What are the key risks associated with digital asset custody, and how can these be mitigated in order to ensure there is trust in a digital asset custody solution?
Operational approach to custody and resilience
Key to ensuring trust is knowing that the custodian offers a resilient service - in other words, it is able to protect client assets in the event of a disaster or other unforeseen event.
Risks can be mitigated by implementing certain operational measures. For example, if the custodian has segregated the assets of each client, then this presents a higher level of protection for clients (even if it may result in certain operational inefficiencies in relation to the ability of the custodian to execute a client’s orders). In contrast, certain custodians may employ an omnibus model which offers operational efficiencies but may increase the risk for clients of either a security breach or custodian failure or insolvency. Customers will need to be able to assess the details of a structure, which may sometimes be difficult to discern without additional due diligence, and then weigh any potential risks against the commercial benefits.
For institutions that are evaluating digital asset custodians, existing principles relating to the evaluation of critical outsourced service providers may prove to be a useful tool.
Robustness can also be significantly enhanced by implementing appropriate security measures for use in the event of an incident, and by business contingency planning, such as developing a methodology to recover, replace or restore private keys in the event of a disaster and/or ensuring that sufficient technical expertise is at hand (whether internally or externally) to do so.
Security Risk
Cybersecurity risk is fundamentally interlinked with weakness of trust in the provision of digital asset custody services - digital asset custodians have been subject to a spate of recent hacks, which in many cases have resulted in the looting of customers’ digital asset wallets, and this has clearly negatively impacted trust. Cybersecurity risk is not a new concept, but the manner in which hackers are able to access and misappropriate assets and funds has evolved alongside the technology itself.
In these cases as things currently stand, customers are reliant on the terms presented by the digital asset custodian, and to some extent the custodian’s goodwill to make whole stolen assets. Importantly (and in general terms), there is no regulatory obligation upon the custodian to make whole the customer in this scenario.
While there may be some pre-existing legal principles that seek to assign responsibility and liability and which apply in certain jurisdictions in such a scenario, those principles may not neatly apply in the digital asset context. Over US $6.2 billion worth of digital assets were lost to hackers and scammers in digital asset-related scams in 2021, demonstrating the extent of this issue.
It is therefore essential, in order to develop trust in a digital asset custody solution, to implement and maintain robust security measures that are fit for purpose (i.e. noting the significance of private keys in digital asset custody versus traditional forms of custody). A key consideration in this respect relates to the custodian’s approach to hot and cold wallet storage, and other applicable security mechanisms (such as sharding or multi-signature wallets). Customers need to understand what steps the custodian has implemented to ensure that the ratio of hot-to-cold digital asset storage is appropriate: cold wallet storage offers stronger security resilience but less functionality, and these features need to be balanced.
Client protection on insolvency
Client protections in relation to private key storage are not currently commonplace. Nor are digital assets or private keys recognized for special treatment in custodian insolvency.
This contrasts with other forms of asset that clients may be used to dealing with. One example would be “e-money” in the EU and UK, which benefits from a Special Administration regime for payments and e-money firms, designed to facilitate return of customer funds as soon as reasonably practicable.
Broadly, such protections are not available in relation to digital assets that are not regulated instruments (in the way that, for example, e-money is regulated in the EU and UK).
Given that custodian policies regarding segregation differ, and there is no specific regulatory regime providing for protection of customer assets in a digital assets custodian insolvency scenario, there is a risk of the relevant client ranking with unsecured general creditors in the event of insolvency of the third party custodian. This means that the client sits much lower in the pecking order when the insolvent party’s assets are distributed to its creditors. As a result, the client is less likely to receive the full amount of its digital assets upon the insolvency of the digital asset custodian.
Effective segregation can offer some protection in this regard - where assets have been transferred to a third party custodian’s wallet on the basis of outright title transfer to that custodian, customers should seek to ensure that appropriate contractual terms are in place to govern that relationship to ensure that the client’s interests are protected and that the assets are properly segregated from the custodian’s own assets (e.g. via a trust arrangement).
We further consider digital asset property rights in the chapter Digital Property.
Digital Asset Custody Paper