Source: AiYing Compliance
Yesterday, the U.S. Securities and Exchange Commission (SEC) fined Galois Capital Management LLC, a former registered investment advisor in Florida that primarily invests in crypto assets. The SEC found that Galois Capital failed to comply with the custody rules in the Investment Advisers Act of 1940 when managing client assets, especially in the management of crypto assets. Specifically, Galois Capital failed to ensure that the crypto assets it managed were deposited with qualified custodians, but instead placed these assets on non-compliant cryptocurrency trading platforms, resulting in the loss of most of its assets during the collapse of the FTX exchange. In addition, Galois misled investors and provided inconsistent redemption terms.
Aiying believes that such incidents will occur frequently in the field of crypto asset management in the future. With the increasing popularity of crypto assets, investment advisory firms are still in a state of self-regulation in managing such assets due to the absence of early supervision and the increase in compliance costs in the later period. Therefore, the probability of regulatory penalties due to black swan events or reports in the future will only increase.
1. Applicability and expansion of US custody rules
Origin and original intention of custody rules
In simple terms, US custody rules are a set of legal provisions to protect investors' assets. These rules originated from the Investment Advisers Act of 1940, and the goal at the time was to prevent investment advisory firms from having any "tricks" when managing client assets. According to this provision, if an investment advisory firm has the right to control or manage client assets, these assets must be kept by a qualified custodian, such as a regulated bank or financial institution.
The core idea of the custody rules is simple: Investment advisory firms cannot mix client assets with their own money and must manage them separately. If there are any changes in the client's assets, the custodian also needs to notify the client in a timely manner and provide regular asset status reports. These measures are all aimed at ensuring that investors’ funds are safe and will not suffer losses due to mistakes or misconduct by investment advisors.
Expansion to Virtual Assets
With the popularity of virtual assets such as Bitcoin and Ethereum, the financial market has undergone great changes. Virtual assets have brought new challenges to traditional asset management due to their characteristics such as decentralization, anonymity and large price fluctuations. Seeing this change, the SEC realized that it was necessary to expand the protection of the custody rules to these emerging virtual assets.
In recent years, the SEC has made it clear that the custody rules apply not only to traditional financial assets such as stocks and bonds, but also to virtual assets. In other words, if an investment advisory firm manages clients’ cryptocurrencies, these assets also need to be placed with qualified custodians. Qualified custodians must not only meet traditional regulatory requirements, but also have the technology to deal with risks unique to virtual assets, such as the ability to prevent hacker attacks or the loss of cryptocurrencies.
II. Requirements for Qualified Custodian Licenses in the United States
The SEC and other relevant regulatory agencies in the United States have begun to pay attention to and regulate this emerging field for qualified custodians of virtual currency assets. Qualified custodians of digital assets need to meet the requirements of traditional custodians, and must also have specialized capabilities to manage and protect these digital assets. The following are some key standards and requirements for qualified custodians related to digital assets:
Types of Qualified Custodians of Digital Assets
Banks and Trust Companies:
Banks and trust companies regulated by the federal or state governments may provide custody services for digital assets. In order to meet the requirements of qualified custodians, these institutions must have the technology and infrastructure to protect and manage digital assets.
Specialized Digital Asset Custody Firms:
Some companies specialize in providing custody services for cryptocurrencies and other digital assets. These companies may already be registered at the state or federal level and are subject to strict regulation. For example, companies like Coinbase Custody and BitGo Trust already provide custody services for digital assets and have obtained specific state or federal custodian qualifications.
Registered Broker-Dealers:
Other regulated financial institutions:
Some regulated financial institutions, such as futures commission merchants or foreign financial institutions, can also be considered qualified custodians if they meet the requirements for digital asset custody.
Key requirements for digital asset custodians
Secure technology infrastructure:
Digital asset custodians must have advanced cybersecurity technology to prevent hacker attacks and asset loss. This usually includes the use of offline storage, multi-signature technology, hardware security modules (HSM), etc.
Asset Separation and Separate Accounts:
Regular Audits and Reports:
Compliance Capabilities:
Digital asset custodians must comply with the same compliance requirements as traditional asset custodians, including anti-money laundering (AML), know your customer (KYC), and other applicable financial regulations. In addition, specific digital asset compliance frameworks must be followed, such as transparency and traceability of blockchain transactions.
