On December 23, 2020, outgoing Chairman Jay Clayton’s last day in office, the Securities and Exchange Commission (“SEC”) released a framework (the “Framework”) for public comment that would permit certain specialized broker-dealers to custody digital asset securities with a guarantee that the SEC will not bring an enforcement action for violating paragraph (b)(1) of Rule 15c3-3 (the “Customer Protection Rule”) of the Securities and Exchange Act of 1934, as amended (the “Exchange Act”), provided such broker-dealers comply with the guidelines set forth in the Framework. The Framework is formulated as a “statement” and “request for comment” rather than a notice of proposed rulemaking; therefore, the Framework itself cannot become a rule (though a future rule may be based on the Framework).
The Customer Protection Rule requires a broker-dealer to “promptly obtain and thereafter maintain physical possession or control of all fully paid and excess margin securities it carries for the account of customers.” The Framework is the SEC’s first attempt to provide concrete instruction to broker-dealers on how they can comply with the custody-related provisions of the Customer Protection Rule with respect to digital asset securities.
The Framework is only applicable to a broker-dealer that limits its business to digital asset securities because the SEC does not believe that the risks about custody of digital asset securities can be isolated within a full-service broker-dealer. The SEC recognizes that while the presence of financial intermediaries in the clearance and settlement process for traditional securities provides inherent controls, no direct analog for control exists for digital asset securities that are issued, held or transferred using distributed ledger technology (“DLT”), and that most digital assets that utilize DLT do not provide a mechanism to reverse or cancel fraudulent or unauthorized transactions.
The Framework is only valid for a period of five years from publication. This period will ostensibly provide the industry with an opportunity to develop best practices regarding custody of digital asset securities and afford the SEC time to observe the Framework’s effectiveness and propose permanent regulations.
The Framework sets forth the following conditions (the Framework uses the term “circumstances”) for a broker-dealer to qualify for no-action relief from the custody-related provisions of the Customer Protection Rule. The wording of the Framework makes it unclear whether all of the circumstances must be present to be exempt from such enforcement, but the context indicates that the SEC expects a broker-dealer to satisfy each circumstance. The circumstances are:
- The broker-dealer must have access to the digital asset securities and the capability to transfer them on the associated DLT;
- The broker-dealer must limit its business to dealing in, effecting transactions in, maintaining custody of, and/or operating an alternative trading system for digital asset securities;
- The broker-dealer must establish, maintain, and enforce reasonably designed written policies and procedures to conduct and document an analysis whether a particular digital asset is a security offered and sold pursuant to an effective registration statement or an available exemption from registration, and whether the broker-dealer meets its requirements to comply with the federal securities laws with respect to effecting transactions in the digital asset security, before undertaking to effect transactions in and maintain custody of the digital asset security;
- The broker-dealer must establish, maintain, and enforce reasonably designed written policies and procedures to conduct and document an assessment of the characteristics of a digital asset security’s DLT and associated network prior to undertaking to maintain custody of the digital asset security and at reasonable intervals thereafter;
- The broker-dealer cannot undertake to maintain custody of a digital asset security if the broker-dealer is aware of any material security or operational problems or weaknesses with the DLT and associated network used to access and transfer the digital asset security, or is aware of other material risks posed to the broker-dealer’s business by the digital asset security;
- The broker-dealer must establish, maintain, and enforce reasonably designed written policies, procedures, and controls that are consistent with industry best practices to demonstrate the broker-dealer has exclusive control over the digital asset securities it holds in custody and to protect against the theft, loss, and unauthorized and accidental use of the private keys necessary to access and transfer the digital asset securities the broker-dealer holds in custody;
- The broker-dealer must establish, maintain, and enforce reasonably designed written policies, procedures, and arrangements to:
- specifically identify, in advance, the steps it will take in the wake of certain events that could affect the broker-dealer’s custody of the digital asset securities;
- allow for the broker-dealer to comply with a court-ordered freeze or seizure; and
- allow for the transfer of the digital asset securities held by the broker-dealer to another special purpose broker-dealer, a trustee, receiver, liquidator, or person performing a similar function;
- The broker-dealer must provide written disclosures to prospective customers:
- that the broker-dealer is deeming itself to be in possession or control of digital asset securities under the Customer Protection Rule; and
- about the risks of investing in or holding digital asset securities that, at a minimum:
- prominently disclose that digital asset securities may not be protected under the Securities Investor Protection Act;
- describe the risks of fraud, manipulation, theft, and loss associated with digital asset securities;
- describe the risks relating to valuation, price volatility, and liquidity associated with digital asset securities; and
- describe, at a high level that would not compromise any security protocols, the processes, software and hardware systems, and any other formats or systems utilized by the broker-dealer to create, store, or use the broker-dealer’s private keys and protect them from loss, theft, or unauthorized or accidental use; and
- The broker-dealer must enter into a written agreement with each customer that sets forth the terms and conditions with respect to receiving, purchasing, holding, safekeeping, selling, transferring, exchanging, custodying, liquidating and otherwise transacting in digital asset securities on behalf of the customer.
