Digital assets such as Bitcoin or other cryptocurrencies are fundamentally different from traditional assets, and institutional investors in digital assets have particularly challenging needs with respect to custody. Custody firms are evolving, trying to determine how best to meet the needs of such institutional customers.
Each owner of a digital asset has a private key—a unique number generated by a digital asset wallet. The key enables the key holder to transact the specific digital asset. Third-party custody of digital assets is not custody of the currency itself—the currency is on the blockchain. Rather, custody involves holding the wallets that store the keys to the assets.
Because they are built on blockchain technology, digital assets are by nature highly secure and essentially hack-proof. The problem is that the wallets are not. Digital assets are bearer instruments—whoever has the key is the owner of the asset. This makes them hard to track or recover if lost or stolen. The risk of financial loss is significant, and over the past few years millions of Bitcoin have been lost due to hacking and fraud.
Third-party custody options are growing for digital assets, but there is a lot of noise among the offerings. How can an owner of digital assets evaluate whether a custodian is institutional-grade? Although there is no clear model for what constitutes institutional-grade custodianship, there are some common features and best practices.
Hot wallet vs cold storage
Digital keys are held in wallets. The type of wallet you should use depends on your risk profile. A hot wallet is online and connected in some way to the internet, making it easy to transact the digital assets. Cold storage (aka cold wallet) involves generating and storing private keys in an offline environment, away from the internet. The key could be printed on paper, stored on a USB drive, or held in a special hardware storage product. Hot wallets are vulnerable to hacking, while cold storage might be exposed to physical harm where the wallet is located, such as weather or a break-in.
For purposes of security, it is better to hold digital assets in cold storage, says Adam Capon, EVP, operations at Digital Asset Custody Company, which provides institutional custody for digital assets with technology and services purpose-built to protect. “You need air-gapped cold storage, meaning that the keys are not stored anywhere near the internet and are not on a device that has touched the internet,” he explains.
Tom Jessop, head of Fidelity Digital Assets, which offers enterprise-quality custody and trade execution services for digital assets, makes clear that, “Given that the assets are digital and can be easily transferred, the only way to safeguard them is to hold your own keys.”
This level of security comes at the cost of convenience. You eventually need to be online to use your digital assets. If stored in cold storage, the keys must be imported into a hot wallet before being used. Any change will be sent to the hot wallet, not the cold storage. Any file transfer between online and offline machines will defeat the purpose of air-gapped cold storage, so reconciliation adds another process.
Dominic Longman, chief product officer at Trustology, a London-based company that focuses on crypto custody services, likens cold storage to exchanging stock certificates in the 1960s, meaning that you have to wait anywhere from hours to a couple of days to access your assets. “Cold storage is an old school approach to a technical problem,” he says. “People choose it out of misunderstanding the risk vectors or because it is easier to price for insurance purposes.”
Some investors might prefer to use both hot wallets and cold storage, depending on the need for immediate withdrawal. In that case, an institutional investor looking for institutional-grade custody would keep the majority of the assets in cold storage and only a small amount in hot wallets, for use and trading.
Multi-level approach to security
When it comes to digital assets, security is front and centre. Digital assets are uniquely challenging from a technology perspective and you need a layered approach where the layers all work together. The most critical layers are technology, security, and operational security. The three must work together. After that, an institutional owner might want additional layers of custodial expertise and services.
Regardless of storage type, cyber hygiene is critical. Generally speaking, most cryptocurrency losses are due to carelessness rather than hacking or fraud. The same goes for institutions. Clients of third-party custodians should ask many questions, including how the network is configured and how the systems are protected. If a device is infected by malware, the keys can be lost.
Defending against physical threats
With keys to digital assets stored offline in vaults, the focus is on defending against physical threats such as theft and weather. Here, you need to think about the domain of where the keys are stored. “What does it take to get into those locations and are there several levels of physical security protecting those locations?” asks Fidelity’s Jessop.
When it comes to operational security, people and processes are key. Jessop points out these key considerations for your custodian: “What are your policies and procedures? Who can access cold storage? How do you ensure division of labour and enforce information barriers between people involved in the key management workflow?” Capon adds that “key-man risk” is important: “No one person should have a complete view of how things work or be able to obtain a key.”
You want as many speedbumps in the process as possible. This includes a lot of checking before assets are transferred, from various levels of authorisation and multi-signature requirements to time blocks. Capon explains: “For the highest security, you don’t want instant access. You want it to take fifteen minutes to withdraw your key, and you want a human in the middle of the process.” As for time locks, “the owner of the assets can choose to have the process take two days rather than fifteen minutes.”
Trustology takes a different approach. “Customers should focus more on technology and how it has been implemented rather than people,” says Longman. “Custodians should take people out of the process to minimise operational risk. People collude, make mistakes and slow down the process.” He adds that, “Custodians for existing asset classes have looked to remove human / operational risk for years, and this is similar. It is likely even more important with current digital assets as there is no recourse.”
Technology speedbumps are similar to people roadblocks in that they include multi-signature requirements (more than one key is required to access the digital assets), time locks (you dictate how long the transaction should take), and geo-location fencing (you can only sign a transaction when in a certain location). The difference is the removal of people, which again is about security versus convenience. Regardless of the speedbumps involved, make sure there is an audited control process.
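The three technology speedbumps named above, combined into one release check with an audit trail, as an added example that is not code from any custodian mentioned in this article. The approver names, site labels and keys are constructed, and HMAC stands in for the asymmetric signatures a real multi-signature scheme would use.

```python
import hashlib
import hmac

# Constructed demo keys; a real custodian would hold asymmetric keys in hardware.
APPROVER_KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
THRESHOLD = 2                           # multi-signature: M of N approvers
TIME_LOCK_SECONDS = 15 * 60             # time lock: minimum delay before release
ALLOWED_SITES = {"vault-a", "vault-b"}  # geo-fence: where signing is permitted


def request_bytes(req):
    """Canonical bytes every approver signs, binding amount and destination."""
    fields = (req["id"], req["asset"], req["amount"], req["dest"], req["created"])
    return "|".join(str(f) for f in fields).encode()


def sign(approver, req):
    """Approval tag for one approver over one specific request."""
    key = APPROVER_KEYS[approver]
    return hmac.new(key, request_bytes(req), hashlib.sha256).hexdigest()


def authorize(req, approvals, now):
    """Return (released, audit); audit records every decision for later review."""
    audit, valid = [], set()
    for a in approvals:
        who = a["approver"]
        if who not in APPROVER_KEYS:
            audit.append(f"reject {who}: unknown approver")
        elif who in valid:
            audit.append(f"reject {who}: duplicate approval")
        elif a["site"] not in ALLOWED_SITES:
            audit.append(f"reject {who}: signed outside geo-fence ({a['site']})")
        elif not hmac.compare_digest(a["sig"], sign(who, req)):
            audit.append(f"reject {who}: signature does not match request")
        else:
            valid.add(who)
            audit.append(f"accept {who} at {a['site']}")
    if len(valid) < THRESHOLD:
        audit.append(f"deny: {len(valid)}/{THRESHOLD} valid approvals")
        return False, audit
    if now - req["created"] < TIME_LOCK_SECONDS:
        audit.append("deny: time lock still active")
        return False, audit
    audit.append("release")
    return True, audit
```

Because each approval is bound to the request's amount and destination, altering the request after sign-off invalidates the approvals already collected.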
Whether the third-party custodian is a newcomer or an established custodian of traditional assets, it is clear that you want people who know what they are doing. There is no definition for “qualified custodian” when it comes to digital assets. The custodian does not need to be a broker-dealer, but most agree that it should act like one. Satisfying US government standards for holding assets is considered by most to be validation of an institutional-grade custodian.
Capon suggests that investors also look at the background and experience of the people at the company as well as the institutions they work with. Jessop adds that investors should also look at whether the custodian is well capitalised and has insurance to cover assets under its control.
Custodians traditionally provide a multitude of services, but providing services for digital assets is different. As Longman points out, “Nobody is providing full custodial services at this point. They are doing safe-guarding and safe-keeping. Custodial services for cryptocurrency will come later.” Over time, he adds, custodians and others will develop ancillary services like trading and lending to broaden the value proposition to investors.
The needs of institutional holders of digital assets are quickly evolving, and the growing field of third-party custodians is trying to adapt their offerings as well as develop new services for future uses of digital assets. It is critical for holders to conduct thorough due diligence of custodians to ensure that the appropriate procedures are in place. The stakes are high as the losses are unrecoverable.