With continued growth of interest in cryptoassets across investor segments - from retail to institutional - and, in many cases, non-existent or developing regulatory frameworks governing the asset class, it is worthwhile for investors and sponsors of new investment vehicles to pause and consider legal, operational, and other risk safeguards associated with the custody arrangements they are considering underpinning their investments. Undoubtedly, cryptoassets pose a unique combination of risk management issues. If the custody arrangements represent a substantial single point of failure for an investor, then, regardless of the investment strategy being pursued, investors may be exposed to an unacceptable risk of loss.  In this respect, not all custody service providers are equal.

Trust for investors

The role of the custodian is to reduce risk and provide operational independence to investors. Trust, in its broadest sense, is a key component of custodian engagement. Let us break trust down into its non-legal and legal components. First, trust in the sense that a person is good, honest, sincere and that they will do what you expect of them or do the right thing. While failures of trust are certainly not unique to cryptoasset players, there has been no shortage of well-publicised incidents relating to bad actors, poor operating standards and insecure technologies and processes causing losses to investors or difficulty in recovering manipulated cryptoassets. As the cryptoasset markets mature, investors now have a greater choice of custody provider. Fintech startups are facing competition from custodians with substantial institutional backing in the form of financial and intellectual capital. These custodians present investors with a deep understanding of client segments and utilise institutional-quality frameworks for compliance, risk-management, and governance on a par with those designed to meet or exceed regulated standards in traditional markets. And, of course, longstanding track-records of applying those standards to their markets. As part of their due diligence, investors should ask potential custodians ‘searching questions’ about their risk management frameworks. For example, what are their anti-money laundering standards? 

Do they adhere to FATF Recommendation 16 (known as the travel rule) whereby custodians ought to obtain and exchange accurate originator and beneficiary information prior to effecting transactions and make this information available to the authorities if required as part of the fight against financial crime? In environments where blockchain addresses are public and there is nothing that can be done to prevent improper transfers in to or out of a public address, deployment by the custodian of transaction screening procedures is essential to mitigate the risk of ‘dusting’, whereby a legitimate public address is contaminated by transfer in of a quantity of a cryptoasset from a public address with a dubious history, or simply an erroneous transfer out. More on preventing erroneous transfers below in relation to operational risk. Potential conflicts of interest can arise in service providers that utilise business models combining customer pricing/execution and proprietary trading functions with custody. This risk can be mitigated by selecting a specialist custodian that is dedicated solely to the provision of custody services and managed with transparent and effective governance.

Second, trust in a legal sense. If cryptoassets are not held on legal terms that ring-fence them from a theoretical insolvency of the custodian, then they may be subject to claims by third parties. If the cryptoassets are held by the custodian on a segregated legal trust, this can be an effective way to protect against loss in the event of custodian insolvency. In the UK, the UK Jurisdiction Taskforce[1] published its Legal statement on cryptoassets and smart contracts[2] in 2019 to bring greater certainty to the treatment of cryptoassets under English law. The statement concluded that, in principle, criteria applied under English common law to determine whether tangible or intangible objects can be subject to rights of property - such as ownership - should also be capable of application to cryptoassets domiciled in the UK. Instinctively, this might seem like an obvious conclusion, but it is important that an alternative characterisation - that cryptoassets consist merely of data or information, which is not capable of private ownership - was considered and distinguished. The UKJT’s reasoning and conclusion that cryptoassets can be the subject of legal title or owned has since been cited and recognised in a growing number of cases decided in common law jurisdictions. The importance of establishing a clear legal domicile for cryptoassets recorded on a distributed ledger and corresponding recognition of rights of ownership of cryptoassets is crucial for investors to have confidence that their rights are capable of enforcement against third parties, including the custodian itself. Recognition of title also underpins the ability for cryptoassets to be held by a custodian on trust. If cryptoasset wallets are not legally (and operationally) ring-fenced from insolvency of the custodian or other clients or creditors of the custodian, then the cryptoassets in those wallets might be subject to the claims of other creditors of the custodian.  

A trust, therefore, provides a flexible and robust legal mechanism that is protective of investors’ rights relating to their cryptoassets. But beyond selection of the right legal structure to use for custodianship of cryptoassets must also lie implementation by the custodian of a matching operating framework (paired with a suitable audit right): after all, while the creation of a trust of cryptoassets may well be one effective legal structure for investors to protect against custodian insolvency, the practicalities and procedures for recovering cryptoassets in the event of insolvency may be more complex and specialist than recovery of traditional assets and require deeper insight into the management of the custodian. If, for example, encrypted private keys necessary to transfer cryptoassets from public addresses exist within the confines of hardware security modules, then in the event of a custodian insolvency how would investor assets be moved in accordance with investor’s instructions post-insolvency? In this regard investors should satisfy themselves that there is a credible resolution plan that the custodian has designed and will update to facilitate the task in the event of a worst-case.

Risk management for investors

In relation to fiat currencies, we regularly read of human error or so-called fat-finger syndrome being the cause of erroneous transfers. It is sometimes, and sometimes not, possible for these errors to be traced and unwound. Given the immutable and often anonymous nature of transfers made on the blockchain, any similar error may not be so easy to correct. It is therefore important that the process for effecting a transfer be designed to eliminate human error and that transfers be limited to whitelisted addresses (addresses where the custodian has identified the beneficiary in advance). No single person ought to have sole authority to execute a transfer instruction and the processes for initiating and authorising the instruction should be separated through segregated entitlements while being flexible enough to reflect a client’s own governance and authorization structures. Once an instruction has been correctly initiated and authorised then it should be processed by the custodian without manual intervention to eliminate the possibility of error being introduced. These processes should be efficient, cost effective, and scalable to suit the needs of active investors.

Given cybersecurity risk, insurance is a crucial part of a custodian risk management approach. Insurance will help mitigate the risk of loss from theft, hacking, damage, or destruction of cryptoassets whilst under the custodian’s care. Additionally, insurance solutions should provide protection against the impact of a cyber incident as well as civil and criminal liabilities that may arise from a failure of service. As well as the comfort that certain losses are covered, insurance also provides the custodian with an important economic incentive to ensure that its processes are risk-assessed and managed with the right behaviors in mind. Cybercrime and IT security risks also require close attention. Beyond compliance with international and widely cited security standards such as ISO 27001 (for organisational security) & FIPS 140-2 (for safe storage of private keys), it is essential for custodians to demonstrate a risk management framework for continuous improvement as the threat landscape for cryptoassets evolves. This should involve regular analysis of internal and external threat intelligence and deployment of strategic and operational enhancements to the crypto custody service. This will ensure that the crypto custody service continues to be effective and resilient against evolving threats. Lastly, while the custodian may not be thought of traditionally as having a role to play in mitigating market risk if the custodian has – for the benefit of its clients - innovated by developing connectivity to trading platforms, whether exchanges, brokers or directly with potential counterparties, then it will have facilitated access to liquidity for market risk management purposes. 

In conclusion

Cryptoassets present novel risk management issues for investors and the industry players who support them. The solutions required are a combination of the traditional and the non-traditional. Safe custody is the foundation on which any investment, whether in cryptoassets or otherwise, is built.  Given the range of players and solutions available, both new and traditional, investors should carry out rigorous due diligence on any proposed custody solution. Risk can never be eliminated entirely but due diligence that results in an informed choice of custody solution can provide a trustworthy platform for cryptoasset investors, whilst minimising the level of residual risk.