A broker-dealer that seeks to rely on the relief provided for in the Framework will be subject to examination by the Financial Industry Regulatory Authority and the SEC staff to review whether the broker-dealer is operating in a manner consistent with the circumstances described above.
The status of the Framework as a “statement” as opposed to a proposed rule does permit the SEC to revoke the Framework at the expiration of the five-year period. Revoking the Framework prior to the expiration of the five-year period is also possible. However, the SEC would likely be required to adduce some concrete evidence that the Framework is ineffective in order to bring an enforcement action in contravention of the Framework within the five-year period.
Request for Comment
Additionally, the SEC is requesting comment on several issues related to the Framework. In particular, the SEC seeks feedback on:
- Industry best practices and technology to secure private keys;
- The ramifications of hard forks, air drops, etc. on the ability of a broker-dealer to custody digital asset securities;
- Accepted practices or model language to disclose risks to customers;
- Whether, and in what contexts, the SEC should permit other broker-dealers to utilize the Framework;
- The settlement risks involved with digital asset securities relative to traditional securities; and
- The benefits and risks associated with a broker-dealer operating a digital asset alternative trading system.
The fact that the SEC is only now requesting comment on these issues, especially in consideration of alternative trading systems after numerous applications by industry, is a strong indicator of just how cautious the SEC is with respect to broker-dealers engaging in the digital assets securities business.
The SEC and Custody of Digital Asset Securities
The Customer Protection Rule, in part, requires a broker-dealer to “maintain physical possession or control” of securities. In the context of digital asset securities, the question has always been: how does a broker-dealer maintain “physical possession” of an asset that is inherently ethereal and unpossessable?
The SEC, state regulators, and industry have all struggled with the question. On July 8, 2019, the SEC issued guidance on the application of the Customer Protection Rule to digital asset securities, but the guidance was not specific and merely outlined the SEC’s concerns regarding the custody of digital asset securities. The SEC offered no roadmap for custody and promised no regulatory safe harbors.
In the absence of clarity from the SEC, other regulators have attempted to provide a framework to encouraging the digital assets securities industry. On July 22, 2020, the Office of the Comptroller of the Currency (“OCC”) issued an interpretative letter confirming the authority of national banks to provide digital asset custody services on behalf of their customers.
States have also attempted to bring clarity to the industry. Wyoming, for example, recently granted a state banking charter to Kraken. South Dakota has granted trust company charters to several digital asset custodians. These state licenses purport to allow the chartered entities to act as “qualified custodians” for the purposes of the SEC’s “Custody Rule” for investment advisers.
However, the SEC has, to this point, resisted calls for clear guidance. The SEC even went so far as to state, in response to Wyoming’s grant of a banking charter to Kraken, that the SEC is not “bound by statements or views expressed by state regulators.”
It is possible that the actions of these other regulators spurred the SEC’s release of the Framework. The timing of the Framework’s release to coincide with Chairman Clayton’s departure, coupled with the Framework’s cautious wait-and-see approach and its structuring as a “statement” rather than a proposed rule in our view all indicate reluctance by some staff or commissioners to fully embrace the nascent digital asset securities industry.