SEC must solve its cryptocurrency custody conundrum
Too much regulation may stifle innovation but too little will put Main Street investors at risk
As blockchain technology grows in popularity, the US Securities and Exchange Commission faces a conundrum: how should it regulate the safekeeping or custody of a digital asset owned by an investment fund or managed account?
To solve this puzzle, the regulator has to reconcile decades-old laws with new and inherently risky technology. Too much regulation may stifle innovation but too little will put Main Street investors at risk. Doing nothing is not an option.
Current law requires mutual funds to deposit securities and similar assets in a vault or other depository belonging to a bank or trust company. Registered investment advisers must also maintain client assets with a qualified custodian.
The law stops short of specifying how a custodian bank must safeguard, or maintain custody of, a client’s assets.
Distributed ledger technology such as blockchain presents a novel challenge: how can a custodian, or an auditor, be certain that the custodian actually has possession of a digital asset?
In theory, the answer is simple. To prove ownership of a digital asset, such as bitcoin, you must have both a public key and a corresponding private key.
The public key appears as a string of digits representing a unique transaction that is added on as a block in a chain of other transactions.
The private key, however, is a string of digits that is intended to be kept secret, a sort of electronic bearer instrument. Whoever has the private key can transfer a digital asset immutably and potentially anonymously to anyone.
The SEC’s challenge is to ensure that such digital assets cannot be stolen or misappropriated.
The answer may involve a combination of physical and electronic solutions, and some creative legal thinking.
Some banks assert that they have developed platforms and procedures to keep digital assets safe. These may include holding digital assets in an offline wallet rather than on an exchange, requiring multiple electronic signatures to obtain access to the private key and keeping the private key on a computer in a physical vault — without an internet connection — to prevent criminals hacking in.
As there is no single answer to what kind of security is sufficient, the SEC should take a balanced, practical approach. It should not try to prescribe specific technological standards because what is appropriate for one custodian may not work for another and today's state-of-the-art requirements may become rapidly outdated.
Regulations should require custodians to embrace technology that is sufficient to provide adequate security, coupled with robust and ongoing testing, similar to how financial intermediaries test for the adequacy of cyber security protections.
The SEC could also treat all — or certain categories of — digital assets as securities solely for purposes of the custody rules, without determining whether they are securities that must be registered for sale.
This approach would provide some certainty on the application of the custody rules. This would be welcome as some senior SEC staff have suggested that some digital assets that are securities may morph into non-securities and vice versa. Bitcoin, for example, is generally thought not to be a security, but certain non-fungible tokens, such as CryptoKitties, may morph into securities depending on how their functions change over time.
The SEC could also establish robust standards for safekeeping programmes. These could include internal control reports and compliance testing.
It could also consider a backstop that would involve special capital requirements or a form of third-party insurance to protect digital assets.
But the SEC will never be able to eliminate digital asset fraud, just as it cannot eliminate other forms of theft.
No matter how many protections are required, the first time that a bad actor empties the digital wallet of an investment account, everyone — including the press and Congress — will point fingers at the SEC for failing to require sufficient safeguards.
Yet, by considering novel regulatory approaches adapted to the risks inherent in digital assets, educating investors, holding market participants to high standards and vigorously prosecuting bad actors, the SEC has the power to nurture technological innovation while still protecting Main Street investors.
First published in the Financial Times.