On July 8, 2019, the Division of Trading and Markets (SEC DTM) of the U.S. Securities and Exchange Commission (SEC) and the Office of General Counsel (FINRA OGC) of the Financial Industry Regulatory Authority, Inc. (FINRA) issued a “Joint Statement on Broker-Dealer Custody of Digital Asset Securities” (the Joint Statement).

While the Joint Statement states that SEC DTM and FINRA OGC (and the respective staffs of SEC DTM and FINRA) “are aware of, and encourage and support, efforts to address” issues arising from application of certain existing SEC and FINRA rules[1] to broker-dealer custody of “digital assets,”[2] it emphasizes that:

  • in general, “the application of the federal securities laws, FINRA rules, and other bodies of laws to digital assets, digital asset securities, and related innovative technologies raise novel and complex regulatory and compliance questions and challenges;” and
  • in particular, “established laws and practices regarding the loss or theft of a security…may not be available or effective in the case of certain digital assets.”

While it does not expressly say so, the Joint Statement appears to take the position that, at least at present, the regulatory and compliance issues, questions, and challenges associated with broker-dealer custody of digital asset securities have not been addressed to the satisfaction of SEC DTM and FINRA OGC and, consequently, broker-dealers will not be allowed to take custody of digital assets unless and until they are3].

The Issues

The Joint Statement, drawing upon “key principles” to which the staffs of SEC DTM and FINRA have historically adhered in their approach to broker-dealer regulation and investor protection, highlights three basic issues that arise under existing SEC and FINRA rules when broker-dealers seek to have custody of digital asset securities. The Joint Statement also addresses scenarios in which broker-dealers participate in activities related to digital asset securities but do not have custody of those securities in connection with such activities.

1. The Customer Protection Rule


The Joint Statement explains that the Customer Protection Rule has three key goals:

  • to safeguard customer securities and funds;
  • to prevent investor loss or harm in the event of a broker-dealer’s failure; and
  • to enhance the SEC’s ability to monitor and prevent unsound business practices.

To accomplish these goals, the Customer Protection Rule requires a broker-dealer not only to implement appropriate safeguards for customer assets, but to keep those assets separate from the broker-dealer’s own assets so as to increase the likelihood that customer assets will be returned to customers, and not be subject to the claims of the broker-dealer’s creditors in the event of the broker-dealer’s failure. If the broker-dealer fails, customer securities and cash should be readily available to be returned to customers. If the broker-dealer were to be liquidated under the Securities Investor Protection Act of 1970 (SIPA), the SIPA trustee would be expected to step into the shoes of the broker-dealer and be able to transfer, sell, or otherwise dispose of assets in accordance with SIPA.

According to the Joint Statement, among the “core protections” provided by the Customer Rule is the requirement that a broker-dealer must physically hold customers’ fully paid and excess margin securities or maintain them free of lien at a good “control location,[4] generally, a third-party custodian (e.g., the Depository Trust Company or a clearing bank) or, in the case of uncertificated securities (e.g., shares of mutual funds), the issuer or the issuer’s transfer agent.[5] The important factor is that there be a third party that controls the transfer of the securities. Under the “traditional securities infrastructure (including, for example, related laws of property and security),” there are also processes to reverse or cancel mistaken or unauthorized transactions.

Concerns Raised by Digital Asset Securities Under the Customer Protection Rule

The Joint Statement cites the following concerns arising from the “many significant differences in the mechanics and risks associated with custodying traditional securities and digital asset securities,” any or all of which “could cause securities customers to suffer losses, with corresponding liabilities for the broker-dealer, imperiling the firm, its customers, and other creditors.” Because of these risks, a broker-dealer that has custody of digital asset securities is obligated to carefully consider how it can be in a position to demonstrate that it holds possession or control of such securities in a manner that complies with the Customer Protection Rule.

