New SEC Proposed Safeguarding Rule: Inadvertent Crypto Casualties
The Securities and Exchange Commission (the “SEC”) recently proposed revamping Rule 206(4)-2 (the “Custody Rule”) under the Investment Advisers Act of 1940 (the “Advisers Act”) to enhance the protection of customer assets managed by registered investment advisers, in light of changes in technology, advisory services and custodial practices.1 However, these enhancements, which are proposed to be embodied in new rule 223-1 under the Advisers Act (the “Proposed Safeguarding Rule”), would also have unintended consequences. As detailed below, the Proposed Safeguarding Rule could cripple crypto custodians2 and investment advisers—and harm their clients—prompting the need to exempt investment advisers from certain aspects of the Proposed Safeguarding Rule.
History and the Proposed Safeguarding Rule
The Custody Rule, which is approximately 60 years old, was originally adopted to insulate client funds and securities from loss, misuse, misappropriation, and an adviser’s financial deterioration. Despite its age, the Custody Rule has only been updated once to reflect (then-modern) custodial practices. Under the 2003 Amendments,3 the SEC amended the Custody Rule to expand the types of entities eligible to serve as qualified custodians and make other changes to adapt to changes in custodial practices. Currently, certain banks, savings associations, broker-dealers, registered futures commission merchants (“FCMs”) and foreign financial institutions are eligible to serve as qualified custodians.4
Under the Custody Rule, an SEC-registered investment adviser that has custody5 of client funds and securities generally must (1) maintain those funds and securities with a qualified custodian,6 (2) have a reasonable basis for believing that the qualified custodian sends an account statement, at least quarterly, to each client of the adviser7 and (3) have an independent public accountant verify those funds or securities in a surprise examination (among other things).8
The Proposed Safeguarding Rule seeks to modernize and expand the scope of the existing Custody Rule. As noted in the Proposing Release, a “growing number of assets are not receiving custodial protections as a result of the current rule’s exceptions… particularly the exception for privately offered securities.”9 In response to this observation, the Proposed Safeguarding Rule seeks to require advisers with custody of client assets (not merely funds or securities) to maintain such assets with a qualified custodian. To further promote the protection of client assets—and in what has been described as a substantial departure from current industry practice10—the Proposed Safeguarding Rule would require investment advisers to enter into a written agreement11 with, and obtain written assurances from,12 a qualified custodian.
While qualified custodians would continue to provide critical safeguards for client assets under the Proposed Safeguarding Rule, they would also be subject to an enhanced standard for maintaining client assets.13 The Proposed Safeguarding Rule also seeks to modify the criteria for satisfying the definition of “qualified custodian” for banks, savings associations and foreign financial institutions.
The Proposed Safeguarding Rule’s requirements may be too burdensome for crypto custodians
Unsurprisingly, crypto custodians would be required to incur significant costs to comply with the Proposed Safeguarding Rule. For example, crypto custodians would incur costs (including legal fees) in negotiating and drafting the written agreement to be entered into with an investment adviser. After the agreement is executed, crypto custodians would bear the costs of complying with the covenants under the agreement and of periodic interactions with investment advisers, who must monitor the qualified custodians’ compliance with certain aspects of the agreement.
The Proposed Safeguarding Rule may also pose hurdles that are impossible for crypto custodians to overcome. Given that the market for crypto asset insurance is in the very early stages of development (particularly for crypto assets issued by decentralized finance (“DeFi”) protocols), it may not be possible for a qualified custodian to obtain an insurance policy that satisfies the requirements of the Proposed Safeguarding Rule. Insurance that is available may be costly, and qualified custodians may seek to increase fees to their clients in order to offset any increase in insurance-related expenses. Crypto custodians may also find it difficult to comply with the segregation requirements under the Proposed Safeguarding Rule, which requires them to identify a client’s assets as such, hold the client assets in a custodial account and segregate these assets from a qualified custodian’s proprietary assets.
The costs and other burdens described above, in conjunction with the low margins and fierce competition14 in the market for crypto custodial services, would deter crypto custodians from seeking to comply with the new requirements of the Proposed Safeguarding Rule.
Ultimately, the Proposed Safeguarding Rule will increase costs to investment advisers and clients, and may subject investors’ crypto assets to greater risk of loss
To the extent crypto custodians are unwilling or unable to satisfy the obligations needed to serve as a qualified custodian under the Proposed Safeguarding Rule, advisory clients that have engaged such custodians would need to transition to a crypto custodian that complies with the Proposed Safeguarding Rule. The transition would require the adviser to spend time and resources vetting the new custodian and would impose other switching costs on the adviser and its clients. In addition, the adviser may be forced to choose an alternative crypto custodian that has weaker private key security and other practices—subjecting client assets to a greater risk of loss and requiring the adviser to increase its monitoring of the custodian.
To the extent the Proposed Safeguarding Rule leaves no qualified custodians that satisfy its requirements, investment advisers may be forced to cease managing crypto assets on behalf of clients. Ironically, such an impact would undermine a key facet of the SEC’s mission: to promote capital formation.
