Introduction

Before the stock market crash of 1929, investors typically secured their own paper stock certificates. After the crash, the risks of self-custody played a key role in the development of financial institutions and trading infrastructure to handle the ever-growing variety and volume of assets. In a similar fashion, the risks associated with the self-custody of digital assets have been a significant driving force in the development of custodial services within the digital asset sphere.

The custody of digital assets has seen a monumental paradigm shift in recent years. In the market's infancy, investors stored their digital assets in paper wallets (whereby the private key is written down and stored by the user), much as investors held paper certificates in 1929.

However, this method has some basic inherent issues. There is the risk of loss, as with the unlucky individual in England who, in 2013, accidentally binned a hard drive containing 7,500 Bitcoin (valued at an eye-watering £101,606,796.68 at time of writing). Aside from naivety, there is the constant threat of theft by a wide range of nefarious individuals. As cryptocurrency surged in value, crypto-criminals became ever more audacious and willing to use force. Cryptosecurity advocate Jameson Lopp has documented almost 100 incidents of significant physical Bitcoin attacks, which range from theft and kidnapping to, in some instances, the torture and murder of crypto-asset owners.

Online storage has not proven a solution to these issues. According to a report by cybersecurity firm Carbon Black, crypto thieves got away with $1.1 billion in the first half of 2018 alone. A driving factor behind this is that, unlike wire transfers at banks, which leave digital trails and can therefore be recovered when stolen, blockchain-based transactions leave no trace and are therefore nearly impossible to recover.

Geographically, the United States is the country most vulnerable to online digital asset theft, with the Carnegie Endowment for International Peace outlining three major incidents in 2022, including the decentralized finance platform Beanstalk Farms losing $180 million in a cryptocurrency heist in April. It is followed by China and the UK, which have also suffered significant crypto-theft incidents in the past year. It appears clear that the safest place to store your crypto keys is not online, where, if compromised, they can be pillaged by thieves with little room for any recourse.

This simple vulnerability at the heart of digital assets has triggered an arms race in digital asset security, with people putting their private keys in increasingly elaborate locations and forms of security, from putting thumb drives in safety deposit boxes to printing the private keys on steel plates and burying them. Take the Swiss Crypto Vault as an example, which has buried its servers within a secret bunker in the Swiss Alps that wouldn’t look out of place in a James Bond movie. Another business, Vo1t, has utilized an abandoned nuclear bunker in Southern England to set up its data center, flanked by twenty-four-hour ex-military security personnel to ensure maximum protection.

Forms of Digital Asset Storage

It is important to distinguish between the three different types of storage: Hot, Cold and Warm. Hot storage indicates the keys are connected to the internet and are therefore always online. Cold wallet storage describes when the device is not connected to the internet and human involvement is needed to sign the document. Warm wallets are online but need human involvement to sign the transaction, thus adding a layer of protection.

As shown in figure 1.1, there has been an evolution from paper wallets to major banks offering custodial services.

The services provided by the aforementioned Vo1t demonstrate the benefits of using cold storage. Vo1t utilizes a global network of underground crypto bunkers, protected by layers of digital, physical and human security. The servers at Vo1t’s secret data center are rigged, not to explode, but to erase the digital fortunes they hold if any of their hidden trip switches are touched. Even if the private keys in one vault are deleted, the team runs duplicate data centers around the world, spread across different jurisdictions and continents to protect against criminals, so they can simply switch to the next one. This data center is also entirely disconnected from the internet and sealed within a Faraday cage to block the hint of a radio wave that might try to connect with Vo1t’s servers. The electricity which hums through their circuit boards has even been passed through military-grade filters as a precaution. And, for further peace of mind, each of their clients’ holdings will be covered by a specialist crypto insurance policy from Aon.

These services offer a clear alternative to the vulnerabilities of simply storing your digital assets online, whilst also protecting against the threat of personal attack, as the system is designed so that there is no way of overriding its security. David Allen, the CEO of Equity Trust, has likened this to “no tools left in the van overnight”, and therefore no point in targeting.

However, such services are in no way cheap, and there is hope that, as the digital asset marketplace continues to mature, these issues can instead be resolved by compliance and law, in order to bring down criminal activity.

Regulatory and Operational Considerations

While digital asset custody is developing fast, there are currently no worldwide standards for this service. Wallet and digital asset custody service providers must give consideration to regulatory requirements and operational complexities, including adherence to the applicable Financial Action Task Force (FATF) standards for Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT). In order to operate in a safe and ethical manner, providers should also consider deploying independent third-party AML monitoring services to secure their processes.

