SEC and Finra joint statement on custody of crypto assets

The SEC and FINRA released a joint statement with regards to custody of digital assets. As they mentioned, market participants have raised questions concerning the application of the federal securities laws and the rules of the Financial Industry Regulatory Authority (“FINRA”) to the potential intermediation—including custody—of digital asset securities[1] and transactions.  The staffs of the Division of Trading and Markets (the “Division”) and FINRA (collectively, the “Staffs”)—drawing upon key principles from their historic approach to broker-dealer regulation and investor protection—have articulated various considerations relevant to many of these questions, particularly under the SEC’s Customer Protection Rule applicable to SEC-registered broker-dealers.[2] 

As a threshold matter, it should be recognized by market participants that the application of the federal securities laws, FINRA rules and other bodies of laws to digital assets, digital asset securities and related innovative technologies raise novel and complex regulatory and compliance questions and challenges.  For example, and as discussed in more detail below, the ability of a broker-dealer to comply with aspects of the Customer Protection Rule is greatly facilitated by established laws and practices regarding the loss or theft of a security, that may not be available or effective in the case of certain digital assets.

Recently SEC and Fira staff have been engaged with industry participants regarding how industry participants believe a particular custody solution for digital asset securities would meet the possession or control standards prescribed in the SEC’s Customer Protection Rule.  Entities seeking to participate in the marketplace for digital asset securities must comply with the relevant securities laws.[3]  An entity that buys, sells, or otherwise transacts or is involved in effecting transactions in digital asset securities for customers or its own account is subject to the federal securities laws, and may be required to register with the Commission as a broker-dealer and become a member of and comply with the rules of a self-regulatory organization (“SRO”), which in most cases is FINRA.  Importantly, if the entity is a broker-dealer, it must comply with broker-dealer financial responsibility rules,[4] including, as applicable, custodial requirements under Rule 15c3-3 under the Securities Exchange Act of 1934 (the “Exchange Act”), which is known as the Customer Protection Rule.

The purpose of the Customer Protection Rule is to safeguard customer securities and funds held by a broker-dealer, to prevent investor loss or harm in the event of a broker-dealer’s failure, and to enhance the Commission’s ability to monitor and prevent unsound business practices.  Put simply, the Customer Protection Rule requires broker-dealers to safeguard customer assets and to keep customer assets separate from the firm’s assets, thus increasing the likelihood that customers’ securities and cash can be returned to them in the event of the broker-dealer’s failure.  The requirements of the Customer Protection Rule have produced a nearly fifty year track record[5] of recovery for investors when their broker-dealers have failed.  This record of protecting customer assets held in custody by broker-dealers stands in contrast to recent reports of cybertheft,[6] and underscores the need to ensure broker-dealers’ robust protection of customer assets, including digital asset securities.

Various unregistered entities that intend to engage in broker-dealer activities involving digital asset securities are seeking to register with the Commission and have submitted New Membership Applications (“NMAs”) to FINRA.  Additionally, various entities that are already registered broker-dealers and FINRA members are seeking to expand their businesses to include digital asset securities services and activities.  Under FINRA rules, a firm is prohibited from materially changing its business operations (e.g., engaging in material digital asset securities activities for the first time) without FINRA’s prior approval of a Continuing Membership Application (“CMA”).[7] 

Some of these entities have met with the SEC and FINRA staffs to discuss how they propose to custody digital asset securities in order to comply with the broker-dealer financial responsibility rules.  These discussions have been informative.  The specific circumstances where a broker-dealer could custody digital asset securities in a manner that the Staffs believe would comply with the Customer Protection Rule remain under discussion, and the Staffs stand ready to continue to engage with entities pursuing this line of business. 

As noted, some entities contemplate engaging in broker-dealer activities involving digital asset securities that would not involve the broker-dealer engaging in custody functions.  Generally speaking, noncustodial activities involving digital asset securities do not raise the same level of concern among the Staffs, provided that the relevant securities laws, SRO rules, and other legal and regulatory requirements are followed.[8]  The following are examples of some of the business activities of this type that have been presented or described to the Staffs.

