Safeguarding Advisory Client Assets: Our Take on Crypto Treatment Under the SEC's Proposed Rule
On February 15, 2023, the Securities and Exchange Commission (SEC) voted 4-1 to propose amendments to the investment adviser custody rule, Rule 206(4)-2 under the Investment Advisers Act of 1940 (Act), and redesignate it as Rule 233-1 under the Act (Proposal). The Proposal would amend: (1) certain provisions of the current custody rule,[1] (2) corresponding provisions of the recordkeeping rules under the Advisers Act,[2] and (3) Form ADV for investment adviser registration. Comments on the Proposal are due 60 days after publication in the Federal Register.
Rule 206(4)-2 specifies when a registered investment adviser (RIA) is deemed to have custody of client funds or securities and requires an RIA that has such custody to maintain those assets at a "qualified custodian." The Proposal would expand the scope of assets that an RIA with custody of client assets would have to maintain at a qualified custodian to include, in addition to funds and securities, "other positions" held in the client's account, which would include crypto assets (crypto). The Proposal would also require the qualified custodian to meet specified, rigorous standards designed to provide enhanced investor protections.
While the Proposal's broader focus on investor protection and improving the custody's rule efficacy are sound goals, the Proposal poses significant hurdles for state-chartered trust companies that custody crypto and seek to maintain "qualified custodian" status. Although the Proposal does not rule out this possibility as a technical matter (i.e., state-chartered companies are not specifically excluded from who may qualify), Chair Gensler's statement accompanying the Proposal is clear:
Make no mistake: Based upon how crypto platforms generally operate, investment advisers cannot rely on them as qualified custodians.
Our initial take provides an overview of the Proposal's crypto-related aspects and focuses on these three questions:
- Could a qualified custodian hold crypto in compliance with the Proposal?
- Could state-chartered trust companies providing crypto custody services meet the conditions for being a "qualified custodian" under the Proposal?
- Are RIAs that currently custody crypto in violation of the current custody rule?
Overview of the Proposal
Purpose. The Proposal is a direct response to the "evolution of financial products and services . . ." that "has led to new entrants and new services in the custodial marketplace, including newly launched state-chartered trust companies, as well as established bank and broker-dealer custodians seeking to develop new practices to safeguard assets."[3] It is also designed to incorporate the rise of crypto and the perception that certain RIAs "may not maintain their client's crypto assets with a qualified custodian, instead attempting to safeguard their client's crypto assets themselves—a practice that is not compliant with the custody rule . . . ."[4]
Crypto generally relies on distributed ledger or blockchain technology that uses public and private cryptographic key pairings. The Proposal notes that crypto may not be restored or recovered in the event the keys are lost, forgotten, misappropriated, or destroyed. The finality of blockchain transactions also "often makes it difficult or impossible to reverse erroneous or fraudulent crypto asset transactions," unlike traditional assets held in custody. As a result, RIA clients could be left "without meaningful recourse to reverse erroneous or fraudulent transactions, recover or replace lost crypto assets, or correct errors that result from their adviser having custody of these assets."[5]
The core purpose of the proposal is to protect client assets from "loss, misuse, theft or misappropriation by . . . the adviser."[6]
Key Provisions. The Proposal would, among other things:
- Extend the custody rule's coverage beyond client "funds and securities" to client "assets," which would include "investments such as all crypto assets, even in the instances where such assets are neither funds nor securities."[7]
- Specify that a qualified custodian does not "maintain" a client asset for purposes of the rule if it does not have "possession or control" of that asset, which is defined as "holding assets such that the qualified custodian is required to participate in any change in beneficial ownership of those assets."[8]
- Require RIAs to enter into a written agreement with and receive certain assurances from the qualified custodian to make sure the qualified custodian provides specified custodial protections when maintaining client assets.
