The regulators attempt to clarify their position on the possible custody of digital assets by broker-dealers, but questions remain.
The SEC and FINRA recently released a joint staff statement (Joint Statement) addressing the custody of digital asset securities by broker-dealers. For some time, registered broker-dealers and applicants have sought to facilitate digital asset transactions and the accompanying custody of such assets. However, their efforts have been stymied, in part due to a lack of interpretive guidance from the SEC and FINRA regarding how to custody digital assets in compliance with the relevant regulations. The Joint Statement is an initial step by the SEC and FINRA toward clarifying their positions on these issues. It makes clear that broker-dealers that do not seek to custody such assets but seek to otherwise engage in brokerage activities with digital assets (e.g., private placements or if the broker-dealer matches buyers and sellers who conduct settlement between themselves) should be permitted to do so. The bottom line, however, is that the regulators “are just not ready”[i] to approve broker-dealers to custody digital assets.
Joint Statement Does Not Establish or Specify Exact Requirements of Heightened Security for Digital Assets as Required by the Customer Protection Rule
The first two points of the Joint Statement relate to the SEC and FINRA staff’s interpretation of Rule 15c3-3 under the Securities Exchange Act of 1934 (the Customer Protection Rule). As the Joint Statement notes, “The Customer Protection Rule requires broker-dealers to safeguard customer assets and to keep customer assets separate from the firm’s assets, thus increasing the likelihood that customers’ securities and cash can be returned to them in the event of the broker-dealer’s failure.” Accordingly, this “safeguarding” element establishes a general security standard with which broker-dealers must comply. Historically, broker-dealers have approached this requirement by undertaking reasonable procedures regarding the safekeeping of securities. However, due to the risk of criminal cyberattacks on digital asset trading platforms, the Joint Statement implies that heightened standards of security apply to broker-dealers seeking to custody such assets. In fact, it appears that current technological solutions are insufficient to meet this standard, as the Joint Statement provides that “significant technological enhancements and solutions unique to digital asset securities” may be needed for broker-dealers to custody digital assets in accordance with securities laws.
The Joint Statement also makes clear that any broker-dealer seeking to custody digital assets must demonstrate compliance with applicable books, records, and reporting rules. However, compliance with these rules and attendant regulatory testing and audit requests may be more complex for custodians of digital assets, and the specific enhanced actions that a broker-dealer might need to take for compliance are unclear.
Knowledge of a Private Key May Not Demonstrate Adequate Control
The Customer Protection Rule requires broker-dealers to either have physical possession of digital assets or “maintain them free of lien at a good control location.” The Joint Statement interprets “control” to mean exclusive control, noting that maintaining a digital asset’s private key may not evidence exclusive control, as another party could have a copy of the private key and transfer the digital asset security without consent. This was not an issue with traditional securities, as security ownership was represented by possession of original certificates and exclusive control was implicit. The Joint Statement does not provide express guidance on how a broker-dealer may demonstrate control, other than to say that some broker-dealers seeking to custody digital assets have proposed various “control locations” that the SEC and FINRA would be willing to consider as part of their general application evaluation process.
Buyer Beware — SIPA Does Not Cover Digital Assets That Constitute Investment Contracts
The Joint Statement concludes with a discussion of the applicability of the Securities Investor Protection Act of 1970 (SIPA). Generally, SIPA guarantees up to US$500,000 worth of customer assets, which includes up to US$250,000 for cash claims. SIPA defines what constitutes securities for purposes of the regulation, but notably this definition does not include non-listed securities, and thus, all current digital assets. The Joint Statement’s discussion of SIPA is curious, however, as SIPA has never covered unregistered securities. Given the enormous volume of private securities transactions outside of the digital asset marketplace, the SIPA point would seem to warrant more the status of a footnote. Nonetheless, the regulators likely view the large retail interest in this marketplace as requiring more explicit guidance. Notably, offerings under Reg A+ (one such digital asset offering has made it through the SEC gauntlet) are available to retail investors, but such securities would not be covered by SIPA.
[i] Statement of Elizabeth Baird, Associate Director, Division of Trading and Markets, SEC, at the SIFMA Legal and Compliance Conference, March 26, 2019.