On July 8, 2019, the SEC’s Division of Trading and Markets and FINRA’s Office of General Counsel issued a joint statement on broker-dealer custody of digital asset securities (“Joint Statement”). The SEC and FINRA have been discussing issues of custody related to tokens and digital assets for years. For example, issues surrounding the custody of digital assets have been continuously cited by the SEC as one of the reasons for the failure to approve a cryptocurrency ETF.

The Joint Statement begins with the admission that historical rules do not adequately cover the complex issues related to digital assets, including rules related to the loss or theft of a security. In recent months the SEC and FINRA staff have been engaging in conversations with industry participants regarding how the rules could be applied or modified to suit the needs of the emerging technology of digital assets.

Any entity that transacts business in digital asset securities must comply with the federal securities laws. An entity that buys, sells, or otherwise transacts or is involved in effecting transactions in digital asset securities for customers will be required to register with the SEC as a broker-dealer and become a member of and comply with the rules of FINRA. Likewise, entities that make markets in securities (i.e., buy or sell for their own account) may also need to be registered as a broker-dealer.

Since the SEC issued its Section 21(a) Report on the DAO investigation, finding that digital assets and cryptocurrencies are, in most instances, securities, there has been a significant rise in the number of SEC applications for broker-dealer registration and membership applications with FINRA. There has also been a large increase in applications to FINRA by existing members to expand their business operations to include digital assets. On July 6, 2018, FINRA sent Regulatory Notice 18-20 to its members asking all FINRA member firms to notify FINRA if they engage in activities related to digital assets such as cryptocurrencies, virtual coins and tokens, and to continue to update FINRA on such activities through July 31, 2019. FINRA subsequently extended to the time to require firms to report activity through July 31, 2020.

Broker-Dealer Custody of Digital Assets

Broker-dealers that hold funds and securities must comply with Exchange Act Rule 15c3-3 (the “Customer Protection Rule”), which generally requires the broker to maintain physical possession or control over the customer’s fully paid and excess margin securities. Where funds and securities are purely digital, consideration needs to be made over how they are accounted for and who has the obligation. In addition, certain activities and access levels could amount to “receiving, delivering, holding or controlling customer assets,” such as having access to a private key code for a customer. As further discussed below, not all broker-dealers custody or hold customer assets.

The purpose of the Customer Protection Rule is to protect the customer funds, provide for processes in the event of a broker-dealer’s failure, and put systems in place so that the SEC can oversee and monitor business practices. Like attorney escrow accounts, a broker-dealer must keep customer’s assets segregated from their own and properly labeled and tracked as that customer’s property.

To satisfy the Customer Protection Rule, most broker-dealers use a third party, such as the Depository Trust Company (DTC), a clearing firm or a transfer agent (for book entry or DRS securities) as the actual custodian of the securities. Using a third party creates a check and balance, eliminating the risk of comingling or the loss of the security in the event the broker-dealer fails, and allowing for the reversal or cancellation of a mistaken or unauthorized transaction.

Digital assets are unique in that the way they are issued, held, and transferred is different from other securities up to this point. One of the principal concerns with the custody of digital assets relates to cybersecurity. The issue is prolific for all companies, but even more so for those working with cyber assets (for more information on the SEC’s guidance related to cybersecurity, see HERE. There have been many significant and well-documented cases of the theft of cyber-assets. For example, one blockchain forensic analysis firm estimated that approximately $1.7 billion worth of bitcoin and other digital assets had been stolen in 2018, of which approximately $950 million resulted from cyberattacks on bitcoin trading platforms.

Another unique concern with digital assets relates to the ramifications if a broker-dealer or customer loses their “private key” necessary to transfer a client’s digital asset securities. If a private key is lost, there is no method for retrieving the information and the digital assets could be lost forever. Likewise, if digital assets are unintentionally or fraudulently transferred to an unknown or unintended address, there would be no meaningful recourse to invalidate the fraudulent transactions, recover or replace lost property, or correct errors.

In addition to these real-world issues, technical compliance with the Customer Protection Rule is not easy with digital assets. The rule requires that “not later than the next business day, a broker-dealer, as of the close of the preceding business day, shall determine the quantity of fully paid securities and excess margin securities in its possession or control and the quantity of such securities not in its possession or control.” If possession and control results from possession of a customer’s private key and the ability to transfer digital assets using the private key, it may be difficult or impossible to establish that no other party has a copy of the private key and could therefore also exercise possession and control over the assets.

Broker-dealers that hold funds and securities must also comply with Exchange Act Rules 17a-3, 17a-4 and 17a-5, which require the broker-dealer to make and keep current ledgers reflecting all assets and liabilities, prepare regular statements and schedules and maintain a supported record of all securities carried for its customers. The very nature of digital assets make it difficult to prove they exist at all for purposes of complying with the rules. Programmers are working on creating a system to address this problem, including regulatory nodes and permissioned blockchains, but the problem has not yet been fully addressed to the satisfaction of the SEC and FINRA.