- Require that RIAs obtain reasonable assurances that the qualified custodian will:
- Exercise due care in accordance with reasonable commercial standards in discharging its duty as custodian and implement appropriate measures to safeguard client assets from theft, misuse, misappropriation, or other similar type of loss;
- Indemnify the client against losses caused by the qualified custodian's negligence, recklessness, or willful misconduct;
- Not be excused from its obligations to the client as a result of any sub-custodial or other similar arrangements;
- Clearly identify and segregate client assets from the custodian's assets and liabilities; and
- Not subject client's assets to any right, charge, security interest, lien, or claim in favor of the qualified custodian or its related persons or creditors, except to the extent agreed to or authorized in writing by the client.[9]
- Require that RIAs with custody of client assets segregate those assets by:
- Titling or registering the assets in the client's name or otherwise holding the assets for the client's benefit;
- Not commingling the assets with the adviser's or any of its related persons' assets; and
- Not subjecting the assets to any right, charge, security interest, lien, or claim of any kind in favor of the investment adviser or its related persons or creditors except to the extent agreed to or authorized in writing by the client.[10]
Open Questions
First, it is not clear whether and how crypto could be custodied in compliance with the proposed rule because of the Proposal's interpretation of "exclusive possession or control."
The Proposal states that "proving exclusive control of a crypto asset may be more challenging than for assets such as stocks and bonds. For example, while we understand that it is possible for a custodian to implement processes that seek to create exclusive possession or control of crypto assets (e.g., private key creation, maintenance, etc.), it may be difficult to actually demonstrate exclusive possession or control of crypto assets due to their specific characteristics (e.g., being transferable by anyone in possession of a private key)."[11] The Proposal is also wary of models where an advisory client and a qualified custodian might "simultaneously hold copies of the advisory client's private key material to access the associated wallet with the client's crypto assets, and thus both have authority to change beneficial ownership of those assets."[12]
The Proposal sets a high bar for demonstrating exclusive possession or control over any crypto asset. It highlights the potential for "anyone to transfer a private key."[13] The characteristic of transferability is no different from a qualified custodian/broker-dealer's ability to, e.g., transfer a security from one account to another on a book-entry basis or outside the qualified custodian/broker-dealer.
Reading this test too strictly, however, would call into question the existing crypto custody services provided by federally regulated qualified custodians. We would therefore expect the Proposal leave some room for demonstrating "exclusive possession or control" over any crypto asset, particularly since a number of qualified custodian/national banks provide crypto custody services for their customers following regulatory approval by the Office of the Comptroller of the Currency (OCC).
Additional clarity on "transferability" (in addition to any other perceived and unique crypto characteristics) would therefore be helpful in understanding whether any qualified custodian could meet the Proposal's "exclusive possession or control" test.
It seems fair to conclude that crypto wallet models where the custodian and the client each hold physical or electronic copies of a private key would likely fail the "exclusive possession or control" test. SEC staff has consistently taken the position in the broker-dealer context that a broker-dealer does not have control of customer assets unless it has exclusive control.[14] Therefore, to the extent a crypto custodian could "actually demonstrate exclusive possession or control," these instances may be limited to custodial wallet models where all private keys are maintained at all times by the custodian (typically offline in cold storage).
Second, it is not clear whether "new entrants" like state-chartered trust companies providing crypto custody currently meet (or could ever meet) the conditions for being a "qualified custodian" under the Proposal.
Although the Proposal does not directly address whether a state-chartered trust custodying crypto could meet the conditions for being a qualified custodian, Chair Gensler has clear views about crypto platforms generally: "Make no mistake: Based upon how crypto platforms generally operate, investment advisers cannot rely on them as qualified custodians."[15]
The "crypto platforms" Chair Gensler was potentially referring to here are the recently bankrupt crypto companies that "failed to segregate investors' crypto" and have "commingled those assets with their own crypto or investors' crypto."[16] This reading would appear to not preclude certain state-chartered trusts (e.g., centralized digital asset exchanges, digital asset companies that provide custody services to institutional clients ) that are well-regulated and maintain strict segregation protocols (consistent with the custodial protections included in the Proposal).
