The term ‘custody’ in the context of virtual assets refers to the management and safekeeping of the cryptographic private keys that virtual asset owners use to execute virtual asset transactions. Whoever controls these private keys can sign transactions and change the amount of assets owned in near real-time – effectively controlling the asset.
Therefore, custody plays a very important role on the path to institutionalization, with VASPs needing to offer their own custody approach, or engage with secure custody providers.
The evolution of the custodian model in virtual assets is still developing, and there is a need for more independent, trusted parties to hold assets outside of a trading venue. Recently, more trusted custodians have emerged in the market to meet this need – a key indicator of ongoing wide-scale institutional adoption of the asset class.
Custody providers for virtual assets face a number of challenges, and are working in different ways to overcome them. For example, every participant in the virtual asset market needs a way to safely store and move their assets. In traditional FS, participants often rely on third parties to store and move assets safely. Yet, virtual assets are different in two ways:
As a consequence of these differences, three solutions have emerged:
To prepare for large-scale adoption, VASPs will need to increase the maturity of asset safekeeping. It is important to have more than ‘cold storage’. Instead, a combination of secure vaulting and cryptographic hardware with a governance model, robust terms of service, independent reviews (audit), and value-added services that create multiple layers of security are needed.
This will help:
In an industry where asset safekeeping is of ultimate importance and any breach can completely destroy a business like a crypto exchange, organizations would invest significant effort and capability to not only develop, but constantly enhance their asset custody solutions.
The safe custody of assets is a hot topic for VASPs, including one of Asia’s largest, Hong Kong-based OSL, which provides virtual asset custody services to clients, along with trading and technology services.
Usman Ahmad, Chief Information Officer of BC Technology Group, OSL’s parent company, says OSL has developed a multi-level framework to protect clients’ assets, to understand attack vectors, and to mitigate threats through cyber security protocols.
Steps include putting customer deposits into a ‘frozen wallet’ which restricts withdrawals to approved internal wallets only, separation of customer assets, and a scalable ledger to reconcile customer transactions against the external blockchain. OSL has also put in place clear segregation of duties and is being audited independently.
As threats sometimes come from unknown sources, such as sanctioned individuals that try to route transactions through OSL services, OSL has implemented a large-scale AML/CTF monitoring program for all assets in its custody.
Lastly, insurance is an important mechanism to increase consumer confidence in the safeguards and controls that have been put in place. As the insurance industry continues to mature in the Virtual Assets industry, Ahmad expects to see an evolution in insurance products and offerings that will ultimately underpin custody and asset management.
We have outlined a set of solutions on how to prevent against the physical and digital risks in virtual assets. If you are interested to know about this topic, you can read Cracking Crypto Custody, KPMG LLP (US) (2019).
VASPs need to have clear legal agreements, or ‘terms of service’, with custody services providers, and these must reflect the operating locations of the custody business. These terms should emphasize compliance with local regulations of factors such as KYC programs and AML, location of private key storage, and have a clear reference to the property and insolvency law that applies to assets in case of a defaulting custodian.
Insurance is often seen as a ‘holy grail’ for the investor’s protection; however, both the attainment of sufficient coverage and any eventual payout depend on the custodian’s ability to achieve high standards of asset protection. Insurance policies are often brokered individually, for a limited period, and covering specific systems and incidents only. Due to a lack of ‘vanilla policies’, industry standards, regulation on custody best-practice, and generally poor historic data sets, fees of 1 percent p.a. of the amount protected are common, making insurance expensive.
The lack of institutional-grade infrastructure and industry standards also hinders custodian services affordability, as insurers remain hesitant to participate. While certainly a challenge, we believe the development of comprehensive guidance from regulators and government agencies in the near-term will increase the attractiveness of virtual assets, driving insurers and third-party providers to expanding their service offerings to meet the needs of institutional grade retail investors.
Some custodians have been able to obtain insurance policies and offer insurance to their customers. The natural evolution would be for VASPs to likewise offer insurance to users, as this would instill confidence, and further assist institutional investors with the due diligence process.
Over time, we expect the custody choices for investors to become easier due to standardization of the industry and the emergence of certification programs. It will be helpful to have more support for institutional investors in their decision making and risk assessment in picking a custody solution that suits their needs best.