Custodians: looking after your assets
This is part of our December 2020 report into:
The Unstoppable Rise of Digital Assets
The need for custody
Who holds the keys? Who looks after the digital assets? The person with control has custody. For an exchange, that custodian should be a third party for better risk management, more robust security and improved accountability. There is no shortage of examples of the inherent problems that can arise when exchange and custodian are bundled together.
The early days of the cryptocurrency industry were defined by staggering attacks on crypto exchanges and service providers. An example can be found in Mt. Gox. The exchange, which in 2013 handled around 70% of all of Bitcoin’s transaction volume, collapsed in 2014 after hackers breached the link between the exchange’s hot (online) and cold (offline) wallets, siphoning off bitcoin as they moved between the two. In analog terms, this would be the equivalent of a bank losing track of funds as they moved it from a teller’s desk to its vaults. A later investigation found that the 2014 hack was the work of the same team that conducted an earlier hack in 2011. In total, over 700,000 BTC were stolen, equivalent to over US$7 billion in 2020 figures.
While Mt. Gox holds the record for the sheer scale of an attack, another notable contender can be found in the demise of the Canadian exchange Quadriga CX. The exchange, which ultimately went offline in January 2019, experienced liquidity problems for most of the year prior that culminated in the death of its founder, Gerald Cotten, in December 2018. Insolvency proceedings that followed found that Cotten had sole control over the exchange’s keys, meaning he was, in effect, the principal custodian of the assets. According to a report from Ernst & Young, appointed by the court to facilitate bankruptcy proceedings, the exchange’s users were missing US$190 million in cryptocurrency at the time, which has grown to more than US$470 million as of Q4 2020 as the value of bitcoin continued to rise. Court documents note that the exchange had no basic financial controls or accounting records, and both funds and cryptocurrency were regularly transferred off-platform to accounts controlled by Cotten.
In the legacy financial world, there are assets worth trillions of dollars being traded every day. Although cybersecurity is a major concern for every stakeholder in the financial sector, and there are occasional “Lehman Moments” of institutional failure, retail investors being burned in the same way that those who had assets at Mt. Gox or Quadriga CX is extraordinarily rare.
Why? The presence of custodians.
Whoever has the keys has custody
Within the legacy financial industry, custodians are financial institutions that hold customers’ securities for safekeeping. The custodian may hold stocks or other assets in electronic or physical form. These institutions are third parties that are hired by exchanges, and they come complete with stringent insurance policies. Should the exchange fail, the investors are protected. Should the custodian service fail, insurance will cover the losses.
As digital assets become institutional-grade commodities, the need for custodian services has emerged. Crypto custodians act as an intermediary between the investor and the exchange by holding assets in storage for settlement and payment clearance or even storage.
Crypto custodians store the keys in air-gapped cold storage at an undisclosed location, which hypothetically is as secure as one can get. Custodians also use a multi-signature approach, meaning that to transfer the assets, multiple parties holding different parts of the private key need to sign the transaction together (similar to how a company might require multiple signatures on a check or wire transfer as a control method). Furthermore, the custodian will take out an insurance policy on the holdings. Thus, it must satisfy an insurer about the quality of its security protocols.
More on custodians from this report:
Interview with Phil Mochan of UK custody provider Koine
“The role of a custodian is the administration of assets. A new engineering solution called Digital Airlocks guarantees that humans never touch the private keys, and delivers huge scalability and a lower unit cost without impairing the security model.”
The evolving crypto custody industry
In 2019, Hong Kong’s Securities and Futures Commission created a legal framework for digital asset portfolio managers and custodians. Since then, multiple custodian firms have opened their doors, such as Aegis Custody, OSL and Hex Trust. In early 2020, Hong Kong saw its first entries into the market with virtual asset manager Arrano Capital setting up shop.
Arrano Capital was one of the first firms in Hong Kong to take advantage of this arrangement. In an interview with Forkast.News, CIO Avaneesh Acquilla cited a sizable institutional interest in custody solutions and crypto portfolio management.
More from Forkast.news on this story
Hong Kong SFC approves first digital asset manager crypto fund for Arrano Capital.
“As a designated, approved virtual asset manager, we’re able to have portfolios that invest up to 100% in virtual assets,” Acquilla told Forkast.News. “I think we’re seeing the market very quickly shift from being a retail sort of early adopter market to being one that’s driven by large flows from institutions.”
In July this year, in an unexpected move, the US Office of the Comptroller of the Currency granted US banks and credit unions the right to act as digital asset custodians. US banks, such as BNY Mellon, have signaled interest in opening up crypto custodian desks.
“Well, what I have heard … a number of big crypto custodians – Anchorage, Coinbase and a number of others – have been contacted by banks about whether they’d be willing to be like the third-party custody providers for national banks whose customers want to invest in bitcoin,” Acting Comptroller Brian Brooks said on Laura Shin’s “Unchained” podcast in October 2020. “What they’ll want to do is either buy crypto custodians, or partner with crypto custodians to provide those services on their behalf and now they can legally do that.”