
a16z: 5 Principles of Cryptocurrency Asset Custody

Cryptocurrency asset custody faces unique legal and operational risks.
Authored by: Scott Walker, Kate Dellolio, David Sverdlov
Translated by: Luffy, Foresight News
Registered Investment Advisors (RIAs) investing in crypto assets face a challenging landscape marked by regulatory uncertainty and limited options for asset custody. Compounding this complexity are ownership and transfer risks associated with crypto assets that differ from those of traditional assets RIAs have historically managed. Despite extensive efforts by internal RIA teams—operations, compliance, legal—to identify willing and suitable third-party custodians, qualified providers remain scarce, often forcing RIAs to hold these assets themselves. As a result, the current state of crypto asset custody presents unique legal and operational risks.
The crypto industry requires a principles-based approach to address this critical issue for professional investors entrusted with safeguarding client crypto assets. In response to the U.S. Securities and Exchange Commission’s (SEC) recent request for comment, we outline a set of principles that, if adopted, would extend the objectives of the Custody Rule under the Investment Advisers Act to this new class of crypto assets.
How Crypto Asset Custody Is Different
For traditional assets, an owner's control typically means no other party has control. This is not always true for crypto assets, where multiple entities may have access to the private keys associated with a given set of assets.
Crypto assets also commonly carry intrinsic economic and governance rights essential to their value. Traditional debt or securities can "passively" generate returns (e.g., dividends or interest), requiring no further action from the holder after acquisition. In contrast, holders of crypto assets may need to take active steps to unlock specific yield or governance features tied to the asset. Depending on a third-party custodian’s capabilities, RIAs may need to temporarily move assets out of custody to exercise these rights. For example, certain crypto assets earn yield through staking or yield farming, or grant voting rights on governance proposals for protocol or network upgrades. These distinctions from traditional assets introduce novel challenges for crypto custody.
To help determine when self-custody may be appropriate, we have developed the following flowchart.

Principles
The principles we present here aim to demystify custody for RIAs while preserving their responsibility to protect client assets. The market of qualified custodians focused on crypto assets—such as banks or broker-dealers—is extremely narrow. Therefore, our primary focus is on whether a custody entity can provide the substantive protections we believe are necessary for holding crypto assets, rather than solely on its legal status as a "qualified custodian" under the Investment Advisers Act.
We recommend that RIAs capable of meeting these substantive protection requirements should be permitted to use self-custody when viable third-party custody solutions either do not exist or fail to support economic and governance rights.
Our goal is not to expand the scope of custody rules beyond securities. These principles apply to crypto assets that are securities and establish standards for other asset types to meet RIAs’ fiduciary obligations. RIAs should seek to hold non-security crypto assets under comparable conditions and document all custody practices, including justifications for any material differences in custody approaches across asset types.
Principle 1: Legal Status Should Not Determine Qualification as a Crypto Asset Custodian
While legal status and associated protections matter to clients, they should not be the sole determinant in assessing a custodian’s suitability for crypto assets. For instance, federally chartered banks and broker-dealers are subject to custody regulations and offer strong client protections, but state-chartered trust companies and other third-party custodians can also deliver equivalent levels of protection.
An entity’s registration status should not be the only factor in determining its eligibility to custody crypto asset securities. In the context of crypto, the definition of “qualified custodian” should be expanded to include:
- State-chartered trust companies (i.e., entities that are supervised and examined by a state or federal banking regulator but do not otherwise meet the Advisers Act’s definition of “bank”);
- Any entity registered under (proposed) federal crypto market structure legislation; and
- Any other entity able to demonstrate that it meets rigorous client protection standards, regardless of registration status.
Principle 2: Crypto Asset Custodians Should Implement Appropriate Protective Measures
Regardless of the technical tools used, custodians should implement robust protective measures for crypto asset custody. These include:
1. **Separation of Control**: A crypto asset custodian should not be able to transfer crypto assets without the RIA’s cooperation.
2. **Asset Segregation**: A crypto asset custodian must not commingle assets held for RIAs with those held for other entities. However, registered broker-dealers may use a single omnibus wallet provided they maintain up-to-date records of asset ownership and promptly disclose such information to the relevant RIAs.
3. **Custodial Hardware**: A crypto asset custodian should not use any hardware or other tools that pose security risks or are susceptible to compromise.
4. **Audits**: A crypto asset custodian should undergo financial and technical audits at least annually. These audits should include:
   Financial audit by a PCAOB-registered auditor:
   - Service Organization Control (SOC) 1 audit;
   - SOC 2 audit; and
   - Verification, measurement, and reporting of crypto assets from a holder’s perspective.
   Technical audit:
   - ISO 27001 certification;
   - Penetration testing; and
   - Disaster recovery procedures and business continuity planning tests.
5. **Insurance**: A crypto asset custodian should have sufficient insurance coverage. If insurance is unavailable, it should maintain adequate reserves.
6. **Disclosure**: A crypto asset custodian must provide RIAs annually with a list of principal risks related to the custody of crypto assets, along with written supervisory procedures and internal controls designed to mitigate those risks. This disclosure should be reviewed quarterly to determine if updates are needed.
7. **Custody Jurisdiction**: A crypto asset custodian should not custody crypto assets in any jurisdiction where local law would treat the assets as part of the custodian’s bankruptcy estate upon insolvency.
In addition, we recommend that crypto asset custodians implement protective measures across the following stages:
- **Preparation Phase**: Review and assess the crypto assets to be custodied, including key generation processes and transaction signing procedures, whether they are supported by open-source wallets or software, and the provenance of every piece of hardware and software used in key management.
- **Key Generation**: Use cryptographic techniques at multiple levels, requiring multiple cryptographic keys to generate a private key. The process should be both “horizontal” (multiple keyholders at the same level) and “vertical” (multiple layers of encryption). Quorum requirements should also ensure the physical presence of authorized personnel.
- **Key Storage**: Keys should never be stored in plaintext and must only be stored in encrypted form. Keys must be physically isolated by geography or by access personnel. If hardware security modules (HSMs) are used to store key copies, they must meet U.S. Federal Information Processing Standards (FIPS) security ratings. Strict physical isolation and authorization protocols should be enforced. Custodians should maintain at least two levels of encrypted redundancy to ensure operational continuity during natural disasters, power outages, or property damage.
- **Key Usage**: Wallets should require authentication (verifying the user’s identity) and restrict access to authorized parties only. Wallets should use mature, open-source cryptographic libraries. Another best practice is avoiding multi-use of a single key, for example by maintaining separate keys for encryption and signing. The principle of “least privilege” should be followed, limiting access to any asset, information, or operation strictly to those parties essential for system operation, especially in the event of a security breach.
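The key generation and storage stages above describe a "horizontal" quorum (several keyholders, any k of n needed) layered with "vertical" encryption (no share ever at rest in plaintext) and separate keys per purpose. The following Python is an added example, not code from a16z or from any custodian, that shows those three ideas together in working form: a k-of-n Shamir split of a 256-bit key over the secp256k1 field, each share wrapped under its holder's own encryption key and authenticated with a separate MAC key, and reconstruction only when a full quorum of intact shares is presented. The holder identifiers, the master key-encryption key, and the SHA-256 counter-mode keystream are constructed stand-ins; a production custodian would perform the wrapping inside an HSM with a standard AEAD.

```python
"""Added example: k-of-n quorum key splitting with encrypted, integrity-protected shares.
Horizontal quorum = Shamir secret sharing (any k of n holders rebuild the key).
Vertical layer    = each share is wrapped under the holder's encryption key and
                    authenticated with a separate MAC key before it is stored.
Constructed for illustration; the SHA-256 counter-mode stream stands in for an AEAD."""
import hashlib
import hmac
import secrets

# Field prime: the secp256k1 group order, so every valid secp256k1 private key
# (1 <= d < P) is a field element and can be shared without truncation.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x, mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Shamir split: n points (x, y) on a random degree-(k-1) polynomial whose
    constant term is the secret. Any k points reconstruct it; k-1 reveal nothing."""
    if not (1 <= k <= n < 256) or not (0 <= secret < P):
        raise ValueError("need 1 <= k <= n < 256 and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def derive_holder_keys(master_kek, holder_id):
    """Separate encryption and MAC keys per holder: no single key serves two purposes."""
    enc = hmac.new(master_kek, b"enc|" + holder_id, hashlib.sha256).digest()
    mac = hmac.new(master_kek, b"mac|" + holder_id, hashlib.sha256).digest()
    return enc, mac


def _keystream(key, nonce, length):
    """SHA-256 in counter mode as a stand-in for an AEAD keystream (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap_share(share, enc_key, mac_key):
    """Encrypt-then-MAC one share so it is never at rest in plaintext."""
    x, y = share
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(y.to_bytes(32, "big"), _keystream(enc_key, nonce, 32)))
    tag = hmac.new(mac_key, bytes([x]) + nonce + ct, hashlib.sha256).digest()
    return {"x": x, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_share(blob, enc_key, mac_key):
    """Verify the tag before decrypting; a tampered share is rejected, never used."""
    msg = bytes([blob["x"]]) + blob["nonce"] + blob["ct"]
    expected = hmac.new(mac_key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("share integrity check failed")
    pt = bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, blob["nonce"], 32)))
    return blob["x"], int.from_bytes(pt, "big")


def custody_roundtrip(secret, k=3, n=5):
    """Split, wrap per holder, then rebuild from k unwrapped shares.
    Returns (rebuilt_with_k, rebuilt_with_k_minus_1) for comparison with the input."""
    master_kek = secrets.token_bytes(32)  # constructed; would live inside an HSM
    holders = [b"holder-%d" % i for i in range(1, n + 1)]  # constructed holder ids
    stored = []
    for share, hid in zip(split_secret(secret, k, n), holders):
        enc, mac = derive_holder_keys(master_kek, hid)
        stored.append((hid, wrap_share(share, enc, mac)))
    quorum = [unwrap_share(blob, *derive_holder_keys(master_kek, hid)) for hid, blob in stored[:k]]
    return reconstruct_secret(quorum), reconstruct_secret(quorum[:-1])


if __name__ == "__main__":
    d = secrets.randbelow(P - 1) + 1
    with_k, without_k = custody_roundtrip(d)
    print("3 of 5 shares rebuilt the key:", with_k == d)
    print("2 of 5 shares rebuilt the key:", without_k == d)
```

The quorum size k is the horizontal control: below it, interpolation yields an unrelated field element, so a single compromised holder learns nothing about the key. The per-holder wrapping is the vertical layer, and deriving enc and mac keys under distinct labels is the "no multi-use of a single key" rule from the text; the MAC check runs before any decryption so a corrupted or substituted share fails closed.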
Principle 3: Crypto Asset Custody Rules Should Allow Registered Investment Advisors to Exercise Economic or Governance Rights
Unless otherwise instructed by clients, RIAs should be able to exercise economic or governance rights associated with custodied crypto assets. During the previous SEC administration, due to uncertainty around token classification, many RIAs adopted conservative strategies, placing all crypto assets with qualified custodians. As noted earlier, the limited pool of available custodians often meant only one qualified provider was willing to support a given asset.
In such cases, RIAs might request to exercise economic or governance rights, but the custodian may decline to offer those capabilities. Consequently, RIAs felt constrained from selecting alternative third-party custodians or opting for self-custody to exercise these rights. Such rights include staking, yield farming, or voting.
Under this principle, we advocate that RIAs should be able to select third-party crypto custodians that support the exercise of economic or governance rights, provided the custodian meets the required protective standards. If no third party satisfies both criteria, then moving assets temporarily into self-custody to exercise these rights should not be considered a departure from custody.
All third-party custodians should make commercially reasonable efforts to enable RIAs to exercise these rights while assets remain in custody and, upon RIA authorization, take commercially reasonable actions to exercise any on-chain rights associated with the assets.
Prior to transferring assets out of custody to exercise rights, the RIA or custodian must first document in writing whether the right can be exercised without removing the asset from custody.
Principle 4: Crypto Asset Custody Rules Should Be Flexible to Enable Best Execution
RIAs have a duty of best execution when trading assets. To fulfill this obligation, RIAs may transfer assets to a crypto trading venue to achieve optimal execution, regardless of the asset or custodian status, provided the RIA has taken necessary steps to ensure the security of the trading venue—or has transferred the crypto assets to an entity regulated under finalized crypto market structure legislation.
So long as the RIA reasonably determines that transferring crypto assets to a trading venue is appropriate for achieving best execution, such a transfer should not be deemed a departure from custody. This requires the RIA to make a reasoned determination that the venue is suitable for best execution. If the trade cannot be properly executed, the assets should be promptly returned to the crypto asset custodian.
Principle 5: Self-Custody Should Be Permitted for RIAs Under Certain Conditions
While third-party custody should remain the primary option for crypto assets, RIAs should be allowed to self-custody under the following circumstances:
- The RIA determines that no third-party custodian capable of meeting its required protective measures is available;
- The RIA’s own custody arrangements provide protections at least as effective as those offered by available third-party custodians; and
- Self-custody is necessary to exercise any economic or governance rights associated with the crypto assets.
When RIAs decide to self-custody crypto assets for these reasons, they must annually reaffirm that the justification for self-custody remains valid, disclose the self-custody arrangement to clients, and ensure such crypto assets are subject to the audit requirements of the Custody Rule.
A principles-based approach to crypto asset custody ensures that RIAs can uphold their fiduciary duties while adapting to the unique characteristics of crypto assets. By focusing on substantive protections rather than rigid classifications, these principles offer a practical path forward for protecting client assets and unlocking asset functionality. As the regulatory environment evolves, clear standards based on these protections will empower RIAs to manage crypto assets responsibly.