MENU

SEC Crypto Task Force Roundtable on Crypto Custody — April 25, 2025

May 5, 2025 Uncategorized

SECURITIES & EXCHANGE COMMISSION CRYPTO TASK FORCE ROUNDTABLE 

For questions on the note below, please contact the Delta Strategy Group team. 

On April 25, the Securities and Exchange Commission’s (SEC) Crypto Task Force held a roundtable entitled, “Know Your Custodian: Key Considerations for Crypto Custody.”  The agenda and panelists’ biographies can be found here.   

Key Takeaways

The following is a summary of the main topics explored in the hearing. 

  • Chairman Atkins emphasized the need for focus and urgency in addressing challenges SEC registrants face when attempting to safely custody crypto assets for their customers in compliance with the federal securities laws.  He stressed that clear regulatory frameworks are essential to provide market certainty and pathways for innovation, with the benefits of efficiency, cost reduction, transparency, and risk mitigation.  He questioned if the “special purpose broker-dealer” regime workable for market participants, or if a new crypto asset broker-dealer framework needed, pointing to market indications necessitating a fit-for-purpose regulatory framework.  
  • Commissioner Peirce called for a modernized regulatory framework that accommodates both custodial and self-custodial models, allows for adviser discretion in fulfilling fiduciary duties, and permits both qualified custodians and self-custody options where appropriate.   
  • Commissioner Uyeda emphasized that while proper custody protections must apply equally to crypto assets under federal securities laws, the Commission should expand custodial options to promote competition and regulatory clarity.  He encouraged allowing advisers to use state-chartered limited purpose trust companies, authorized by state banking regulators, as qualified custodians under the Advisers Act Custody Rule, noting that federally chartered banks are already authorized to custody crypto assets.  
  • Commissioner Uyeda recognized that many crypto assets are not securities, urging the SEC to clarify these classifications, and raised enhancing competition by modifying or sunsetting the special purpose broker-dealer regime and issuing interim guidance on how firms can custody both crypto asset securities and non-security crypto assets in compliance with customer protection rules.   
  • Commissioner Crenshaw questioned whether the differences between crypto and traditional assets justify different standards, raising concerns about heightened risks such as hacking, smart contract failures, and the lack of exclusive control mechanisms for blockchain-based assets.  She stressed the need to maintain investor protections, ensure clarity about the risks of crypto custody compared to traditional custody, and address gaps in protections like Securities Investor Protection Corporation (SIPC) coverage if custodians become insolvent.   

PANEL I: CUSTODY THROUGH BROKER-DEALERS & BEYOND 

Panelists 

  • Jason Allegrante, Fireblocks 
  • Rachel Anderika, Anchorage Digital Bank 
  • Terrence Dempsey, Fidelity Digital Asset Services, LLC 
  • Mark Greenberg, Kraken 
  • Veronica McGregor, Exodus Movement, Inc. 
  • Baylor Myers, BitGo, Inc. 
  • Brandon Russell, Etana Custody Inc. 
  • Tammy Weinrib, Copper Technologies Ltd. 

