- There are many different types of cryptocurrency wallet, some of which offer more functionalities than simply storing keys.
- Regulators have, to a large extent, approached digital assets including cryptocurrencies in one of three ways.
- In the UK, for Art 40 of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 to apply, both the safeguarding and administering of assets must be carried on.
Tokens valued at many billions of dollars move around the digital world at the click of a keyboard command on a daily basis with no physical form or central issuer or controller. Owners of these digital assets want to know who is responsible for ensuring that their digital wealth remains protected and available for use. For custodians and administrators, understanding the legal and regulatory consequences of their activities is equally critical. These are, however, complex legal questions in today’s e-world environment.
What are digital assets such as cryptocurrencies?
Cryptocurrencies provide a digital representation of traditional units of exchange that we traditionally treat as money. These units have a value because of the ability to exchange them for other items of value although the units may or may not have intrinsic value in their own right. A note may have intrinsic value because it is backed by a commitment of a substantive government, while metal such as gold may have value because of its ornamental or industrial uses. In either case, the supply of the reference asset must be limited while demand for it may vary resulting in variations in price or value. Variations in value can arise as a result of changes in the desire to use the unit as a means of exchange or because of issues relating to the underlying reference asset, e.g. the government may suffer economically or the uses of gold may change.
Users are not concerned about the specific note or item of gold they own but the holders’ right to their allocation of the reference asset must be clearly identified and verified. In the case of notes, banks are the controllers of this record of note ownership and the main exchange intermediary for individuals and businesses. Depositors, custodians and brokers do the same for gold and other commodities. However, digital assets such as cryptocurrencies do not involve any central repository or intermediary and the digital asset can be created at any point in the network and transferred between any individual users.
The European Banking Authority defines a virtual currency as:
“A digital representation of value that is neither issued by a central bank or public authority nor necessarily attached to a fiat currency, but is used by natural or legal persons as a means of exchange and can be transferred, stored or traded electronically.”
Cryptocurrencies in themselves are generally not regarded as securities.
Holding digital assets on the blockchain
Digital assets on the blockchain are unlike traditional assets due to the decentralized nature of the record and the ability to control the assets from various points of the network. Commodities or physical assets are located at a physical site or location and are subject to access controlled by the entity running or managing the site. The law of the jurisdiction where the physical assets are stored will often determine the rights of parties to the assets. Bank accounts or other typical financial assets are claims on a legal entity or counterparty which will have a physical location such as a registered office or location through which it trades which will generally determine the laws applicable to its activities. The law applicable to custodian arrangements where a third-party custodian holds the interest in financial or other assets will similarly tend to follow where the assets are held or where the custodian is based. Cryptocurrencies or other tokenized products are, however, not held in any physical location because they are based on a distributed ledger comprising a computerized record held across the system of multiple nodes, which may be in different countries not controlled by any individual registrar or central party.
While the network itself forms an indisputable record without any one entity being a controller, access to specifics of the information and authority to transact are provided through private keys based on a process of cryptography. The ability to access and control the assets is provided by holding the private key. The custodian is therefore a person who holds and controls the private key on behalf of another and through the process of cryptographic techniques is able to receive, hold, administer and transfer the underlying digital assets.
The EU Fifth Money Laundering Directive (MLD5) defines a “custodial wallet provider” as:
“An entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies.”
In determining the security of any digital assets and the roles of entities involved, it is therefore important to understand the process of crytptography in the context of digital assets such as cryptocurrencies and consider the different methodologies for holding control of the private key access to these assets.
A typical cryptocurrency, such as bitcoin, consists of three key numbers:
Private key: The private key is a randomly generated number (a 256-bit integer) which functions as a password for a particular coin. The private key allows the holder to access the funds that are contained in that particular coin address and transfer funds from one coin address to another. Just like a PIN this private key should be protected and known only to the owner of the address and never disclosed to anybody else. If a private key is lost or stolen, the owner of that wallet address will no longer have access to his/her funds at that coin address.
Public key: The public key is a pair of two such 256-bit numbers that are mathematically derived from the corresponding private key. This allows the public key to be shared publicly while keeping the private key safe. It allows only the holder of the private key the ability to prove ownership of the private key (corresponding to the public key) without divulging the private key. During the early use of bitcoin, public keys were used as the coin address, but to enhance security a separate set of letters and/or numbers is now used as the coin address allowing others to access the coin’s transaction history and make a transaction.
Coin address: The coin address is a hashed version of its corresponding public key, with the hash function mapping an arbitrarily sized number to a new fixed-sized number, in a randomized way. This adds an extra layer of security by not directly divulging the public key, and ensures that a wallet is harder to hack. While the coin address is publicly available, the mechanism of private key ensures only an authorized person can access the funds linked to that coin address. When coins are sent to the coin address, only the holder of the private key for that address will be able to prove ownership of the private key and spend these funds.
Methods of holding digital assets
The process of holding and accessing digital assets in a blockchain context therefore refers to the access to or holding of the private key, so a holder can access information on and receive, transfer or deal in the digital assets recorded on the relevant blockchain. The means of holding or storage of public and private keys for digital assets is usually referred to as a wallet.