During 2020 and 2021, in a bid to normalize transactions in digital assets, the Office of the Comptroller of the Currency in the United States of America put forward guidance clarifying that nationally chartered banking institutions and trusts could offer custody services for digital assets, as well as issue stablecoins. Likewise, in 2020 the European Union proposed a regulatory framework known as the Markets in Crypto-Assets (MiCA). This landmark law requires cryptocurrencies to meet the same transparency, licensing, compliance, and oversight as other financial products. Moreover, the UK regulates custodian services in such a way that an entity holding private cryptographic keys on behalf of its customers may be subject to custodian provider regulation.

Next Steps for Digital Asset Custody

The growth of the digital assets market is clear to see, with its projected total amount estimated to rise to US$82,710.00m by 2027. Despite this, the custody of digital assets remains a nascent market in which there exists no common approach. To normalize the growth and adoption of digital assets, from the ‘wild west’ experienced by its young innovators to global usage, a reliable, accessible, trustworthy, and affordable custody service is required. All market participants, ranging from individual investors to large institutional investor groups, will benefit from a globalized system which can guarantee asset security alongside the ease of transacting. This change will require input from financial regulators, tasked with fostering the continued innovation of digital assets whilst ensuring the marketplace is stable and safe for customers to participate in.

This evolving regulation is reflective of the wider appetite to increase use of custodial services by the traditional financial giants who are beginning to wake up to the opportunities presented by digital asset custodianship. Banks such as Goldman Sachs, JP Morgan Chase, and Morgan Stanley now have digital asset teams. Other banks entering the arena include Bank of America, Citigroup and Deutsche Bank. Banks are taking different approaches in navigating digital assets due to their more heavily regulated industry. Their challenges include catching up to the fintech companies who have established a market and have developed the blockchain technology required for digital asset transactions.

Bank of NY Mellon, America’s oldest bank and the world’s largest custodian bank, launched a new digital asset custody platform in October 2022 for institutional clients, and has plans to launch the first multi-asset platform to bridge digital and traditional asset custody. BNY “currently touch more than 20% of the world’s investable assets”, and hopes to use this significant market scale to become a leader in the digital asset management space. “BNY Mellon will now be able to provide those fund managers with storage of the keys necessary to access and move around their bitcoin (BTC) and ether (ETH), as well as the other traditional bookkeeping functions.”

This is illustrative of the opportunities that will arise for traditional banking institutions to utilize their assets, history and brand to establish themselves as leading custodians who will offer more accessibility and reliability than the young innovators storing digital assets in James Bond style caves.

Banking change management experts such as Treliant can assist institutions such as these in setting up appropriate operating models and regimes, to operate in a compliant and secure manner.

Avoiding the Pitfalls

It is important for digital asset custody service providers to avoid the pitfalls encountered by traditional custody service providers, which have resulted in operational failures attracting substantial regulatory penalties. Common breaches include failure by firms to:

  • Identify when client money is held. The regulatory action taken against many of the traditional custody service providers demonstrates that even a few hours of risk to clients will not be tolerated.
  • Ensure that when client money is held, it is protected by way of segregated account.
  • Have robust client money procedures relating to reconciliations and records in place.
  • Train staff so that they are fully familiar with client money rules and guidance and relevant law (especially trust law).
  • Provide client money information and reports to senior management.
  • Provide trust letter notifications and obtain acknowledgment of client money trust status from third party banks with whom client monies are placed.
  • Prevent outright fraud, where a firm uses client money for its own purposes and has complete disregard for the Client Assets Sourcebook rules.

Conclusion 

As the value of the digital assets industry continues to soar, the usage of digital custodian services by the wider retail market will normalize in parallel. This presents both challenges and opportunities to the traditional financial institutions as they develop their digital asset custodial services.

The challenge is to offer digital asset custody which can alleviate the risks of loss or targeted crime which marked the emergence of the digital asset landscape, whilst maintaining the affordable and accessible features of traditional banking services. On the other hand, in leveraging the trustworthiness held in established traditional banks, and availing of regulatory and technological expertise, the opportunity to become leaders in digital asset custodianship awaits.

Authors

Paul Walsh

Paul Walsh is Senior Managing Director, Capital Markets Solutions at Treliant. He is an accomplished change leader, with more than 25 years’ experience and a proven track record of delivering large-scale transformation programs across business and technology in complex global banking environments. He has delivered a wide range of initiatives…

Oisín Gill

Oisín Gill, a Senior Consultant with Treliant’s Capital Markets practice, has over seven years’ experience as a financial consultant. At Treliant and in his previous role at a leading capital markets consulting firm, he has directed teams engaged in project management, process optimization, client onboarding and regulatory change…