Key Takeaways from SEC Crypto Task Force Custody Roundtable
Summary:
Situation Overview: The SEC’s Crypto Task Force is advancing its exploration of regulatory frameworks for digital asset custody.
What: The SEC hosted its third roundtable, Know Your Custodian, focusing on challenges and potential updates to custody requirements for broker-dealers, investment advisers, and investment companies in the crypto asset space.
Who: Market participants subject to SEC custody rules—including broker-dealers, investment advisers, and crypto trading platforms—seeking to navigate evolving regulatory expectations.
In Depth:
The SEC Crypto Task Force hosted two previous roundtables:
- On 21 March, the agency hosted How We Got Here and How We Get Out – Defining Security Status, where participants discussed how the agency should determine which crypto assets fall within its jurisdiction by, among other things, distinguishing the characteristics associated with a crypto asset security and a crypto asset commodity.
- On 11 April, the agency convened its second roundtable, Between a Block and a Hard Place: Tailoring Regulation for Crypto Trading, which examined whether and how the SEC’s existing rules that govern trading platforms, such as Regulation Best Interest, should apply to crypto trading platforms.
The SEC will host two more roundtables covering the following topics:
- 12 May: Tokenization: Moving Assets Onchain – Where TradFi and DeFi Meet
- 6 June: DeFi and the American Spirit
The Custody Roundtable began with opening remarks from Chairman Paul Atkins, emphasizing the importance of creating “a rational, fit-for-purpose regulatory framework for crypto assets.”
Custody Through Broker-Dealers
The first panel of the Custody Roundtable examined challenges related to crypto asset custody through broker-dealers. The two key issues discussed on the first panel were: (1) the merits of a technology-neutral and principles-based framework; and (2) the pros and cons associated with omnibus and segregated customer accounts. The panel also discussed the ByBit hack.
Technology-Neutral & Principles-Based Rules
To support continued innovation in the crypto industry, panelists emphasized the importance of adopting a regulatory framework that is both technology-neutral and principles-based. Such an approach should not only be “fit-for-purpose” today, but also durable enough to adapt to the technological developments of the future. One panelist illustrated this point by noting that “the safest way to custody crypto assets ten years ago is no longer the safest way to do so today,” and the safest practices a decade from now will likely differ yet again. Regulation must, therefore, be flexible enough to evolve alongside technological advances.
Omnibus Versus Segregated Accounts
The panel also addressed whether broker-dealers handling crypto assets should be required to maintain segregated customer accounts, consistent with traditional broker-dealer practices, or whether omnibus accounts are more suitable for crypto platforms. Currently, most crypto trading platforms use omnibus wallets to hold multiple customers’ assets together. The discussion centered on which of the two practices is the more secure method of holding crypto assets from an operational perspective. One panelist noted that crypto assets are “safest at rest,” and that the netting practices enabled by omnibus wallets effectively reduce operational risk by limiting the total transaction volume needed to meet a client’s demands.
Panelists also discussed whether the SEC should consider a targeted exception to its custody rules specifically for crypto trading platforms. There was general agreement that some form of exception to the traditional custody rules would be necessary due to the operational reality that all crypto asset transactions must be prefunded and settled in real time.
Lessons Learned from the ByBit Hack
The panel concluded by discussing the recent hack of crypto trading platform ByBit, which resulted in the theft of $1.44 billion of ETH from one of the exchange’s wallets. Although some commentary attributed the breach to smart contract vulnerabilities, several panelists emphasized that the root cause was human error and a failure in oversight. One panelist explained that, by using a spoofed URL and impersonating the exchange’s wallet provider, the hacker was able to deceive those in control of the exchange’s multisig wallets into authorizing a transaction that appeared legitimate but would ultimately turn over full and exclusive control to the hacker. The panel agreed that the exploit could have been avoided had the exchange implemented governance procedures, such as:
- Regular and rigorous smart contract audits;
- Multi-factor authentication for critical operational functions, such as transferring customer funds; and
- Advanced threat detection systems capable of identifying and alerting firms to anomalous activities in real time.
Custody Through Investment Advisers & Companies
The second panel of the Custody Roundtable focused on the unique regulatory considerations surrounding the custody of crypto assets by investment advisers and investment companies. To the extent that crypto assets are considered “securities or funds” of a client, an investment adviser must comply with Rule 206(4)-2 under the IAA—the so-called “Custody Rule”—if the investment adviser is considered to have custody over such assets pursuant to that rule.
Three key issues were discussed in this panel: (1) the blurred line between custodians and technology service providers; (2) expanding the definition of custodian; and (3) the tension between fiduciary duty of care and traditional custody regulations.
Blurred Line Between Custodians & Technology Service Providers
The panel highlighted how the line between “technology service provider” and “custodian” is increasingly blurred. Firms that begin by offering technological solutions, such as wallet management, may also perform functions traditionally handled by custodians. This overlap suggests that existing regulatory frameworks may need to adapt to the hybrid nature of crypto service providers. As one panelist remarked, addressing this evolving landscape may require a novel regulatory approach, rather than modifying rules that were designed for traditional securities firms.
Expanding the Definition of Custodian
Panelists raised concerns about confusion regarding who may qualify as a “custodian” under SEC rules. Several panelists suggested that the SEC broaden the scope of qualified custodians to include state-chartered, limited-purpose trust companies. They reasoned that the current narrow definition of permissible custodians unnecessarily restricts market growth and impedes the ability of broker-dealers and alternative trading systems (ATS) to facilitate crypto trading efficiently.
Tension Between Fiduciary Duty of Care & Traditional Custody Regulations
The panel concluded by examining the tension between the fiduciary duty of care an investment adviser owes to his or her client and the requirements of the traditional custody framework in place. One panelist noted that advisers are being asked to pursue competing goals: choosing a custodian that is best equipped to safeguard client assets while ensuring compliance with often ill-fitting rules that limit an adviser’s options to entities that the SEC has deemed “qualified custodians.” In response, the panel outlined several alternative approaches that would allow advisers to meet their fiduciary obligations without running afoul of their regulatory requirements. Some suggested that the SEC consider doing away with the concept of a qualified custodian in this context and allow advisers to custody assets themselves. Others advocated for a hybrid approach, whereby investors are able to choose between custody at the adviser level or custody by a third-party custodian. Most, however, agreed that some form of alternative to the traditional arrangement is necessary given the unique technological and operational risks associated with custody of crypto assets.
Put Patomak’s Expertise to Work
As the SEC continues to express support for digital asset innovation, the crypto industry is advancing rapidly, offering new products and platforms to meet market demand. In this environment, firms must regularly assess their regulatory frameworks and compliance programs to ensure they are positioned to capitalize on emerging opportunities.
Patomak is uniquely positioned to help firms, developers, and others navigate the rapidly evolving regulatory environment. Our team brings broad expertise in regulatory licensing, having successfully guided clients through the broker-dealer and the ATS registration process.
In addition, Patomak has extensive expertise in building and enhancing compliance programs specifically tailored to crypto-related risks, ranging from establishing governance frameworks to implementing targeted improvements that enhance regulatory readiness. To learn more about how Patomak can support your compliance and strategic goals, please contact Laura Magyar at lmagyar@patomak.com.