If you’re an asset manager or institutional investor venturing into digital assets, you’re probably worrying about custody. The digital asset ecosystem is growing fast, and its value tipped over $3 trillion at one point in 2021 – comparable to the market capitalisation of some of the largest stock exchanges in Europe. We’re no longer just talking about cryptocurrencies and NFTs but also emerging are the tokenised versions of traditional assets like bonds and equities. As the market continues to mature, institutional investors will be holding digital assets in increasingly meaningful amounts and need to hold them securely. However, the recent collapse of FTX, with customer losses potentially in the billions of dollars, is hardly reassuring. What’s more, a record $3.8 billion of cryptocurrency was stolen by hackers in 2022, according to research by Chainalysis.
In this environment, it’s not surprising that many investors are looking to “self-custody” their digital assets. There’s a popular saying in crypto world: “Not your keys, not your coins”. Storage of digital assets is all about keys and wallets, specifically the public and private keys of the asset owner, and the software or hardware devices where the private keys are stored. The argument goes that if you use a third-party provider to store the keys then you don’t really own those assets.
Why the temptation to self-custody?
On the surface, it makes sense that asset owners control their own private keys. Self-custody comes in many forms, from the most basic to the highly sophisticated. You may have come across the terms “hot storage” and “cold storage” for digital assets. Hot storage simply means that the wallet is connected to a network (e.g. the internet). For an individual investor, this could mean downloading software and creating a wallet on a smartphone. This is perceived as more secure than storing keys in an Exchange account. However, as the wallet is online, it is vulnerable to multiple methods of attack. Cold storage, by contrast, is offline and can be anything from specialised hardware in a secure location to a USB stick or printout of private keys kept in a safety deposit box. Cold storage can’t be hacked as it is not connected to the internet but often there are tradeoffs in terms of convenience and accessibility.
For businesses and institutions, there are self-custody solutions on the market that are highly secure and very sophisticated. These can combine hot, cold and “warm” storage, often with additional security features such as Multi-Party Computation (MPC), where private keys are divided and stored across multiple devices, or Multisignature, where transactions must be authorised by multiple parties each with their own private keys.
Whilst these could be a viable solution for some businesses but not, we’d argue, for every business. This isn’t about degrees of security but more a fundamental question about what “custody” really means.
Don’t sleepwalk into a pseudo-solution
Some of the momentum behind self-custody springs from a distrust of the financial system among early advocates of cryptocurrencies. Ironically, the collapse of some crypto exchanges – where many retail investors kept assets in online accounts – have helped to reinforce this point. However, for institutional investors and asset managers, the idea of trusting another financial institution to safeguard client assets isn’t abhorrent but fundamental. Self-custody can be very secure in a technical sense, but it isn’t custody in the way that most financial institutions – and their customers – think about it. Buying some advanced software or hardware doesn’t make you a custodian, and the business of safeguarding assets – particularly digital assets – is more complex and multi-layered than you might imagine.
Firstly, your organisation is now responsible for safeguarding the assets but must rely on a different entity (the technology provider) to do the extensive stress testing, ethical hacking and ongoing system upgrades needed to keep them safe. Have you done the right due diligence, and what recourse do you have if the system fails? If you choose to bring some technology functions in-house, how do you get the right expertise? Secondly, how will you keep any physical hardware safe? If private keys are lost, whether through natural disaster, crime or accident, they are lost forever and the assets with them. And finally, this isn’t just a technical challenge but an organisational one. However strong its governance structure, an institutional investor or asset manager doesn’t have the independence or custody-specific operational procedures of a registered custodian with reputable regulatory entities such as FCA or CSSF. Internal fraud or error by an individual “superadmin” or small group can’t be discounted and, as digital assets grow, could have significant consequences. Finally, many financial institutions do not have the regulatory permissions to hold client assets resulting in having to use a 3rd party custodian. A self-custody solution, rather than relieving stress, might actually cause more sleepless nights.
Sleep easier with an institution-first custodian
Institutional investors or asset managers will naturally turn to 3rd party custodians specialising in safeguarding assets. These firms are more than likely to build digital asset capabilities and provide custodial wallets. However, this isn’t a simple exercise. New digital assets are emerging all the time, storage technologies are highly sophisticated and the regulatory framework is evolving at different speeds across different jurisdictions. Furthermore, even the usual custodial functions like segregation of assets are inevitably more complex. These specialist custodians have the technology to keep the assets safe and, importantly, the licenses, regulatory approval, procedures, governance standards, segregation policies, insurance, anti-money laundering and Travel Rule checks and everything else that you’d expect from a custodian.
When it comes to technology, specialist custodians and self-custody providers can, in theory, use similar technologies for digital asset storage. In practice, however, the structure of an organisation can impact the choice of technology and how it is implemented. For example, a compliant custodian with audited procedures and internal controls is better placed to operate a robust multisignature approach, or to maintain and protect military-grade hardware, than another business using a self-custody solution bought from a third party.
From an institutional perspective, the concern about “Not your keys, not your coins” is misplaced too. Segregating assets is a primary function of a custodian. An authorised digital custodian holds your wallet, on your behalf and not co-mingled with its own or any other clients’. Your assets are your assets, even if you don’t directly hold the keys. Just like a traditional custodian, it also has procedures to identify the owner of the assets in the unlikely event of bankruptcy.
So, if you’re an institutional investor or asset manager looking at digital assets, there are specialist custody providers like Zodia Custody who can help you to invest safely. Please get in touch.
Zodia Custody, a subsidiary of Standard Chartered and in association with Northern Trust, is a global institutional-first digital asset custody partner. Through the combination of leading technology, custody, governance and compliance, Zodia Custody satisfies the complex needs of institutional investors. The company is AMLD5 compliant and applies the same standards as Standard Chartered relating to AML, FCC, and KYC. It is also FATF Travel Rule-compliant. Zodia Custody Limited is registered with the FCA as a crypto asset business under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017. Zodia Custody (Ireland) Limited is registered with the Central Bank of Ireland as a VASP under Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended).