A joint statement issued by the staffs of the SEC and FINRA provides insight into the issues under consideration regarding broker-dealer custody of digital asset securities, such as initial coin offerings. The SEC and FINRA staffs remind entities effecting transactions in digital asset securities of broker-dealer registration requirements and obligations under the broker-dealer financial responsibility rules with regard to custody. While the SEC and FINRA staffs did not provide actionable guidance regarding the custody of these assets, they did reiterate their commitment to encourage and support innovation through continued engagement with market participants.
The staffs of the Division of Trading and Markets (TM) of the US Securities and Exchange Commission (SEC) and of the Office of General Counsel of the Financial Industry Regulatory Authority, Inc. (FINRA) issued a joint statement on July 8 on broker-dealer custody of digital assets that are also securities.
 The long-anticipated Joint Statement provides some insight on the issues under consideration by TM staff and FINRA staff (Staffs) as they relate to broker-dealers and digital asset securities. In particular, the Joint Statement does not identify specific Staff-approved circumstances under which a broker-dealer could custody digital asset securities in a manner consistent with the Customer Protection Rule. Perhaps as a result, the Joint Statement falls short on providing actionable guidance for broker-dealers eager to custody digital asset securities. In brief, the Joint Statement notes the following:
- An entity that effects transactions in digital asset securities for itself or for others should be mindful of (1) the broker-dealer registration requirements in Section 15 of the Securities Exchange Act of 1934 (Exchange Act) and (2) Rule 15c3-3 thereunder (Customer Protection Rule or Rule 15c3-3) if it intends to custody those assets for customers.
- Broker-dealer digital asset securities activities that do not involve the broker-dealer engaging in custody functions do not raise the same federal securities laws compliance concerns as business models that involve custody functions. Digital asset securities custody implications are still under consideration by the Staffs.
- It may be difficult for a broker-dealer to evidence the existence of digital asset securities for the purposes of its regulatory books, records, and financial statements.
- Broker-dealers that seek to custody digital asset securities for customers may encounter issues in establishing the requisite “control” under the Customer Protection Rule.
- The fact that a broker-dealer maintains a private key for a digital asset security may not be sufficient by itself to demonstrate that the broker-dealer has exclusive control of the digital asset security.
- The applicability of the Securities Investor Protection Act of 1970 (SIPA) to a customer’s digital assets depends on whether those assets are securities, and in the case of assets that are securities, on whether the broker-dealer can establish the requisite control over those assets.
- TM will consider whether the issuer or the transfer agent of a digital asset security can be considered a satisfactory control location pursuant to an application under Rule 15c3‑3(c)(7).
Implications Under the Customer Protection Rule
The Joint Statement begins by reminding market participants that effecting transactions in digital asset securities for customers or for their own accounts could implicate the broker-dealer registration and FINRA membership requirements under the Exchange Act.
 It further reminds market participants that the application of the federal securities laws more generally to digital asset securities raises novel and complex regulatory questions and challenges. As an example, the Staffs note that a broker-dealer’s compliance with the Customer Protection Rule is largely facilitated by the legal and practical framework that has evolved to address the loss or theft of a security, which they note may not be available or effective for certain digital assets. The Joint Statement then describes the purpose of the Customer Protection Rule, a central tenet of broker-dealer regulation.
In brief, the Customer Protection Rule is designed “to give more specific protection to customer funds and securities, in effect forbidding brokers and dealers from using customer assets to finance any part of their businesses unrelated to servicing securities customers; e.g., a firm is virtually precluded from using customer funds to buy securities for its own account.” As explained by the SEC:
Rule 15c3-3 requires a broker-dealer that maintains custody of customer securities and cash (a “carrying broker-dealer”) to take two primary steps to safeguard these assets. The steps are designed to protect customers by segregating their securities and cash from the broker-dealer’s proprietary business activities. If the broker-dealer fails financially, the securities and cash should be readily available to be returned to the customers. In addition, if the failed broker-dealer is liquidated in a formal proceeding under [SIPA] the securities and cash would be isolated and readily identifiable as “customer property” and, consequently, available to be distributed to customers ahead of other creditors.
With respect to securities, Rule 15c3-3 requires that a carrying broker-dealer maintain physical possession or control over customers’ fully paid and excess margin securities. In this context, physical possession or control means that securities are held by the broker-dealer in one of several locations specified in Rule 15c3-3(c) and free of liens or any other interest that could be asserted by a third party to secure an obligation of the broker-dealer. Because most securities now generally exist in uncertificated form, broker-dealers more commonly establish control over securities rather than physical possession in order to comply with the Customer Protection Rule.
The Joint Statement notes that while a number of firms have approached FINRA seeking to register or amend their registrations to enter the digital asset security space and custody digital asset securities, the Staffs have yet to identify specific circumstances where a broker-dealer could custody digital asset securities in a manner that would comply with the Customer Protection Rule. That said, the Staffs reiterated their commitment to encourage and support innovation through continued engagement with market participants.
Noncustodial Broker-Dealer Models for Digital Asset Securities
The Staffs provided the following examples of activities that do not involve a broker-dealer engaging in custody functions, and as such, do not raise the same level of concern among the Staffs regarding custody:
- Matching/Private Placement: A broker-dealer sends trade-matching details (e.g., identity of the parties, price, and quantity) to the buyer and issuer of a digital asset security and the issuer settles the transaction bilaterally between the buyer and the issuer, away from the broker-dealer. The broker-dealer instructs the customer to pay the issuer directly and instructs the issuer to issue the digital asset security to the customer directly (e.g., to the customer’s “digital wallet”).
