As 2020 came to a close, the issue of how digital asset securities can be custodied by US broker-dealers became clearer, at least from a regulatory standpoint. In a release issued pursuant to the Securities Exchange Act of 1934, as amended (Exchange Act), on December 23, 2020, the Securities and Exchange Commission (SEC) laid out its vision for how broker-dealers can comply with the custody requirements of Rule 15c3-3 under the Exchange Act (the Customer Protection Rule) for investments in digital asset securities, suggesting a way to move forward that allows for future innovation with respect to these types of securities (hereafter, the SEC Digital Asset Securities Release or the Release). For further information, see the full text of the SEC Digital Asset Securities Release.
The issue of how a broker-dealer custodies digital assets has become increasingly important as regulatory pressure has mounted on issuers of digital assets to determine the status of those assets under the US federal securities laws. If the assets are determined to be securities under applicable US law, then all market participants who want to issue, distribute, or transfer such assets need to have a plan for determining where and how the assets will be held, and how they can be transferred to a new owner. The issue of custody is particularly acute for broker-dealers with retail or institutional customers. Under existing US securities laws, broker-dealers registered with the SEC must comply with the Customer Protection Rule. Paragraph (b)(1) of the rule requires broker-dealers to obtain and thereafter maintain, exclusive physical possession or control of all fully-paid and excess margin securities carried for the account of customers.
For traditional, non-digital securities, although complex, the requirements of the Customer Protection Rule can be met and managed through the use of electronic systems and controls, and by and through intermediaries who can be held legally responsible under federal law for safekeeping assets and maintaining accurate books and records. The custody system for traditional securities is “known” and “knowable” in the sense that all persons in the chain of custody are required to adhere to a uniform set of processes which ensure, on a minute-to-minute basis, the protection of customers assets and the segregation of those assets from the broker-dealer’s own proprietary cash and investments.
No such uniform system exists today for the custody of digital asset securities, and broker-dealers doing a business in digital asset securities have had no surety that applying any system to digital assets would result in compliance with the custody requirements of the Customer Protection Rule.
Breaking new ground, on an interim basis
The regulatory uncertainty that has surrounded custody issues for broker-dealers is set to change very quickly now with the publication of the SEC Digital Asset Securities Release. Taking a novel approach, the Release consists of two parts: first, a “statement” by the SEC of its position regarding the steps a broker-dealer can take to comply with the custody requirements of the Customer Protection Rule for the next five years – the statement consists of seven minimum steps and nine terms and conditions; and second, a “request for comment” on industry best practices and other matters. The Release explains that the SEC’s position statement is “an agency statement of general applicability with future effect designed to implement, interpret, or prescribe law or policy.”
Of greatest significance, a broker-dealer operating pursuant to the terms and conditions of the position statement articulated in the Release will not be subject to SEC enforcement action on the basis that the broker-dealer deems itself to have obtained and maintained physical possession or control of customer fully paid and excess margin digital asset securities for the purposes of paragraph (b)(1) of the Customer Protection Rule. Broker-dealers that wish to rely on the statement, however, will be subject to examination by the SEC and FINRA, and must comply with all other applicable SEC and FINRA rules. The position statement expires five years after its publication date.
The position statement identifies the following actions as the “minimum steps” a broker-dealer can take to comply with the custody requirements of the Customer Protection Rule:
- First, wall off the digital asset securities business in a legal entity registered with the SEC as a sole purpose (Special Purpose) broker-dealer (and depending on the business model, perhaps also registered as an alternative trading system (ATS)), and limit the business conducted by that broker-dealer to digital asset securities only, i.e., the broker-dealer should not conduct a business in “traditional” securities or any non-security digital assets. In this regard, the Release states:
“One step that a broker-dealer could take to shield traditional securities customers, counterparties, and market participants from the risks and consequences of digital asset security fraud, theft, or loss would be to limit its business exclusively to dealing in, effecting transactions in, maintaining custody of, and/or operating an alternative trading system for digital asset securities. Thus, to operate in a manner consistent with the [SEC’s] position, the broker-dealer could not deal in, effect transactions in, maintain custody of, or operate an alternative trading system for traditional securities.”
- Second, establish, maintain, and enforce reasonably designed written policies and procedures which can be used to determine whether a particular digital asset is a security under US federal securities laws. In this regard, the Release states:
“A second step the broker-dealer could take is to establish, maintain, and enforce reasonably designed written policies and procedures to conduct and document an analysis of whether a digital asset is a security offered and sold pursuant to an effective registration statement or an available exemption from registration, and whether the broker-dealer has fulfilled its requirements to comply with the federal securities laws with respect to effecting transactions in that digital asset security, before undertaking to effect transactions in and maintain custody of such asset.”
- Third, assess the characteristics of the digital asset security’s distributed ledger technology and associated network prior to providing the custody service. In this regard, the Release states:
“A third step the broker-dealer could take is to establish, maintain, and enforce reasonably designed written policies and procedures to conduct and document an assessment of the characteristics of a digital asset security’s distributed ledger technology and associated network prior to undertaking to maintain custody of the digital security and at reasonable intervals thereafter.”