In addition, the Proposal does not go so far as to eliminate state-chartered trusts from the "bank" definition incorporated under the Advisers Act. The definition of "qualified custodian" in proposed Rule 223-1 incorporates the Advisers Act definition of "bank" and leaves the "bank" definition unchanged. "Bank" continues to include trust companies "doing business under the laws of any State . . . a substantial portion of the business which consists of . . . exercising fiduciary powers similar to those permitted to national banks."[17] Therefore, as a technical matter, the proposed rule does not foreclose the possibility that a state-chartered trust company could meet the qualified custodian requirements.
At the same time, "we must be mindful of the extent to which many of these new entrants to the custodial marketplace offer, and are regulated to provide, the types of protections we believe a qualified custodian should provide under the rule."[18] On balance, we view the Proposal as demonstrating the SEC's willingness to push back on the notion that state-chartered trusts custodying crypto could be qualified custodians.
The Proposal could have provided clear guidance on how state-chartered trusts could meet the qualified custodian requirements but did not. In the absence of any future clarity on this point, we think the better course is for state-chartered trusts to submit a comment and not only explain how they fall under the "bank" definition under the Act, but also how they meet each of the enumerated custodial protections included in the Proposal summarized above.
Third, the Proposal suggests that RIAs that currently custody client crypto "are likely already in violation of the current custody rule."
The Proposal states that an adviser with custody of a client's crypto assets, where those crypto assets have traded on platforms that are not qualified custodians, would "generally result" in an adviser "being in violation of the current custody rule because custody of the [crypto asset] would not be maintained by a qualified custodian from the time the [crypto asset] was moved to the trading platform through the settlement of the trade."[19]
We note that Rule 206(4)-2 applies only to funds and securities; thus, the SEC's conclusion that RIA customers are already in violation of the custody rules rests on its belief that crypto assets are generally securities. To avoid status issues with respect to individual tokens (i.e., whether a given token is a security), RIAs should consider working with custodians to help ensure that those custodians are qualified custodians within the meaning of the Proposal. RIAs should not wait for the Proposal to be adopted in some form to take this step.
Conclusion
We see the following potential impacts resulting from the Proposal:
- RIAs will engage with their existing crypto custodian counterparties to seek needed clarity in a final rule through the notice and comment process and to better understand to what extent their counterparties meet the custodial protections outlined in the Proposal.
- To the extent any final rule fails to provide needed clarity on the "qualified custodian" status of state-chartered trust companies, national banks authorized to custody crypto may see an influx of crypto custody business.
- State-chartered trust companies will need to carefully review their custody operations to ensure that they (1) comply with the custodial protections outlined in the Proposal and (2) can clearly demonstrate such compliance.
- State regulators may individually or collectively seek additional clarity on the SEC's position vis-à-vis state-chartered trust companies and are likely to take the position that a "bank" as defined under the Act includes state-chartered trust companies custodying crypto.
While the Proposal leaves open several critical questions, it accomplishes at least three things, namely, it: (1) casts doubt on the ability of "new entrants" providing crypto custody services to obtain "qualified custodian" status, (2) poses significant hurdles to such "new entrants" to obtain such status, and (3) could make federally regulated national banks a more attractive option for crypto custody services.
If there is one positive takeaway, it is that notice and comment rulemaking is a far better alternative than regulation by enforcement.
[1] 17 C.F.R. §275.206(4)-2.
[2] 17 C.F.R. §275.204-2.
[3] Proposal at 16.
[4] Id. at 18.
[5] Id. at 17.
[6] Id.
[7] Id. at 28.
[8] Id. at 21.
[9] Id. at 23.
[10] Id. at 24.
[11] Id. at 66 (emphasis in original).
[12] Id.
[13] Id.
[14] Custody of Digital Asset Securities by Special Purpose Broker-Dealers, 86 Fed. Reg. 11627, 11631 (Feb. 2021) available here.
[16] Id.
[17] 15 U.S.C. 80b-1(a)(2).
[18] Proposal at 76.
[19] Id. at 68.