37 - Qualifying a custodian
Opinions expressed are solely my own. Shout out to my friend and colleague John Schneider and my parents for some great edits.
In the middle of last month, it came to light that another major player in the crypto space was in serious trouble. Prime Trust, a widely used custodian and trading service provider, was ordered by the Nevada Financial Institutions Division to cease all activities and soon thereafter was put into receivership. As shocking as the bankruptcy of Prime Trust is, the details are even more so. According to court filings (Pg. 5-7), Prime Trust had lost access to what appears to be almost $79M in customer digital assets. In order to fill the gap, Prime Trust used customer fiat funds to purchase more digital assets.
The similarities between Prime Trust and FTX are striking. Customer digital assets are lost through either negligence or misappropriation, and once again we see some customers' funds being used to backstop other customers' funds. The difference between these two events is that industry experts have always questioned how FTX and other retail exchanges store digital assets. Prime Trust, on the other hand, fell into a category of institutions whose entire existence revolved around the safekeeping of customer funds.
What makes a qualified custodian?
Prime Trust is (or was?) in a class of businesses known as "qualified custodians" (QC). A custodian by the traditional definition is an institution that keeps a customer's securities safe from loss or theft. A qualified custodian is a specific designation outlined by the SEC indicating institutions that can custody customers' securities. In a 2013 statement, the SEC designated "banks, registered broker-dealers, futures commission merchants (FCM), or certain foreign entities" as qualified custodians which investment advisors must use to securely store customer funds. Some have questioned whether any company providing custody services for digital assets can have QC status.
If you noticed earlier, the state of Nevada was the one to put Prime into receivership. This was because Prime was a Nevada-based LLC registered as a trust company. Trust company is a state-issued designation for entities that are in the business of providing custody services for customer assets. Every custodian in the digital asset space is a state-licensed trust company, most commonly based in New York, South Dakota, Wyoming, or Nevada.
The debate about digital asset trust companies' status revolves around the question: do state chartered trusts provide the same protections that banks, broker dealers, and other SEC designated institutions do? In 2020, Wyoming asked the SEC to clarify this point; and in response, the SEC issued a request for comment by the digital asset industry. Fidelity Digital Assets and other custodians responded with statements in support of state chartered trust companies’ being designated as “qualified custodians.” The SEC has continued to pursue the topic with a 2023 proposal that provides some clarity but still leaves the state trust question up to debate.
The questions around state chartered trust companies having qualified custody status have led multiple companies to attempt to resolve the issue through traditional means. In 2021 Anchorage Digital, Protego, and Paxos obtained approval from the Office of the Comptroller of the Currency (OCC) to convert their state chartered trust companies into federally chartered banks. The benefits of the move are still questionable, as federally chartered banks have strict oversight and capital requirements that could make managing the custody of digital assets challenging. Since 2021, the OCC has become less accommodative to digital asset companies interested in making the switch and has even issued statements discouraging banks within its authority from engaging with the digital asset industry.
A qualified custody checklist
Regardless of the legal structure, hedge funds, venture firms, and other large institutions look to top tier custodians to help secure their funds. Considering the origin of digital assets, these businesses’ storing funds with other entities might seem to go against the ethos of the space. The true innovation digital assets drive is the optionality for these businesses to pick how their funds are stored. Custodians are one of many options for holding digital assets; some of the others we discussed in 10 - The different wallets and their risks. Institutions work with custodians to reduce risk, avoid the cost of maintaining and securing their own private keys, and establish a separation between the firm and customer funds. The hardest part is deciding which custodian to choose.
In the bull market days of 2020 and 2021, there was a general lack of discipline around custody due diligence. Custody isn't a sexy topic, and in some cases the finer details of how a partner custodies assets got overlooked. In others, custodians made outright false statements about what they do and how they do it. In the wake of FTX, Genesis, and now Prime Trust, businesses are asking serious questions about how custody is being managed by their business partners. There are a few key facts that define what to look for in a custody partner, specifically around regulatory status, business reputation, wallet creation, hardware and software, and operational procedures.
Regulatory status
We have discussed at length the regulatory status needed for digital asset custody. Most institutions want to see a business that can claim qualified custody status. The primary benefit of the status is regulatory oversight. State chartered trusts go through annual audits, system and organizational control (SOC) testing, and annual reviews conducted by their regulatory body. New York's Department of Financial Services (NYDFS) is notoriously strict, and institutions that hold licensing in the state are often held in high regard.
Business reputation
"Nobody was ever fired for hiring IBM" is a favorite saying among business professionals about working with companies that have a sterling reputation. In an industry that moves so fast and has so much nuance, new entrants are well served by working with companies that have a strong reputation. One of the problems in the custody space is that reputations built in good times are failing in the down markets. Bakkt is a company that was built on reputation from its founding, as it inherited its regulatory and compliance traits from its parent company, the Intercontinental Exchange. Data security was the focus from the start.
Wallet structure
Blockchain architecture and good old fashioned cryptography allow for multiple ways to generate private keys. The classic structure involves one private key created per wallet. Over time, advancement in blockchain technology and innovative applications of old cryptography gave rise to multi-sig and multiparty computation (MPC) based key structures. Institutions want to see key material distributed using one of these techniques and not stored in a single form.
Hardware and software
Hardware and software are the literal foundation of any custody product. What kind of devices key material is stored on and where those devices are housed are critical data points in choosing a custody provider. Secure enclaves and self-managed data centers are typically the ideal deployment for securing key material. Ensuring that access to the applications which control the private keys is secured through 2FA, VPN connectivity, and authorized IP addresses helps prevent unwanted actors from accessing your system. If the system is changed in any way, alerts should be sent to the proper personnel notifying them of the change.
Operational procedures
Behind every great system is a great team. Custody providers should have a dedicated operations team whose responsibility it is to manage and maintain the custody system. Teams should have segregation of duties, and no single person should have super user rights. Operations teams with experience in the space and understanding of the digital asset ecosystem as a whole are a massive value add. It's a good idea for institutions to speak with and vet a custodian's operations team before sending over any digital assets.
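The access and approval controls listed under "Hardware and software" and "Operational procedures" can be written down as a policy that is checked on every withdrawal. The sketch below is an added example, not code from any custodian; the role names, users, VPN address range and quorum size are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy: roles, users and networks are hypothetical.
ROLES = {
    "initiator": {"alice", "bob"},
    "approver": {"carol", "dave", "erin"},
    "admin": {"frank"},
}
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # VPN range (constructed)
QUORUM = 2  # distinct approvers required for each withdrawal


@dataclass
class Action:
    user: str
    source_ip: str
    mfa_passed: bool


def audit_roles(roles):
    """Return users holding more than one role (segregation-of-duties gaps)."""
    held = {}
    for role, users in roles.items():
        for user in users:
            held.setdefault(user, set()).add(role)
    return sorted(u for u, r in held.items() if len(r) > 1)


def access_ok(action, role):
    """2FA, an authorized source address and role membership must all hold."""
    ip = ipaddress.ip_address(action.source_ip)
    return (action.mfa_passed
            and any(ip in net for net in ALLOWED_NETS)
            and action.user in ROLES[role])


def authorize_withdrawal(initiation, approvals):
    """Return (allowed, reasons) for one withdrawal request."""
    reasons = []
    if not access_ok(initiation, "initiator"):
        reasons.append("initiator failed access checks")
    # A set counts each approver once; the initiator can never self-approve.
    valid = {a.user for a in approvals
             if access_ok(a, "approver") and a.user != initiation.user}
    if len(valid) < QUORUM:
        reasons.append(f"only {len(valid)} of {QUORUM} valid approvals")
    return (not reasons, reasons)
```

Running `audit_roles` over a custodian's real role assignments is a quick due-diligence check: any name it returns is a person who could both start and approve a transfer.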
Prime Trust's story is interesting because of how much needed to happen for them to end up in the situation they currently face. First, they lost access to customer funds because they sent them to old wallets to which they did not have access. Second, they used other customer funds to cover their mistake. What this means is that: 1) they must have lost access to their original wallet’s private keys; 2) they had so few controls that it allowed Prime Trust to do what it pleased with customer funds; and 3) management allowed this to happen. Whatever the long term outcome is for Prime Trust, this has been a master class in what not to do as a custodian.
Conclusion
Custody of crypto assets at an institutional level is not an easy job. It requires a massive amount of up front investment and industry-specific knowledge. The innovation that makes digital assets so impactful also makes them incredibly risky. Private keys are simply a string of letters and numbers that if accessed can allow anyone to move funds. Custodians take on that risk for their customers and play an incredibly important role in the digital asset ecosystem. The one benefit of the poor business practice plague that is sweeping the industry is that it educates everyone on what questions need to be asked before working with a custodian.