An exception to the Proposed Safeguarding Rule should be provided to give investment advisers the flexibility to self-custody crypto assets and promote capital formation
Given the anticipated impact of the Proposed Safeguarding Rule on crypto custodians, advisers and their clients, an exception to the qualified custodian requirement (as described below, the “Crypto Qualified Custodian Exception”) would be invaluable to registered investment advisers that manage crypto assets on behalf of clients.
Crypto Qualified Custodian Exception
Advisers subject to the Proposed Safeguarding Rule and who have custody of a client’s “digital assets” (as that term is defined under the Proposed Safeguarding Rule)15 are exempt from the requirement to maintain such digital assets with a qualified custodian if:
- The adviser reasonably determines and documents in writing that the ownership of a digital asset cannot be recorded and maintained in a manner in which a qualified custodian can maintain possession, or control transfers of beneficial ownership, of such assets;
- The adviser reasonably safeguards the assets from loss, theft, misuse, misappropriation, or the adviser’s financial reverses, including the adviser’s insolvency;
- An independent public accountant, pursuant to a written agreement between the adviser and the accountant, (i) verifies any transfer of beneficial ownership of such assets, promptly upon receiving the notice from the adviser of any transfer of beneficial ownership of such assets and (ii) notifies the SEC by electronic means directed to the Division of Examinations within one business day upon finding any material discrepancies during the course of performing its procedures;
- The adviser notifies the independent public accountant engaged to perform the verification of any transfer of beneficial ownership of such assets within one business day; and
- The existence and ownership of the client’s digital assets that are not maintained with a qualified custodian are verified during the annual independent verification conducted pursuant to paragraph (a)(4) of the Proposed Safeguarding Rule or as part of a financial statement audit performed pursuant to paragraph (b)(4) of the Proposed Safeguarding Rule.
Rationale for Crypto Qualified Custodian Exception
The market for digital asset custodial services—similar to the market for custodial services for privately offered securities—is fairly thin.16 In some cases, such as custodial services for tokens issued by certain DeFi protocols, there may be no qualified custodians willing to provide custodial services.17 While the traditional custodial service industry is characterized by high barriers to entry and low margins,18 new entrants seeking to penetrate the crypto custodial services market face significant additional burdens, including the time and cost involved in analyzing and mitigating the risks of the blockchains and smart contracts associated with the digital assets to be custodied. Given the market dynamics facing crypto custodial services providers, the additional burdens imposed by the Proposed Safeguarding Rule may eventually leave investment advisers with few, if any, providers that comply with the rule.
The Crypto Qualified Custodian Exception would provide sufficient safeguards against the kinds of abuse the Proposed Safeguarding Rule seeks to prevent (i.e., the lack of protections and transparency that could result without the role of a qualified custodian), while also giving investment advisers the flexibility to custody the crypto assets of their clients.
To address any potential concern that the loss of digital assets excepted from the qualified custodian requirement could be undetected for an indeterminate amount of time, the Crypto Qualified Custodian Exception relies heavily on independent public accountants—an approach which mirrors the privately offered securities exception under the Proposed Safeguarding Rule.
While certain aspects of the Proposed Safeguarding Rule enhance the protection of client assets, they also present significant issues that may harm clients whose digital assets are managed by registered investment advisers. We continue to follow this space closely and will share further research regarding digital asset custodial services. Should you have questions about the Proposed Safeguarding Rule or the proposed Crypto Qualified Custodian Exception, please do not hesitate to reach out to us.
1 Safeguarding Advisory Client Assets, SEC Release No. IA-6240, 88 FR 14672 (proposed February 15, 2023), available at https://www.sec.gov/rules/proposed/2023/ia-6240.pdf (the “Proposing Release”).
2 The term “crypto custodian” refers to entities that serve as qualified custodians of digital assets under the Custody Rule, and that may seek to serve in a similar capacity under the Proposed Safeguarding Rule.
3 Custody of Funds or Securities of Clients by Investment Advisers, SEC Release No. IA-2176, 68 FR 56692 (effective November 5, 2003) (the “2003 Amendments”).
4 These entities were selected in part because they were the types of financial institutions that customarily provided custodial services and they were subject to extensive regulation and oversight. See Custody of Funds or Securities of Clients by Investment Advisers, SEC Release No. IA-2044, 67 FR 48579, 48582 (proposed July 18, 2002), available at https://www.sec.gov/rules/proposed/ia-2044.htm (the “2002 Proposing Release”) (“‘Qualified custodians’ under the proposed rule would include the types of financial institutions that customarily provide custodial services and are regulated and examined by their regulators with respect to those services.”); see also 2002 Proposing Release at 48582 n. 30 (noting that “[r]egulatory agencies or self-regulatory organizations require (either by rule or by supervisory policy) these financial institutions to carry fidelity bonds to cover possible losses caused by their employees’ fraudulent activities”); see also Custody of Funds or Securities of Clients by Investment Advisers, SEC Release No. IA-2876, 74 FR 25354, 25354-55 n.4 (proposed May 20, 2009) available at https://www.sec.gov/rules/proposed/2009/ia-2876.pdf (noting that (1) rule 15c3-3 under the Securities Exchange Act of 1934 (the “Exchange Act”) requires a broker-dealer to segregate customer funds held by the broker-dealer for the accounts of customers and to take certain steps to protect customer assets, (2) rules 17a-3 and 17a-4 under the Exchange Act require a broker-dealer to create and maintain current, specified books and records to allow the broker-dealer to easily identify what assets belong to each customer and (3) national banks, federal savings associations, and other U.S. banking institutions are subject to extensive regulation and oversight).
