
CASS in a Crypto World: The Future of Cryptoasset Custody Regulation in the UK

In November 2023 the Financial Conduct Authority (“FCA”) released a Discussion Paper (“DP”) covering the UK’s proposed approach to cryptoasset regulation. The government is taking a phased approach to cryptoasset regulation, with the first phase focusing on security tokens[1] and regulated stablecoins.[2]

In the DP, the FCA has proposed using the existing custody provisions in the Client Asset (“CASS”) Sourcebook as a basis for designing bespoke custody requirements for cryptoassets. The DP outlines three scenarios where these custody requirements would apply:

  1. Backing assets held by a regulated stablecoin issuer;
  2. Regulated stablecoins or security tokens held by a custodian or sub-custodian on behalf of clients; and
  3. Regulated stablecoins held on behalf of a customer in the process of making a payment.

This blog focuses on the second scenario, the provision of custody services for security tokens and regulated stablecoins.

Deloitte have formulated six key digital asset custody principles that firms engaging in cryptoasset custody may need to take into account to achieve consumer protection. We have developed these by reviewing the proposals in the DP through the lens of the existing CASS rules and applying Deloitte’s extensive experience of working with regulators and regulated firms within the financial services industry.

1. Segregation of Firm and Client Assets


The segregation of assets belonging to the firm from assets belonging to the firm’s clients is fundamental in protecting clients’ rights to their respective assets. This ensures that client assets are clearly identifiable and therefore able to be paid back promptly, instead of being included in the firm’s estate to pay back to general creditors in the event of a firm’s insolvency.

Under the existing CASS requirements, segregation is principally achieved by holding assets belonging to clients in a separate account from assets owned by the firm and, where it is possible to do so, registering legal title to those assets in a name other than the firm’s.

The FCA is considering requiring custodians to segregate clients’ cryptoassets from their own through recording of ownership and wallet labelling. The DP also states that the use of omnibus wallets to safeguard clients’ cryptoassets may be permitted, as long as clients’ ownership rights are preserved at all times.

For recording of ownership to be an effective means of segregation, custodians would need to ensure that there are robust controls around off-chain data, including adequate and timely reconciliations between on-chain and off-chain records.

2. Adequate organisational arrangements to minimise the risk of loss


In principle, maintaining adequate organisational arrangements to minimise the risk of loss seems like a straightforward requirement. However, in practice some firms can find it difficult to design and implement controls and supporting governance arrangements to meet this requirement. Most firms holding client assets in the UK will have performed a ‘rule-by-rule’ applicability and risk assessment to determine the key risks relating to the loss of clients’ assets and to identify suitable mitigating controls.

Whilst this is one of the initial steps in setting up adequate organisational arrangements, there is a wide range of further considerations firms need to make, including the monitoring activities carried out by the second and third lines of defence over client asset protection and, fundamentally, the adequacy of the firm’s IT infrastructure and control environment.

Cryptoasset specific elements to consider as part of a firm’s control environment may include:

  • Controls around distributed ledger protocols and access;
  • Controls around the execution of smart contracts, including the oracles (source data) used within a smart contract; and/or
  • Cryptoasset evaluation – given the varied nature and purpose of different cryptoassets and the networks used to manage them, firms may need to carry out additional checks to understand the underlying features of each cryptoasset they offer to clients.

3. Use of Third Parties


Under the existing CASS rules, firms that use third parties to hold client assets are required to:

  • Undertake adequate due diligence in the selection, appointment and periodic review of the third party;
  • Consider the expertise and market reputation of the third party and any legal requirements related to holding custody assets that could adversely affect clients’ rights;
  • Ensure that any custody assets deposited with a third party are identifiable separately from the assets belonging to the custodian and assets belonging to the third party; and
  • Have a written agreement whenever they place custody assets with a third party, which must clearly set.

The DP calls out the same four requirements for cryptoasset custodians using third parties. However, firms may need to consider additional elements when considering cryptoasset custody such as:

  • The results of any service auditor reports over the third party.
  • How private keys are generated and managed as well as how they are then stored at the third party – whether this is hot, warm or cold storage.
  • The additional cryptoasset specific security protocols in place around the use of private keys. There are several methods that could be implemented to secure private keys such as multi-signature wallets, multi-party computation and hardware security modules. Firms would need to consider which method is most suitable for their business and the level of security they aim to offer to clients.
  • Proof of Reserves (“PoR”) methodology – the discussion paper proposes custodians holding cryptoassets may be required to disclose their proof of reserves. As part of the due diligence process firms using third parties to hold clients’ cryptoassets would need to consider the methodology in place and the results of any independent audit over a custodian’s PoR.

4. Accurate Books and Records


The requirement to maintain accurate books and records is key in ensuring customer funds are able to be returned to the correct customers and in a timely manner in the event of an insolvency. For traditional financial services firms, this can be achieved through operating controls over static data input, controls over data feeds, inter-system reconciliations and external reconciliations with third parties with whom client assets are deposited.

The FCA are considering requiring custodians holding cryptoassets to:

  • Keep records as necessary to enable the custodian at any time and without delay to distinguish cryptoassets held for one client from cryptoassets held for any other client, and from the firm’s own cryptoassets;
  • Maintain records in a way that ensures their accuracy and that they may be used as an audit trail; and
  • Maintain a client-specific cryptoasset record.

Adequate off-chain record management will be crucial, particularly to ensure firms are able to maintain a client-specific cryptoasset record. In addition to timely on-chain/off-chain reconciliations, firms would need to ensure adequate controls around the input and storage of off-chain data.

5. Regular Reconciliations of Client Assets

To achieve ‘Accurate Books and Records’ as discussed above, firms must perform regular reconciliations to ensure they are holding the correct amount of assets for the correct client.

For reconciliations of cryptoassets on a distributed ledger, firms may also need to:

  • Consider the frequency of the reconciliations they perform. Given the 24/7 nature of some cryptoasset markets, existing reconciliation processes may need to be adapted to transition away from a close of business reconciliation to live intra-day reconciliations, in order for the firm’s internal processes to match real-time activity in the market.
  • Consider and document how assets would be returned to a customer in the event of the firm’s failure, and specifically what would be returned – fiat currency or a cryptoasset, and if a cryptoasset, which one.
  • Take into account the compatibility between internal systems and the distributed ledger in use – cryptoasset holdings may often include many decimal places, so firms should consider if their internal systems can accurately match the records on a distributed ledger.
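The on-chain/off-chain reconciliation called for in sections 1 and 5 above, as an added example that is not part of the original post or of any FCA or Deloitte material: a labelled omnibus wallet’s on-chain balance is compared with the sum of client entitlements recorded off-chain, using exact decimal arithmetic so that a break at the 18th decimal place is not rounded away. The wallet label, client names and balances are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample data (hypothetical): an off-chain client ledger for one
# omnibus wallet that is labelled as holding client assets, and the balance
# observed on chain for that wallet. Units are tokens with up to 18 decimals.
WALLET_LABEL = "client-omnibus"  # ownership recorded off-chain, wallet labelled
CLIENT_LEDGER = {
    "client-A": Decimal("12.500000000000000001"),
    "client-B": Decimal("0.000000000000000009"),
    "client-C": Decimal("3.1"),
}
ON_CHAIN_BALANCE = Decimal("15.600000000000000000")  # 10 units short at the 18th decimal


@dataclass(frozen=True)
class ReconciliationResult:
    wallet: str
    ledger_total: Decimal
    on_chain: Decimal
    difference: Decimal  # on_chain minus ledger_total; negative means a shortfall
    status: str          # "MATCH", "SHORTFALL" or "EXCESS"


def reconcile(wallet_label: str, ledger: dict, on_chain: Decimal) -> ReconciliationResult:
    """Compare client entitlements recorded off-chain with the on-chain balance."""
    # Segregation check: only wallets labelled as client wallets are reconciled
    # against the client ledger; a firm-labelled wallet must carry no client entitlements.
    if not wallet_label.startswith("client-"):
        raise ValueError(f"{wallet_label}: firm wallet must not hold client entitlements")
    total = sum(ledger.values(), Decimal("0"))
    diff = on_chain - total
    status = "MATCH" if diff == 0 else ("SHORTFALL" if diff < 0 else "EXCESS")
    return ReconciliationResult(wallet_label, total, on_chain, diff, status)


def float_comparison_matches(ledger: dict, on_chain: Decimal) -> bool:
    """The same check in binary floating point: the 18th-decimal shortfall is
    rounded away, so the comparison wrongly reports a match."""
    return sum(float(v) for v in ledger.values()) == float(on_chain)


if __name__ == "__main__":
    result = reconcile(WALLET_LABEL, CLIENT_LEDGER, ON_CHAIN_BALANCE)
    print(result.status, result.difference)  # SHORTFALL, -1.0E-17
    print("float check reports match:", float_comparison_matches(CLIENT_LEDGER, ON_CHAIN_BALANCE))
```

The float path shows why internal systems that cannot represent the ledger’s full precision will miss real breaks; a production reconciliation would also record the timestamp and block height at which the on-chain balance was read.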

6. Client disclosures


The current CASS rules specify a number of instances in which firms are required to disclose specific information to clients. The DP proposes custodians may need to disclose their safeguarding controls and their liability if at fault for loss of clients’ cryptoassets, as well as their Proof of Reserves. Given the additional complexities that the use of a distributed ledger gives rise to, firms may also need to consider additional, more detailed disclosures to clients, which may include:

  • Disclosing the chain of custody to the client, including how private keys are handled at each stage, the terms on which assets would be returned and the risks involved.
  • Where necessary disclosing to the client how different cryptoassets are regulated in different jurisdictions, including any potential risk this may pose to the client.
  • Disclosing the risks arising from handling/moving cryptoassets, directly or indirectly, for example through a cross-chain bridge (software applications which allow the transfer of cryptoassets between blockchain networks).

Conclusion


Whilst the specifics of cryptoasset custody regulation in the UK have not been finalised, the DP highlights the FCA’s plans to design these based on the existing CASS rules, which are some of the most stringent across the globe. The final consultation on the rules is scheduled for the second half of 2024, with implementation in 2025. Both incumbent financial services firms and crypto-native firms will need to start planning how they will ensure compliance in a highly regulated and prescriptive environment, one in which even mature CASS firms require ongoing enhancements to their CASS governance and control environments to keep abreast of an ever-rising bar set by the FCA and auditors alike.

____________________________________________________________________________________
Definitions

[1] Security Token: Cryptoassets which use a technology such as DLT to support the recording or storage of data and already meet the definition of a specified investment under the RAO, and are therefore already subject to regulation.

[2] Regulated stablecoin: A category of stablecoins that seeks to maintain a stabilised value of the cryptoasset by reference to, and which may include the holding of, one or more specified fiat currencies, and which is issued by a firm authorised by the FCA.