Discussion 

  • Zweihorn asked whether there should be more clarity on what other forms of financial institutions, including state trust companies as Commissioner Uyeda alluded to, qualify as qualified custodians.  He asked if physical possession or control is even the right standard for broker dealers when it comes to digital assets, with Greenberg noting that crypto assets are the safest when they are at rest and more segregation could mean diminished effective control.  Weinrib noted that while custody rules do identify state-chartered trusts as qualified custodians, explicit regulatory clarity is still needed within the comprehensive and cohesive framework necessitated.   
  • Zweihorn questioned whether it should matter if a broker is holding a digital asset that is a security versus one that is not. Dempsey responded that the risk profiles are different: a tokenized asset that qualifies as a security is likely registered or exempt, subject to specific requirements, and issued by a controlling entity, which can introduce additional controls and affect the asset’s risk profile.  He said he would view them differently from an oversight perspective as while the custody solution might be partially the same, the level of oversight, governance, or rigor applied could justifiably differ.  Weinrib said the goal is not to fundamentally dismantle agencies like the CFTC, cautioning against expanding oversight to include non-securities as she noted differing risk profiles and custody requirements add further complexity and layering non-securities into the regulatory structure risks introducing even greater complications. 
  • Greenberg highlighted that the more GI Based segregation versus wallet or key based segregation, the better, alongside an effective control standard versus one around physical possession.  He said the focus on keys in the regulatory regime is the wrong one, taking regulators out of an effective control principles based standard and into a specific technical component.  He emphasized the importance of ensuring that regulatory frameworks do not artificially exclude certain organizations by requiring specific licenses that may have no bearing on their ability to safely hold crypto assets. 
  • Anderika discussed how custody within the digital asset space is inherently a security activity, with possession and exclusive control over that asset as how the security solution was built.  She gave examples of how those obligations of proof of existence and exclusive control over the asset can be met, referencing the custodial solutions and fiduciary segregation of assets.  She emphasized that exclusive control over the assets is part and parcel to the custodial solution provided.  On third-party custody, she discussed how banks are subject to a high degree of regulatory scrutiny and standards from a physical security and control perspective. 
  • McGregor noted variances in end-user preferences and ability as she emphasized the importance of preserving optionality in custody of crypto assets.  She warned against creating fragmented regulation or fragmented markets and emphasized the need to harmonize regulatory frameworks to avoid forcing market participants to comply with multiple regimes that share objectives. 
  • Allegrante outlined the industry impulse to set self-custody solutions up against custodial solutions and bank custody solutions.  He called for the introduction of qualitative standards principle- based standards for SEC registrant firms that want to engage in digital asset custody, noting that it can be principle based at a very high level that then cascades down into supervisory guidance.  
  • Allegrante argued that the use of MPC (multi-party computation) technology should not be mandated, emphasizing the importance of maintaining a dynamic and evolving technological landscape.  He explained that eliminating single points of failure, such as splitting a password into multiple parts and distributing them, enhances security, since a malicious actor obtaining only one part would not control the asset.  He distinguished between custodial and non-custodial relationships, explaining the nature of the relationship evidences a custodial relationship, while Fireblocks’ contracts resemble Software as a Service (SaaS) agreements that allocate responsibility and liability differently.   
  • Weinrib argued that if the SEC determines an asset is a security, then custody should fall under the SEC’s authority based on the broker-dealer’s soundness, compliance, and cybersecurity framework, questioning why custody is treated as a product-based issue rather than through a principles- and rules-based approach. 
  • Russell explained that providers offering self-custody functions and can operate within a regulatory framework offer clients a level of choice, where regulatory and reporting responsibilities fall on the regulated entity interfacing with regulators.  He said allowing clients to conduct their own due diligence, and emphasized that as assets move across multiple systems, having proper settlement systems, oversight, and reporting is crucial to avoid tax and regulatory risks.  He said that to attract regulated money and grow the digital asset space, Congress would need to expand SIPA’s mandate so SIPC can provide an insurance layer, offering the investor protections necessary for orderly markets. 
  • Dempsey stated that custodians can demonstrate control through their custody practices by implementing and auditing key generation, maintaining policies and procedures for key storage, control, and use.  He said that while they may not prove exclusive control, they can provide transparency and safeguards to show how control over assets is maintained. 

PANEL II: INVESTMENT ADVISOR & INVESTMENT COMPANY CUSTODY

Panelists

  • Justin Browder, Simpson Thacher & Bartlett LLP 
  • Mike Didiuk, Partner, Schulte Roth & Zabel, LLP 
  • Larry Florio, 1kx 
  • Susan Gault-Brown, Allen Overy Shearman Sterling LLP 
  • Adam Levitin, Georgetown University Law Center 
  • Ryan Louvar, WisdomTree, Inc. 
  • Neel Maitra, Dechert LLP 
  • Charles Mooney, University of Pennsylvania Carey Law School 