  • The manner in which digital asset securities are issued, held, and transferred may create greater risk that a broker-dealer maintaining custody of them could be victimized by fraud or theft; and, in the event of such fraud or theft, the broker or dealer may have no meaningful way to identify and seek recovery from the fraudster or thief.
  • A broker-dealer could lose a “private key” necessary to transfer a client’s digital asset securities (in which case the securities themselves are effectively lost and cannot be recovered, unless and until such key is found).
  • A broker-dealer could accidentally transfer a client’s digital asset securities to an unknown or unintended address, without meaningful recourse to correct the error. Similarly, a person associated with the broker-dealer could engage in an unauthorized transfer of a client’s digital asset securities, and the broker-dealer would not have the ability to reverse the unauthorized transaction.
  • If a broker-dealer (or its third-party custodian) holds the private key, the fact that it does so may not be sufficient evidence by itself that the broker-dealer has exclusive control of the related digital asset security, because the broker-dealer may not be able to demonstrate that no other party has a copy of the private key.

2. Books and Records and Financial Reporting Rules


The Record-Keeping Rule, the Record Retention Rule, and the Financial Reporting Rule require a broker-dealer to (among other things):

  • make and keep current ledgers reflecting all assets and liabilities, as well as a securities record reflecting each security carried by the broker-dealer for its customers and all differences determined by the count of customer securities in the broker-dealer’s possession or control compared to the result of the count with the broker-dealer’s existing books and records; and
  • routinely prepare financial statements, including various supporting schedules particular to broker-dealers, such as Computation of Net Capital under the Net Capital Rule and Information Relating to the Possession or Control Requirements under the Customer Protection Rule.

These requirements are designed to ensure that a broker-dealer makes and maintains certain business records to assist it in accounting for its activities. These rules also assist the SEC and FINRA in examining for compliance with the federal securities laws and are therefore are an integral part of the financial responsibility program for broker-dealers.

Concerns Raised by Digital Asset Securities Assets Under the Record-Keeping, Record Retention, and Financial Reporting Rules

The Joint Statement believes that “the nature of distributed ledger technology, as well as the characteristics associated with digital asset securities, may make it difficult for a broker-dealer to evidence the existence of digital asset securities for the purposes of the broker-dealer’s regulatory books, records, and financial statements, including supporting schedules.” This difficulty, in turn, creates challenges for the broker-dealer’s independent auditor when it seeks to obtain sufficient appropriate audit evidence in connection with testing management’s assertions in the financial statements during the annual broker-dealer audit.[6]

The Joint Statement discusses its understanding that some broker-dealers are considering the use of distributed ledger technology with features designed to enable them to meet recordkeeping obligations and facilitate prompt verification of digital asset security positions (for example, in the form of “regulatory nodes” or “permissioned” distributed ledger technologies). The Joint Statement cautions broker-dealers that they should consider how the nature of the technology may affect their ability to comply with the Record-Keeping and Financial Reporting Rules.

3. Concerns Under SIPA

The Joint Statement expresses concern that if a particular digital asset held in custody by a broker-dealer does not meet the definition of “security” under SIPA,[7] the investor protections afforded under that Act would not apply to such asset, with the result that the investor would (with respect to that asset) become a general creditor of the broker-dealer in the event of the broker-dealer’s insolvency.[8] Further, uncertainty regarding when and whether a broker-dealer holds a digital asset security in its possession or control “creates greater risk for customers that their securities will not be able to be returned in the event of a broker-dealer failure.”

The Joint Statement believes that “such potential outcomes are likely to be inconsistent with the expectations of persons who would use a broker-dealer to custody their digital asset securities.” The Joint Statement, however, does not go on to discuss (or even suggest) whether, through appropriate disclosure to customers, a broker-dealer could appropriately inform customers that, to the extent digital assets held in custody by the broker-dealer are not “securities” (as defined in SIPA), customers should not expect to be afforded SIPA protection. Further, the SIPA concerns articulated by the Joint Statement are simply inapplicable to the many digital asset securities that are offered, sold, and issued as “investment contracts” in transactions that are not registered under the Securities Act, because these securities are not entitled to SIPA protection in the first place.

