Guest post by Sara Hanks, CEO and Founder of  CrowdCheck, Inc. 

On July 8, the SEC and FINRA issued a Joint Staff Statement on Broker-Dealer Custody of Digital Asset Securities. This was a welcome move to those of us who have had conversations with the SEC Staff about these issues in the past. While there is welcome guidance in the Joint Staff Statement, there are still many issues to be settled with respect to the SEC’s ongoing focus on custody.

Custody, in effect, means safekeeping of assets. There are several provisions of securities law that affect the safekeeping of securities. Some of these are explicit and detailed, but there are other areas of securities law that do not provide such robust protection, as discussed below. In general, the objective of these rules is to make sure that it is clear who owns the security and that securities cannot be mischievously removed from their rightful owner.

Let’s start by looking at traditional asset safekeeping in the public securities world. Typically, a public company will apply to the Depositary Trust Company (DTC) for its securities to be eligible for the custody and clearance and settlement services operated by DTC and its affiliates. The securities are issued in the name of DTC’s nominee, Cede & Co. To the extent there is a physical certificate, it’s held at DTC. The rest of the system from this point is “book-entry.” On its stock register, the public company records Cede & Co. as the holder of record. On DTC’s records, broker-dealers who are “DTC participants” (most large brokers) are shown as holding the securities that their retail and institutional clients own. Thus, a retail investor rarely shows up as a shareholder on the public company’s stock register. Instead, her broker records her name as beneficial owner of the shares on its own books, and then the broker shows up as holder of the shares on DTC’s books. This structure makes “DWAC” (deposit/withdrawal at custodian) possible. If Amy, a client of Merrill Lynch, wants to sell to Ben, a client of Schwab, the transaction is swept into all the other transactions between Merrill and Schwab’s clients, netted out, and the balance transferred into the DTC account of the net gainer between the two DTC participants.

DTC holds trillions of dollars of securities, and its physical and cyber security arrangements are accordingly extensive.

Arrangements in the private markets are less elaborate. While according to the SEC’s DERA, the private markets are larger than the public markets, the recording of ownership and safekeeping of securities can be variable and unreliable, unless a regulated entity is involved. In most offerings, shares are uncertificated, and all record-keeping is book-entry, although it may be using the term too generously, when the “books” range from (at the good end) cap table management kept online by a registered stock transfer agent, through an Excel spreadsheet, to some internally inconsistent notes kept on the laptop of one of the founders.

Securities safekeeping and the sanctity of records of securities holdings matters to several stakeholders in the online capital formation universe:

• Broker-dealers are subject to the “Customer Protection Rule.” This requires broker-dealers to safeguard customer assets and keep them separate from their own assets. They are also subject to strict recordkeeping rules with respect to securities carried for their clients.
• Investment advisers are subject to the “Custody Rule.” Where investment advisers have the ability to direct transactions, the securities have to be held by a qualified custodian—a bank or broker.
• Transfer agents are subject to surprisingly little regulation, and what regulation exists tends to be “regulation by inspection.” Responsible agents, however, do have a stake in establishing reliable records of ownership.
• Issuers wishing to make digital securities offerings that are registered with the SEC or exempt from registration under Regulation A have seen the SEC Staff ask in the review process about how ownership of the securities will be recorded, maintained and transferred.

The SEC has been considering questions of custody for some time. It has grappled with, and been unable to get comfortable with, questions of custody in the context of funds holding digital asset securities. In March, the SEC Staff sought input from investment advisers and other market participants on the Custody Rule. Noting that it is a violation for an investment adviser to have custody of client funds or securities unless they are maintained in accordance with the Custody Rule, and that “custody” includes authority and access to clients’ funds, the Staff asked advisers about the risks posed by having authority over assets such as digital assets that do not settle on a “delivery versus payment” basis, as most of the securities in the DTC system do. The request for comment stated that the Staff is concerned about the risks of misappropriation “inherent” in non-DVP arrangements.

The new Statement, the most substantive general guidance so far, is for broker-dealers and what it says is somewhat limited but good news for some. First, if a broker doesn’t actually hold or control securities, it isn’t subject to the Customer Protection Rule or have recordkeeping obligations with respect to securities not held. But a broker that does want to hold or control securities is still on its own in figuring out compliance.