- OTC Secondary Trades: A broker-dealer facilitates “over the counter” secondary market transactions in digital asset securities without taking custody of or exercising control over the digital asset securities, with the buyer and seller settling the transaction directly.
- Trading Platforms: This scenario involves a secondary market transaction in which a broker-dealer introduces a buyer to a seller of digital asset securities through a trading platform where the trade is settled directly between the buyer and seller. An example of this scenario involves a broker-dealer that operates an alternative trading system to match buyers and sellers of digital asset securities. The trades would either be settled directly between the buyer and seller, or the buyer and seller would give instructions to their respective custodians to settle the transactions.
The common theme in these scenarios is the broker-dealer is not exercising a level of control over the digital asset securities such that the broker-dealer would be viewed as having custody over the assets.
Considerations for Broker-Dealer Custody of Digital Asset Securities
In discussing custody issues, the Joint Statement explains that compliance with the Customer Protection Rule can be difficult for broker-dealers when dealing with digital asset securities. In this regard, the Staffs specifically mentioned that the manner in which digital asset securities are issued, held, and transferred may create greater risk that a broker-dealer maintaining custody of such assets could
- be victimized by fraud or theft,
- lose a “private key” necessary to transfer a client’s digital asset securities, or
- transfer a client’s digital asset securities to an unknown or unintended address without meaningful recourse to invalidate fraudulent transactions, recover or replace lost property, or correct errors.
The Staffs also stated that “a broker-dealer may face challenges in determining that it, or its third-party custodian, maintains custody of digital asset securities.” With respect to private keys held by a broker-dealer, for example, the Staffs highlighted that maintenance of such keys may not be enough to demonstrate exclusive control of the digital asset security as would be required under the Customer Protection Rule. By way of example, the Staffs stated that a broker-dealer may not be able to demonstrate that no other party has a copy of the private key and could transfer the digital asset security without the broker-dealer’s consent. These risks, including the potential inability of a broker-dealer (or custodian) to reverse or cancel transactions, could cause customers to suffer losses in a manner that creates existential liabilities for the broker-dealer.
Books and Records and Financial Reporting Rules
In discussing the SEC’s recordkeeping and financial reporting rules, the Staffs stated that the “nature of distributed ledger technology, as well as the characteristics associated with digital asset securities, may make it difficult for a broker-dealer to evidence the existence of digital asset securities for the purposes of the broker-dealer’s regulatory books, records, and financial statements, including supporting schedules.” This, in turn, can make it difficult for a broker-dealer’s independent auditors to carry out their validation and other audit procedures.
The Staffs highlighted that in the event of the failure of a broker-dealer with custody of a nonsecurity digital asset, SIPA protection likely would not apply; and in the event of a broker-dealer’s insolvency, holders of those digital assets would have only unsecured general creditor claims against the broker-dealer’s estate. For those digital assets that are securities, the Staffs stated that “uncertainty regarding when and whether a broker-dealer holds a digital asset security in its possession or control creates greater risk for customers that their securities will not be able to be returned in the event of a broker-dealer failure.”
Control Location Applications
As mentioned previously, Rule 15c3-3(c) specifies the manner in which a broker-dealer can establish that it has “control” over securities held for the account of customers. Of particular relevance, Rule 15c3-3(c)(7) provides that securities under the control of a broker-dealer are securities that are held in such other locations as the SEC shall upon application from a broker or dealer find and designate to be adequate for the protection of customer securities (so-called “good control locations”). In this regard, the Staffs indicated that they have received inquiries from broker-dealers wishing to use an issuer or transfer agent as a proposed “control location” for purposes of the Customer Protection Rule, and noted that they “will consider whether the issuer or the transfer agent can be considered a satisfactory control location pursuant to an application under paragraph (c)(7) of Rule 15c3-3.”
The Joint Statement leaves market participants with uncertainty regarding the custody of digital asset securities. This uncertainty is not limited to broker-dealers, but includes other market participants such as investment advisers and investment companies that may rely on broker-dealers to custody assets. Moreover, the Joint Statement did not adequately address the custody of digital assets that the SEC made clear are not securities—such as bitcoin—and the extent to which custody of such assets implicates the Customer Protection Rule. While the Staffs mentioned entertaining good control location applications under Rule 15c3-3(c)(7), they missed an opportunity to address whether other locations described under Rule 15c3-3(c) could be used to establish control by a broker-dealer. For example, Rule 15c3-3(c)(4) contemplates that a foreign depository, a foreign clearing agency, or a foreign custodian can serve as a good control location upon application to the SEC. In this regard, foreign banks are making concerted efforts to custody digital assets and could prove a way forward, provided that TM does not object to an application requesting that such foreign banks be deemed a good control location. In addition, we note that Rule 15c3-3(c)(5) provides that banks, as defined in Section 3(a)(6) of the Exchange Act, can serve as good control locations without the need to file applications with the SEC. The definition of a bank is potentially broad enough to capture limited purpose trust companies registered with state banking authorities, which, incidentally, is the way that some digital asset exchanges are choosing to register.
On the plus side, the Staff indicated that they have found their discussions with industry participants regarding these custody issues to be useful. The Staffs stated that they encourage and support innovation and that they “look forward to continuing [the] dialogue as market participants work toward developing methodologies for establishing possession or control over customers’ digital asset securities.”