Discussion

  • Gault-Brown explained that in the investment adviser context, a major difficulty is that custody requirements are triggered if the asset is a security or a “fund,” but the term “fund” is undefined.  She emphasized the need for legal clarity, arguing that requiring advisers to those determinations is thorny, time-consuming, and expensive.  She suggested that regulations should follow the entity, so if an adviser has custody or control over client assets and is providing investment advice, the safekeeping requirements should apply regardless of the asset type, like the approach under the Investment Company Act. 
  • Gault-Brown stated that a principles-based solution is needed because different advisers have different business models and varying levels of knowledge about handling digital assets. She explained that for some advisers, it will be reasonable to self-custody using comprehensive recordkeeping systems inherent in blockchain technology, while for others it may not be as clear, making the use of a qualified custodian more appropriate. She emphasized the need to define what makes an entity a qualified custodian, noting that simply being a bank does not guarantee expertise in digital asset custody, and suggested factors to consider, such as whether the entity is regulated, maintains proper policies and controls, has capital requirements, is subject to a resolution authority, and undergoes audits by a third party who is an expert in auditing blockchain technology. She added that blockchain itself is an immutable recordkeeping system that can be traced if one knows what they are doing, and that for advisers who have established strong in-house capabilities, self-custody could be a reasonable approach. 
  • Florio noted that while assets at rest are often safest, crypto is not always designed to remain static.  He outlined how technologies like multiparty computation and multi-signature wallets allow for on-chain activity while still addressing many of the risks the custody rule is intended to manage. 
  • Mooney suggested that while custody by investment managers could be analogized to direct holding of a security as a registered owner, in the crypto context there often is no issuer, and recommended looking at the definition of “control” in the new Article 12, which he hopes the SEC will encourage adopting because it provides both a take-free rule for good faith purchasers and perfection by control without needing to file a financing statement. He noted that this approach might need some relaxation but could be effective, and alternatively proposed examining what bank custodians currently do with crypto assets in ETFs and working backward from those best practices to reach a similar outcome. Mooney added that control in this context is the functional equivalent of possession of a tangible asset, which may or may not be accompanied by a property interest, and strongly encouraged the development of self-custody solutions, emphasizing the need for platforms that make self-custody more feasible, user-friendly, and safe. 
  • Maitra noted that in the SEC’s safeguarding proposal, the Commission observed that the entire U.S. crypto custodial landscape consisted of only one OCC-regulated bank, four OCC-regulated trusts, about twenty state-chartered trust companies and other banking entities, and at least one CFTC-registered futures commission merchant, a number that has changed only slightly over time.  Given the limited number of custodians and the eight years without significant guidance for cryptocurrency norms for advisers, Maitra argued there is a strong case for allowing self-custody, especially in a landscape where it remains unclear which assets and functions existing custodians support. 
  • Didiuk stated that in some cases, advisers and their personnel are better positioned to custody assets because they understand both the asset and the underlying technology, noting that many can safeguard assets more effectively.  He argued that allowing the option for self-custody would benefit clients, protect investors, and enhance asset security. He noted that there is already a model for self-custody under the current custody rule, where an adviser or a related person must be a qualified custodian.  
  • Didiuk suggested that the SEC could build on existing structures and safeguards, such as internal control reports, surprise examinations, additional surprise exams, and investor disclosures.  Browder explained that one of the biggest issues with the qualified custodian requirement can force advisers to choose between complying with the technical requirements of the custody rule and fulfilling their fiduciary duty of care, with fiduciary duty always prevailing under the SEC’s 2019 interpretation. He noted that some assets simply cannot be easily placed into qualified custody, citing examples where funds invest in projects that mint new crypto assets without any available qualified custodians to hold them.  He said no custodial solution could fully satisfy both the goals of the custody rule and the fiduciary principles of the Advisers Act, and emphasized that where these goals conflict, the fiduciary duty of care wins based on the SEC’s 2019 fiduciary interpretation. 
  • Browder  pointed out that many crypto exchanges are not set up through a qualified custodian architecture, and given the volatility of crypto markets, advisers need quick access to trade assets to capture opportunities or mitigate downside risks—yet cold storage under qualified custodians can delay asset movement by six to twelve days, putting advisors in a position where they must choose between compliance with custody rules and fulfilling their fiduciary duty to their clients. 
  • Zweihorn asked whether there is a middle ground between self-custody and qualified custodian, where adviser has the asset themselves but cannot move the asset without a third-party qualified custodian or other third-party co-signing on the transaction.  Louvar responded that he certainly thinks multiparty computation can solve the single party risk by sharding the key the adviser has access to, and said he does not think the other shards necessarily need to sit with a qualified custodian, but with a custodial-like entity that has first-principle safeguards associated with it.  He raised that if the custody architecture is impeding the adviser’s overall fiduciary duty, that creates tension between fulfilling the fiduciary duty and maintaining custodial safeguards, and emphasized the importance of finding a middle ground that ensures both are met while allowing the adviser to retain enough control to meet the client’s objectives. 
  • Maitra stated that mechanisms like MPC, sharding, or any control-splitting system are beneficial, but cautioned that it may not be sufficient against true defalcation involving bad intent and elaborate schemes.  Gault-Brown explained that to the extent an adviser shares a key, shard, or any aspect of control with a third party, it introduces an additional element of risk with respect to the security of the keys. 
  • Louvar stated that the core issue under the Advisers Act has traditionally focused on who serves as the qualified custodian, such as a bank or broker-dealer, but argued that the regulatory framework should instead focus on how, specifically the access controls and security measures in place. He explained that if an adviser can meet the necessary policy goals of securing assets, preventing theft, and ensuring assets are not compromised through self-custody, then how those protections are implemented is more important than who provides them.  
  • Levitin explained that in the custody context, there are three main risks: hacking risk, which is external theft; defalcation or misappropriation risk, which is internal theft, as seen in cases like FTX and Celsius; and a third risk of insolvency. He noted that hacking and defalcation risks exist whether custody is handled through self-custody or third parties, but insolvency risk is different because it depends on the broader financial health of the investment adviser or custodian.  He emphasized that ideally custody should be handled by the party with the least insolvency risk, and pointed out that qualified custodian requirements, which generally favor banks, exist because banks operate under a prudential regulatory regime that reduces insolvency risks and provides clear resolution mechanisms.