• One example is where the broker-dealer sends the trade-matching details (e.g., identity of the parties, price, and quantity) to the buyer and issuer of a digital asset security—similar to a traditional private placement—and the issuer settles the transaction bilaterally between the buyer and issuer, away from the broker-dealer.  In this case, the broker-dealer instructs the customer to pay the issuer directly and instructs the issuer to issue the digital asset security to the customer directly (e.g., the customer’s “digital wallet”). 
   
• A second example is where a broker-dealer facilitates “over-the counter” secondary market transactions in digital asset securities without taking custody of or exercising control over the digital asset securities.  In this example, the buyer and seller complete the transaction directly and, therefore, the securities do not pass through the broker-dealer facilitating the transaction.
   
• Another example is where a secondary market transaction involves a broker-dealer introducing a buyer to a seller of digital asset securities through a trading platform where the trade is settled directly between the buyer and seller.  For instance, a broker-dealer that operates an alternative trading system (“ATS”) could match buyers and sellers of digital asset securities and the trades would either be settled directly between the buyer and seller, or the buyer and seller would give instructions to their respective custodians to settle the transactions.[9]  In either case, the ATS would not guarantee or otherwise have responsibility for settling the trades and would not at any time exercise any level of control over the digital asset securities being sold or the cash being used to make the purchase (e.g., the ATS would not place a temporary hold on the seller’s wallet or on the buyer’s cash to ensure the transaction is completed).

Whether a security is paper or digital, the same fundamental elements of the broker-dealer financial responsibility rules apply.  The Staffs acknowledge that market participants wishing to custody digital asset securities may find it challenging to comply with the broker-dealer financial responsibility rules without putting in place significant technological enhancements and solutions unique to digital asset securities.  As the market, infrastructure, and law applicable to digital asset securities continue to develop, the Staffs will continue their constructive engagement with market participants and to gather additional information so that they may better respond to developments in the market[10] while advancing the missions of our respective organizations: for the SEC, to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation; and for FINRA, to provide investor protection and promote market integrity.

TA broker-dealer seeking to custody digital asset securities must comply with the Customer Protection Rule.  As noted, the rule is designed principally to protect customers of a registered broker-dealer from losses and delays in accessing their securities and cash that can occur if the firm fails.  The rule requires the broker-dealer to safeguard customer securities and cash entrusted to the firm, as discussed below.  If the broker-dealer fails, customer securities and cash should be readily available to be returned to customers.[11]  In the event the broker-dealer were to be liquidated under SIPA, the SIPA trustee would be expected to step into the shoes of the broker-dealer and expected to be able to transfer, sell, or otherwise dispose of assets in accordance with SIPA.[12] 

Among its core protections for customers, Rule 15c3-3 requires a broker-dealer to physically hold customers’ fully paid and excess margin securities or maintain them free of lien at a good control location.[13]  Generally, a broker-dealer may custody customer securities with a third-party custodian (e.g., the Depository Trust Company or a clearing bank),[14] and uncertificated securities, such as mutual funds, may be held at the issuer or at the issuer’s transfer agent.[15]  In either case, there is a third party that controls the transfer of the securities.  This traditional securities infrastructure (including, for example, related laws of property and security) also has processes to reverse or cancel mistaken or unauthorized transactions.

There are many significant differences in the mechanics and risks associated with custodying traditional securities and digital asset securities.  For instance, the manner in which digital asset securities are issued, held, and transferred may create greater risk that a broker-dealer maintaining custody of them could be victimized by fraud or theft, could lose a “private key” necessary to transfer a client’s digital asset securities, or could transfer a client’s digital asset securities to an unknown or unintended address without meaningful recourse to invalidate fraudulent transactions, recover or replace lost property, or correct errors.  Consequently, a broker-dealer must consider how it can, in conformance with Rule 15c3-3, hold in possession or control digital asset securities.

