By Aiying
Yesterday, the U.S. Securities and Exchange Commission (SEC) took enforcement action against Galois Capital Management LLC, a former registered investment adviser based in Florida that primarily invested in crypto assets. The SEC found that Galois Capital failed to comply with custody rules under the Investment Advisers Act of 1940, particularly demonstrating serious deficiencies in managing crypto assets. Specifically, Galois Capital did not ensure its clients' crypto assets were held by qualified custodians; instead, it stored these assets on non-compliant cryptocurrency exchanges, resulting in substantial losses during the collapse of the FTX exchange. Additionally, Galois misled investors by providing inconsistent redemption terms.
Aiying believes such incidents will become increasingly common in the field of crypto asset management. As crypto assets grow more widespread, investment advisory firms continue to operate largely under self-regulation due to early regulatory gaps and rising compliance costs later on. Consequently, the likelihood of black swan events or whistleblower reports leading to regulatory penalties is only increasing.

1. Applicability and Expansion of U.S. Custody Rules
Origins and Intentions of Custody Rules
U.S. custody rules are essentially legal provisions designed to protect investor assets. Originating from the Investment Advisers Act of 1940, these rules were initially established to prevent misconduct or hidden practices by investment advisers when managing client funds. According to this regulation, if an investment adviser has authority over client assets, those assets must be held by a qualified custodian—such as a regulated bank or financial institution.
The core principle is simple: an investment adviser must not commingle client assets with its own funds; they must be managed separately. Any changes to client assets must be promptly reported by the custodian, along with regular account statements. These safeguards aim to ensure investor funds remain secure and protected from losses caused by adviser negligence or misconduct.
Extension to Virtual Assets
With the rise of virtual assets like Bitcoin and Ethereum, the financial landscape has evolved significantly. Due to their decentralized nature, anonymity, and high volatility, virtual assets present new challenges for traditional asset management. Recognizing this shift, the SEC has determined that the protections offered by custody rules must extend to these emerging digital assets.
In recent years, the SEC has clearly stated that custody rules apply not only to traditional securities such as stocks and bonds but also to virtual assets. This means that any investment adviser managing clients’ cryptocurrencies must hold those assets with a qualified custodian. Qualified custodians must meet standard regulatory requirements and possess specialized technical capabilities to manage the unique risks associated with virtual assets—such as protection against hacking or loss of cryptographic keys.
2. Requirements for U.S. Qualified Custodian Licenses
The SEC and other relevant regulatory bodies have begun focusing on and regulating the emerging space of digital asset custody. A qualified custodian for cryptocurrency assets must satisfy both traditional custodial requirements and demonstrate specific expertise in securing digital assets. Below are key standards and requirements for qualified digital asset custodians:
Types of Qualified Digital Asset Custodians
Banks and Trust Companies: Federally or state-regulated banks and trust companies may offer digital asset custody services. To qualify as a custodian, these institutions must possess the technological infrastructure and security measures necessary to safeguard and manage digital assets effectively.
Specialized Digital Asset Custody Firms: Some companies focus exclusively on providing custody services for cryptocurrencies and other digital assets. These firms may already be registered at the state or federal level and subject to strict oversight. For example, firms like Coinbase Custody and BitGo Trust provide digital asset custody services and have obtained custodial licenses from specific states or federal authorities.
Registered Broker-Dealers: Broker-dealers regulated by FINRA may offer digital asset custody, provided they can demonstrate adequate technical capability to manage digital assets securely.
Other Regulated Financial Institutions: Certain regulated entities such as futures commission merchants or foreign financial institutions may also qualify as custodians if they meet the required standards for digital asset custody.
Key Requirements for Digital Asset Custodians
Secure Technical Infrastructure: Digital asset custodians must employ advanced cybersecurity technologies to prevent hacking and asset loss. This typically includes cold storage (offline storage), multi-signature technology, and hardware security modules (HSMs).
Asset Segregation and Independent Accounts: Digital assets must be stored separately from the custodian’s own assets, with client holdings placed in distinct, individually identified accounts.
Regular Audits and Reporting: Custodians must undergo periodic third-party audits to verify asset security and regulatory compliance. They must also provide clients with regular reports on the status of their holdings.
Compliance Capabilities: Custodians must adhere to the same compliance obligations as traditional custodians, including anti-money laundering (AML) and know-your-customer (KYC) regulations, as well as other applicable financial laws. They must also follow digital asset-specific compliance frameworks, ensuring transparency and traceability of blockchain transactions.
Insurance and Safeguards: To further protect client assets, digital asset custodians often obtain insurance coverage to mitigate potential losses from cyberattacks or operational errors.