- Fourth, establish, maintain, and enforce reasonably designed written policies, procedures, and controls for safekeeping digital asset securities and demonstrating that the broker-dealer has exclusive possession or control over the digital asset securities, which controls are consistent with industry best practices that protect against theft and other unauthorized use of or access to the assets, including unauthorized or accidental use of private keys. In this regard, the Release states:
“These policies, procedures, and controls could address, among other matters: (1) the on-boarding of a digital asset security such that the broker-dealer can associate the digital asset security to a private key over which it can reasonably demonstrate exclusive physical possession or control; (2) the processes, software and hardware systems, and any other formats or systems utilized to create, store, or use private keys and any security or operational vulnerabilities of those systems and formats; (3) the establishment of private key generation processes that are secure and produce a cryptographically strong private key that is compatible with the distributed ledger technology and associated network and that is not susceptible to being discovered by unauthorized persons during the generation process or thereafter; (4) measures to protect private keys from being used to make an unauthorized or accidental transfer of a digital asset security held in custody by the broker-dealer; and (5) measures that protect private keys from being corrupted, lost or destroyed, that back-up the private key in a manner that does not compromise the security of the private key, and that otherwise preserve the ability of the firm to access and transfer a digital asset security it holds in the event a facility, software, or hardware system, or other format or system on which the private keys are stored and/or used is disrupted or destroyed.”
- Fifth, establish, maintain and enforce reasonably designed written policies and procedures that address what steps the broker-dealer would take in the event of threats to its custody function, or threats to the broker-dealer’s ability to maintain its operations. In this regard, the Release states:
“These policies and procedures should include measures for ensuring continued safekeeping and accessibility of the digital asset securities, even if the broker-dealer is wound down or liquidated, and thus would provide a reasonable level of assurance that a broker-dealer has developed plans to address unexpected disruptions to the broker-dealer’s control over digital asset securities.”
- Sixth, provide written disclosures to prospective customers about the risks of investing in or holding digital asset securities, including the risk that the securities will not be covered by SIPA and SIPC. In this regard, the Release states:
“The purpose of such disclosures is to provide the prospective customers with sufficient and easily understandable information about the risks to enable them to make informed decisions about whether to invest in or hold digital asset securities through the broker-dealer.”
- Seventh, develop and enter into a written agreement with each customer setting forth the terms and conditions applicable to the broker-dealer’s transactions in digital asset securities, including the functions of purchasing, holding, transferring, and liquidating the securities. In this regard, the Release states:
“This step would ensure documentation of the terms of agreement between the customer and the broker-dealer providing custody of the customer’s digital asset security, which would provide greater clarity and certainty to customers regarding their rights and responsibilities under the agreement with the broker-dealer.”
Terms and conditions
After considering the minimum steps discussed above, a broker-dealer may rely on the SEC’s position statement and not be subject to an SEC enforcement action under paragraph (b)(1) of the Customer Protection Rule, if the broker-dealer complies with the following nine terms and conditions, summarized here:
- The broker-dealer has access to the digital asset securities and the capability to transfer them on the associated distributed ledger technology
- The broker-dealer limits its business to digital asset securities only
- The broker-dealer has, and enforces, reasonably designed written policies and procedures that require the broker-dealer to analyze and document its determination with respect to whether a particular digital asset is a security under US law
- The broker-dealer has, and enforces, reasonably designed written policies and procedures to assess, and document its assessment, of the characteristics of the security’s distributed ledger technology and network, prior to undertaking any custody function, and at reasonable intervals thereafter
- The broker-dealer does not undertake to perform a custody function if it is aware of any material security or operational problems or weaknesses with the distributed ledger technology and network used to access and transfer the security, or is aware of other material risks posed to the broker-dealer’s business by the digital asset security
- The broker-dealer has, and enforces, reasonably designed written policies, procedures, and controls that are consistent with industry best practices to demonstrate that the broker-dealer has exclusive control over the digital asset securities and to protect against theft, loss, and unauthorized access to private keys
- The broker-dealer has, and enforces, reasonably designed written policies, procedures, and arrangements to identify in advance the steps the broker-dealer would take if certain events occur that threaten or compromise the custody function, e.g., blockchain malfunctions; ensure that the broker-dealer can comply with a court-ordered asset freeze; and can transfer the assets to a third-party if the broker-dealer can no longer safely maintain the assets
- The broker-dealer informs prospective customers in writing: (i) that the broker-dealer is relying on the SEC’s statement with respect to custody; (ii) and about the risks of investing in and holding digital asset securities, including the fact that the assets may not be covered by SIPA, may be subject to fraud and manipulation, price volatility, and liquidity issues, among others, and the mechanisms the broker-dealer employs to protect its private keys, and
- The broker-dealer enters into a written agreement with each customer that details the terms and conditions applicable to the broker-dealer’s safekeeping of the customer’s assets.
Request for comment
The SEC’s position statement becomes effective 60 days after its publication in the Federal Register. In addition to publishing the position statement, the SEC also has invited all interested persons to submit written comments on specific questions included in the Release related to custody issues, such as identifying industry best practices for protecting against the loss or theft of private keys; identifying the processes, software and hardware systems currently available to broker-dealers to create, store, and use private keys; and identifying accepted practices or model language with respect to disclosing the risks of digital asset securities and the use of private keys. The Request for comment also solicits comment on whether the SEC’s position statement should be expanded in the future to include other businesses such as traditional securities and/or non-security digital assets. As of the date of this legal alert, the Release has not yet been published in the Federal Register but publication is expected very soon and comments already received by the SEC are available on the SEC’s public web site.
In the near term, broker-dealers in the digital asset securities business may be able to rely on the new SEC position statement, i.e., complying with its terms and conditions as the mechanism for complying with paragraph (b)(1) of the Customer Protection Rule. In the longer term, broker-dealers can look forward to a continuing dialogue with the SEC on the myriad issues raised by this particular asset class. It is clear that the SEC, in addition to examining broker-dealers relying on the position statement, will continue to evaluate its position, on an on-going basis.