4. Situations Where Broker-Dealers Do Not Have Custody of Digital Asset Securities

The Joint Statement notes that certain broker-dealers engage in activities with respect to digital asset securities that do not involve the broker-dealers taking custody of those securities. The Joint Statement concludes that “generally speaking” these non-custodial activities “do not raise the same level of concern” as activities that involve the broker-dealers taking custody (as long, of course, as relevant securities laws, self-regulatory organization rules, and other legal and regulatory requirements are followed). The Joint Statement provides the following examples of non-custodial activities that “do not raise the same level of concern:”

  • A broker-dealer sends trade-matching details (e.g., identity of the parties, price, and quantity) to the buyer and issuer of a digital asset security—similar to a traditional private placement—and the issuer settles the transaction bilaterally between the buyer and issuer, away from the broker-dealer. In this case, the broker-dealer instructs the customer to pay the issuer directly and instructs the issuer to issue the digital asset security to the customer directly (e.g., the customer’s “digital wallet”).
  • A broker-dealer facilitates “over-the-counter” secondary market transactions in digital asset securities without taking custody of or exercising control over the digital asset securities. In this case, the buyer and seller complete the transaction directly and, therefore, the securities do not pass through the broker-dealer facilitating the transaction.
  • A broker-dealer facilitates secondary market trading in a digital asset security by introducing a buyer to a seller of digital asset securities through a trading platform where the trade is settled directly between the buyer and seller. For example, a broker-dealer might operate an alternative trading system (ATS) that matches buyers and sellers of digital asset securities and the resulting trades either would be settled directly between the buyer and seller, or the buyer and seller would give instructions to their respective custodians to settle the transactions.[9] In either case, the ATS would not guarantee or otherwise have responsibility for settling the trades and would not at any time exercise any level of control over the digital asset securities being sold or the cash being used to make the purchase (g., the ATS would not place a temporary hold on the seller’s wallet or on the buyer’s cash to ensure the transaction is completed).[10]

By stating that non-custodial activities of the type described above “do not raise the same level of concern” as custodial activities, the Joint Statement implies that SEC DTM and FINRA OGC have at least some level of concern regarding those non-custodial activities. Unfortunately, the Joint Statement does not specify what that level of concern is, nor does it specify any of the factors that contribute to that level of concern, leaving it to market participants to guess what those factors might be.


The Joint Statement, like many (if not all) prior SEC and FINRA statements regarding digital assets, contains the obligatory declaration that the agencies “encourage” and “support” innovation in the securities markets. At the same time, the Joint Statement, like those prior statements, offers little in the way of concrete guidance as to how market participants may comply with existing rules when conducting activities involving digital assets.[11] Notably, despite its expression of support for innovation, there is nowhere to be found in the Joint Statement even a suggestion that it may be appropriate for the SEC and FINRA to reconsider and perhaps revamp their rules to enable the innovation they claim to support.[12] Instead, we are left with a veiled warning that, at present, broker-dealers that have custody of digital asset securities are likely to be found in violation of SEC and FINRA rules:

“In recent months, the Staffs have been engaged with industry participants regarding how industry participants believe a particular custody solution for digital asset securities would meet the possession or control standards prescribed in the SEC’s Customer Protection Rule. The Staffs have found these discussions to be very informative and appreciate market participants’ ongoing engagement on these issues. The Staffs…look forward to continuing our dialogue as market participants work toward developing methodologies for establishing possession or control over customers’ digital asset securities…

“Various unregistered entities that intend to engage in broker-dealer activities involving digital asset securities are seeking to register with the [SEC] and have submitted New Membership Applications (NMAs) to FINRA. Additionally, various entities that are already registered broker-dealers and FINRA members are seeking to expand their businesses to include digital asset securities services and activities. Under FINRA rules, a firm is prohibited from materially changing its business operations (e.g., engaging in material digital asset securities activities for the first time) without FINRA’s prior approval of a Continuing Membership Application (CMA)...

“The NMAs and CMAs currently before FINRA are diverse: Some of the NMAs and CMAs cover proposed business models that would not involve the broker-dealer engaging in custody of digital asset securities. On the other hand, some NMAs and CMAs include the custodying of digital asset securities, and therefore implicate the Customer Protection Rule, among other requirements.

“Some of these entities have met with the Staffs to discuss how they propose to custody digital asset securities in order to comply with the broker-dealer financial responsibility rules. These discussions have been informative. The specific circumstances where a broker-dealer could custody digital asset securities in a manner that the Staffs believe would comply with the Customer Protection Rule remain under discussion, and the Staffs stand ready to continue to engage with entities pursuing this line of business.” [emphasis added].