Growing Concern on Safekeeping of Crypto Assets

On Jan. 14, 2020, the Financial Services Agency of Japan (JFSA) published draft amendments of enforcement orders, cabinet office ordinances and guidelines (“Proposed Amendment”) concerning the recently amended and enacted crypto asset laws. The amended laws enhance the regulations on transactions related to crypto assets, such as cryptocurrency trades and administration, crypto derivatives, and security token offerings (STOs).1 

Japan started to regulate cryptocurrencies exchanges in April 2017 under international demand to cope with money laundering and terrorist financing issues. However, cryptocurrency thefts from online wallets of crypto exchanges occurred on several occasions due to insufficient security measures against hacking. In October 2018, the Financial Action Task Force revised its recommendations on anti-money laundering and combatting the financing of terrorism (AML/CFT), by which “crypto custody service provider” was included in the definition of “virtual asset service provider” to clarify the need to regulate the custody service providers.

To tackle the increasing risk of hacking and international concern on AML/CFT in relation to crypto custody, the Act on Settlement of Funds (Act No. 59 of 2009), or Payment Services Act (PSA), which regulates crypto asset exchange operators (“CA Exchangers”), was amended to heighten the standard for cryptocurrency administration by requiring segregation of customer crypto assets and use of offline storage, and to mandate independent crypto custody service providers to be registered under the PSA.

The Proposed Amendment provides details for the regulations on crypto assets, including those on crypto custody services.

Crypto Custody Service Under the PSA

The PSA defines the custody of crypto assets (“CA Custody”) as “administration of crypto assets on behalf of another person.” It was unclear what type of service would be regulated as “CA Custody” under the PSA, because the definition was quite broad. The Proposed Amendment supplements this definition by a guideline as follows:

If a service provider is in a position to execute the transfer of users' crypto assets on its own, for example, when the service provider holds private keys by itself or jointly with another person, by which the service provider can initiate crypto assets transfer without the users’ involvement, such service is recognized as CA Custody under the PSA, provided that whether a service falls under “administration of crypto assets on behalf of another person” shall be determined substantively based on the actual services on a case-by-case basis.

For example, if a service provider keeps two private keys for a 2-of-3 multisig wallet holding a user’s cryptocurrencies, such service provider would be viewed as conducting CA Custody service, because the service provider can transfer a user’s cryptos without a user’s involvement. In contrast, if the keys are distributed among the user and two service providers, each provider holding only one private key cannot transfer a user’s cryptos by itself. In such case, both providers would not be regulated as CA Custody unless the providers jointly hold the private keys and act in concert so that they can transfer the user’s crypto assets by themselves.

Although the guideline provides some clarity, the applicability of CA Custody regulations to some practical cases remains ambiguous and shall be assessed substantively based on the actual services provided as the guideline stipulates. For example, if a company receives customers’ cryptocurrencies in connection with its services, but does not intend to provide the crypto custody service (e.g., pledged as collateral), it should carefully consider its operations and business structure to avoid being recognized as providing CA Custody services under the PSA.2

Registration and Segregation Requirements

To provide crypto custody services for Japanese residents, the service provider is required to be registered as a CA Exchanger under the PSA even if it does not engage in sale or purchase of cryptocurrencies. CA Exchanger is generally required to be a joint-stock company (kabushikigaisya) established in Japan under Japanese law. If a foreign crypto custody service provider is licensed or registered in its home jurisdiction, such provider may apply for the CA Exchanger registration by having an office and a representative in Japan without establishing a company in Japan.

The registered CA Custody service provider principally needs to keep customers’ crypto assets in an offline environment, e.g., a cold wallet. For the purposes of users’ convenience and streamlined provision of custody service, the service provider may keep a minimum amount of crypto assets in an online environment, but the value of such cryptos held online shall not exceed 5% of the total value of crypto assets the service provider holds for its customers. In addition, the provider must maintain the cryptocurrencies of its own at least in the same amount as that of customers’ crypto assets held in a hot wallet (“Guaranty Crypto Assets”) to protect customers. The Guaranty Crypto Assets must be held in an offline environment, and the CA Custody service provider is required to segregate the customers’ crypto assets and Guaranty Crypto Assets from the other assets of its own.

Requirements for AML and CFT

A CA Exchanger including the Crypto Custody service provider is required to conduct onboarding and ongoing Know-Your-Customer procedures such as customer identity verification, screening, customer due diligence, periodic review and recordkeeping. In addition, the CA Custody service provider must report suspicious transactions to the regulators.

Schedule

The Proposed Amendment is subject to a public comment process, which will close on Feb. 13, 2020, and may be modified or provided with further guidance by the JFSA. After the public comment process of the Proposed Amendment, the amended laws will go into effect, which is expected by May 2020. An existing crypto custody service provider is required to file an application for the CA Exchanger registration within the grace period of six months and to get registered within 18 months after the implementation of the amended PSA in order to continue its services for the residents in Japan.