The Staffs of the Securities and Exchange Commission’s Division of Trading and Markets and the Financial Industry Regulatory Authority’s Office of General Counsel (jointly, Staffs) issued a Joint Statement on July 8, 2019 regarding broker-dealer custody of digital assets that fall within the definition of “securities.”1 The Joint Statement discusses various challenges that broker-dealers face when considering their compliance obligations under various provisions of the Securities Exchange Act of 1934, and certain rules thereunder, while engaging in activities involving digital asset securities. Although the Joint Statement provides certain useful guidance (e.g., scenarios that do not result in a broker-dealer having custody of digital asset securities), it does not offer guidance or solutions for addressing the many tensions that exist when broker-dealers seek to engage in activities involving digital asset securities and blockchain technology in compliance with the Exchange Act and its rules. Nevertheless, the Joint Statement is a significant milestone in the ongoing dialogue between securities market regulators and industry participants about how to best approach custodial and other issues in the blockchain context.
As markets for digital asset securities have developed in recent years, and as the financial services industry has increasingly explored applications of blockchain technology, the issue of broker-dealer custody of digital asset securities has attracted considerable attention. This is largely due to the practical challenges presented by applying the requirements of Exchange Act Rule 15c3-3 (Customer Protection Rule) to the unique characteristics of digital asset securities and blockchain technology. Historically, broker-dealer custody has been conceptually rooted in principles of physical possession and control. However, by virtue of the decentralized nature of blockchain technology, digital assets lack physical presence as ordinarily understood and, thus, require novel solutions to demonstrate possession and control in an analogous manner.2 This dynamic introduces a number of operational and compliance questions for broker-dealers seeking to engage in activities that may result in the broker-dealer being deemed to have custody of customers’ digital asset securities.
All broker-dealers are subject to a number of financial responsibility obligations under the Exchange Act aimed at: safeguarding customer securities; promoting certain business practices; and facilitating compliance with federal securities laws more broadly.3 These rules impose substantive requirements on broker-dealers; to the extent a broker-dealer seeks to maintain custody of customer securities or cash and serve as a “carrying broker-dealer,” it is these rules that govern how the broker-dealer structures and documents that custody.4 As the Staffs acknowledge in the Joint Statement, however, “[w]hether a security is paper or digital, the same fundamental elements of the broker-dealer financial responsibility rules apply,” and “market participants wishing to custody digital asset securities may find it challenging to comply with the broker-dealer financial responsibility rules without putting in place significant technological enhancements and solutions unique to digital asset securities.”
The Customer Protection Rule
The Joint Statement focuses primarily on the Customer Protection Rule and its application to a carrying broker-dealer seeking to custody digital asset securities. The Customer Protection Rule generally requires broker-dealers to take certain steps to safeguard customer assets. Broker-dealers that carry customer securities are required to “promptly obtain and [thereafter] maintain the physical possession or control of all fully-paid securities and excess margin securities carried by a broker or dealer for the account of customers.”5 This means that a carrying broker-dealer must hold these securities in a good control location, such as a bank or clearing agency, “free of liens or any other interest that could be exercised by a third party to secure an obligation of the broker-dealer.”6 The Joint Statement credits this framework with “produc[ing] a nearly fifty year track record of recovery for investors when their broker-dealers have failed,” which “stands in contrast to recent reports of cybertheft.”
As described above, broker-dealer custody historically has been rooted in concepts of physical possession and control, and the Customer Protection Rule similarly reflects these foundational principles. In the Joint Statement, however, the Staffs acknowledge that “there are many significant differences in the mechanics and risks associated with custodying traditional securities and digital asset securities,” making compliance with the Customer Protection Rule difficult. Transactions involving digital assets exist within the blockchain, and holders of digital assets rely heavily on private key authentication as a security measure to regulate the transfer of their assets. In the view of the Staffs, these characteristics could potentially subject carrying broker-dealers to: increased risk of fraud or theft; the potential risk of a lost or misplaced “private key,” resulting in effectively unrecoverable digital assets; and a general lack of “meaningful recourse to invalidate fraudulent transactions, recover or replace lost property, or correct errors.”
Against this backdrop, there lies the more fundamental question of whether a broker-dealer can ever demonstrate custody of digital asset securities in a manner that satisfies the requirements of the Customer Protection Rule. As the Staffs note, it may not be sufficient for purposes of the Customer Protection Rule that a carrying broker-dealer or third-party custodian holds a customer’s private key, as the broker-dealer may not be able to provide sufficient evidence that it has exclusive control of the underlying assets or that no other party has a copy of that private key. Moreover, a broker-dealer’s possession of a given private key may not necessarily allow it to “reverse or cancel mistaken or unauthorized transactions” with respect to the underlying digital assets.
