The term ‘custody’ in the context of virtual assets refers to the management and safekeeping of the cryptographic private keys that virtual asset owners use to execute virtual asset transactions. Whoever controls these private keys can sign transactions and change the amount of assets owned in near real-time – effectively controlling the asset.
Therefore, custody plays a very important role on the path to institutionalization, with VASPs needing to offer their own custody approach, or engage with secure custody providers.
The evolution of the custodian model in virtual assets is still developing, and there is a need for more independent, trusted parties to hold assets outside of a trading venue. Recently, more trusted custodians have emerged in the market to meet this need – a key indicator of ongoing wide-scale institutional adoption of the asset class.
Challenges for custody providers
Custody providers for virtual assets face a number of challenges, and are working in different ways to overcome them. For example, every participant in the virtual asset market needs a way to safely store and move their assets. In traditional FS, participants often rely on third parties to store and move assets safely. Yet, virtual assets are different in two ways:
- Direct access: Virtual assets were designed to provide owners with full control over them, without the need for centralized middlemen that record ownership or transactions.
- Ownership and bookkeeping: Virtual assets exist and are recorded only in the virtual space without a local register of ownership. This means whoever has control over the asset, specifically the private key, has ownership by design. It requires local contract law to record changes to this arrangement, i.e. between a custodian and the asset owner.
As a consequence of these differences, three solutions have emerged:
- Self-custody solutions: These leverage direct access to the asset (referenced as ‘access to the private key’), through either software and hardware to store the assets. Solutions are differentiated between ‘hot’ and ‘cold’ storage, whereby hot indicates that the ‘wallet’ has direct access to the internet, and cold indicates ‘air-gapped’ computers, without internet access and often kept in a protected location. Examples of self-custody are Hardware Security Modules (HSM) in a data center, to simple USB stick or mobile wallets with pre-configured software.
- Exchange-hosted wallets: Some exchanges offer ‘hosted wallets’, which are commonly used for asset storage by retail investors and traders. Exchanges took on this role to smooth out trading activities, and over time have strengthened their service and safety. The retail investor does not have an actual wallet, and does not have access to private keys, like in the case of self-custody solutions.
- Independent full-service custodians: These service virtual asset exchanges and institutional investors that want to safely keep a large amount of assets and operate across multiple jurisdictions. They store the assets both hot and cold, and may also offer regulatory compliance services and tax reporting.
To prepare for large-scale adoption, VASPs will need to increase the maturity of asset safekeeping. It is important to have more than ‘cold storage’. Instead, a combination of secure vaulting and cryptographic hardware with a governance model, robust terms of service, independent reviews (audit), and value-added services that create multiple layers of security are needed.
This will help:
- Protect the asset against hacking and other cyber security risks
- Prevent physical access or stealing of the vault or wallet hardware
- Back-up the asset as safe as the originals
- Prevent single points of failure by a clear separation of duties
- Offer insurance in case the asset is being compromised
- Manage liquidity and 24-hour access to the asset if needed
- Continuous compliance with local and global regulations
In an industry where asset safekeeping is of ultimate importance and any breach can completely destroy a business like a crypto exchange, organizations would invest significant effort and capability to not only develop, but constantly enhance their asset custody solutions.
OSL’s approach to custody
The safe custody of assets is a hot topic for VASPs, including one of Asia’s largest, Hong Kong-based OSL, which provides virtual asset custody services to clients, along with trading and technology services.
Usman Ahmad, Chief Information Officer of BC Technology Group, OSL’s parent company, says OSL has developed a multi-level framework to protect clients’ assets, to understand attack vectors, and to mitigate threats through cyber security protocols.
Steps include putting customer deposits into a ‘frozen wallet’ which restricts withdrawals to approved internal wallets only, separation of customer assets, and a scalable ledger to reconcile customer transactions against the external blockchain. OSL has also put in place clear segregation of duties and is being audited independently.
As threats sometimes come from unknown sources, such as sanctioned individuals that try to route transactions through OSL services, OSL has implemented a large-scale AML/CTF monitoring program for all assets in its custody.
Lastly, insurance is an important mechanism to increase consumer confidence in the safeguards and controls that have been put in place. As the insurance industry continues to mature in the Virtual Assets industry, Ahmad expects to see an evolution in insurance products and offerings that will ultimately underpin custody and asset management.
More insights on risk
We have outlined a set of solutions on how to prevent against the physical and digital risks in virtual assets. If you are interested to know about this topic, you can read Cracking Crypto Custody, KPMG LLP (US) (2019).
Terms of service
VASPs need to have clear legal agreements, or ‘terms of service’, with custody services providers, and these must reflect the operating locations of the custody business. These terms should emphasize compliance with local regulations of factors such as KYC programs and AML, location of private key storage, and have a clear reference to the property and insolvency law that applies to assets in case of a defaulting custodian.
Insurance is often seen as a ‘holy grail’ for the investor’s protection; however, both the attainment of sufficient coverage and any eventual payout depend on the custodian’s ability to achieve high standards of asset protection. Insurance policies are often brokered individually, for a limited period, and covering specific systems and incidents only. Due to a lack of ‘vanilla policies’, industry standards, regulation on custody best-practice, and generally poor historic data sets, fees of 1 percent p.a. of the amount protected are common, making insurance expensive.
The lack of institutional-grade infrastructure and industry standards also hinders custodian services affordability, as insurers remain hesitant to participate. While certainly a challenge, we believe the development of comprehensive guidance from regulators and government agencies in the near-term will increase the attractiveness of virtual assets, driving insurers and third-party providers to expanding their service offerings to meet the needs of institutional grade retail investors.
Some custodians have been able to obtain insurance policies and offer insurance to their customers. The natural evolution would be for VASPs to likewise offer insurance to users, as this would instill confidence, and further assist institutional investors with the due diligence process.
Over time, we expect the custody choices for investors to become easier due to standardization of the industry and the emergence of certification programs. It will be helpful to have more support for institutional investors in their decision making and risk assessment in picking a custody solution that suits their needs best.
Stay up to date with what matters to you
Gain access to personalized content based on your interests by signing up today