The importance of custodians in bitcoin adoption and ownership

Why bitcoin’s decentralized properties require reliable custodians and diligent investors

Why is custody so important in bitcoin and what does the custody landscape look like today?

One of the core tenets of bitcoin is the ability to own and control your assets without any counterparty risk or dependencies on third parties. But what does it really mean to own bitcoin? Property rights in the bitcoin network are not enforced by companies or governments but instead are enforced through cryptography. In the earliest days of bitcoin, the only way to own bitcoin was to use your own cryptographic “private keys,” a practice known as self-custody.

Self-custody means controlling your own private keys without the use of a centralized custodian. If you lose your private key(s) you will have lost your bitcoin. If an attacker discovers your private key(s), that attacker can use them to sign a bitcoin transaction transferring your bitcoin to the attacker’s wallet. Since the bitcoin network is decentralized, all transactions are immutable, which means no individual or company has the ability to reverse a transaction.

Custodians play a critical role within the digital asset ecosystem and were created to relieve users of the responsibility and complexity of managing their own private keys. In a custodial relationship, users delegate the responsibility to protect their private keys to the custodian, who in turn uses a web or mobile application to authenticate users, authorize transactions, and subsequently move the assets on their behalf.

While the U.S. is known to have a number of household names that provide custodial services, each of which is subject to oversight by regulatory agencies such as the SEC, FinCEN, and NYDFS, many custodians over the years have operated outside of any regulatory framework. This has led to riskier operations with fewer investor protections and to numerous incidents where customer funds were lost or stolen. As such, any custodian comes with risks, which we will further explore throughout this paper.

Risks with bitcoin custody

Custodians must protect cryptographic private keys against theft, loss, and corruption, which requires strong internal controls around the custody processes they employ to keep them secure. This means that details about the locations, processes, and controls protecting the key(s) from external threats must remain secret and secure. But without transparency on how this is achieved, how can people obtain the assurances they need? Business operations, quality assurance, and protection from internal threats all require some divulgence of information, so the best custodians strike a careful balance between obscurity and transparency.

For the customer or client entrusting a bearer asset like bitcoin to a custodian, there are a number of risks that could result in the complete and permanent loss of funds. In this paper, we will take a closer look at six common attack vectors custodians must solve for.

6 attack vectors that custodians must mitigate

1. Outside attackers

One of the most common threats to custodians is outside attackers who look to compromise the custodian’s key management, applications, personnel, and/or devices.

Once an attacker steals bitcoin, its immutable ledger makes the funds effectively impossible to recover after a short period of time.

2. Insider threats

Outsiders aren’t the only threat to consider, as oftentimes the most dangerous threat to a custodian’s security comes from within. Custodians are responsible for properly securing client funds, but they must also be prepared to use the private key(s) they protect to sign transactions on behalf of their users. Personnel that can trigger the use of private keys—or choose not to trigger the use of private keys when authorized by a user—reflect additional risk that custodians must mitigate against.

3. Securing account credentials

Within the bitcoin network, all bitcoin are controlled by private keys; hence the common bitcoin parlance “not your keys, not your coins.”

Since custodians move bitcoin on behalf of their customers, they must take responsibility for proper security not just with the private keys, but also with the customer’s account, to ensure that withdrawals are going to the intended recipient. Unfortunately, compromises at the account level that irreversibly send bitcoin to an attacker’s wallet are a common occurrence.

Social engineering and phishing attacks are routinely attempted on individual customers. While the ultimate responsibility may rest with the customer, custodians and exchanges must take proactive measures to secure account information and effectively mitigate the risk of customer impersonation.
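The insider-threat and account-credential items above both come down to the same question: what must be true before a custodian releases a withdrawal to its signing system? The following Python is an added illustration, not KPMG's or any custodian's actual code. It models two widely used controls as assumptions: at the account level, the destination must be an allowlisted address that has aged past a cool-down and the customer must have completed a fresh step-up confirmation, so a phished password alone cannot redirect funds; at the personnel level, release needs a quorum of distinct approvers, and the operator who staged the request cannot approve it. The policy values, operator names, addresses and timestamps are all constructed for the example.

```python
"""Illustrative custodian withdrawal-authorization policy (example code, not
the code of KPMG, Unchained Capital, or any custodian). Thresholds, operator
ids, addresses and timestamps are constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

ADDRESS_COOLDOWN = timedelta(hours=24)    # assumed: newly added addresses cannot receive funds for 24h
APPROVAL_QUORUM = 2                       # assumed: two independent approvers required
STEP_UP_MAX_AGE = timedelta(minutes=10)   # assumed: 2FA/step-up must be this fresh


@dataclass
class AllowlistedAddress:
    address: str
    added_at: datetime


@dataclass
class CustomerAccount:
    customer_id: str
    allowlist: List[AllowlistedAddress] = field(default_factory=list)
    last_step_up_at: Optional[datetime] = None   # last successful step-up (e.g. 2FA) by the customer


@dataclass
class WithdrawalRequest:
    request_id: str
    customer_id: str
    destination: str
    amount_sats: int
    staged_by: str                               # operator who prepared the request
    approvals: Set[str] = field(default_factory=set)   # operator ids that approved it


def evaluate_withdrawal(req: WithdrawalRequest, account: CustomerAccount, now: datetime) -> List[str]:
    """Return every policy violation found. An empty list means the request may be
    passed to the signing system; anything else blocks it and should be logged."""
    problems: List[str] = []
    if account.customer_id != req.customer_id:
        problems.append("request/account mismatch")
    if req.amount_sats <= 0:
        problems.append("non-positive amount")

    # Account-level controls: allowlist + cool-down + fresh customer step-up.
    entry = next((a for a in account.allowlist if a.address == req.destination), None)
    if entry is None:
        problems.append("destination not on customer allowlist")
    elif now - entry.added_at < ADDRESS_COOLDOWN:
        problems.append("destination added too recently (cool-down not elapsed)")
    if account.last_step_up_at is None or now - account.last_step_up_at > STEP_UP_MAX_AGE:
        problems.append("customer step-up confirmation missing or stale")

    # Insider controls: segregation of duties + quorum of distinct approvers.
    if req.staged_by in req.approvals:
        problems.append("requester approved own request (segregation of duties)")
    independent = req.approvals - {req.staged_by}
    if len(independent) < APPROVAL_QUORUM:
        problems.append(f"need {APPROVAL_QUORUM} independent approvals, have {len(independent)}")
    return problems


def sample_cases() -> dict:
    """Two constructed requests against one constructed account."""
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    account = CustomerAccount(
        customer_id="cust-0001",
        allowlist=[
            AllowlistedAddress("bc1q-example-old", now - timedelta(days=9)),
            AllowlistedAddress("bc1q-example-new", now - timedelta(hours=1)),
        ],
        last_step_up_at=now - timedelta(minutes=2),
    )
    # Routine withdrawal: aged address, fresh step-up, two approvers other than the stager.
    routine = WithdrawalRequest("req-1", "cust-0001", "bc1q-example-old", 250_000,
                                staged_by="ops-alice", approvals={"ops-bob", "ops-carol"})
    # Request that should be blocked: address added an hour ago, stager approved it herself.
    blocked = WithdrawalRequest("req-2", "cust-0001", "bc1q-example-new", 5_000_000,
                                staged_by="ops-alice", approvals={"ops-alice", "ops-bob"})
    return {
        "routine": evaluate_withdrawal(routine, account, now),
        "blocked": evaluate_withdrawal(blocked, account, now),
    }


if __name__ == "__main__":
    for name, result in sample_cases().items():
        print(name, "->", "RELEASE" if not result else result)
```

The policy returns every violation rather than the first one, so an alerting pipeline can see, for instance, that a request both used a freshly added address and lacked independent approval, which is a stronger signal of account takeover or insider misuse than either fact alone.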

4. Borrowing and rehypothecation

Several exchanges over the years have offered users a yield on the assets they deposit on the exchange’s platform. They are able to offer this yield because the assets a customer deposits are then lent out for other purposes; as such, the user is earning a yield as compensation for the risk they’re taking in lending their assets. Similarly, rehypothecation involves using a customer’s collateral for other purposes, such as collateral for additional loans or other trading strategies. Both of these scenarios present risk to the user (liquidity, market, and counterparty risk, among others) as well as to the exchange or custodian.

5. Regulatory actions

Trusted custodians can be shut down by governments or regulatory agencies due to failure to comply with relevant laws and regulations. Regulatory action can be taken against any company and can come with little to no warning to the customers.

6. Operational failure

Many kinds of operational failure modes can cause custodians to become insolvent. And sometimes, a custodian’s insolvency is not even known to them until they attempt to fulfill their clients’ withdrawal requests.

Key considerations for choosing a custodian

In evaluating threats that exchanges and custodians face, as well as the most common methods they use to mitigate these threats, we can identify some key criteria for choosing a custodian across four main categories: security, compliance, transparency, and reliability.

Security

A primary indication of mature organizational security is whether an organization hires for and controls its own custodial capabilities. While details on this are rarely disclosed in full, there are some good indicators for whether a custodian invests in the necessary infrastructure to accomplish this.

Compliance and legal

In the United States, bitcoin custodians are required to abide by money transmission laws and corresponding regulations in the states they operate given their requirement to register as a Money Services Business with FinCEN. Additionally, they must comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) laws such as the Bank Secrecy Act, and the Patriot Act. Any reputable custodian operating in the United States will be required to meet these basic regulatory requirements.

Transparency and reporting

Custodians must strike a careful balance between obscurity and transparency in their data classifications and access controls. The most secure custodian is not always the most transparent, but there are some key areas where transparency and reporting have clear benefits for choosing a custodian that maximally mitigates the threats described in the section above.

Operational reliability

A key indicator of a reliable custodian is one who invests heavily in its own custodial capabilities instead of relying on contractors or vendors, but operational reliability extends far beyond private key management.

Managing the risks

Despite the challenges associated with directly managing private keys, custodians play a critical role in the bitcoin ecosystem. Trusted centralized custodians bring many benefits and have helped accelerate bitcoin adoption to this day. Understanding the complexities and risks of bitcoin custody means choosing a custodian who prioritizes security and compliance, is financially stable, and has the infrastructure to manage its own custodial capabilities.

Meet our team

Brian Consolvo
Principal, KPMG LLP

Dhruv Bansal
Co-Founder, Unchained Capital

Dhruv Bansal started out his career as a scientist, working on his PhD in statistical physics at UT Austin. He studied a variety of traditional and non-traditional systems, typically from the perspective of networks, transport, and thermal/statistical processes.

Dhruv co-founded Infochimps while he was still at UT Austin. Its objective was to bring great data to the masses, but it found success with a Big Data platform that the company installed and managed for the enterprise. Infochimps grew through great investors and amazing employees and was acquired in August 2013 by CSC.

At about the same time, Dhruv became intensely curious about Bitcoin. In 2015, when he left CSC, he spent months going "down the rabbit hole" learning about and programming against Bitcoin. In 2016, he co-founded Unchained Capital, a financial services company building products for long-term cryptocurrency holders. Its first product was a BTC-collateralized USD loan which was launched in June 2017, making Unchained Capital one of the first crypto-backed lenders in the US. Unchained recently launched a "collaborative custody" solution which offers Bitcoin holders greater security without sacrificing their sovereignty.
