The SEC issued a statement and is requesting comment regarding the custody of digital asset securities by broker-dealers. In its statement, the SEC provides a five-year no-action position in which broker-dealers that limit their business to digital asset securities and operate under certain other circumstances can deem themselves to have obtained and maintained physical possession or control of digital asset securities for purposes of Exchange Act Rule 15c3-3 (the Customer Protection Rule).
Update: On February 26, 2021, the SEC's statement was published in the Federal Register. The statement will become effective on April 27, 2021.
On December 23, 2020, the SECissued a statement and requested comment regarding the custody of digital asset securities by broker-dealers. In its statement, the SEC provides a five-year no-action position under which broker-dealers that limit their business to digital asset securities and operate under certain other circumstances can deem themselves to have obtained and maintained physical possession or control of digital asset securities for purposes of Exchange Act Rule 15c3-3 (the Customer Protection Rule).
The statement will become effective 60 days after publication in the Federal Register.
Background on Digital Asset Securities and the Customer Protection Rule
The Customer Protection Rule requires broker-dealers to ensure that customer property is safeguarded and is available to satisfy customer claims in the event that the broker-dealer fails. The SEC has previously noted, and this statement reiterates, that the application of the Customer Protection Rule's requirements to digital asset securities has raised questions. Specifically, paragraph (b)(1) of the Customer Protection Rule requires broker-dealers to maintain physical possession or control of all fully-paid and excess margin securities it carries for the account of customers, but it may not be possible for broker-dealers to establish control over a digital asset security in the same manner as traditional securities.
The SEC had previously made clear its position that broker-dealers who take custody of digital asset securities must comply with the Customer Protection Rule and outlined unique custody risks presented by digital asset securities for broker-dealers to consider (see Legal Update, SEC and FINRA Issue Joint Statement on Broker-Dealer Custody of Digital Asset Securities). However, it did not specify circumstances under which broker-dealers transacting in digital asset securities could meet the requirements of the Customer Protection Rule.
The SEC's statement now provides guidance on measures broker-dealers can take to mitigate risks presented by digital asset securities, as well as the circumstances under which they can deem themselves to be operating in compliance with the Customer Protection Rule's physical possession or control requirements.
SEC No-Action Position
The SEC's statement provides a no-action position, which will expire five years after the statement's publication in the Federal Register, that is expressly limited to paragraph (b)(1) of the Customer Protection Rule.
Under the SEC's position, broker-dealers operating under the below circumstances will not be subject to an SEC enforcement action on the basis that the broker-dealer deems itself to have obtained and maintained physical possession or control of customer fully-paid and excess margin digital asset securities:
The broker-dealer has access to the digital asset securities and the capability to transfer them on the associated distributed ledger technology.
The broker-dealer limits its business to dealing in, effecting transactions in, maintaining custody of, or operating an alternative trading system (ATS) for digital asset securities, provided the broker-dealer may hold proprietary positions in traditional securities solely for the purpose of:
meeting the firm's minimum net capital requirements under Rule 15c3-1; or
hedging the risks of its proprietary positions in traditional securities and digital asset securities.
The broker-dealer establishes, maintains, and enforces reasonably designed written policies and procedures to conduct and document an analysis of:
whether a particular digital asset is a security offered and sold pursuant to an effective registration statement or an available exemption from registration; and
whether the broker-dealer meets its requirements to comply with the federal securities laws with respect to effecting transactions in the digital asset security, before undertaking to effect transactions in and maintain custody of the digital asset security.
The broker-dealer establishes, maintains, and enforces reasonably designed written policies and procedures to conduct and document an assessment of the characteristics of a digital asset security's distributed ledger technology and associated network prior to undertaking to maintain custody of the digital asset security and at reasonable intervals thereafter. Such assessments could examine at least the following aspects of the distributed ledger technology and its associated network:
performance;
transaction speed and throughput;
scalability;
resiliency (the ability to absorb the impact of a problem in one or more parts of its system and continue processing transactions without data loss or corruption);
security and the relevant consensus mechanism (the ability to detect and defend against malicious attacks, such as 51% attacks or denial-of-service attacks, without data loss or corruption);
complexity;
extensibility (the ability for new functionality to be added without data loss or corruption);
visibility and transparency (are its associated code, standards, applications, and data publicly available and well documented);
governance and how protocol updates and changes are agreed to and implemented, including the impacts of events such as protocol upgrades, hard forks, airdrops, exchanges, or staking to the digital asset security.