The Statement addresses non-custodial broker models. A broker matching buyers in an offering and sending their details to the issuer (as in traditional private placements or Regulation A offerings) does not raise custody concerns. Nor does secondary market transactions where the securities are transferred from the seller’s control (account or wallet) to the buyer’s. Note, however, that a broker operating an alternative trading system or ATS could not place a hold on the seller’s wallet or the buyer’s cash to ensure that the transaction is completed – that would be a type of control over the securities. Providing that the broker doesn’t involve itself in the transaction in that way, this is the model that probably best serves brokers in the digital asset world right now.

However, if the broker wants to control or hold the securities, things are as murky as ever. As the Statement says, “the ability of a broker-dealer to comply with aspects of the Customer Protection Rule is greatly facilitated by established laws and practices regarding the loss or theft of a security, that may not be available or effective in the case of certain digital assets.” Broker-dealers are required to physically hold customers’ securities or to maintain them at a “good control location.” Third party custodians such as DTC or banks are good control locations. And where the issuer of the securities or its transfer agent “hold” the securities, that works too. In those cases, there is a third party that controls the transfer of the securities, as well as processes to reverse or cancel mistaken or unauthorized transactions.

The Statement flags the differences between traditional manners of holding securities and the ways digital securities are held. When a broker-dealer holds or controls its customers’ digital securities, it is subject to risks that don’t exist in the traditional securities world, including loss of private keys and vulnerability to theft and fraud, with no way to reverse unauthorized transactions. The Statement also focuses on a broker’s inability to prove that it has exclusive control over a private key, or the ability to reverse mistaken or unauthorized transactions. The Statement further says that the nature of distributed ledger technology makes it difficult for a broker to evidence the existence of digital asset securities for the purpose of the broker’s regulatory books.

So, as the Statement says, “The specific circumstances where a broker-dealer could custody digital asset securities in a manner that the Staffs believe would comply with the Customer Protection Rule remain under discussion…” These discussions are likely to continue as this market evolves. The statement that “market participants wishing to custody digital asset securities may find it challenging to comply with the broker-dealer financial responsibility rules without putting in place significant technological enhancements and solutions unique to digital asset securities” seems to indicate that the regulators have not seen any tech solutions that they like so far.

Thus, while we have some clarity on non-custodial operations, for all the other open questions regarding custody and record control, we are still waiting.

However, we do want to encourage the SEC to get to some point of certainty. Fittingly for an SEC Commissioner sometime deemed “crypto-Mom,” Commissioner Hester Pierce has acknowledged that innovation can be messy and maybe we have to live with some mess in order to foster innovation. Brokers following the non-custodial model in the Statement are going to be living with the messiness of ownership structures and records established by issuers and stock transfer agents, and we have to note that many issuers and some STAs are just not that good at structuring and record-keeping. Moreover, we already live with some messiness in other areas of securities laws. For example, the private markets discussed above. There are essentially no controls in the private markets and in smaller deals especially we do see disputes resulting from sloppy recordkeeping. And then there are American Depositary Receipts, or ADRs. The ADR structure permits foreign securities to be traded in the United States. The foreign securities underlying the ADRs are held in their home country by a custodian, who is often but not always an affiliate of the US bank that arranges for the issuance of the depositary receipts in the United States. The custodian is supposed to hold the underlying securities under a trust arrangement, but custodians are generally banks subject to home country regulations and if the authorities in that home country suddenly decide that the custodied securities are custodian assets and subject to seizure because of some real or trumped-up violation of law by the custodian, no amount of arguing that the securities don’t really belong to the custodian will get them back. Law suits along these lines have occurred in the past, and yet we still live with this messiness and potential risk in a market accounting for hundreds of billions of dollars.

The end result of the regulators’ stance right now is to force custody or control into the hands of entities that are either hardly-regulated (issuers, who just have to comply with the law of their state of organization in this regard) or lightly-regulated (transfer agents, who are subject to shockingly few regulations). So isn’t it worth the risk of a mess in order to foster innovation and permit more control to be in the hands of regulated gatekeepers?

© CrowdCheck, Inc. 2019