The Wyoming Head Start

When a third party is used to custody securities for a broker-dealer, that party must satisfy the rule as a good control location. A good control location is based, in part, on the entity’s ability to maintain exclusive control over customer securities. A licensed bank constitutes a good control location. A licensed bank, as defined in Section 3(a)(6) of the Securities Exchange Act of 1934, includes state chartered banks and excludes trust companies. To meet the good control location requirement, a bank is required to acknowledge that customer securities are not subject to any kind of security interest or claim, and that the securities are under its “exclusive control.”

As a result, and interestingly, Wyoming has a leg up in the custody arena. In March 2018, Wyoming passed several blockchain-friendly bills (see HERE) and followed those up with more legislation earlier this year. Wyoming HB 74 authorized a new type of financial institution called the special purpose depository institution (SPDI). The Acts enable a new type of financial institution that allows approved Wyoming corporations to engage in banking business related to digital assets, including custodial services. It appears an SPDI would meet the SEC and FINRA definition of a good control location and, as a state chartered bank, could provide custodial services for broker-dealers regardless of the location of such broker-dealer.

Noncustodial Broker-Dealer Services

As mentioned above, not all broker-dealers that seek to be in the digital asset business intend to custody such assets. Regulators, including the SEC and FINRA, are less concerned where services do not include custody. Non-custodial services include: (i) arranging purchases and sales that are completed directly between the parties without broker-dealer escrow or custody services (for example, private placements or “over-the-counter” transactions); or (ii) arranging purchase and sale transactions that are completed through a trading platform such as an ATS.

Securities Investor Protection Act of 1970 (SIPA)

The Joint Statement also discusses SIPA in the context of digital assets. That is, if a broker-dealer fails or is unable to return customer property, that broker-dealer is liquidated in accordance with SIPA. Under SIPA customers are eligible for up to $500,000 “insurance” for missing assets. SIPA only applies to securities as defined under that Act and cash to be used to purchase securities. The definition of a security under SIPA is not consistent with the definition of a security under other federal securities laws and there is uncertainty as to whether SIPA applies to all digital assets.

Further Reading on DLT/Blockchain and ICOs

For a review of the 2014 case against BTC Trading Corp. for acting as an unlicensed broker-dealer for operating a bitcoin trading platform, see HERE.

For an introduction on distributed ledger technology, including a summary of FINRA’s Report on Distributed Ledger Technology and Implication of Blockchain for the Securities Industry, see HERE.

For a discussion on the Section 21(a) Report on the DAO investigation, statements by the Divisions of Corporation Finance and Enforcement related to the investigative report and the SEC’s Investor Bulletin on ICOs, see HERE.

For a summary of SEC Chief Accountant Wesley R. Bricker’s statements on ICOs and accounting implications, see HERE.

For an update on state-distributed ledger technology and blockchain regulations, see HERE.

For a summary of the SEC and NASAA statements on ICOs and updates on enforcement proceedings as of January 2018, see HERE. and information on the International Organization of Securities Commissions statement and warning on ICOs, see HERE.

For a review of the CFTC’s role and position on cryptocurrencies, see HERE.

For a summary of the SEC and CFTC testimony to the United States Senate Committee on Banking Housing and Urban Affairs hearing on “Virtual Currencies: The Oversight Role of the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission,” see HERE.

To learn about SAFTs and the issues with the SAFT investment structure, see HERE.

To learn about the SEC’s position and concerns with crypto-related funds and ETFs, see HERE.

For more information on the SEC’s statements on online trading platforms for cryptocurrencies and more thoughts on the uncertainty and the need for even further guidance in this space, see HERE.

For a discussion of William Hinman’s speech related to ether and bitcoin and guidance in cryptocurrencies in general, see HERE.

For a review of FinCEN’s role in cryptocurrency offerings and money transmitter businesses, see HERE.

For a review of Wyoming’s blockchain legislation, see HERE.

For a review of FINRA’s request for public comment on FinTech in general and blockchain, see HERE.

For my three-part case study on securities tokens, including a discussion of bounty programs and dividend or airdrop offerings, see HERE; HERE and HERE.

For a summary of three recent speeches by SEC Commissioner Hester Peirce, including her views on crypto and blockchain, and the SEC’s denial of a crypto-related fund or ETF, see HERE.

For a review of SEC enforcement-driven guidance on digital asset issuances and trading, see HERE.

For information on the SEC’s FinTech hub, see HERE.

For the SEC’s most recent analysis matrix for digital assets and application of the Howey Test, see HERE.

For FinCEN’s most recent guidance related to cryptocurrency, see HERE.

For a discussion on the enforceability of smart contracts, see HERE.