In November 2023 the Financial Conduct Authority (“FCA”) released a Discussion Paper (“DP”) covering the UK’s proposed approach to cryptoasset regulation. The government is taking a phased approach to cryptoasset regulation, with the first phase focusing on security tokens¹ and regulated stablecoins.²
In the DP, the FCA has proposed using the existing custody provisions in the Client Asset (“CASS”) Sourcebook as a basis for designing bespoke custody requirements for cryptoassets. The DP outlines three scenarios where these custody requirements would apply:
This blog focuses on the second scenario, the provision of custody services for security tokens and regulated stablecoins.
Deloitte have formulated six key digital asset custody principles that firms engaging in cryptoasset custody may need to take into account to achieve consumer protection. We have developed these by reviewing the proposals in the DP through the lens of the existing CASS rules and applying Deloitte’s extensive experience of working with regulators and regulated firms within the financial services industry.
The segregation of assets belonging to the firm from assets belonging to the firm’s clients is fundamental in protecting clients’ rights to their respective assets. This ensures that client assets are clearly identifiable and therefore able to be paid back promptly, instead of being included in the firm’s estate to pay back to general creditors in the event of a firm’s insolvency.
Under the existing CASS requirements, segregation is principally achieved by holding assets belonging to clients in a separate account from assets owned by the firm and by registering the legal title of those assets differently from the firm’s own, where it is possible to do so.
The FCA is considering requiring custodians to segregate clients’ cryptoassets from their own through recording of ownership and wallet labelling. The DP also states that the use of omnibus wallets to safeguard clients’ cryptoassets may be permitted, as long as clients’ ownership rights are preserved at all times.
For recording of ownership to be an effective means of segregation, custodians would need to ensure that there are robust controls around off-chain data, including adequate and timely reconciliations between on-chain and off-chain records.
In principle, maintaining adequate organisational arrangements to minimise the risk of loss seems like a straightforward requirement. However, in practice some firms can find it difficult to design and implement controls and supporting governance arrangements to meet this requirement. Most firms holding client assets in the UK will have performed a ‘rule-by-rule’ applicability and risk assessment to determine the key risks relating to the loss of clients’ assets and to identify suitable mitigating controls.
Whilst this is one of the initial steps in setting up adequate organisational arrangements, there is a wide range of considerations firms need to make, including the monitoring activities carried out by the second and third lines of defence over client asset protection and, fundamentally, the adequacy of the firm’s IT infrastructure and control environment.
Cryptoasset-specific elements to consider as part of a firm’s control environment may include:
Under the existing CASS rules, firms that use third parties to hold client assets are required to:
The DP calls out the same four requirements for cryptoasset custodians using third parties. However, firms may need to consider additional elements when considering cryptoasset custody such as:
The requirement to maintain accurate books and records is key in ensuring customer funds are able to be returned to the correct customers and in a timely manner in the event of an insolvency. For traditional financial services firms, this can be achieved through operating controls over static data input, controls over data feeds, inter-system reconciliations and external reconciliations with third parties with whom client assets are deposited.
The FCA is considering requiring custodians holding cryptoassets to:
Adequate off-chain record management will be crucial, particularly to ensure firms are able to maintain a client-specific cryptoasset record. In addition to timely on-chain/off-chain reconciliations, firms would need to ensure adequate controls around the input and storage of off-chain data.
To achieve ‘Accurate Books and Records’ as discussed above, firms must perform regular reconciliations to ensure they are holding the correct amount of assets for the correct client.
For reconciliations of cryptoassets on a distributed ledger, firms may also need to:
The current CASS rules specify a number of instances in which firms are required to disclose specific information to clients. The DP proposes custodians may need to disclose their safeguarding controls and their liability if at fault for loss of clients’ cryptoassets, as well as their Proof of Reserves. Given the additional complexities that the use of a distributed ledger gives rise to, firms may also need to consider additional, more detailed disclosures to clients, which may include:
Whilst the specifics of cryptoasset custody regulation in the UK have not been finalised, the DP highlights the FCA’s plans to design these based on the existing CASS rules, which are some of the most stringent across the globe. The final consultation on the rules is scheduled for the second half of 2024, with implementation in 2025. Both incumbent financial services firms and crypto-native firms will need to start planning how they will be able to ensure compliance in a highly regulated and prescriptive regulatory environment, in which even mature CASS firms require ongoing enhancements to their CASS governance and control environments to keep abreast of an ever-rising high bar set by the FCA and auditors alike.
¹ Security Token: Cryptoassets which use a technology such as DLT to support the recording or storage of data and already meet the definition of a specified investment under the RAO and are therefore already subject to regulation.
² Regulated stablecoin: A category of stablecoin that seeks to maintain a stabilised value of the cryptoasset by reference to, and which may include the holding of, one or more specified fiat currencies, and which is issued by a firm which is authorised by the FCA.