Insurance and Safeguards:
Regulation and certification
State-specific certification: In the United States, some states such as New York have passed the New York Financial Services Law (NYDFS), under which BitLicense allows qualified companies to provide custody services for crypto assets.
Federal-level regulation: Although federal-level regulation has not yet fully covered all types of digital asset custody services, regulatory agencies such as the SEC and CFTC are gradually formulating relevant rules and supervising the market.
Currently, there are 12 institutions that have obtained custody licenses:
(Source: New York State Department of Financial Services NYDFS)
III. Policies in other regions
Hong Kong
1. Background
As an international financial center, Hong Kong is also gradually strengthening its supervision in the field of digital assets. With the popularity of cryptocurrency and blockchain technology, Hong Kong's regulators have begun to formulate corresponding regulations to regulate the custody and trading services of crypto assets. Hong Kong's Trust or Company Service Provider (TCSP) license is one of the licenses that digital asset custody service providers must obtain.
2. Specific requirements
TCSP license: In Hong Kong, companies that provide crypto asset custody services need to apply for and hold a TCSP license. This license is regulated by the Hong Kong Companies Registry (CR) and is intended to ensure that institutions providing trust or company services meet anti-money laundering (AML) and counter-financing of terrorism (CFT) requirements.
Asset separation and separate accounts: Custodians who obtain a TCSP license must ensure that clients' crypto assets are stored strictly separately from their own assets, usually by storing client assets in separate accounts. This practice prevents the custodian from affecting the security of clients' assets in the event of financial problems.
Security technology and compliance requirements: Companies holding a TCSP license must also have strong cybersecurity measures in place to protect clients' digital assets. This includes using cold storage, multi-signature technology, and establishing strict compliance procedures to ensure the security of assets.
Regular audits and reports: Custody service providers need to conduct regular audits and provide clients with detailed asset status reports to ensure transparency and clients’ right to know.
3. Regulatory agencies
Hong Kong Companies Registry (CR): The Companies Registry is responsible for the issuance and supervision of TCSP licenses to ensure that companies providing custody services comply with relevant laws and regulations. The main responsibilities of the CR include reviewing applications, conducting on-site inspections, and supervising licensed companies to comply with anti-money laundering and anti-terrorist financing legal requirements.
4. Industry practices
In Hong Kong, many fintech companies and traditional financial institutions have obtained TCSP licenses to legally provide crypto asset custody services. For example, OSL, BC Group, Hashkey and other companies have carried out compliant custody business in Hong Kong, providing safe digital asset management services for domestic and foreign institutional investors.
Singapore
1. Background
Singapore has attracted many digital asset companies with its open financial policies and innovative environment. The Monetary Authority of Singapore (MAS) is an important institution for regulating digital asset custody. It has formulated a series of regulations to ensure that the custody of crypto assets meets international standards.
2. Specific requirements
Payment Services Act (PSA): Singapore implemented the Payment Services Act (PSA) in 2020, which brought crypto asset services (including custody services) under the scope of regulation. Under the PSA, companies that provide crypto asset custody services must obtain a "Digital Payment Token Service" license issued by MAS.
Custodian Qualifications: In Singapore, custodians need to ensure that their technical and operational frameworks meet strict security standards. MAS requires custodians to have sufficient funds, a sound risk management system, and strong cybersecurity measures.
Compliance and Audit: Custodians must comply with Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) regulations and establish strong customer due diligence (KYC) procedures. Custodians are also required to conduct regular internal and external audits to ensure the transparency and compliance of their operations.
Customer Asset Protection: Custodians must keep clients' crypto assets separate from their own assets and provide independent account management services. This requirement is intended to ensure the safety of client assets and is not affected by the custodian's financial situation.
3. Regulatory bodies
4. Industry practices
Singapore's digital asset custody market is developing rapidly, and many internationally renowned digital asset companies have established custody businesses in Singapore. For example, Propine became the first digital asset custody company to obtain a "full custody" license issued by MAS, marking Singapore's leading position in this field.