Just before the recent federal government shutdown, SEC staff issued a no-action letter providing some clarity as to who can serve as a permissible custodian under the Investment Company Act of 1940 and a “qualified custodian” under the Investment Advisers Act of 1940 with respect to digital assets that may be subject to the custody provisions of those acts (referred to in this article as crypto assets). Specifically, the no-action letter provides more certainty regarding the use of banking institutions and trust companies that are subject to a state banking supervisory authority and that exercise fiduciary powers under state law (state-regulated entities, or SREs) to act as custodians permitted under those acts with respect to crypto assets.
Under the Investment Company Act of 1940, registered investment companies and business development companies (each referred to in this article as a regulated investment company) must maintain securities and similar investments with specified custodians, including “banks,” as defined in that act. Similarly, any adviser registered under the Investment Advisers Act of 1940 having custody of client funds or securities must maintain those assets with a “qualified custodian,” which is defined to include banks, as defined under that act. Under both acts, a “bank” generally includes entities with a “substantial portion” of their business consisting of “receiving deposits or exercising fiduciary powers similar to those permitted to national banks under the authority of the Office of the Comptroller of the Currency.”
There has been some uncertainty as to when the fiduciary powers of SREs could be considered similar to those of national banks, as well as uncertainty about what level of fiduciary and deposit-taking activity would be deemed a “substantial portion” of an SRE’s business. Meanwhile, according to the request for no-action assurance, the number of institutions offering custody services for crypto assets has not kept pace with the sharp increase in investor demand for exposure to those assets.
Current Regulatory Regime for SREs and Internal Controls
The request for no-action assurance noted the robust nature of each state’s regulatory regime for SREs, which it said generally included being subject to specified requirements. Among other things, according to the request, these include: (a) minimum capital levels; (b) restrictions on activities and balance sheet investments; (c) periodic reporting related to financial condition; and (d) periodic exams and the potential for enforcement actions initiated by state authorities.
The request also identified controls typically put in place by SREs that do provide custody services for crypto assets and cash and cash equivalents used to effect transactions in those assets (referred to in this article as related cash and cash equivalents). These controls are critical, since custody involves the safekeeping of cryptographic “keys,” the loss of which in all likelihood would be irreversible.
As noted in the request, these controls include: (a) “deep” cold storage, to make retrieval of the keys time-consuming; (b) third-party annual financial statement audits; (c) third-party reporting on financial, governance, and IT processes and controls; (d) encryption protocols and crypto asset movement verification controls; and (e) policies and procedures relating to security, business continuity, and private key generation and storage. The request further noted that these controls are separate from due diligence procedures that regulated investment companies and registered investment advisers typically follow to ensure that custodians have adequate controls in place to safeguard custodied assets.
Conditions to No-Action Relief
SEC staff set out four conditions to the no-action assurance that a regulated investment company or registered investment adviser, as applicable, must satisfy with respect to its placement and maintenance of crypto assets and related cash and cash equivalents with an SRE to be able to treat the SRE as a “bank” under the Investment Company Act of 1940 and the Investment Advisers Act of 1940, respectively. The first condition deals with due diligence steps that must be undertaken, the second condition addresses contractual safeguards, the third condition relates to disclosure of the custodial arrangement, and the fourth condition concerns best-interest determinations.
First Condition: Inquiry into Status of the SRE and Its Controls
Prior to engaging an SRE, the regulated investment company or registered investment adviser must have a reasonable basis, after due inquiry, to believe that the SRE has undertaken several steps related to the integrity and security of its operation as a custodian. First, the SRE must be authorized by state banking authorities to provide custody services for crypto assets and related cash and cash equivalents. Second, the SRE must maintain written procedures reasonably designed to protect those assets from risk of theft, loss, misuse, or misappropriation, addressing such topics as private key management and cybersecurity.
As part of making this determination, the regulated investment company or registered investment adviser must confirm, after review, that the SRE’s financial statements have been audited by an independent public accountant in accordance with generally accepted accounting principles. They also must confirm, after review, that the SRE’s internal controls report prepared by the accountant contains its opinion that these controls are reasonably designed and operate effectively to meet control objectives relating to the SRE’s custodial services, including safeguarding crypto assets and related cash and cash equivalents during the year.
Second Condition: Contractual Safeguards
The regulated investment company or registered investment adviser (or the registered investment adviser’s client) must be party to a written custodial services agreement with the SRE providing that the SRE will not directly or indirectly lend, pledge, hypothecate, or rehypothecate any crypto assets or related cash and cash equivalents without the prior written consent of the regulated investment company or the registered investment adviser’s client, as applicable.
The agreement must also provide that any such transfer of interest or control can only be for the account of the regulated investment company or registered investment adviser’s client, as applicable, and that all crypto assets and related cash and cash equivalents held in custody by the SRE are segregated from the SRE’s assets.
Third and Fourth Conditions: Disclosure and Best-Interest Determinations
A regulated investment company must disclose to its board of directors (or trustees), and a registered investment adviser must disclose to its clients, any material risks associated with using SREs as custodians of crypto assets and related cash and cash equivalents. Lastly, the regulated investment company or registered investment adviser must reasonably determine that the use of the SRE’s custody services is in the best interest of the regulated investment company, its shareholders, or the registered investment adviser’s client.
In a statement released the same day, SEC Commissioner Hester Peirce commended the staff for providing additional flexibility to registered investment advisers and regulated investment companies in satisfying custody requirements applicable to crypto assets. She also called for the SEC to “consider whether the custody requirements applicable to registered advisers and regulated funds should be improved and modernized.” The no-action letter itself noted that the SEC is considering rulemaking regarding custodial requirements for crypto assets. More developments on this front seem very likely to follow.