The broker-dealer does not undertake to maintain custody of a digital asset security if the firm is aware of:
any material security or operational problems or weaknesses with the distributed ledger technology and associated network used to access and transfer the digital asset security; or
other material risks posed to the broker-dealer's business by the digital asset security.
The broker-dealer establishes, maintains, and enforces reasonably designed written policies, procedures, and controls that are consistent with industry best practices to demonstrate the broker-dealer has exclusive control over the digital asset securities it holds in custody and to protect against the theft, loss, and unauthorized and accidental use of the private keys necessary to access and transfer the digital asset securities the broker-dealer holds in custody. These policies, procedures, and controls could address matters such as:
the on-boarding of a digital asset security such that the broker-dealer can associate the digital asset security to a private key over which it can reasonably demonstrate exclusive physical possession or control;
the processes, software and hardware systems, and any other formats or systems utilized to create, store, or use private keys and any security or operational vulnerabilities of those systems and formats;
the establishment of private key generation processes that are secure and produce a cryptographically strong private key that is compatible with the distributed ledger technology and associated network and that is not susceptible to being discovered by unauthorized persons during the generation process or thereafter;
measures to protect private keys from being used to make an unauthorized or accidental transfer of a digital asset security held in custody by the broker-dealer; and
measures that protect private keys from being corrupted, lost or destroyed, that back-up the private key in a manner that does not compromise the security of the private key, and that otherwise preserve the ability of the firm to access and transfer a digital asset security it holds in the event a facility, software, or hardware system, or other format or system on which the private keys are stored and/or used is disrupted or destroyed.
The broker-dealer establishes, maintains, and enforces reasonably designed written policies, procedures, and arrangements to:
specifically identify, in advance, the steps it will take in the wake of certain events that could affect the firm's custody of the digital asset securities, including, without limitation, blockchain malfunctions, 51% attacks, hard forks, or airdrops;
allow for the broker-dealer to comply with a court-ordered freeze or seizure; and
allow for the transfer of the digital asset securities held by the broker-dealer to another special purpose broker-dealer, a trustee, receiver, liquidator, or person performing a similar function, or to another appropriate person, in the event the broker-dealer can no longer continue as a going concern and self-liquidates or is subject to a formal bankruptcy, receivership, liquidation, or similar proceeding.
The broker-dealer provides written disclosures to prospective customers that the firm is deeming itself to be in possession or control of digital asset securities held for the customer for the purposes Rule 15c3-3 based on its compliance with this SEC position.
The broker-dealer provides written disclosures to prospective customers about the risks of investing in or holding digital asset securities that, at a minimum:
prominently disclose that digital asset securities may not be "securities" as defined in the Securities Investor Protection Act of 1970 (SIPA) – and in particular, digital asset securities that are "investment contracts" under the Howey test but are not registered with the SEC are excluded from SIPA's definition of "securities" – and thus the protections afforded to securities customers under SIPA may not apply (for more information Howey, see Practice Note, Security Defined: SEC v. Howey);
describe the risks of fraud, manipulation, theft, and loss associated with digital asset securities;
describe the risks relating to valuation, price volatility, and liquidity associated with digital asset securities; and
describe, at a high level that would not compromise any security protocols, the processes, software and hardware systems, and any other formats or systems utilized by the broker-dealer to create, store, or use the broker-dealer's private keys and protect them from loss, theft, or unauthorized or accidental use.
The broker-dealer enters into a written agreement with each customer that sets forth the terms and conditions with respect to receiving, purchasing, holding, safekeeping, selling, transferring, exchanging, custodying, liquidating and otherwise transacting in digital asset securities on behalf of the customer.
Broker-dealers will be subject to examination by FINRA and SEC staff to review whether firms are operating in a manner consistent with the above circumstances.
Request for Comment
In connection with its no-action position, the SEC is also requesting comment to assist with potential future rulemaking. Questions the SEC is expressly seeking comment on relate to:
Industry best practices and formats or systems, if applicable, with respect to:
protecting against theft, loss, and unauthorized or accidental use of private keys necessary for accessing and transferring digital asset securities;
addressing events affecting a broker-dealer's custody of digital asset securities, such as a hard fork, airdrop, or 51% attack.
Accepted practices with respect to disclosing the risks of digital asset securities and the use of private keys.
The expansion of the SEC's position in the future to include other businesses, such as traditional securities or non-security digital assets.
Clearance and settlement risks for digital assets compared to traditional securities.
Special benefits or risks implicated in a broker-dealer operating a digital asset ATS.