Author: AiYing AiYing, AiYing Compliance

Yesterday, the U.S. Securities and Exchange Commission (SEC) sanctioned Galois Capital Management LLC, a former registered investment advisor in Florida that primarily invests in crypto assets. The SEC found that Galois Capital failed to comply with the custody rules under the Investment Advisers Act of 1940 when managing client assets, particularly crypto assets. Specifically, Galois Capital failed to ensure that the crypto assets it managed were held with qualified custodians, and instead placed these assets on non-compliant cryptocurrency trading platforms, resulting in the loss of most of its assets during the collapse of the FTX exchange. In addition, Galois misled investors and provided inconsistent redemption terms.

Aiying believes that such incidents will occur frequently in the field of crypto asset management in the future. With the increasing popularity of crypto assets, investment advisory companies are still in a state of self-regulation in the management of such assets due to the lack of early supervision and the increase in compliance costs in the later period. Therefore, the probability of black swan events or reports leading to regulatory penalties in the future will only increase.

I. Applicability and Extension of U.S. Custody Rules

The origin and original intention of the custody rules

In simple terms, the U.S. custody rules are a set of legal provisions to protect investor assets. These rules originated from the Investment Advisers Act of 1940, and their goal at the time was to prevent investment advisory firms from engaging in any "tricks" when managing client assets. According to this provision, if an investment advisory firm has the right to control or manage client assets, these assets must be kept by a qualified custodian, such as a regulated bank or financial institution.

The core idea of the custody rules is simple: investment advisory firms cannot mix client assets with their own money and must manage them separately. If there are any changes in client assets, the custodian must also notify the client in a timely manner and provide regular asset status reports. These measures are all to ensure that investors' funds are safe and will not suffer losses due to mistakes or misconduct by investment advisors.

Expanding to virtual assets

With the popularity of virtual assets such as Bitcoin and Ethereum, the financial market has undergone great changes. Virtual assets have brought new challenges to traditional asset management due to their characteristics such as decentralization, anonymity and large price fluctuations. Seeing this change, the SEC realized that it was necessary to expand the protection scope of the custody rules to these emerging virtual assets.

In recent years, the SEC has made it clear that custody rules apply not only to traditional financial assets such as stocks and bonds, but also to virtual assets. In other words, if an investment advisory firm manages clients' cryptocurrencies, these assets also need to be placed with a qualified custodian. Qualified custodians must not only meet traditional regulatory requirements, but also have the technology to deal with risks unique to virtual assets, such as the ability to prevent hacker attacks or the loss of cryptocurrencies.

II. Requirements for a US Qualified Custodian License

The SEC and other relevant regulatory agencies in the United States have begun to pay attention to and regulate the emerging field of qualified custody of virtual currency assets. Qualified custodians of digital assets need to meet the requirements of traditional custodians, and must also have specialized capabilities to manage and protect these digital assets. The following are some key standards and requirements for qualified custodians related to digital assets:

Types of Qualified Custodians of Digital Assets

  1. Banks and Trust Companies:

    • Banks and trust companies regulated by the federal or state governments may provide custody services for digital assets. To meet the requirements of a qualified custodian, these institutions must have the technology and infrastructure to protect and manage digital assets.

  2. Dedicated digital asset custody companies:

    • Some companies specialize in providing custody services for cryptocurrencies and other digital assets. These companies may already be registered at the state or federal level and are subject to strict regulation. For example, companies like Coinbase Custody and BitGo Trust already provide custody services for digital assets and have obtained custodian qualifications in specific states or federal jurisdictions.

  3. Registered Broker-Dealers:

    • FINRA-regulated broker-dealers may offer digital asset custody services, but they must ensure they have the specialized technical capabilities necessary to manage digital assets.

  4. Other regulated financial institutions:

    • Some regulated financial institutions, such as futures commission merchants or foreign financial institutions, can also be considered qualified custodians if they meet the requirements for digital asset custody.

Key Requirements for Digital Asset Custodians

  1. Security technology infrastructure:

    • Digital asset custodians must have advanced cybersecurity technology to prevent hacker attacks and asset loss. This usually includes the use of offline storage, multi-signature technology, hardware security modules (HSM), etc.

  2. Separation of assets and separate accounts:

    • Digital assets must be stored separately from the custodian’s other assets, and customer assets must be placed in separate accounts and clearly identified as customer assets.

  3. Regular audits and reporting:

    • Digital asset custodians should undergo regular third-party audits to ensure the security of assets and the compliance of custody services. In addition, they are required to provide customers with regular asset status reports.

  4. Compliance capabilities:

    • Digital asset custodians must meet the same compliance requirements as traditional asset custodians, including anti-money laundering (AML), know your customer (KYC), and other applicable financial regulations. In addition, they must follow compliance frameworks specific to digital assets, such as transparency and traceability of blockchain transactions.

  5. Insurance and Safeguards:

    • To further protect customer assets, digital asset custodians typically purchase insurance to cover asset losses due to hacker attacks or operational errors.

