No custody without CASS?

Application of CASS rules to cryptoasset custody

 


As more firms consider venturing into the realm of cryptoasset custody, UK authorities may decide to leverage the FCA's existing Client Assets Sourcebook (CASS) frameworks. This has been brought to the fore following the recent failure of several prominent cryptoasset service providers. If leveraged, CASS frameworks would need to be adjusted to account for the novel intricacies of the cryptoasset ecosystem and, as such, firms should begin considering how this might affect them.

At the most basic level, custody describes the process of protecting assets from theft. As such, custodians are third parties who safeguard and administer clients' assets — and they have acted as an important pillar of the traditional financial services system for many years.

Determining how this concept of custody maps to the cryptoasset ecosystem is challenging (as was repeatedly noted during the FCA's Crypto Sprint and more recently in the Law Commission's Digital Assets consultation). Cryptoasset custodians do not technically store any assets, because all data and transactions exist on a blockchain. Instead, they guard users' private “keys”.

Keys allow participants to send and receive cryptocurrency. There are “public” keys and “private” keys which operate as a pair — the former being the address of the wallet, and the latter being an alphanumeric string of characters that initiates a transaction. Cryptoasset custodians guard private keys with varying levels of control and across a wide range of business models and arrangements.

Some providers have the ability to execute, transfer and sign transactions, and to block or recover assets / private keys on behalf of a client on the client's instruction. Although these custodians can provide many benefits for users (managing all technical elements, sometimes offering insurance or interest, etc.), they also expose users to counterparty risk, and have the power to freeze or limit withdrawals. Some cryptoasset custodians also provide services beyond the safekeeping or holding of cryptoassets on behalf of clients, which include but are not limited to reconciliation, settlement, corporate actions, maintaining bank accounts and cash management.

UK Regulatory Obligations

Across financial services, whenever consumers hand over their assets to a third party, they take on the risk of potentially losing access to these assets. This could arise as the result of operational outages (including cyber-attacks), asset theft, or insolvency. 

The bankruptcy filing of several systemic institutions during the 2008 financial crisis raised concerns around the safety of assets held on behalf of clients and whether they can be identified swiftly. This led to a strengthening of the Client Assets Sourcebook (CASS) rules in the UK. 

As things stand, the only current financial services regulation that applies to cryptoasset service providers (CASPs) in the UK is the FCA's AML regulations.

Participants in the FCA Crypto Sprint suggested that regulators apply the CASS rules as a basis for building a regulatory regime for the custody of cryptoassets. [It's worth noting that the CASS principles already feature prominently and are mirrored closely in the EU's Markets in Cryptoasset Regulation (MiCA)]. 

The CASS principles

There are four fundamental principles to CASS:

1. Identification of client assets — i.e. custodians should be able to identify where client assets arise in their business. 

Most cryptoasset custodians in the market typically hold all client tokens / assets in one central combined wallet — with ownership allocated via a back-end database. If the CASS framework were to be applied to these assets, the FCA would likely expect the CASP to implement adequate systems and controls around the maintenance of these databases to abide by the identification principle.

2. Segregation and safeguarding — i.e. ensuring that client assets are registered appropriately and are held separately to the custodian's own assets.

In traditional finance, this is achieved by having segregated client accounts, contractual arrangements (which specify whether assets can be reused) and appropriate record keeping. 

Similar controls could potentially begin to be addressed within cryptoasset custody by requiring different wallet addresses for clients versus the CASP itself. However, it remains to be seen whether this would be deemed sufficient by regulators.

As discussed, crypto custodians often maintain linked databases to record the breakdown of client assets in a wallet. To mirror CASS, there might also consequently need to be requirements facilitating third-party access to these databases in the event of insolvency. 

3. Reconciliation — i.e. of the custodian's independent records to ensure that the account of what is held on behalf of clients corresponds with the firm's obligations.

In theory, due to the unified and immutable nature of blockchain, this reconciliation should be redundant in a cryptoasset context. Moreover, the blockchain ledger would also be transparent and accessible to third parties such as regulators or insolvency administrators. However, in practice, records of client assets can actually be maintained in offline databases. Therefore, the requirement for reconciliation may still be necessary.

4. Registration and legal title (legal title to a safe custody asset is appropriately registered and maintained as belonging to a client).

In traditional finance, a custodian may hold client assets itself or appoint a sub-custodian. In either case, the original custodian is required to ensure that legal title to a safe custody asset is appropriately registered and maintained as belonging to a client.

In a cryptoasset context, no clear distinction between legal and beneficial ownership exists, as these details are not recorded on the underlying blockchain, introducing legal and contractual ambiguity in the event of an insolvency. A clear legal and regulatory framework would therefore be needed to ensure the appropriate separation and protection of client assets following the default of a wallet provider — and to ensure that clients are not treated as unsecured creditors. There is potential for smart contract technology to operate as a starting point here. 

Other CASS considerations

To give further comfort to regulators, the extension of the CASS principles could also be accompanied by additional checks and balances e.g., CASS audits and / or requirements under the SM&CR regime (i.e. the Responsible Individual having an appropriate cryptoasset skillset).

Crypto Sprint participants noted a further challenge in the bearer nature of private keys — and emphasised the need for custodians to apply robust operational and governance controls to help prevent loss and misuse. They also highlighted the need for clarification around liability in instances where key loss still occurs.

Further afield

Beyond CASS, the Financial Stability Board (FSB) has proposed that authorities should supervise and regulate custodial wallet service providers, proportionate to their risk, size, complexity and systemic importance, in order to address operational, reputational, financial and consumer / investor protection risks that may arise from the storage of users' private keys. The FSB calls for regulations to assess the adequate safeguarding of cryptoassets, for example, through segregation requirements (including in the case of default / bankruptcy of the custodial wallet service providers).

Other regulatory proposals go much further. In April, an SEC staff accounting bulletin called for cryptoasset custodians to add custodied assets to their balance sheet — as a result of the “increased risks” involved (including around the technological mechanisms supporting how cryptoassets are issued, held or transferred, as well as the remaining legal uncertainties). 

For context, the custody of traditional assets does not generally require recognition as the custodian does not control the assets in the segregated accounts. If other regulators (such as the Basel Committee) concur with the position of this bulletin, crypto custody could become unattractive for banks to offer in practice due to the complex estimates and calculations that would be required.

What does this mean for clients?

For now, regulatory dialogue continues to indicate the potential extension of CASS rules to crypto custodians. This is being amplified by demands for increased protection from consumers and clients, in the wake of several prominent crypto platform failures.

As such, firms should begin considering how their business models may be impacted. For support in carrying out a 'health check', please reach out to KPMG.


Our people

Kate Dawson

Wholesale Conduct & Capital Markets, EMA FS Regulatory Insight Centre

KPMG in the UK

Bronwyn Allan

Manager, Regulatory Insight Center

KPMG-UK