A crypto currency wallet, at the most basic level, refers simply to a device, either software or hardware, that securely stores public and private keys of users in order to allow them to transact without having to memorize those private and public keys. Such wallets include cloud based online wallets, mobile wallets contained on owners’ phones as apps, desktop wallets (generally considered to be more secure than online or desktop wallets), hardware wallets stored on a device such as a USB stick and even paper wallets.
When is holding digital assets a regulated activity?
The legal and regulatory framework for holding or administering digital assets on behalf of others is complicated due to the multi-jurisdictional nature of the asset and inconsistency in the legal and regulatory framework applying in different countries.
Regulators have, to a large extent, approached digital assets (including cryptocurrencies) in one of three ways:
- By requiring entities dealing in or providing custody arrangements for cryptocurrencies to comply with money laundering and anti-terrorism funding requirements through effective “know your client” and identification controls. In Europe this will come into effect in 2019 through MLD5.
- Some regulators have applied specific regulatory authorizations to those providing digital ledger technology services or virtual currency services, which apply regardless of the digital assets being traded as securities or otherwise.
- Some regulatory regimes, e.g. in the UK, regulate the activity of safeguarding and administrating assets if the assets constitute financial instruments. The legal and regulatory treatment of the custodian is largely dependent on the approach adopted in any relevant jurisdiction to the characterization of those assets.
Regulation of custodial Services in the UK
The UK Financial Conduct Authority (FCA), in April 2018, confirmed that it does not consider cryptocurrencies per se to be currencies or commodities for regulatory purposes under Markets in Financial Instruments Directive II (MiFID II). In principle, therefore, custodians and wallet providers would not be subject to MiFID II requirements, provided that the tokens in question do not constitute derivatives or transferable securities under MiFID II.
Security tokens which bear characteristics of transferable securities and are directly comparable to regulated products such as shares would, however, typically fall within the scope of MiFID II and result in more of those engaging in certain custody activities being subject to a requirement to obtain authorization.
When determining whether regulatory permissions/ authorization are necessary in the UK when providing custodian services, consider:
- Are the tokens securities or contractually based investments?
- Is the person in question offering administration services as well as custody services?
- Is the person in question carrying on the activity in the UK?
- Does an exclusion apply?
There are no regulatory requirements when providing custodian services if the answer to the first three questions above is no or if an exclusion applies.
Application of the UK regulatory regime to custody of digital assets
The relevant UK regulated activity is “safeguarding and administering investments” (Art 40 of the Financial Services and Markets Act 2000 (FSMA) (Regulated Activities) Order 2001) (RAO). A person must not carry on the activity of safeguarding and administering investments in the UK unless an authorized or exempt person, or an exclusion applies. A person who arranges for others to safeguard and administer investments will be deemed to be carrying on the same regulated activity.
For the regulation to apply, both elements of the activity must be carried on (i.e. safeguarding and administering assets). Neither safeguarding nor administration are defined in the legislation but the FCA has issued guidance on what those cover.
The following activities will not constitute administration under Art 40 of the RAO:
- Providing information on the number of units or the value of assets;
- Currency conversion. For example, converting income in respect of assets held, received in US dollars, into pounds sterling; and
- Receiving documents relating to an investment solely for the purposes of onward transmission to, from or at the direction of the owner of the investment. A node simply recording or verifying the digital information which is the subject of the holding is unlikely to be a custodian or providing administration services.
If no administration services are being provided in addition to the custody, then performing the custody aspect will not need to be regulated under Art 40 of the RAO.
Carried on in the UKM
Only regulated activities carried on in the UK fall within the territorial scope of FSMA. The general view is that safeguarding and administering is usually carried on at the place where the person who safeguards and administers, or arranges for another person to do so, is present. If the entity is not UK-based, then it will not be regulated under this legislation, but anyone who arranges for the custody by the overseas person, who themselves carry on the arranging activity in the UK, could be caught.
There are also certain exemptions that may apply and careful consideration will be needed to check if they do.
Ancillary services may themselves be regulated activities
A wallet provider that offers custodian services for cryptocurrency only will not be subject to the requirement for authorization in respect of safeguarding and administering but must take care that they do not carry on ancillary services that would require authorization. For example, an entity may take and hold fiat currency as part of the custody services which could constitute the regulated activity of deposit taking or providing e-money, so it’s important to check the nature of the taking and holding of the fiat currency.
In the same way, while the simple holding of and transacting in the cryptocurrency may not require authorization, offering forward or option contracts relating to cryptocurrencies could result in the entity falling within a regulated activity relating to dealing in derivatives requiring specific authorization.
Digital assets offer a new dynamic and flexible way of transacting for individuals and businesses in a quicker, more efficient and costeffective manner. Nonetheless, participants need to be aware of the wide range of legal and regulatory requirements that can apply in relation to holding and administering digital assets including cryptocurrencies in the digital environment.