Regulation and certification

  • Certification in a specific state: In the United States, some states such as New York have passed the New York Financial Services Act (NYDFS), under which BitLicense allows qualified companies to provide custody services for crypto assets. Aiying Aiying has detailed this in a previous article, "In-depth Analysis: Two Major Licenses for Web3 Companies to Conduct Virtual Currency Business in New York State—BitLicense and Limited Purpose Trust Company License".

  • Federal regulation: Although federal regulation has not yet fully covered all types of digital asset custody services, regulatory agencies such as the SEC and CFTC are gradually formulating relevant rules and regulating the market. For more information, please refer to Aiying’s previous article "【Payment】In-depth Analysis of the Legal Basis and Requirements of US Cryptocurrency Payment Licenses".

Currently, there are 12 institutions that have obtained custody licenses:

(Source: New York State Department of Financial Services NYDFS)

III. Policies in other regions

Hong Kong

1. Background

As an international financial center, Hong Kong is also gradually strengthening its supervision in the field of digital assets. With the popularity of cryptocurrencies and blockchain technology, Hong Kong's regulators have begun to formulate corresponding regulations to regulate the custody and trading services of crypto assets. Hong Kong's Trust or Company Service Provider (TCSP) license is one of the licenses that digital asset custody service providers must obtain. For details, please read "One article to understand the latest application policy of Hong Kong Virtual Asset Custody Service Provider (TCSP) in 24 years"

2. Specific requirements

  • TCSP license: In Hong Kong, companies that provide crypto asset custody services need to apply for and hold a TCSP license. This license is supervised by the Hong Kong Companies Registry (CR) and is designed to ensure that institutions providing trust or company services comply with anti-money laundering (AML) and counter-terrorism financing (CFT) requirements.

  • Asset separation and independent accounts: Custodians who obtain TCSP licenses must ensure that clients’ crypto assets are strictly separated from their own assets, usually by storing client assets in independent accounts. This practice prevents financial problems at the custodian from affecting the security of client assets.

  • Security technology and compliance requirements: Companies holding TCSP licenses must also have strong cybersecurity measures to protect customers’ digital assets. This includes using cold storage, multi-signature technology, and establishing strict compliance procedures to ensure the security of assets.

  • Regular audits and reporting: Custody service providers are required to conduct regular audits and provide clients with detailed asset status reports to ensure transparency and keep clients informed.

3. Regulatory bodies

  • Hong Kong Companies Registry (CR): The Companies Registry is responsible for the issuance and supervision of TCSP licenses, ensuring that companies providing custodial services comply with relevant laws and regulations. The main responsibilities of the CR include reviewing applications, conducting on-site inspections, and supervising licensed companies' compliance with anti-money laundering and counter-terrorist financing legal requirements.

4. Industry Practice

  • In Hong Kong, many fintech companies and traditional financial institutions have obtained TCSP licenses to legally provide crypto asset custody services. For example, OSL, BC Group, Hashkey and other companies have carried out compliant custody business in Hong Kong, providing secure digital asset management services for domestic and foreign institutional investors.

Singapore

1. Background

Singapore has attracted many digital asset companies with its open financial policies and innovative environment. The Monetary Authority of Singapore (MAS) is an important institution that regulates digital asset custody. It has formulated a series of regulations to ensure that the custody of crypto assets meets international standards. For details, please read "【Long Article and Illustrations】 Comprehensive Interpretation of Singapore's Payment Business Regulatory Framework and Virtual Asset DPT License Requirements"

2. Specific requirements

  • Payment Services Act (PSA): Singapore implemented the Payment Services Act (PSA) in 2020, which brings crypto asset services (including custody services) under regulatory scope. Under the PSA, companies providing crypto asset custody services must obtain a "Digital Payment Token Services" license issued by MAS.

  • Custodian qualifications: In Singapore, custodians need to ensure that their technology and operational frameworks meet strict security standards. MAS requires custodians to have sufficient funds, a sound risk management system, and strong cybersecurity measures.

  • Compliance and Audit: Custodians must comply with Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) regulations and establish strong customer due diligence (KYC) procedures. Custodians are also required to conduct regular internal and external audits to ensure the transparency and compliance of their operations.

  • Client asset protection: Custodians must store clients’ crypto assets separately from their own assets and provide independent account management services. This requirement is intended to ensure that client assets remain safe and are not affected by the custodian’s financial situation.

3. Regulatory bodies

  • Monetary Authority of Singapore (MAS): MAS is Singapore’s central bank and primary financial regulator responsible for overseeing compliance for crypto asset custody services. MAS has established a clear regulatory framework for crypto asset custody by implementing the Payment Services Act.

4. Industry Practice

  • Singapore's digital asset custody market is developing rapidly, and many internationally renowned digital asset companies have set up custody operations in Singapore. For example, Propine became the first digital asset custody company to obtain a "full custody" license issued by MAS, marking Singapore's leading position in this field.