2020, its Blockchain Act (Token und VT Dienstleister Gesetz; TVTG), developing a framework to regulate tokenisation, which is unfortunately outside the scope of this article. To ensure that the digital economy corresponds with the physical world, Liechtenstein created the role of the “physical validator”: this licensed professional is tasked with determining the owner of a token and ensuring that the rights and obligations represented by the token are upheld and enforced in the real world. Loss, damage or errors regarding the assets in question are likewise for the validator to resolve. Custodians and regulators in other jurisdictions may take note, as the role of a “physical validator” may turn out to be both a simple and extremely useful solution to some of the major uncertainties around digital assets and verification.
Related to the above, there is also a directors’ duties point to consider: when the directors of a fund or other cryptobusiness decide to engage a professional custodian to safeguard their portfolio of digital assets and private keys, the directors must consider:
- adequacy of the custodian’s offered security measures, policies and protocols;
- which exclusions and limitations in a custodian’s terms and conditions are reasonable and can be agreed;
- what price for the custodial services is reasonable and whether additional insurance will be required.
While some operators in the digital asset markets are exceptionally knowledgeable and experienced, many are not. The market crosses borders and attracts newcomers. There appears to be a lack of sufficiently stable standard market practices within or across jurisdictions that investors, service providers and their advisors can rely on.
For custodians, their clients and regulators alike it is therefore vitally important to engage in knowledge sharing and developing reliable “best practice” models for custody, as the digital asset economy shows no signs of slowing down.
Benjamin Bestgen is a Scottish qualified solicitor and notary public.