The global consensus is growing in favour of regulation for crypto-assets[1], driven by the growth of over 23,000 cryptocurrencies and daily trade volumes exceeding $275 billion on more than 400 platforms.[2] This rapid expansion in the crypto industry, coupled with high-profile collapses, has heightened the need for regulations aimed at protecting investors, ensuring market integrity, and preventing money laundering.

This paper, the latest from the World Federation of Exchanges examining crypto-assets, specifically addresses the critical issue of crypto-asset custody. This is a concern brought to the forefront by the FTX collapse and longstanding worries about insufficient custody controls in the crypto industry, which pose risks to both market integrity and investor protection.

Due to the lack of a well-defined regulatory framework for crypto-assets globally, the services offered by crypto custodial wallet providers can differ widely. There are regulated crypto custody providers, but the regulatory scheme differs from jurisdiction to jurisdiction, so a patchwork of crypto custody requirements is being created real-time and this causes problems. As a result, what is marketed as “crypto custody services” may not actually provide genuine custody, potentially placing it under a different legal category. This has significant implications for how a customer’s assets are treated, especially during insolvency. This inconsistency is not necessarily due to deceptive practices by the service provider, though that could be an issue, but more often stems from legal ambiguities. This uncertainty makes traditional institutions reluctant to enter the crypto sector, thereby hindering market growth.

This paper looks at custody services in traditional financial services and compares them with custody services in crypto-markets trying to find lessons that crypto-custody providers can learn from traditional finance (TradFi) and traditional markets. It is intended to be a valuable resource for those looking to establish crypto-custody solutions. It is also intended as a useful blueprint for policymakers to use when developing regulation in keeping with the "same activity, same risk, same regulation" principle.

The paper concludes that crypto custody providers can:

  • Consider segregating client assets to ensure they are protected in the event of a company’s bankruptcy.
  • Ensure client assets remain bankruptcy-remote, ie, separate from those of other persons, whether legal or natural.
  • Address cyber risks through thoughtful technology architecture decisions and the operation of mature cyber security programmes
  • Provide more than a place to hold or administer assets.
  • Ensure that conflicts of interest are adequately managed and addressed.
  • Manage all aspects of operational resilience across their support model.
  • Disclose risks in a way that is clear and understandable, particularly for retail customers.
  • Have adequate insurance and/or surety bonds and disclose these policies in clear understandable terms.
  • Seek independent audits from reputable and credible auditors to provide an assessment of financial statements, process and controls.

[1] There are varying definitions for crypto-assets. For the purposes of this paper, a crypto-asset is:

a type of private asset that depends primarily on cryptography and DLT or similar technology as part of its perceived or inherent value,

and is not a tokenised version of a traditional asset.

The purpose of this definition is to include the largely unregulated sphere of DLT-based assets but exclude those assets that use DLT but are already regulated.

[2] https://www.nortonrosefulbright.com/en/knowledge/publications/10fba6f7/crypto-asset-regulation-in-hong-kong