Regulation and Certification
- State-Level Certification: In the U.S., certain states like New York have enacted regulations such as the New York Department of Financial Services (NYDFS) framework, under which the BitLicense permits qualified companies to provide crypto asset custody services. Aiying previously covered this in detail in “Detailed Analysis: The Two Key Licenses for Web3 Companies Conducting Virtual Currency Business in New York State—BitLicense and Limited Purpose Trust Company License”.
- Federal Oversight: While federal regulation does not yet fully cover all types of digital asset custody, agencies such as the SEC and CFTC are progressively developing rules and supervising market activities. See Aiying's earlier article: “[Payments] Legal Foundations and Requirements for U.S. Cryptocurrency Payment Licenses Explained”.
Currently, there are 12 institutions that have obtained custodial licenses:

(Source: New York State Department of Financial Services - NYDFS)
3. Policies in Other Regions
Hong Kong
1. Background
As an international financial hub, Hong Kong is gradually strengthening its regulatory approach toward digital assets. With growing adoption of cryptocurrencies and blockchain technology, Hong Kong regulators have started establishing corresponding rules to govern crypto asset custody and trading services. The Trust or Company Service Provider (TCSP) license is one of the essential permits required for digital asset custodians in Hong Kong. For more details, see “A Comprehensive Guide to Hong Kong’s 2024 Virtual Asset Custodian (TCSP) Licensing Policy”.
2. Specific Requirements
- TCSP License: Companies offering crypto asset custody services in Hong Kong must apply for and hold a TCSP license. Supervised by the Companies Registry (CR), this license ensures service providers meet anti-money laundering (AML) and counter-terrorism financing (CFT) requirements.
- Asset Segregation and Independent Accounts: TCSP-licensed custodians must strictly separate client crypto assets from their own. Client assets are typically held in independent accounts to protect them even if the custodian faces financial difficulties.
- Security Technology and Compliance: Licensed firms must implement robust cybersecurity measures to protect digital assets, including cold storage, multi-signature wallets, and rigorous internal compliance procedures.
- Regular Audits and Reporting: Custody providers must conduct regular audits and issue detailed asset reports to clients, ensuring transparency and informed participation.
3. Regulatory Authority
- Companies Registry (CR): The CR oversees the issuance and supervision of TCSP licenses, ensuring compliance with relevant laws and regulations. Its responsibilities include reviewing applications, conducting on-site inspections, and monitoring adherence to AML and CFT requirements.
4. Industry Practices
- In Hong Kong, numerous fintech and traditional financial institutions have obtained TCSP licenses to legally offer crypto asset custody services. Companies such as OSL, BC Group, and Hashkey are already operating compliant custody businesses, delivering secure digital asset management solutions to institutional investors globally.
Singapore
1. Background
Singapore has attracted many digital asset firms thanks to its open financial policies and innovation-friendly environment. The Monetary Authority of Singapore (MAS) plays a central role in regulating digital asset custody, having implemented a series of regulations to bring crypto custody in line with international standards. For further reading, refer to “[In-depth Visual Guide] Full Interpretation of Singapore’s Payment Services Regulatory Framework and DPT License Requirements for Virtual Assets”.
2. Specific Requirements
- Payment Services Act (PSA): Enacted in 2020, Singapore’s PSA brings crypto-related services—including custody—under regulatory oversight. Under the PSA, firms providing crypto asset custody must obtain a "Digital Payment Token Service" license issued by MAS.
- Custodian Qualifications: Custodians in Singapore must ensure their technological and operational frameworks meet stringent security standards. MAS requires sufficient capitalization, comprehensive risk management systems, and strong cybersecurity defenses.
- Compliance and Auditing: Custodians must comply with AML and CFT regulations and maintain robust KYC processes. They are also required to perform regular internal and external audits to ensure operational transparency and regulatory compliance.
- Client Asset Protection: Custodians must keep clients’ crypto assets segregated from their own and offer independent account management. This requirement protects client holdings from being affected by the custodian’s financial condition.
3. Regulatory Authority
- Monetary Authority of Singapore (MAS): As Singapore’s central bank and primary financial regulator, MAS oversees compliance in crypto asset custody. Through the PSA, MAS has established a clear regulatory framework for digital asset custodianship.
4. Industry Practices
- Singapore’s digital asset custody market is rapidly expanding, with many internationally recognized firms establishing custody operations in the country. For instance, Propine became the first digital asset custodian to receive a “full-scope” license from MAS, marking Singapore’s leadership in this domain.















