a16z: 5 Principles for the Custody of Tokenized Assets
天才小路的日志
Blockchain Observer
04-17 17:44

Author: Scott Walker, Kate Dellolio, David Sverdlov Source: a16zcrypto
Translation: Shan Oppa

Registered Investment Advisers (RIAs) that invest in crypto assets face a dual dilemma: insufficient regulatory clarity and a limited set of viable custody options. Complicating matters further, crypto assets carry ownership and transfer risks that differ from those of the assets RIAs have previously been responsible for. An RIA's internal teams (operations, compliance, legal and so on) spend considerable effort finding third-party custodians willing to meet their expectations. Even so, an RIA sometimes cannot find a custodian at all, or cannot find one that supports the full economic and governance rights of the assets, which leads the RIA to hold those assets directly. The current reality of crypto custody therefore brings clear legal and operational risks and uncertainties.

The industry needs a principles-based approach to this critical issue in order to serve professional investors who hold crypto assets on behalf of their clients. In response to recent requests for information from the Securities and Exchange Commission (SEC), we have developed a set of principles that, if implemented, would extend the objectives of the Investment Advisers Act custody rule (safekeeping, periodic disclosure and independent verification) to the new tokenized asset class.

Crypto Assets: What Is Different

With traditional assets, the holder's control means that no one else has control. That is not the case with crypto assets. Multiple entities may have access to the private keys associated with a set of crypto assets, and multiple people may be able to transfer those assets regardless of who holds the contractual rights to them.

Crypto assets often also come with a variety of inherent economic and governance rights that form part of the asset itself. Traditional debt or equity securities earn income (such as dividends or interest) "passively": the holder does not need to transfer the assets or take any further action after acquiring them. By contrast, a crypto asset holder may need to take action to unlock certain sources of income or governance rights associated with the asset. Depending on the capabilities of the third-party custodian, an RIA may need to temporarily move these assets out of custody to unlock those rights. For example, certain crypto assets earn income through staking or yield farming, or carry voting rights in governance proposals for protocol or network upgrades. These differences from traditional assets present new challenges for the custody of crypto assets.

To help determine when self-custody is appropriate, we developed the following flowchart.

The Principles

The principles we propose here are designed to remove the uncertainty RIAs face around custody while preserving their responsibility to protect client assets. Today the market for qualified custodians (such as banks or broker-dealers) that specialize in crypto assets is very thin; our primary focus is therefore on whether the custodian entity can meet the substantive protections we believe are necessary for custodying crypto assets, not merely on whether the entity has the legal status of a qualified custodian under the Investment Advisers Act.

We also recommend that RIAs that can themselves meet the substantive protections consider self-custody when no third-party custody solution meeting those protections is available, or when the available solutions do not support the assets' economic and governance rights.

Our goal is not to extend the scope of the custody rule beyond securities. These principles apply to crypto assets that are securities, and they set out criteria by which an RIA can meet its fiduciary duties for other asset types. An RIA should seek to hold non-security crypto assets under similar conditions and should document its custody practices for all assets, including the reasons for any material differences between the custody practices applied to different asset types.

Principle 1: Legal status alone should not determine whether a crypto custodian is qualified

Legal status, and the protections that come with a particular legal status, matter to a custodian's clients, but they are not the whole story when it comes to custodying crypto assets. For example, federally chartered banks and broker-dealers are subject to custody regulations that give clients important protections, but state-chartered trust companies and other third-party custodians can provide comparable levels of protection (discussed further under Principle 2).

A custodian's registration should not be the sole determinant of whether it is eligible to custody crypto asset securities. For crypto assets, the category of "qualified custodian" in the custody rule should be expanded to include:

  • State-chartered trust companies (that is, they need not meet the definition of "bank" in the Investment Advisers Act, but must be supervised and examined by a state or federal agency with regulatory authority over banks).

  • Any entity registered under the (proposed) federal crypto market structure legislation.

  • Any other entity that, regardless of its registration status, can demonstrate that it meets strict standards for protecting clients.

Principle 2: Crypto custodians should establish appropriate protection measures

Regardless of the specific technical tools they use, crypto custodians should adopt certain protections around the custody of crypto assets. These measures include:

  • Separation of powers: A crypto custodian may not transfer crypto assets out of custody without the RIA's cooperation (for example, signing the transaction and/or device-based authentication).

  • Segregation: A crypto custodian shall not commingle assets held for an RIA with assets held for any other entity. A registered broker-dealer may, however, use a single omnibus wallet, provided that it always keeps up-to-date records of ownership of those assets and promptly discloses the commingling to the affected RIA.

  • Provenance of custody hardware: A crypto custodian should not use any custody hardware or other tooling that increases security risk or introduces a risk of compromise.

  • Audit: Crypto custodians should undergo financial control and technical audits at least annually. Such audits should include:

    • Financial control audits conducted by auditors registered with the Public Company Accounting Oversight Board (PCAOB):

      • Service Organization Control (SOC) 1 audit;

      • SOC 2 audit; and

      • Recognition, measurement and presentation of crypto assets from the holder's perspective.

    • Technical audit:

      • ISO 27001 certification;

      • Penetration test ("pen test"); and

      • Testing of disaster recovery procedures and business continuity plans.

  • Insurance: Crypto custodians should carry sufficient insurance coverage (including "umbrella" coverage); where such coverage is unavailable, they should hold sufficient reserves, or use a combination of the two.

  • Disclosure: Crypto custodians must provide the RIA each year with a list of the major risks associated with their custody of crypto assets, together with the written supervisory procedures and internal controls that mitigate those risks. The custodian should reassess this quarterly and determine whether the disclosures need updating.

  • Custody location: If local law provides that custodied assets would become part of the custodian's bankruptcy estate in the event of its insolvency, the crypto custodian shall not custody crypto assets in that jurisdiction.

Additionally, we recommend that crypto custodians implement protections related to the following processes at each stage:

  • Preparation phase: Review and evaluate the crypto assets to be custodied, including the key generation process and transaction signing procedures, whether they are supported by an open source wallet or software, and the provenance of every piece of hardware and software used in the key management process.

  • Key generation: Encryption should be applied at every level of this process, and multiple encryption keys should be required to generate one or more private keys. The key generation process should be both "horizontal" (multiple encryption key holders at the same level) and "vertical" (multiple encryption levels). Finally, the quorum requirement should also require the physical presence of the validators, who should be protected and monitored to prevent interference.

  • Key storage: Keys are never stored in plaintext; they may be stored only in encrypted form. Keys must be physically separated, whether by geographic location or by individuals with different access rights. If a hardware security module (or similar module) is used to hold a copy of a key, it must meet a U.S. Federal Information Processing Standard ("FIPS") security level. Strict physical isolation and authorization measures should be taken to ensure air-gap isolation (see our full response for example measures). Crypto custodians should maintain redundancy across at least two layers of encryption so that operations can continue in the event of natural disaster, power outage or property damage.

  • Key usage: Wallets should require authentication; in other words, they should verify that a user is who they claim to be, and that only authorized parties can access the contents of the wallet (see our full response for a sample authentication form). Wallets should use mature open source cryptography libraries. Another best practice is to avoid using one key for multiple purposes: encryption and signing, for example, should use different keys. This follows the "principle of least privilege" in case of compromise, which means that access to any asset, information or operation should be limited to the parties or code strictly required for the system to run.
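The key generation and key storage bullets above describe a layered structure: "horizontal" sharing of control among several key holders and "vertical" layers of encryption, with the private key never stored in plaintext. The following added example (not the article's or a16z's code) shows a minimal version of that structure using only the Python standard library: a private key is sealed under a data-encryption key, that key is sealed under a key-encryption key, and only n-of-n XOR shares of the outer key are handed to the holders. The HMAC-SHA256 counter-mode cipher is a constructed stand-in for a real authenticated cipher, and a holder count of at least two is assumed.

```python
import hashlib, hmac, secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a constructed stand-in for a real AEAD cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> dict:
    # encrypt-then-MAC so that a wrong key or a tampered record is rejected on open
    nonce = secrets.token_bytes(16)
    ct = xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))
    return {"nonce": nonce, "ct": ct, "tag": hmac.new(key, nonce + ct, hashlib.sha256).digest()}

def open_sealed(key: bytes, box: dict) -> bytes:
    tag = hmac.new(key, box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, box["tag"]):
        raise ValueError("authentication failed: wrong key or tampered record")
    return xor_bytes(box["ct"], keystream(key, box["nonce"], len(box["ct"])))

def join_key(shares: list) -> bytes:
    key = shares[0]
    for s in shares[1:]:
        key = xor_bytes(key, s)
    return key

def split_key(key: bytes, holders: int) -> list:
    # horizontal layer: n-of-n XOR shares, one per holder (holders >= 2); a missing share blocks recovery
    shares = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    return shares + [xor_bytes(key, join_key(shares))]

def store_private_key(priv: bytes, holders: int):
    # vertical layers: priv is sealed under a DEK, the DEK under a KEK; only KEK shares
    # are handed out, so the at-rest record holds no usable key on its own
    dek = secrets.token_bytes(32)   # level 1: data-encryption key
    kek = secrets.token_bytes(32)   # level 2: key-encryption key
    record = {"enc_priv": seal(dek, priv), "enc_dek": seal(kek, dek)}
    return record, split_key(kek, holders)

def recover_private_key(record: dict, shares: list) -> bytes:
    dek = open_sealed(join_key(shares), record["enc_dek"])
    return open_sealed(dek, record["enc_priv"])

def record_contains_plaintext(record: dict, priv: bytes) -> bool:
    # storage check from the text: the raw private key must never appear at rest
    return any(priv in blob for box in record.values() for blob in box.values())
```

Recovery with any share missing fails at the authentication check rather than silently producing garbage, which is the behaviour an auditor would expect to see exercised in a disaster-recovery test.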

Principle 3: Crypto custody rules should allow RIAs to exercise the economic or governance rights attached to custodied crypto assets

Unless otherwise directed by the client, an RIA should be able to exercise the economic or governance rights associated with custodied crypto assets. Under the previous SEC leadership, many RIAs adopted the conservative strategy of placing all of their crypto assets with qualified custodians (unless no qualified custodian was available). As noted above, the market for such custodians is limited, which often leaves only one qualified custodian willing to support a given asset.

In these cases the RIA may ask to be allowed to exercise its economic or governance rights, but the crypto custodian may decline to support them because of its internal resources or other factors. The RIA then does not consider itself entitled to choose another third-party custodian, or to self-custody, in order to exercise those rights. Examples of such economic and governance rights include staking, yield farming and voting.

Consistent with this principle, we believe an RIA should select a third-party crypto custodian that both meets the relevant protections and allows the RIA to exercise the economic or governance rights associated with its custodied crypto assets. If no third party meets both requirements, a temporary transfer of assets into self-custody so that the RIA can exercise those rights should not be treated as a withdrawal from custody, even if the assets are deployed into a non-custodial protocol or smart contract.

Every third-party custodian should make every effort to give the RIA the ability to exercise these rights while the assets remain with the custodian and, upon the RIA's authorization, to take the commercially reasonable actions needed to execute any rights associated with the on-chain assets. This includes the ability to expressly delegate any crypto asset to the RIA's wallet in order to realize the rights attached to that asset.

Before any crypto asset is withdrawn from custody to exercise rights associated with it, the RIA or the custodian, as the case may be, must first reasonably determine in writing whether those rights can be exercised without withdrawing the asset from custody.

Principle 4: Crypto custody rules should be flexible enough to allow best execution

RIAs have a duty of best execution when trading assets. To that end, regardless of the status of the asset or the custodian, an RIA should be able to transfer assets to a crypto trading platform to obtain best execution, provided the RIA has taken the necessary steps to satisfy itself of the resilience and security of the trading venue, or, once the relevant legislation is finalized, has transferred the crypto assets to an entity regulated under the crypto market structure legislation.

If the RIA determines that transferring crypto assets to such a venue is desirable for best execution, the transfer should not be treated as a withdrawal from custody. This requires the RIA to reasonably determine that the venue is suitable for best execution. If the trade cannot be properly executed at that venue, the assets should be returned to the crypto custodian in a timely manner.

Principle 5: RIAs should be allowed to self-custody in certain circumstances

While a third-party custodian should remain the primary option for crypto assets, an RIA should be allowed to self-custody crypto assets in the following circumstances:

  • The RIA determines that no third-party custodian meeting the protections the RIA requires can custody the crypto asset.

  • The RIA's own custody arrangements provide a level of protection for the crypto asset at least comparable to that of reasonably available third-party custodians.

  • Self-custody is necessary to optimally exercise the economic or governance rights associated with the crypto asset.

When an RIA decides to self-custody crypto assets for one of the reasons above, it must confirm annually that the rationale for self-custody still holds, disclose the self-custody arrangement to clients, and subject those crypto assets to the audit requirements of the custody rule, under which the auditor can confirm that the assets are segregated from, and fully protected against claims on, the RIA's other assets.

A principles-based approach to crypto custody ensures that RIAs can fulfill their fiduciary duties while adapting to the unique characteristics of crypto assets. By focusing on substantive protections rather than rigid classifications, these principles offer a pragmatic path to protecting client assets while unlocking the capabilities of those assets. As the regulatory environment develops, clear standards rooted in these protections will enable RIAs to manage crypto investments responsibly.