5 Under the Custody Rule, “custody” means that the investment adviser, or its related persons, holds, directly or indirectly, client funds or securities, or has any authority to obtain possession of them. See 17 C.F.R. § 275.206(4)-2(d)(2).
6 However, to the extent such adviser has custody of a “privately offered security,” the adviser is not required to maintain such security with a qualified custodian. See 17 C.F.R. § 275.206(4)-2(b)(2).
7 17 C.F.R. § 275.206(4)-2(a)(3) (“account statement requirement”). The Custody Rule’s annual audit provision (17 C.F.R. § 275.206(4)-2(b)(4)) eliminates the need to comply with the account statement requirement.
8 17 C.F.R. § 275.206(4)-2(a)(4). There are exceptions to the surprise examination requirement (e.g., compliance with the annual audit provision under 17 C.F.R. § 275.206(4)-2(b)(4) will eliminate the need for a surprise examination).
9 Proposing Release, supra note 1, at 14.
10 Id. at 77.
11 The Proposed Safeguarding Rule would require such agreement to specify the adviser’s agreed-upon level of authority to effect transactions in the client’s account and to include covenants requiring the qualified custodian to provide records relating to the client’s assets to certain third parties, deliver account statements to clients and provide a written internal control report to the adviser.
12 According to the “written assurances” requirement, qualified custodians would be required to (among other things) (i) indemnify the client (and have insurance arrangements in place that will adequately protect the client) against losses of client assets resulting from the custodian’s negligence, recklessness or willful misconduct, (ii) safeguard client assets and (iii) identify and segregate client assets from the qualified custodian’s proprietary assets and liabilities. The Proposed Safeguarding Rule would also require investment advisers to monitor the qualified custodian’s compliance with these obligations.
13 The Proposed Safeguarding Rule would require qualified custodians to maintain “possession or control” over the client’s assets, such that the qualified custodian is required to participate in any change of beneficial ownership of the client’s assets.
14 See The Evolution of a Core Financial Service: Custodian & Depository Banks, DELOITTE, 1, 10 (2019) available at https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/financial-services/lu-the-evolution-of-a-core-financial-service.pdf (noting that the custody industry is very concentrated due to consolidations and fierce price competition that have historically favored large players); see also Samantha Hurt, Prime Trust Now Charging Zero AUM Fees for Crypto Custody Service, CROWDFUND INSIDER (Jan. 31, 2019) available at
https://www.crowdfundinsider.com/2019/01/143954-prime-trust-now-charging-zero-aum-fees-for-crypto-custody-service/ (announcing Prime Trust’s cryptocurrency custody service).
15 See Proposing Release, supra note 1, at 16 (defining “digital asset” to mean an asset that is issued and/or transferred using distributed ledger or blockchain technology, including, but not limited to, so-called “virtual currencies,” “coins,” and “tokens.”).
16 See id. at 265 (noting that the market for crypto asset custodial services continues to develop and “one OCC-regulated national bank, four OCC-regulated trusts, approximately 20 state-chartered trust companies and other state-chartered, limited purpose banking entities, and at least one FCM currently offer custodial services for crypto assets.”).
17 Given the role played by smart contracts in DeFi protocol tokens, the risks associated with smart contracts and the diligence involved in assessing smart contract risk, this is not surprising. For example, smart contracts are subject to rug pulls. See Financial Stability Oversight Council, Report on Digital Asset Financial Stability Risks and Regulation (2022), available at
https://home.treasury.gov/system/files/261/FSOC-Digital-Assets-Report-2022.pdf (“rug pulls may also involve the coding of an explicit, malicious backdoor into a new crypto-asset smart contract, which allows the developer to pull out all of the liquidity of the crypto-asset at once”) (citing Valerio Puggini, “Crypto rug pulls: what is a rug pull in crypto and 6 ways to spot it,” Coin Telegraph, February 6, 2022, at https://cointelegraph.com/explained/crypto-rug-pulls-what-is-a-rug-pull-in-crypto-and-6-ways-to-spot-it and Koinly, “Rug Pulls: Your Complete Guide,” March 31, 2022, available at https://koinly.io/blog/crypto-rug-pulls-guide/).
18 See Proposing Release, supra note 1, at 257 (noting economies of scale and low margins as factors contributing to the dominance of the custodial services industry by a small number of participants).