Control Location Requirements
The Joint Statement discusses issues raised by the Customer Protection Rule’s control location requirements. The Customer Protection Rule specifies a number of entities that qualify as control locations adequate for the protection of customer securities, but it also provides that the SEC may designate other locations as control locations upon application from a broker-dealer.7 For example, the SEC has permitted broker-dealers to treat the issuer of mutual fund shares or such an issuer’s transfer agent as a viable control location for purposes of maintaining mutual fund shares under the Customer Protection Rule.8 Likewise, the SEC has issued no action letters permitting a transfer agent, under certain circumstances, to function as a control location for the maintenance of other uncertificated securities.9
According to the Joint Statement, there are open questions as to whether and how this framework can extend to the blockchain context. The Joint Statement notes that the Staffs have received inquiries from industry participants as to whether an issuer or transfer agent may be utilized as a potential control location for uncertificated securities where “the issuer or a transfer agent maintains a traditional single master security holder list, but also publishes as a courtesy the ownership record using distributed ledger technology,” with the inquiring broker-dealers asserting that the resulting distributed ledger would not be the “authoritative record of share ownership.” As the Joint Statement observes, however, prior no-action letters concerning the circumstances under which an issuer or transfer agent may qualify as a control location do not contemplate blockchain technology. Accordingly, the viability of such an arrangement remains unresolved, and the Staffs state that the Division of Trading and Markets will consider “whether the issuer or the transfer agent can be considered a satisfactory control location pursuant to an application.”
Books and Records and Financial Reporting Rules
Although the Joint Statement focuses primarily on the application of the Customer Protection Rule, as well as the difficulties of custodying digital assets in general, it also addresses questions arising under other rules relating to a broker-dealer’s books, records and financial reporting obligations. In general, these rules require a broker-dealer to maintain “current ledgers reflecting all assets and liabilities” and records “reflecting each security carried by the broker-dealer for its customers and all differences” and to prepare routine financial statements and supporting schedules.10 The ability of a broker-dealer to satisfy these obligations is thus shaped to some extent by the manner in which it custodies customer assets.
According to the Joint Statement, the characteristics of digital assets and distributed ledger technology complicate a broker-dealer’s ability to comply with these obligations. For example, the Staffs note that it may be “difficult for a broker-dealer to evidence the existence of digital asset securities for the purposes of the broker-dealer’s regulatory books, records, and financial statements, including supporting schedules,” which may, in turn, pose challenges to an auditor’s ability to conduct meaningful review and obtain evidence to support the assertions a broker-dealer makes in connection with its financial statements.11
Eligibility under Securities Investor Protection Act of 1970
The Joint Statement also addresses the issue of whether digital asset securities are eligible for protection under the Securities Investor Protection Act of 1970 (SIPA), which governs the liquidation of failed broker-dealers unable to return the customer property in their custody. SIPA provides eligible customers with a first-priority claim to cash and securities held by the broker-dealer for its customers, and up to $500,000 in insurance coverage12 to the extent such property is unavailable. However, these protections are applicable only to “securities” as defined in SIPA, as well as to any cash deposited with the broker-dealer for the purpose of purchasing securities. Significantly, not every asset that is deemed a security for purposes of the federal securities laws will be deemed a security for purposes of SIPA eligibility. SIPA defines “security” more narrowly than the definitions in the Exchange Act or other federal securities law statutes,13 excluding from its scope any investment contract or interest that is not “the subject of a registration statement with the Commission pursuant to the provisions of the Securities Act of 1933.”14 Thus, in the event of a broker-dealer failure, a holder of securities that had been offered through an exemption from registration would be ineligible for SIPA protection, and the customer would have only an unsecured general creditor claim in the broker-dealer’s liquidation rather than a more senior first-priority claim.
The Joint Statement emphasizes this tension as a consideration for industry participants engaging in digital asset securities transactions. To the extent a given digital asset qualifies as a security, it may or may not be eligible for SIPA protection, leaving customers vulnerable in the event of a broker-dealer failure. The Staffs also note in the Joint Statement that the process of returning customer property is further complicated by the “uncertainty regarding when and whether a broker-dealer holds a digital asset security in its possession or control.” According to the Staffs, such outcomes are “likely to be inconsistent with the expectations of persons who would use a broker-dealer to custody their digital asset securities.” This admonition is particularly salient given that many digital asset securities are presently offered pursuant to exemptions from registration.
The emergence of digital asset securities and blockchain technology has prompted critical evaluation of how the federal securities laws apply to securities constructed and residing on blockchains. Custodial issues, in particular, present several unresolved questions, as it is in this area where the substantive requirements of the existing regulatory framework are difficult to reconcile with the particular characteristics of this new type of asset and its underlying technology. The Staffs are continuing to engage with market participants on possible solutions to the novel custody questions that digital assets and blockchain technology present, and market participants are continuing to experiment with developing methodologies and tools to achieve compliance on custodial issues. By providing insight into the Staffs’ current thinking on these matters, the Joint Statement serves as helpful guidance for market participants seeking to navigate the challenges of conducting a securities business that includes digital asset securities and blockchain technology.