In particular, a broker-dealer may face challenges in determining that it, or its third-party custodian, maintains custody of digital asset securities.[16]  If, for example, the broker-dealer holds a private key, it may be able to transfer such securities reflected on the blockchain or distributed ledger.  However, the fact that a broker-dealer (or its third party custodian) maintains the private key may not be sufficient evidence by itself that the broker-dealer has exclusive control of the digital asset security (e.g., it may not be able to demonstrate that no other party has a copy of the private key and could transfer the digital asset security without the broker-dealer’s consent).[17]  In addition, the fact that the broker-dealer (or custodian) holds the private key may not be sufficient to allow it to reverse or cancel mistaken or unauthorized transactions.  These risks could cause securities customers to suffer losses, with corresponding liabilities for the broker-dealer, imperiling the firm, its customers, and other creditors.

The broker-dealer recordkeeping and reporting rules[18] require a broker-dealer, among other things, to make and keep current ledgers reflecting all assets and liabilities,[19] as well as a securities record reflecting each security carried by the broker-dealer for its customers and all differences determined by the count of customer securities in the broker-dealer’s possession or control compared to the result of the count with the broker-dealer’s existing books and records.[20]  The financial responsibility rules also require that broker-dealers routinely prepare financial statements,[21] including various supporting schedules particular to broker-dealers, such as Computation of Net Capital under Rule 15c3-1 and Information Relating to the Possession or Control Requirements under Rule 15c3-3 under the Exchange Act.[22] 

The books, records, and financial reporting requirements are designed to ensure that a broker-dealer makes and maintains certain business records to assist the firm in accounting for its activities.  These rules also assist securities regulators in examining for compliance with the federal securities laws and as such are an integral part of the financial responsibility program for broker-dealers.

The nature of distributed ledger technology, as well as the characteristics associated with digital asset securities, may make it difficult for a broker-dealer to evidence the existence of digital asset securities for the purposes of the broker-dealer’s regulatory books, records, and financial statements, including supporting schedules.  The broker-dealer’s difficulties in evidencing the existence of these digital asset securities may in turn create challenges for the broker-dealer’s independent auditor seeking to obtain sufficient appropriate audit evidence when testing management’s assertions in the financial statements during the annual broker-dealer audit.[23]  We understand that some firms are considering the use of distributed ledger technology with features designed to enable firms to meet recordkeeping obligations and facilitate prompt verification of digital asset security positions (e.g., regulatory nodes or permissioned distributed ledger technologies).  Broker-dealers should consider how the nature of the technology may impact their ability to comply with the broker-dealer recordkeeping and reporting rules. 

In the case of a digital asset security that does not meet the definition of “security” under SIPA, and in the event of the failure of a carrying broker-dealer, SIPA protection likely would not apply and holders of those digital asset securities would have only unsecured general creditor claims against the broker-dealer’s estate.[26]  Further, uncertainty regarding when and whether a broker-dealer holds a digital asset security in its possession or control creates greater risk for customers that their securities will not be able to be returned in the event of a broker-dealer failure.[27]  The Staffs believe that such potential outcomes are likely to be inconsistent with the expectations of persons who would use a broker-dealer to custody their digital asset securities.   

As a related matter, the Staffs have received inquiries from broker-dealers, including ATSs, wishing to utilize an issuer or transfer agent as a proposed “control location” for purposes of the possession or control requirements under the Customer Protection Rule.  As described to the Staffs, this would involve uncertificated securities where the issuer or a transfer agent maintains a traditional single master security holder list, but also publishes as a courtesy the ownership record using distributed ledger technology.  While the issuer or transfer agent may publish the distributed ledger, in these examples, the broker-dealers have asserted that the distributed ledger is not the authoritative record of share ownership.  To the extent a broker-dealer contemplates an arrangement of this type, the Division will consider whether the issuer or the transfer agent can be considered a satisfactory control location pursuant to an application under paragraph (c)(7) of Rule 15c3-3.[28]