Defining Qualified Custody: Anchorage Digital’s Letter to the SEC

Late last year, the SEC requested formal comment on the definition of “qualified custodian” as it relates to digital assets. Anchorage Digital offered a comprehensive response, based on our expertise in handling digital assets and our experience as a once-state-chartered-entity-turned-national-bank. What follows is a high-level overview of our position and our full letter below.

While the law is unambiguously clear that federally chartered banks under the purview of the Office of the Comptroller of the Currency (OCC) meet the definition of qualified custodian, it is not possible to make a blanket declaration as to whether state trusts universally do under the policy goals of the rule. As such, to determine whether or not a state-chartered trust meets the definition of qualified custodian under the Custody Rule requires a facts and circumstances determination on a case-by-case basis and relies on an analysis of 1) an entity’s ability to adequately provide custody services specific to digital assets, 2) the level of government oversight that entity receives, as compared to the OCC, and 3) an entity’s internal processes and controls.

Technical capabilities

Because digital assets are qualitatively different from legacy financial instruments from a technological perspective, we believe that the definition of Qualified Custody in the digital asset space should reflect that fact and include the following as baseline requirements:

Proof of exclusive control. A qualified custodian of digital assets needs to be able to prove exclusive control of private keys. Custodians that rely on redundancy (maintaining multiple physical or electronic copies) and physical security cannot definitively demonstrate this. Because there can be multiple copies of private key material, showing ownership of a key does not prove exclusive control over the associated assets. By relying on air-gapped hardware security modules (HSMs) to generate and secure custody of private keys, proof of exclusive control is definitively provable.

Proof of existence. Beyond proof of exclusive control, a qualified custodian should always be able to prove the existence of assets held under custody when requested as an essential consumer protection. Doing so validates that private keys exist, that the private keys are functional, and that they are held exclusively in the name of the right parties.

Hardware security. There are already existing federal requirements when it comes to managing cryptographic data through the use of HSMs, providing a best practices standard. We believe that HSMs, a mature and proven technology used by the military, NATO, and large financial institutions globally to secure private key material, best meet the security standards that should be required of a qualified custodian. HSMs easily meet goals of exclusive control, regular existence proofing, and are also easily auditable by clients and third-party vendors.

Blockchain monitoring. A qualified custodian should be able to regularly track and monitor the blockchain of any digital asset they custody. It is the responsibility of a qualified custodian to assess the unique security concerns and vulnerabilities to exploits inherent in digital assets. An inability or unwillingness to assess or monitor a given blockchain’s integrity puts consumers at risk for material loss. We believe a qualified custodian should implement clear policies and procedures for monitoring blockchain activity for the assets they support on a regular cadence.

Regulatory oversight and fiduciary requirements

Beyond technical capabilities, to determine whether an entity meets the definition of qualified custodian in the digital asset space, it is also important to assess the level of oversight that entity receives. For instance, the OCC, the preeminent regulatory authority in the banking sector, has a number of structural requirements for fiduciary banks under its purview that may or may not be prioritized by state regulatory bodies, including:

Financial and legal independence from parent entity and affiliates. Operating in the best interest of consumers, the market, and capital formation requires a bank to operate unencumbered by the legal or financial structure of a parent entity or affiliates. This includes requiring a clear demarcation between a parent entity and chartered bank,¹ as well as ensuring affiliate transactions happen at market terms on an arm’s length basis.²

Credible challenge. For federally-regulated trust banks, independent operation is augmented by the concept of credible challenge, or “the method that directors use to hold management accountable by being engaged and asking questions and eliciting any facts necessary, when appropriate, to satisfy themselves that management’s strategies are viable.”³ In short, board oversight needs to be independent and informed enough to be able to exert influence over the bank itself — all essential for operating in the best interest of consumers, markets, and capital formation.

Consumer protection. Federally-chartered banks are required to protect consumer privacy information through adherence to the Gramm-Leach-Bliley Act (GLBA),⁴ and maintain a Fiduciary Audit Committee⁵ to ensure fiduciary activities are independently reviewed and monitored. This level of consumer protection requirement varies from state to state and requires case-by-case analysis.

Three lines of defense. The OCC expects banks under its purview to maintain three lines of defense against improper bank management: operations, compliance, and independent audit function. From day-to-day operations through an independent audit function, the three lines of defense each operate independently of each other, helping to best ensure that a bank is well protected against mismanagement and eliminating the single points of failure that exist in other operational structures.

A risk-based approach to capital adequacy requirements. The capital adequacy spectrum across states today includes on one end somewhat arbitrary fixed sums required and infinitely scaling capital on the other. A better, more holistic approach involves assessing a wide range of potential risks and setting capital adequacy requirements based on that assessment.⁶ We believe that this is the most effective way to protect consumers from a wide range of risks in the digital asset space.

In closing, we believe that, to meet the stated policy goals of the Custody Rule specifically and the SEC more broadly, requiring all of the above is in the best interest of consumer protection, the maintenance of fair, orderly, and efficient markets, and facilitating capital formation.

If you’d like to read the letter in full, you can find it here.