
a16z: 5 principles for crypto asset custody


Reprinted from chaincatcher

04/18/2025

Original title: Holding the future: Custody principles for a tokenized world

Original author: Scott Walker, Kate Dellolio, David Sverdlov, a16z

Original translation: Luffy, Foresight News

Registered investment advisors (RIAs) who invest in crypto assets face unclear regulation and limited custody options. To complicate matters, crypto assets carry ownership and transfer risks that differ from those of the assets RIAs have previously been responsible for. RIAs' internal teams (operations, compliance, legal and other departments) have gone to great lengths to find custodians that are willing and able to meet expectations, and despite these efforts they still struggle to find qualified custodians, with the result that RIAs have to hold these assets themselves. Crypto asset custody therefore currently faces unique legal and operational risks.

What the crypto industry needs is a principled approach to this critical problem for professional investors who help clients protect their crypto assets. In response to the SEC's recent request for information, we have developed a set of principles that, if implemented, would extend the objectives of the Investment Advisers Act custody rule to the new crypto asset class.

What is different about crypto asset custody

For a traditional asset, the holder's control of the asset means that no one else controls it. This is not the case with crypto assets: multiple entities may have access to the private keys associated with a given set of crypto assets.

Crypto assets often come with a variety of inherent economic and governance rights that are central to the asset. Traditional debt or equity securities earn income (such as dividends or interest) "passively": once acquired, no transfer of the asset or further action is needed. By contrast, holders of crypto assets may need to take action to unlock specific returns or governance rights associated with the asset. Depending on the capabilities of the third-party custodian, RIAs may need to temporarily transfer these assets out of custody to unlock those rights. For example, certain crypto assets can earn income through staking or yield farming, or carry voting rights on governance proposals for protocol or network upgrades. These differences from traditional assets create new challenges for crypto asset custody.

To help work out when self-custody is appropriate, we have developed this flowchart.

The principles

The principles we propose here are designed to demystify custody for RIAs while preserving their responsibility to protect client assets. Currently, the market of qualified custodians (such as banks or broker-dealers) focused on crypto assets is extremely narrow; our main focus is therefore on a custodian entity's ability to provide the substantive protections we believe are necessary to custody crypto assets, not merely on the entity's legal status as a qualified custodian under the Investment Advisers Act.

We recommend that RIAs that are able to meet the substantive protection requirements use self-custody when third-party custody solutions that meet those substantive protections are unavailable or do not support the exercise of economic and governance rights.

Our goal is not to extend the scope of the custody rule beyond securities. These principles apply to crypto assets that are securities, and set a standard for other asset types consistent with RIAs' fiduciary duties. RIAs should seek to hold crypto assets that are not securities under similar conditions, and should document their custody practices for all assets, including the reasons for any significant differences in custody practices between asset types.

Principle 1: Legal status should not determine the qualifications of crypto asset custodians

Legal status, and the protections attached to a particular legal status, matter to a custodian's clients, but they are not the only consideration when it comes to crypto asset custody. For example, federally chartered banks and broker-dealers are subject to custody regulations that provide strong client protections, but state-chartered trust companies and other third-party custodians can provide similar levels of protection.

A custodian's registration status should not be the sole determinant of whether it is eligible to custody crypto asset securities. In crypto, the scope of "qualified custodian" should be expanded to also include:

  • State-chartered trust companies (meaning that, apart from being supervised and examined by state or federal banking regulators, they need not meet the other criteria of the definition of "bank" in the Investment Advisers Act);

  • any entity registered under the (proposed) federal crypto market structure legislation;

  • Any other entity that demonstrates that it meets strict client protection standards, regardless of its registration status.

Principle 2: Crypto asset custodians should establish appropriate protective measures

Whatever technical tools are used, a custodian should take certain protective measures around crypto asset custody. These measures include:

1. Separation of powers: Crypto asset custodians should not be able to transfer crypto assets without the RIA's cooperation.

2. Asset segregation: Crypto asset custodians should not commingle assets held for RIAs with assets held for other entities. Registered broker-dealers may, however, use a single omnibus wallet, provided that they maintain up-to-date records of ownership of those assets at all times and disclose the arrangement to the relevant RIAs in a timely manner.

3. Custody hardware: Crypto asset custodians should not use any custody hardware or other tools that may introduce security risks or a risk of compromise.

4. Audits: Crypto asset custodians should undergo financial and technical audits at least once a year. These audits should include:

Financial audits conducted by PCAOB-registered auditors:

  • Service Organization Control (SOC) 1 Audit;

  • SOC 2 audit; and

  • Recognition, measurement and presentation of crypto assets from the holder's perspective;

Technical audits:

  • ISO 27001 certification;

  • Penetration testing; and

  • Disaster recovery procedures and business continuity planning testing.

5. Insurance: Crypto asset custodians should carry sufficient insurance coverage or, where insurance is unavailable, maintain sufficient reserves.

6. Disclosure: Crypto asset custodians must provide RIAs with a list of the major risks associated with the crypto assets they custody, together with the written supervisory procedures and internal controls that mitigate those risks. Crypto asset custodians should review this quarterly to determine whether the disclosures need updating.

7. Custody jurisdiction: Crypto asset custodians should not custody crypto assets in any jurisdiction whose local law provides that custodied assets become part of the custodian's bankruptcy estate upon its insolvency.

In addition, we recommend that crypto asset custodians implement process-related protections at each of the following stages:

  • Preparation: Review and evaluate the crypto assets to be custodied, including the key generation process and transaction signing procedures, whether they are supported by an open source wallet or software, and the provenance of every piece of hardware and software used in the key management process.

  • Key generation: Encryption should be applied at every level of this process, and multiple encryption keys should be required to generate the private key. The key generation process should be both "horizontal" (multiple encryption key holders at the same level) and "vertical" (multiple levels of encryption). Finally, the quorum requirement should also ensure the physical presence of certified personnel.

  • Key storage: Keys should never be stored in plaintext; they may only be stored in encrypted form. Keys must be physically separated, either by geographic location or by different access holders. If a hardware security module is used to hold a copy of a key, it must meet the applicable security level of the United States Federal Information Processing Standards ("FIPS"). Strict physical isolation and authorization controls should be in place. Crypto asset custodians should maintain at least two levels of encrypted redundancy so that they can continue operating in the event of a natural disaster, power outage or property damage.

  • Key usage: Wallets should require authentication; in other words, they should verify that the user's identity is genuine and that only authorized parties can access the wallet. Wallets should use mature open source cryptographic libraries. Another best practice is to avoid using one key for multiple purposes; for example, separate keys should be kept for encryption and for signing. Following the principle of least privilege, access to any asset, information or operation should be limited to the parties strictly necessary for the system to operate, so that the impact of a security breach is contained.
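The "horizontal" quorum (several key holders at the same level) and the "vertical" encrypted-at-rest layer described above, together with the separation-of-powers requirement in point 1, can be shown concretely with a threshold scheme. The following is an added example, not code from the a16z article or from any custodian; it uses Shamir secret sharing over a prime field for the horizontal split and an HMAC-SHA256 keystream as a stand-in for the key-encryption key a real HSM or KMS would provide. The 2-of-3 scenario (custodian, RIA, cold backup) and all key material are constructed for the demonstration.

```python
"""Added example: quorum-based key custody with an encrypted-at-rest layer.
Not the article's code; Shamir sharing and the HMAC wrap are this example's
own choices (standard library only)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Mersenne prime 2^521 - 1: every 32-byte secret is below it.
P = (1 << 521) - 1
SECRET_LEN = 32
Share = Tuple[int, int]  # (x, f(x)) with f(0) = secret


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of the polynomial whose constant term is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, threshold: int, holders: int) -> List[Share]:
    """Horizontal split: `holders` shares, any `threshold` of them reconstruct."""
    if len(secret) != SECRET_LEN:
        raise ValueError("secret must be %d bytes" % SECRET_LEN)
    if not 1 <= threshold <= holders:
        raise ValueError("need 1 <= threshold <= holders")
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def interpolate_at_zero(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0. Below the threshold this returns a
    value that is consistent with *any* secret, i.e. no information leaks."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recover_secret(shares: List[Share], threshold: int) -> bytes:
    """Quorum gate: refuse to reconstruct unless enough holders cooperate."""
    if len(shares) < threshold:
        raise PermissionError("quorum not met: %d of %d" % (len(shares), threshold))
    return interpolate_at_zero(shares[:threshold]).to_bytes(SECRET_LEN, "big")


def _keystream(kek: bytes, label: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; the label makes it unique per share."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(kek, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap_share(share: Share, kek: bytes) -> bytes:
    """Vertical layer: a share is stored only under a key-encryption key.
    Layout: 2-byte x in the clear (it is the keystream label) || encrypted y."""
    x, y = share
    xb, yb = x.to_bytes(2, "big"), y.to_bytes(66, "big")  # 66 bytes > 521 bits
    ks = _keystream(kek, b"share" + xb, len(yb))
    return xb + bytes(a ^ b for a, b in zip(yb, ks))


def unwrap_share(blob: bytes, kek: bytes) -> Share:
    """Inverse of wrap_share; only a holder of the KEK can recover the share."""
    xb, enc = blob[:2], blob[2:]
    ks = _keystream(kek, b"share" + xb, len(enc))
    return int.from_bytes(xb, "big"), int.from_bytes(bytes(a ^ b for a, b in zip(enc, ks)), "big")


def custody_demo() -> Dict[str, bool]:
    """Constructed 2-of-3 scenario: custodian, RIA and a cold backup each hold
    one share; the custodian's copy sits encrypted under a constructed KEK."""
    secret = secrets.token_bytes(SECRET_LEN)            # constructed signing key
    custodian, ria, backup = split_secret(secret, 2, 3)
    kek = secrets.token_bytes(32)                        # constructed KEK
    stored = wrap_share(custodian, kek)                  # what the custodian keeps on disk
    try:
        recover_secret([unwrap_share(stored, kek)], 2)   # custodian acting alone
        custodian_alone = True
    except PermissionError:
        custodian_alone = False
    return {
        "custodian_alone": custodian_alone,                                        # False
        "custodian_plus_ria": recover_secret([unwrap_share(stored, kek), ria], 2) == secret,
        "ria_plus_backup": recover_secret([ria, backup], 2) == secret,             # DR path
    }


if __name__ == "__main__":
    print(custody_demo())
```

The quorum gate in `recover_secret` is what makes point 1 (no transfer without the RIA) hold in code rather than in policy, and the `ria_plus_backup` path shows the redundancy the key-storage bullet asks for: losing the custodian's share or its KEK does not lose the asset. A production deployment would replace the HMAC wrap with an HSM-resident key and would never assemble the full secret in one process, using threshold signing instead; the split and quorum logic are the same.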

Principle 3: Crypto asset custody rules should allow registered investment advisors to exercise the economic or governance rights attached to custodied crypto assets

Unless otherwise directed by the client, RIAs should be able to exercise the economic or governance rights associated with custodied crypto assets. Under the previous SEC administration, given the uncertainty around token classification, many RIAs adopted the conservative strategy of placing all crypto assets with qualified custodians. As noted above, the market of custodians to choose from is limited, which often means that only one qualified custodian is willing to support a particular asset.

In these cases, RIAs may request that economic or governance rights be exercised, but the crypto asset custodian may decline to support those rights for various reasons. RIAs, in turn, feel they lack the authority to choose another third-party custodian or to self-custody in order to exercise those rights. These economic and governance rights include staking, yield farming and voting.

Under this principle, we argue that RIAs should select third-party crypto asset custodians that comply with the relevant protections and that allow RIAs to exercise the economic or governance rights attached to custodied crypto assets. If no third party satisfies both requirements, a temporary transfer of assets into self-custody by the RIA in order to exercise economic or governance rights should not be treated as a removal from custody.

All third-party custodians should make every effort to give RIAs the ability to exercise these rights while the assets remain in custody and, when authorized by the RIA, should take commercially reasonable steps to exercise any rights attached to the on-chain assets.

Before transferring an asset out of custody in order to exercise a right attached to a crypto asset, the RIA or the custodian must first determine in writing whether the right can be exercised without the transfer.

Principle 4: Crypto asset custody rules should be flexible enough to allow best execution

RIAs owe a duty of best execution when trading assets. To that end, RIAs may transfer assets to a crypto trading platform to achieve best execution, regardless of the status of the asset or of the custodian, provided that the RIA has taken the necessary steps to confirm the security of the trading venue, or has transferred the crypto assets to an entity regulated under the federal legislation once that legislation is finalized.

As long as the RIA determines that transferring crypto assets to a trading venue is prudent in order to achieve best execution, such a transfer should not be treated as a removal from custody. This requires the RIA to reasonably determine that the venue is suitable for best execution. If the trade cannot be properly executed at the venue, the assets should be returned to the crypto asset custodian immediately.

Principle 5: In certain circumstances, RIAs should be allowed to self-custody

While third-party custody should remain the primary choice for crypto assets, RIAs should be allowed to self-custody crypto assets in the following cases:

  • The RIA determines that no third-party custodian meeting its required protections can be found;

  • The RIA's own custody arrangements are at least as effective as the protections available from third-party custodians;

  • Self-custody is necessary to exercise any economic or governance rights associated with crypto assets.

When RIAs self-custody crypto assets for these reasons, they must confirm annually that the circumstances justifying self-custody have not changed, disclose the self-custody to clients, and subject those crypto assets to the audit requirements of the custody rule.

A crypto asset custody approach built on these principles allows RIAs to adapt to the unique characteristics of crypto assets while fulfilling their fiduciary duties. By focusing on substantive protections rather than rigid classifications, the principles offer a pragmatic path forward for protecting client assets and unlocking the capabilities of those assets. As the regulatory environment evolves, clear standards grounded in these protections will enable RIAs to manage crypto assets responsibly.
