
Crypto Custody


By Amanda Gould

Ms. Gould is a third-year law student at University of Pennsylvania Carey Law School. This research was produced under supervision of Professor David Hoffman. 


Federal law requires investment managers and broker-dealers transacting in large amounts of cash or securities to keep those assets with entities that meet certain safekeeping requirements.[2] Such custody rules—born of the chaos of the Great Depression—originally helped to create a financial market marked by a high degree of investor trust and liquidity.

Recently, entrepreneurs seeking to trade in “crypto assets” have complained that the custody rule system impedes innovation.[3] Justin Schmidt, an asset manager for Goldman Sachs, summarized this frustration succinctly:

“One of the things [clients] ask me is ‘Can you hold our coins?’ and I say ‘No, we cannot[.] One of the things we have to take into consideration when we’re building out our business is what we can and cannot do from a regulatory perspective.”[4]

Why has a nearly-century-old set of legal rules caused such a ruckus?[5] What can be done? This White Paper aims to explore these questions in detail.

Two Custody Questions

There are really two separate “custody” questions. The first asks whether crypto assets and their associated technologies are subject to federal customer protection and legal custody requirements. We call this the regulatory question.

The second inquiry—the cybersecurity question—explores the safekeeping of digital assets as a means of protecting against hacks and theft. That is, what combination of security features, from public key cryptography to conventional offline mechanisms, actually keeps crypto assets safe, and how should the industry settle on a set of best practices in a rapidly evolving field?

The cybersecurity question is related to the regulatory question in the sense that (historically) traditional custodians such as banks reliably kept client assets secure. But banks are not cryptography experts. Guaranteeing the security of blockchain-based, cryptographically controlled digital assets is a more complex task than traditional custodians are accustomed to, and it extends beyond the scope of the regulatory question into an assessment of technical cybersecurity considerations.

Distinguishing whether the custody rules apply and what crypto-custody looks like from a cybersecurity perspective bears emphasizing because the agency tasked with enforcing the custody rules—the SEC—is not an arbiter of network security. The agency has notably deferred to industry self-regulation to determine best practices for safeguarding cash, securities, and related assets.

To fully appreciate the intricacies of the custody rules, it is helpful to review the basic premise behind modern financial intermediation. So before diving into either question, we begin with a brief look at securities intermediaries. In the field we’re looking at, they come in two types: central securities depositories and custodian banks.

Central Securities Depositories

The securities industry depends on intermediaries to trade, settle, and hold securities. Historically, companies issuing public shares did so by conveying paper stock certificates to each shareholder. But high trading volumes and deeper capital markets in the mid-1970s made it difficult for buyers and sellers to manually deliver paper certificated securities at the end of each trading day. The industry ultimately embraced the idea of a single, national securities clearing house capable of computerized recordkeeping. Today, securities are issued not as paper certificates, but as electronic book-entries in a centralized accounting system called a central securities depository (“CSD”).[6]

Under this system, the depository replaces the investor as the security’s registered (or “legal”) owner.[7] The registered owner holds shares directly with the issuing company.[8] For a depository, this involves acting as the holder of record and registrar for entire issuances of millions of securities.[9] The depository operates on a membership model and only institutions meeting specific regulatory, capital, and technical requirements (i.e., custodian banks, broker-dealers and international depositories) may access its services.[10] Securities are acquired or transferred to investors (the “beneficial owner”) through electronic entries in securities accounts facilitated by these depository participants.[11]

To reduce logistical burdens and operational risk associated with physically transferring certificates, securities are dematerialized within the depository such that the settlement of a transaction requires notifying it to make a book-entry change to reflect new ownership of the security. For settlement to occur, depository participants net trades into a single position at the end of the day and submit them to the depository’s clearing agency arm.[12] The clearing agency then matches and validates the participants’ settlement instructions and updates the transaction on the depository’s books by debiting or crediting the participants’ securities accounts.[13]  

Custodian Banks

In the hierarchy of securities intermediaries, custodian banks are situated between the depository and the beneficial owner. While closely aligned, the role of a custodian is different from that of a depository. The depository is a market utility focused on ensuring the legitimacy of security issuances and facilitating trade settlement.[14] Custodian banks, by contrast, monitor and service securities on behalf of institutional investors and private wealth clients through a custody agreement. Simply stated, the depository has a relationship with the issuer while the custodian has a relationship with the investor.[15]

Custodian banks have two main duties.

First, custodians link issuers with investors by providing the infrastructure necessary to enable client participation in global financial markets.[16]

Second, custodians employ physical and electronic systems to shield client assets against theft or misappropriation by investment advisers, fund managers, or third-parties. They also protect against the potential bankruptcy or insolvency of the adviser or the custodian itself by segregating client assets and identifying them as being held on the client’s behalf in securities accounts.[17] 

In this regard, the custodial service was originally centered on physical safekeeping of client assets, typically, for tangible assets, in vaults and safes. Once securities became dematerialized in the depository, the bank’s role in physically safeguarding assets shifted toward servicing the legal entitlements that the assets’ records reflected. For electronic book-entry notations in individual client securities accounts, custodian banks essentially provide an administrative service.[18] The service includes distributing income and dividend payments on the securities, notifying the client of major corporate actions, providing proxy voting, and general reporting on material events related to the client’s holdings.[19]

With that jargon better in hand, let’s return to the Regulatory Question.

The Regulatory Question

The underlying assumption of a custody arrangement is that a specialized third party is more likely to protect client assets from fraud and misappropriation than the investment advisers charged with managing those assets. After the 1929 stock market crash, to which the theft and abuses of investment managers contributed, Congress enacted a set of statutes that establish fiduciary obligations for the safekeeping of client securities, cash, and similar investments.[20] Each statute promulgates similar but distinct custody requirements for the protection of client assets held by funds and managers.[21] Custody regulations typically allocate supervision of client assets to a subset of national banks. These custodian banks must adhere to federally mandated fiduciary obligations, thus furnishing an added layer of protection to client assets.[22]

The custody rules are intended to insulate clients’ assets from unlawful activities by an investment management company or investment adviser by forcing an intermediary to assume control of the assets.[23] The custody requirements span physical safekeeping, third-party auditing, and transaction and settlement reporting.[24]

The SEC confirmed that many of the digital tokens distributed in initial coin offerings amount to the offer and sale of an “investment contract” and, therefore, meet the definition of a “security” under the federal securities laws.[25] Accordingly, crypto assets and adjacent platforms like wallets and exchanges will almost certainly fall within the scope of the custody rules.

To see how the custody rules might apply, let’s first look at how crypto assets are purchased, sold, and held today.

Trading Crypto Assets

The simplest form of transaction takes place “on a blockchain” between users who host the protocol on their own internet-enabled devices. These peer-to-peer transactions are validated in accordance with cryptographic security measures and are recorded on a blockchain’s distributed ledger. But because transacting directly on a blockchain requires finding your own trading partners and accepting the risk of self-custodying valuable tokens, most market participants buy, sell, and hold crypto assets through an ecosystem of user-friendly third-party intermediaries.[26] Paramount for our purposes are the intermediary services provided by electronic wallets and exchanges.[27]


Electronic wallet providers are exclusively concerned with storing and safeguarding public and private keys on behalf of their customers.[28] Recall, blockchain networks rely on public key cryptography to verify token ownership and transaction authenticity. Token owners are identified through a public address accessible to all other network participants.

The public address is derived from a public key, which in turn corresponds to a unique private key known only to the token owner.[29] Both are lengthy strings of seemingly random alphanumeric characters.[30] The private key is used to produce a “digital signature” that must accompany every transaction spending from the address, and anyone can use the public key to check that signature without learning the private key. Whoever holds the private key therefore has complete control over the assets associated with it. Because confirmed blockchain transactions are irrevocable, users must keep the private key secret. There is also no recovery mechanism: a private key is generated once and cannot be reconstructed from the public address, so misplacing it effectively renders worthless all tokens associated with that address.

To curb the risks of keeping track of these extremely valuable (but, to a human, nonsensical) strings of text, third-party wallet services emerged to offer a storage solution for public and private keys.[31] Wallet services interact with various blockchain networks to store users’ keys and to monitor account balances. Users access their wallet with a conventional username and password through a website, mobile app, or desktop client.[32] And although the private keys are stored by the wallet service, the holder of the private key ultimately maintains control.[33] Any subsequent trading is at the user’s discretion because the service provider itself cannot use the keys (unless the wallet service is associated with a crypto exchange, which is discussed in detail below).

To reduce exposure to remote attack, some wallet services will, for an additional fee, keep the private keys on flash drives or bespoke hardware devices that are never connected to the internet.[34] The trade-off between this offline or “cold” storage and internet-connected “hot” storage is one of security versus liquidity: a key in cold storage cannot be compromised over the network, but it also cannot sign a transaction until it is brought back within reach of a connected system.

In any case, although the optimal custody arrangement has yet to be defined, it is undisputed that control of the private key is the paramount concern. In fact, the private key is, in essence, the real asset. It is a bearer secret: there is no way to safeguard it absolutely, because any exposure is a potential copy. For instance, a key printed on a piece of paper and locked in a vault has still been exposed to at least one set of eyes (and therefore one human brain, or one smartphone camera, capable of recording it). Hardware that generates and keeps the key internally avoids ever displaying it, but then the device, its backups, and whoever can instruct it to sign become the things that must be protected. Thus, private keys are at once an innovative security feature and a substantial liability.


An exchange is an online marketplace that lets users convert fiat currencies into crypto assets or trade one crypto asset for another. Parties to a trade on an exchange can transfer crypto assets without having to run the underlying blockchain protocol on their individual devices.[35] Such transactions take place “off-blockchain.”[36] If an off-blockchain transaction is reflected on the public ledger at all, it will appear as a transaction between intermediaries instead of a transaction between the buyer and seller.[37]

While these centralized exchanges facilitate the majority of global crypto-trading, some market participants are moving to “decentralized” exchanges that lower counterparty risk by eliminating the need for an intermediary.[38] Decentralized exchanges enable cross-blockchain peer-to-peer transactions where trades are settled on-blockchain and users retain sole custody of their tokens throughout the transaction process.[39] However, because decentralized exchanges are new and adoption is limited, the services face liquidity challenges, poor customer support, and pricing uncertainty.

As the principal mechanism for market entry and exit, exchanges categorically have substantial power and influence over the industry. However, the exchange ecosystem is extremely fragmented. There are more than 200 active exchanges and each exchange supports different crypto-crypto and fiat-crypto pairings.[40] This fragmentation is further complicated by the fact that platforms independently set the price for each coin they list.[41] Typically, prices are based on current trading volume and customer supply and demand, but the exact process is opaque and ripe for manipulation.[42] Indeed, the price of bitcoin has varied by as much as $2,000 among some of the largest exchanges.[43]

To operate in the U.S. today, platforms must obtain state-issued money transmitter licenses and adhere to federal FinCEN anti-money laundering requirements.[44] New York was the first state to pass legislation that created a regulatory framework for businesses engaged in virtual currency transactions.[45] Accordingly, a “BitLicense” is required for all businesses operating in New York State or involving New York residents that transmit, control, administer, exchange, or maintain custody of virtual currencies on behalf of others.[46] But due to limited resources and a cumbersome review process, New York has issued fewer than twenty BitLicenses since the regulation went into effect in 2015.[47] In the interim, other states (notably, Wyoming) have attempted to lure blockchain innovators by passing laws with less rigorous registration processes.[48]

But in the absence of a central regulatory body, it is unclear what percentage of client assets are actually held on the exchanges and whether the assets are pooled or kept in separate client accounts. This business model is not burdened by tokens’ cryptographic security measures because exchanges net trades on internal balance sheets off-blockchain. The only transactions recorded on a blockchain are deposits and withdrawals between the exchange’s wallet and the user’s third-party wallet.[49]

Unpacking the crypto ecosystem thus illustrates an important (and perhaps ironic) point. The dominant mechanism for participating in a market built on decentralization is through a series of centralized intermediaries.[50]

This inference may be of regulatory significance because intermediated markets necessarily impose some risk to investors. Though intermediaries support markets by lowering transaction costs and reducing information asymmetries, intermediary risk weighs these benefits against the possibility that the intermediary defaults or becomes insolvent, resulting in loss or damage to the investor.[51] Intermediaries in crypto asset transactions are no different. They perform many of the same market-enhancing functions as traditional financial intermediaries, but they are also beholden to similar types of credit and liquidity risk.[52]

The presence of centralized intermediaries in a largely decentralized ecosystem makes exchanges obvious targets for hacking. Since 2011, thieves have netted $1.6 billion in tokens in at least 56 cyberattacks on cryptocurrency exchanges.[53] The most notorious hack occurred in 2014 when Mt. Gox—the world’s largest bitcoin exchange at the time—was forced to halt withdrawals and file for bankruptcy after it lost 850,000 bitcoin worth approximately $450 million.[54] There were no protective measures in place to secure customer assets, so hundreds of creditors were forced to endure lengthy legal proceedings in an attempt to reclaim their coins.[55] Others simply cut their losses and moved on.[56]

Which brings us back to a core tenet of federal securities laws: to protect client assets against inadvertent loss or theft by third-party intermediaries.

The following sections evaluate how crypto assets and crypto service providers fit into the custody and customer protection requirements of three federal securities laws—the Investment Advisers Act of 1940 (“Advisers Act”), the Investment Company Act of 1940 (“1940 Act”), and the Securities Investor Protection Act of 1970 (“SIPA”).

Regulating Investment Advisers

An investment adviser is a person or firm receiving compensation for advising others about security investments.[57] Advisers managing more than $110 million in client assets, and for whom a valid exception does not apply, must register with the SEC and adhere to the regulations prescribed in the Advisers Act.[58]

The “Custody Rule,” Rule 206(4)-2 under the Advisers Act, governs registered investment advisers who hold “directly or indirectly, client funds or securities.”[59]

There are four main components to the Custody Rule.

First, advisers have a fiduciary obligation to maintain clients’ funds or securities with a “qualified custodian.”[60] Qualified custodians are banks, registered broker-dealers, registered futures commission merchants, or foreign financial institutions that customarily hold financial assets for customers.[61] The Custody Rule dictates that qualified custodians must segregate client assets into separate accounts or into accounts under the name of the investment adviser as agent or trustee for the client.[62]

Second, the investment adviser needs to notify clients of the custodian’s name and the manner in which the assets are being held.

Third, the adviser must have a reasonable belief that the custodian is periodically sending account statements directly to the client containing information about the funds and securities in custody.[63] This reporting requirement also applies to accounts held in clients’ names as well as to individual investors in pooled investment vehicles.[64]

Finally, the investment adviser must agree to an annual surprise audit by an independent public accountant.[65]

Regulating Investment Companies

Registered investment companies (e.g., mutual funds and exchange-traded funds (“ETFs”)) are held to a different set of custody provisions under Section 17(f) of the ’40 Act. Though there are permissible alternatives, investment companies overwhelmingly choose to protect fund “securities and similar investments” by utilizing the custody services of banks.[66]

Custodians under the ’40 Act perform essentially the same services as qualified custodians under the Advisers Act, including asset safekeeping and accounting, transaction settlement, dividend and interest receipt, payment of fund expenses, and corporate action monitoring.[67]

Like the Advisers Act Custody Rule, neither the ’40 Act nor the accompanying SEC rules provide for the manner in which a custodian bank must maintain custody of assets. Instead, fund directors negotiate custody agreements with banks to determine the appropriate operating and compliance procedures and limitations on liability.

A registered fund investing solely or partially in crypto assets deemed to be securities will almost certainly invoke the ’40 Act custody provisions.

Regulating Broker Dealers

Broker-dealers intermediate between buyers, sellers, and stock exchanges to facilitate the flow of securities.[68] Since broker-dealers are afforded some agency over their clients’ assets, they are required to register with the SEC and must meet the financial responsibility requirements of the Exchange Act, backstopped by the customer protections of SIPA.[69]

The “Customer Protection Rule” (Exchange Act Rule 15c3-3) is one such requirement. It is designed to guarantee that client funds and securities are properly safeguarded from the financial failure of a broker-dealer, making it the broker-dealer analogue to the Advisers Act and ’40 Act custody rules. The rule limits broker-dealers’ ability to use customer securities and cash to finance firm business pursuits and aims to ensure that broker-dealers maintain enough assets to satisfy customer claims in the event of insolvency.

The rule has two dimensions. First, broker-dealers must promptly obtain physical possession or control over customers’ fully-paid and excess margin securities.[70] Physical possession means the securities are literally located with the broker-dealer and that it holds a sufficient number to satisfy all of its customers’ claims. Control is achieved through a custody agreement with one of several “control locations” specified in the rule, including banks as defined in Section 3(a)(6) of the Exchange Act.[71]

The second aspect of the Customer Protection Rule involves the creation of “Special Reserve Bank Accounts” for the exclusive benefit of customers (i.e., completely separate from the broker-dealer’s own bank account), with cash or qualified securities at least equal in value to the net cash owed to customers.[72]

Applying Investment Regulations to Crypto Asset Transactions

Consider, for example, a registered investment adviser who decides to incorporate crypto assets deemed to be securities into a client’s portfolio. The Custody Rule is triggered because the adviser now holds (directly or indirectly) client assets that are securities. This is the answer to the regulatory question for registered investment advisers. The Custody Rule applies. The question for the adviser then becomes, is my custodian capable of servicing crypto assets?

For most traditional bank custodians, the answer to this question is “no.” There are a number of reasons—many of which will be discussed in our evaluation of the cybersecurity question—why bank custodians are hesitant to offer their services to crypto assets. Broadly speaking, it is unclear what it means to have custody of a crypto asset in a way that both satisfies regulatory scrutiny and delivers on the safeguarding function.

In other words, the checks that regulators place on advisers and funds in the spirit of protecting investors (e.g., the use of qualified custodians, reporting requirements, and third-party audits) are at odds with what is necessary to physically keep crypto assets safe. The problem is unique to crypto because it is the only asset class to rely on public key cryptography to denote ownership and effect trades.

If, for instance, a custody agreement between an adviser (or fund) and bank custodian calls for the custodian to maintain physical possession of the public and private keys associated with a client’s crypto assets, what steps must the custodian take to ensure that the private key cannot be lost or stolen? [73] Would printing the private key on a piece of paper and storing it in a deposit box suffice? Should the custodian build its own proprietary wallet service? How will the custodian balance hot storage and cold storage? Or how about avoiding the headache of private keys entirely and opting to obtain the log-in information for the client’s preferred third-party wallet provider instead? Given these challenges, what level of liability is the custodian willing to accept in the custody agreement? 

Current custody methods and centralized securities holdings are designed to protect against adviser theft, misappropriation, or inadvertent loss of assets. But it is unclear whether a custodian of crypto assets will be able to mitigate adviser fraud given the practical difficulty of truly securing bearer instruments like private keys. An investment adviser who wants to transfer crypto assets out of custody may do so and then abscond with the assets, no matter how robust the security measures were while the asset was under the custodian’s supervision.[74]

The exact nuances of securing crypto assets, while related to custody, are not necessarily within the regulatory purview of the SEC. The Commission deferred to banks and financial industry SROs to implement acceptable standards for vaults back when stocks were in physical paper form, and again for CSDs and intermediated trading more recently. Thus, despite the implications new custody procedures may have on market integrity, the SEC has historically taken a hands-off approach in determining adequate safeguarding solutions.

But physically securing assets is only part of the equation. There is an inherent tension between the physical safekeeping and independent auditing requirements as applied to crypto assets. Today, bank custodians’ primary function is recordkeeping. Surprise audits are a reasonable mechanism for regulating firms in this space. But is the same principle true for banks holding crypto assets? Depending on the bank’s security features, an audit may involve bringing online assets typically housed in cold storage. If the main objective for crypto custody is limiting access to private keys (because whoever has the private key controls the asset), is it counterproductive to expose private keys to accountants for auditing purposes when those keys were moved to cold storage specifically to limit misappropriation risk in the first place?[75]

Perhaps most importantly, how will the independent auditors verify ownership of the crypto assets? This task may require technical expertise beyond that of traditional accounting firms. And even for an auditor with proficiency in blockchain technology, it may not be possible to determine that the private key held by the custodian actually represents an ownership interest in the crypto asset.[76]
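The two technical points above, that the address is tied to a key pair whose private half alone can sign (the wallet discussion earlier), and that an auditor wants evidence of control without the key ever leaving cold storage (the audit tension just described), can be made concrete with a small worked example. The following Python script is added here and is not code from this paper or from any custodian it names. It implements a deliberately minimal, unhardened ECDSA over secp256k1 (the curve Bitcoin and Ethereum use) so that it runs with no third-party dependencies; the address encoding and the nonce derivation are simplifications assumed for illustration, not any chain’s real scheme. The `verify_control` function is the auditor-side check: the custodian signs a fresh challenge chosen by the auditor, and the auditor verifies it against the address on the books without seeing the private key.

```python
"""Toy secp256k1 ECDSA: key ownership, addresses, and proof of control.

Added example; not code from the paper or any custodian it names. Curve
arithmetic is not constant-time, the nonce is a simplified deterministic
derivation (not RFC 6979), and the address is a stand-in encoding. Do not
use this to hold real funds.
"""
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin and Ethereum use)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Elliptic-curve point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:  # doubling; secp256k1 has a = 0 so the slope is 3x^2 / 2y
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def _hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def public_key(priv):
    """pub = priv * G. One-way: recovering priv from pub is the discrete log problem."""
    return _mul(priv, G)


def generate_keypair():
    """The private key is a random integer in [1, N-1], generated once; nothing can regenerate it."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, public_key(priv)


def address_of(pub):
    """Assumed address scheme: SHA-256 of the compressed public key, truncated to 20 bytes."""
    x, y = pub
    compressed = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return hashlib.sha256(compressed).hexdigest()[:40]


def sign(priv, msg):
    """ECDSA signature (r, s) over SHA-256(msg). Only the private key holder can produce it."""
    z = _hash_int(msg)
    counter = 0
    while True:
        # Nonce bound to priv and msg: reusing k for two messages leaks priv.
        seed = priv.to_bytes(32, "big") + hashlib.sha256(msg).digest() + counter.to_bytes(4, "big")
        k = _hash_int(seed) % N
        counter += 1
        if k == 0:
            continue
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r, s


def verify(pub, msg, sig):
    """Anyone with the public key can check a signature without learning the private key."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = _add(_mul(_hash_int(msg) * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def verify_control(address, pub, challenge, sig):
    """Auditor check: revealed pub must hash to the address on the books and the
    signature over the auditor's fresh challenge must verify. The key never moves."""
    return address_of(pub) == address and verify(pub, challenge, sig)


if __name__ == "__main__":
    custodian_priv, custodian_pub = generate_keypair()
    addr = address_of(custodian_pub)
    challenge = b"audit-challenge-" + secrets.token_hex(8).encode()  # fresh per audit
    print("address on books:", addr)
    print("proof accepted:", verify_control(addr, custodian_pub, challenge, sign(custodian_priv, challenge)))
    other_priv, other_pub = generate_keypair()
    print("proof from another key:", verify_control(addr, other_pub, challenge, sign(other_priv, challenge)))
```

Two caveats follow directly from the code and match the paper’s point about bearer secrets. First, the challenge must be fresh and auditor-chosen; accepting a signature over an old or custodian-chosen message would let a replayed signature pass for present control. Second, a valid signature proves that whoever produced it had the private key at that moment, not that nobody else has a copy, so a signing ceremony establishes possession, never exclusivity.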

Clearance and settlement will also be an issue. Recall, the intermediary holding system works, in large part, because securities are housed in a central depository with a limited number of market participants authorized to access the IT infrastructure that communicates with the depository. How should the financial industry approach the integration of assets capable of universal distribution into a system that relies on a single central database? The current system’s cohesiveness gives intermediaries the ability to settle cash and security transactions on a net basis daily. But, for example, if crypto assets are held in cold storage, daily settlement is probably not an option.[77] Given crypto assets’ high volatility, intermediary risk is compounded the longer it takes to effectuate settlement.

The biggest challenge for broker-dealers planning to service crypto asset trades is the requirement for physical possession or control over all client securities.[78] Taken literally, broker-dealers would need to obtain—and safely store with a control location bank—the public and private keys for every customer trading in crypto.

But it is unclear how this would work in practice. Broker-dealers require significantly more liquidity than investment advisers and funds. Is it practical to think about custody in terms of securing individual private keys for firms that support thousands of trades each day? When broker-dealers execute trades for their customers, are the transactions memorialized on a blockchain or recorded on an internal balance sheet? And to the extent that certain tokens also count as qualified securities under the second arm of Rule 15c3-3, is a weekly tally for the reserve amount sufficient given the high volatility of crypto assets?

The liquidity needs also raise a question related to the relationship a broker-dealer may need to have with a crypto exchange. Since pricing varies by exchanges, how will broker-dealers determine the appropriate rate to quote their customers? As the primary mechanism for entering and exiting the crypto markets, will broker-dealers become dependent on crypto exchanges to satisfy liquidity? More likely, increasing trading volumes on crypto exchanges will lead to a push from regulators to have crypto exchanges register as national exchanges or alternative trading systems under the Exchange Act. That said, many of the largest crypto exchanges operate in countries outside the SEC’s jurisdiction.

The previous illustrations of the likely safekeeping challenges for bank custodians also apply for broker-dealers using banks as their control location.

The Cybersecurity Question

We noted earlier that custodian banks began as experts in physical safekeeping with vaults and safes. And although it is not brand new, the shift to immobilized, dematerialized securities and electronic book-entry settlement is a relatively recent endeavor. Now, bank custodians are suddenly being asked to adopt and become fluent in the nuances of crypto assets, public key cryptography, and blockchain technology. Admittedly, this is not their area of expertise.

Thus, as a threshold matter, regulators should consider whether bank custodians (and their partner securities intermediaries) are the right people for the job. In other words, does it make sense to task legacy financial institutions with developing the IT infrastructure necessary to make investing in digital assets possible on a grand scale? The unique characteristics of digital assets make this, in large part, a cybersecurity assignment.

To be sure, financial intermediaries are highly proficient in cybersecurity—evidenced by the digital network they created to facilitate secure trading and settlement among CSDs, custodians, clearing agencies, and national exchanges. But cybersecurity expertise and cryptography expertise are not one and the same. The existing financial market infrastructure was not designed with compatibility for cryptographically controlled assets in mind. Integrating crypto assets into the current systems would involve significant financial and human capital considerations.

The alternative would require custodians to depart from decades of established custodial practices to rely on third-party technology.[79] Third-party custodians are digitally-native custody startups established specifically to safeguard digital assets. A handful of custody startups are technically qualified custodians (though not approved by the SEC).[80]

The startups leveraged a workaround in the definition of “bank” under the Advisers Act and the ’40 Act which allows them to register as state-chartered limited purpose trust companies and meet the definition of a custodian under both Acts. Section 202(a)(2) of the Advisers Act and Section 2(a)(5) of the ’40 Act, define “bank” to include, among other entities,

“a trust company…doing business under the laws of any State or of the United States…[which] consists of receiving deposits or exercising fiduciary powers similar to those permitted to national banks…and which is supervised and examined by state or federal authority having supervision over banks or saving associations…”[81]

Assessing whether a state-chartered trust company qualifies under this definition turns on the interpretation of “fiduciary powers” for the purposes of that state’s banking oversight function. Notably, New York trust company fiduciary powers include acting as a custodian.[82] Indeed, two of the largest custody startups—Coinbase Custody and Gemini—are registered as New York State-chartered limited purpose trust companies.[83] Receiving a state trust charter provides the benefit of avoiding multistate money transmitter licensing and may allow the company to operate in other U.S. states.

The SEC’s unwillingness to recognize these entities as valid custodians likely stems from the fact that the ’40 Act exempts from the definition of a “bank” trust companies operating solely for the purpose of evading the requirements of the Act.[84]

Undeterred, the startups pitch institutional investors on their proprietary security technology, best-in-class policy controls, and broad wallet and token support.[85] There is very little explanation of what these features mean in practice (presumably to preserve the integrity of the security solutions). Many of the biggest custody startups also operate exchanges and provide wallet services. Their marketing materials describe internal protocols designed to avoid conflicts of interest between the various lines of business. But without regulatory oversight there is no way to verify the legitimacy of their services.[86]

Ultimately, every meaningful exploration into the cybersecurity challenges surrounding crypto assets begins and ends with the private key. Anyone with a moment’s exposure to the key has the ability to control the asset. And no matter how extensive a custodian’s labyrinth of passwords, wallets, hard-drives, locks, or vaults may be, securing private keys against intrinsic and extrinsic threats is essentially an impossible task.

We consider the cybersecurity question independent from the custody considerations because the need for stronger cybersecurity controls is pervasive. While the crypto industry remains extremely susceptible to bad actors (hackers stole $1 billion in crypto assets from exchanges and personal wallets in 2018), the threats affecting these networks and entities cannot be remedied by a custodian.[87]

If blockchain-based assets and conventional intermediaries are to coexist, the pressing question for regulators is twofold. Broadly, are regulators comfortable integrating assets with an inherent misappropriation risk into our financial systems? And if so, are they willing to merge “custody” with “cybersecurity” in defining safeguarding mechanisms for financial institutions holding crypto assets, thus deviating from the longstanding practice of deferring to industry SROs for custody implementation?



[1] Rachel Wolfson, Custodial Solutions Are the Latest Innovation in Cryptocurrency Ecosystem As Seen By Coinbase and Others, Forbes (Sept. 20, 2018),

[2] See 15 U.S.C. § 78aaa (2018); 15 U.S.C. § 80a-1 (2018); 15 U.S.C. § 80b (2018).

[3] See Olga Kharif and Sonali Basak, Regulated Crypto Custody is (Almost) Here. It’s a Game Changer., Bloomberg (June 18, 2018 5:00 AM),

[4] Vildana Hajric, Goldman Says Regulatory Hurdles Prevent Holding of Crypto Assets, Bloomberg (Nov. 27, 2018 3:02 PM),

[5] See Kharif, supra note 3; see also Rachel Wolfson, Custodial Solutions Are the Latest Innovation in Cryptocurrency Ecosystem As Seen By Coinbase and Others, Forbes (Sept. 20, 2018),

[6] See U.S. Dep’t of the Treasury, Comptroller of the Currency, Administrator of National Banks, Custody Services: Comptroller’s Handbook 74 (2002),

[7] Issuer Restrictions or Prohibitions on Ownership by Securities Intermediaries, Exchange Act Release No. 34-50758A, 70 Fed. Reg. 70862, n.21 (Mar. 15, 2005), available at

[8] What is a “Registered” Owner? What is a “Beneficial” Owner?,

[9] See The Clearing House, The Custody Services of Banks 4 (2016),

[10] See The Clearing House, supra note 9, at 12.

[11] See Charles W. Mooney Jr., Global Standards for Securities Holding Infrastructures: A Soft Law/Fintech Model for Reform 2 (Faculty Scholarship at Penn Carey Law, 2019),

[12] Issuer Restrictions or Prohibitions on Ownership by Securities Intermediaries, Exchange Act Release No. 34-50758A, 70 Fed. Reg. 70862, n.27 (Mar. 15, 2005), available at

[13] See The Clearing House, supra note 9, at 15.

[14] See Sophia Green, Rules of Engagement Become Blurry, Financial Times (Feb. 1, 2009),

[15] Id.

[16] See The Clearing House, supra note 9, at iii.

[17] Assets held by a bank under a custodial agreement are not the bank’s assets. If the custodian were to become insolvent, the beneficial owner’s ownership interest in the underlying security would be protected because security entitlements are separate from the custodian’s estate. And unlike broker-dealers, who may exercise discretion over client assets, custodian banks cannot use assets on the client’s behalf or for their own purposes. Any decisions to buy or sell securities are made solely by the beneficial owner. The custodian’s role is limited to holding securities in client accounts and processing client-initiated transactions. See The Clearing House, supra note 9, at vi.

[18] See id. at 3.

[19] Id.

[20] See 15 U.S.C. § 80a-1 (2018); 15 U.S.C. § 80b (2018).

[21] The SEC also generated custody rules for managers and funds under its rulemaking authority set forth in the Investment Advisers and Investment Company Acts of 1940, respectively. See 17 C.F.R. § 270.17f1-7 (2018); 17 C.F.R. § 275.206(4)-2 (2018).

[22] See 12 C.F.R. § 9.13 (2010).

[23] See Jesse Kanach et al., Crypto Fundamentals: Custody and Why the Legal Issues Surrounding it Matter 12 (2018), [hereinafter Crypto Fundamentals].

[24] Id.

[25] See Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO (July 25, 2017),

[26] See Immaculate Dadiso Motsi-Omoijiade, Financial Intermediation in Cryptocurrency, in Handbook of Blockchain, Digital Finance, and Inclusion 207, 209 (David Lee Kuo Chuen ed., 2017) [hereinafter Financial Intermediation in Cryptocurrency Markets].

[27] Id. at 209.

[28] Id. at 214.

[29] See Kevin Werbach, The Blockchain and the New Architecture of Trust 40 (Sandra Braman ed., 2018).

[30] Id. at 40.

[31] See Noelle Acheson, How to Store Your Bitcoin, Coindesk (Jan. 20, 2018),

[32] Wallets come in a variety of formats, and each wallet type has its own advantages and vulnerabilities. At a high level, wallets can be divided into five categories: desktop, mobile, online, paper, and hardware wallets. Desktop wallets are software that is downloaded locally on a user’s computer. Similarly, mobile wallets operate through a mobile app on a smartphone. Online wallets are cloud-based services that may be accessed from any internet-enabled device at any location. Paper wallets are generally thought to be the least secure, as they consist of writing down the private key on a piece of paper and storing it somewhere the user deems safe. Finally, hardware wallets are specialized devices akin to a USB thumb-drive. These devices store private keys offline and may be connected to an internet-enabled device whenever the user needs to initiate a transaction with their tokens. See Noelle Acheson, How to Store Your Bitcoin, Coindesk (Jan. 20, 2018),

[33] See Financial Intermediation in Cryptocurrency Markets, supra note 26, at 215.

[34] See Financial Intermediation in Cryptocurrency Markets, supra note 26, at 215.

[35] See Dennis Chu, Note, Broker-Dealers for Virtual Currency: Regulating Cryptocurrency Wallets and Exchanges, 118 Colum. L. Rev. 2323, 2328 (2018).

[36] Sarah J. Hughes & Stephen T. Middlebrook, Advancing a Framework for Regulating Cryptocurrency Payments Intermediaries, 32 Yale J. on Reg. 495, 497 (2015),

[37] Id. at 497-98. 

[38] Lindsay X. Yin, Deconstructing Decentralized Exchanges, Stan. J. Blockchain L. & Pol’y (2015),

[39] Id.

[40] Based on data from, a token and exchange aggregator website. See Top Cryptocurrency Exchanges by Trading Volume, (last visited Feb. 28, 2019); Sara Hansen, Guide to Top Cryptocurrency Exchanges, Forbes (June 20, 2018),

[41] See Hansen, supra note 40.

[42] See Kira Egorova, Crypto Exchanges, Explained, Cointelegraph (Jul. 10, 2018),

[43] See Stan Higgins, As Bitcoin Soars, Prices Diverge Wildly Across Exchanges, Coindesk (Dec. 7, 2017),

[44] See Dechert LLP, Financial Services Quarterly Report, JDSupra (Apr. 18, 2019); see also Coinbase, Legal,

[45] Press Release, N.Y. State Dep’t Fin. Services, NYDFS BitLicense is First Comprehensive Regulatory Framework for Firms Dealing in Virtual Currency Such as Bitcoin (Sept. 22, 2015),

[46] N.Y. State Dep’t Fin. Services, BitLicense Frequently Asked Questions (2019),

[47] See Jimmy Aki, Bitstamp Receives New York BitLicense, Bitcoin Magazine (Apr. 10, 2019), (describing Bitstamp as the recipient of New York Department of Financial Service’s nineteenth BitLicense); Jen Wieczner, Inside New York’s BitLicense Bottleneck: An ‘Absolute Failure?’, Fortune (May 25, 2018),

[48] See Caitlin Long, What Do Wyoming’s 13 New Blockchain Laws Mean?, Forbes (Mar. 4, 2019),

[49] See Nirupama Devi Bahaskar & David Lee Kuo Chuen, Bitcoin Exchanges, in Handbook of Digital Currency 560 (David Lee Kuo Chuen ed., 2015).

[50] There are a handful of decentralized exchanges that substitute the escrow service of centralized exchanges for a series of smart contracts that pull crypto assets directly from users’ personal wallets. However, decentralized exchanges harbor their own challenges, and low adoption has led to liquidity issues. See Loi Lou, Solving the Liquidity Challenge of Decentralized Exchanges, Coindesk (Aug. 13, 2017),

[51] See Charles W. Mooney Jr., Global Standards for Securities Holding Infrastructures: A Soft Law/Fintech Model for Reform 3 (Faculty Scholarship at Penn Carey Law, 2019),

[52] See Sarah J. Hughes & Stephen T. Middlebrook, Advancing a Framework for Regulating Cryptocurrency Payments Intermediaries, 32 Yale J. on Reg. 495, 497 (2015),

[53] Steven Russolillo & Eun-Young Jeong, Cryptocurrency Exchanges Are Getting Hacked Because It’s Easy, Wall St. J. (July 16, 2018 1:14 AM),

[54] Nathaniel Popper, Mt. Gox Creditors Seek Trillions Where There are Only Millions, N.Y. Times: DealBook (May 25, 2016),

[55] Id.

[56] Id. In an odd twist, after Mt. Gox defaulted, its CEO “found” 200,000 bitcoins on an old wallet. Due to the drawn-out bankruptcy proceedings, the 200,000 bitcoins appreciated in value to more than $1 billion during the 2017 bitcoin rally and the creditors were subsequently repaid. See Adrianne Jeffries, Inside the Bizarre Upside-Down Bankruptcy of Mt. Gox, The Verge (Mar. 22, 2018),

[57] See 17 C.F.R. § 275.202(a)(11) (2018).

[58] Investment Advisers, FINRA,

[59] 17 C.F.R. § 275.206(4)-2 (2018).

[60] Staff of the Inv. Adviser Reg. Off., Regulation of Investment Advisers by the U.S. Securities and Exchange Commission 33 (2013),

[61] See 17 C.F.R. § 275.206(4)-2(d)(6)(i)-(iv) (2018).

[62] The Off. of Invest. Educ. and Advoc., Investor Bulletin: Custody of Your Investment Assets (2013),

[63] Staff of the Sec. Exch. Comm’n Division of Inv. Mgmt., Information for Newly-Registered Investment Advisers (2010),

[64] Id.

[65] See The Off. of Invest. Educ. and Advoc., supra note 62.

[66] A permissible bank custodian under the ’40 Act is a bank with at least $500,000 in aggregate capital, surplus, and undivided profits. See 17 C.F.R. §270.17f (2018).

[67] See 1 Regulation of Investment Companies § 8.02 (2019). An alternative to bank custody is “self-custody” in which a registered fund may keep client securities and similar investments with a bank or other depository whose operations are supervised by federal or state authorities. The fund’s assets must be physically segregated from other assets held by the bank and are subject to verification by an independent accountant three or more times per year.

[68] Press Release, U.S. Sec. and Exch. Comm’n, SEC Adopts Amendments to Financial Responsibility Rules for Broker-Dealers (July 31, 2013),

[69] Id.

[70] See 17 C.F.R. § 240.15c3-3(b)(1) (2018). Excess margin securities in a customer account are those securities with a market value greater than 140 percent of the customer’s debit balance. See Key SEC Financial Responsibility Rules 137,

[71] 15 U.S.C. § 78c-3(a)(6) (2018).

[72] Once a week, the broker-dealer is required to add up the total credit items it owes customers and subtract outstanding debits. If the credits exceed the debits, the broker-dealer must deposit the net amount into the reserve account. Those funds cannot be used for the proprietary activities of the firm. See In the Matter of Merrill Lynch, Pierce, Fenner & Smith Inc., Exchange Act Release No. 78141 (June 23, 2016),

[73] We discuss digitally-native alternative custody solutions in “The Cybersecurity Question” section. These entities have received approval as custodians by registering as state-chartered trust companies.

[74] See Debevoise & Plimpton, Custody of Digital Assets: Centralized Safekeeping of Decentralized Assets Under the Investment Advisers Act 10 (2018), To be sure, the advent of multi-signature (“multi-sig”) wallets has partially solved for this. The contents held in a multi-sig wallet remain inaccessible unless multiple authorized parties each correctly input in their corresponding private key. Additional security layers may be enforced through smart contract multi-sig wallets such as limiting transfers to pre-designated wallets or the frequency of transfers in a given timeframe. See Thomas Kerin, The Year of Multisig: How is it Doing So Far?, Coindesk (May 17, 2014),
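The three controls this note describes for a multi-sig custody wallet (an M-of-N approval threshold, transfers restricted to pre-designated wallets, and a cap on transfer frequency within a time window), as an added illustration that is not code from the paper or from any custody product. Officer names, secrets and the HMAC-based stand-in for per-party private-key signatures are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for a multi-sig custody wallet (not any product's code).
# Each officer holds a secret; HMAC tags stand in for the per-party private-key
# signatures (ECDSA/Ed25519) that a real multi-sig wallet would verify on-chain.
OFFICER_KEYS = {
    "alice": b"alice-secret",
    "bob": b"bob-secret",
    "carol": b"carol-secret",
}

def sign(officer: str, message: bytes) -> bytes:
    """Stand-in for signing a transfer with one officer's private key."""
    return hmac.new(OFFICER_KEYS[officer], message, hashlib.sha256).digest()

@dataclass
class Transfer:
    to_wallet: str
    amount: int
    nonce: int  # makes every transfer message unique, so approvals cannot be replayed

    def encode(self) -> bytes:
        # Signatures are bound to destination, amount and nonce together.
        return f"{self.to_wallet}|{self.amount}|{self.nonce}".encode()

@dataclass
class MultiSigPolicy:
    threshold: int            # M of N officers must approve (the multi-sig rule)
    allowed_wallets: set      # transfers only to pre-designated wallets
    max_transfers: int        # at most this many approved transfers ...
    window_seconds: int       # ... within this many seconds
    history: list = field(default_factory=list)  # timestamps of approved transfers

    def authorize(self, tx: Transfer, approvals: dict, now: float) -> tuple:
        """Apply the three controls in order; return (approved, reason)."""
        if tx.to_wallet not in self.allowed_wallets:
            return False, "destination not pre-designated"
        msg = tx.encode()
        # Count only approvals whose signature verifies for *this* transfer;
        # dict keys are unique, so one officer cannot be counted twice.
        valid = {
            officer for officer, sig in approvals.items()
            if officer in OFFICER_KEYS and hmac.compare_digest(sig, sign(officer, msg))
        }
        if len(valid) < self.threshold:
            return False, f"only {len(valid)} of {self.threshold} valid approvals"
        recent = [t for t in self.history if now - t < self.window_seconds]
        if len(recent) >= self.max_transfers:
            return False, "transfer frequency limit reached"
        self.history = recent + [now]
        return True, "approved"
```

A signature over one transfer does not validate another, so a stale approval collected for an earlier withdrawal cannot be reused to push through a different amount or destination.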

[75] See Debevoise & Plimpton, supra note 74, at 9.

[76] However, there are startups doing this kind of work specifically for the blockchain industry. For example, Elliptic is a cryptocurrency analytics and intelligence firm that specializes in auditing crypto exchanges for anti-money laundering compliance and forensic and investigative services. See What We Do, Elliptic,

[77] One exchange has started integrating its platform with cold storage, meaning its customers may more readily transact with assets maintained offline. See Ana Alexandre, Coinbase Custody Conducts First OTC Trade From Cold Storage, Cointelegraph (Mar. 13, 2019),

[78] 17 C.F.R. § 240.15c3-3(b)(1) (2018).

[79] See Jesse Kanach et al., Crypto Fundamentals: Custody and Why the Legal Issues Surrounding it Matter 15 (2018),

[80] Press Release, U.S. Sec. and Exch. Comm’n, SEC Suspends Trading in Company for Making False Cryptocurrency-Related Claims about SEC Regulation and Registration (Oct. 22, 2018), (“The SEC does not endorse or qualify custodians for cryptocurrency, and investors should use vigilance when considering an investment in an initial coin offering … .”) (internal quotations omitted).

[81] 15 U.S.C. § 80a-17(f)(1) (2018). See also § 80a-26(a)(1) (2018); § 80a-2(a)(5)(C) (2018); 15 U.S.C. § 80b-2(a)(2) (2018).

[82] See New York State Department of Financial Services, Information and Procedure for the Organization of a Trust Company for the Limited Purpose of Exercising Fiduciary Powers (last visited April 18, 2019),

[83] See Beyond Enterprise-Grade Security, Digital Asset Custody Company; Custody Agreement, Gemini (Nov. 19, 2018); see also Crypto Asset Custody for Institutions, Coinbase Custody,

[84] 15 U.S.C. § 80a-2(a)(5)(C) (2018).

[85] See, e.g., Custody Services, Gemini (Nov. 19, 2018); see also Crypto Asset Custody for Institutions, supra note 83.

[86] On the other end of the spectrum, a few traditional custody providers and investment managers announced plans to launch divisions designed to facilitate cryptocurrency transactions and provide custody for the assets. The announcements for these initiatives coincided with the late-2017 bitcoin rally, and subsequent information about their progress has been limited. See Anna Irrera, Fidelity Launches New Company for Trading and Storing Cryptocurrencies, Reuters (Oct. 15, 2018); Hugh Son, Dakin Campbell & Sonali Basak, Goldman is Setting Up a Cryptocurrency Trading Desk, Bloomberg (Dec. 21, 2017),

[87] See Matthew Leising, Crypto’s Billion-Dollar Theft Problem Prompts Safer Way to Trade, Bloomberg (Jan. 16, 2019),

[88] Jesse Kanach et al., Crypto Fundamentals: Custody and Why the Legal Issues Surrounding it Matter 15 (2018),

[89] Leslie Ankney, Why Custodians are Coming to Crypto, Forbes (Mar. 14, 2019, 03:20 PM),

[90] Kate Rooney, Companies Race to Solve Bitcoin’s Security Problem Despite Slumping Prices, CNBC (Sept. 12, 2018),

[91] Kate Rooney, Companies Race to Solve Bitcoin’s Security Problem Despite Slumping Prices, CNBC (Sept. 12, 2018),

[92] Olga Kharif and Sonali Basak, Regulated Crypto Custody is (Almost) Here. It’s a Game Changer., Bloomberg (June 18, 2018 5:00 AM),