Institutional Custody & Trading Workflows for Digital Assets
Phil Mochan, Koine Founder and Head of Strategy and Corporate Development
The digital asset market is reaching a point at which institutional participation is imminent. It is therefore appropriate to look at the operational aspects of this marketplace and explore how they evolve to encourage institutional participation.
This article will cover:
the nature of the digital assets as bearer assets and the implications for trading and safeguarding;
the normal obligations of an institutional custodian and the special conditions arising because of the nature of the digital assets;
setting out the considerations of an institutional asset manager looking to allocate capital to a digital asset fund;
looking at what the operational models might look like to support institutionally compliant trading;
a checklist to determine whether a digital custodial service is institutionally compliant.
Cryptocurrencies are bearer assets
A bearer asset is one for which ownership is determined by possession alone. If I hold a $10 note, it’s mine. If I hold it $300 million bearer bond, it’s mine. In the same way if I hold a private key to a bitcoin wallet that holds 10 BTC, then it’s mine (probably). We say probably because most bearer instruments are difficult to copy. Various counterfeiting measures have been built into them such as serial numbers, holographic images, stamps, ultraviolet threads etc. A private key for a bitcoin wallet on the other hand is simply a string of 32 alphanumeric characters which can be copied with a pencil, an iPhone camera, or a good memory. A $10 note would have to be stolen to be usable, whereas a bitcoin private key can simply be copied.
Private keys are therefore the most vulnerable form of bearer asset and once they have been exposed to a human, it is impossible to prove unique ownership as they may have been copied and there will be no record of the copy having been made.
The safeguarding of these private keys thus becomes a critical issue for digital assets. The original design for a blockchain record of assets is based around a Wallet model. The use of the word wallet indicates the security issue. In practical terms why would you want to store more value in a digital wallet then you would feel comfortable in a physical wallet. The owner may feel that they have cryptographic security, but do they have physical security? There are numerous examples of people who have been robbed of their digital assets under physical threat. It may be a shock to learn that one very large crypto fund revealed to me that they hold the private key across three bits of paper, held by three individuals. I advised them that for their personal safety never to reveal their methodology again to another person. To illustrate how unsafe, it is perhaps sufficient to say that crypto exchanges in aggregate lose the entire contents of their hot wallets roughly every six months.
Various technical solutions have emerged with the objective of making the Wallet more secure including MPC technology but whilst reducing the risks (supposedly) these fundamentally don’t address the nature of the risk. Robbing $1bn from a bank remains a high cost, high risk exercise : robbing a Bitcoin owner with $1bn held in a hot wallet is significantly easier and much lower risk.
The first implication therefore for safeguarding is that the Wallet model is inadequate for high value (>$1000) as its design and architecture leave it too vulnerable and no technological improvements, however innovative, will ever resolve this challenge - “better” is never going to be “sufficient”.
One alternative model is the Account structure where a trusted third party takes control of the assets and separates the Authorisation processes from the Private Key Management
processes. This is how a bank works and it requires Trust, Regulation and Governance: most of which are an anathema to the progenitors of the cryptocurrency world.
The second problem arising from the specific bearer nature of digital assets is proving unique ownership. The only solution that works is to ensure (and prove) that no humans ever come into contact with a private key. Given that cold stores, the most common form of long term storage for digital assets, require humans to move assets across the airgap (with the commensurate risk of collusion and poor scalability) it would seem such solutions are unacceptable.
A third issue is connected the regulatory rules around bearer instruments (which vary by country). In the USA, any fund >$150m in size is obliged to “dematerialise” bearer assets and record them on a register of ownership maintained by a custodian. This is therefore why nearly all traded bearer assets are indeed dematerialised onto electronic registers normally held by regulated depositories whose records are legally deemed the “truth”. Given these rules and existing models, it is therefore likely that all digital assets would be similarly dematerialised, in this case onto a digital ledger (not for operational reasons likely to be a blockchain) with ownership rights attached, in order to fulfil existing regulations.
Obligations of an Institutional Digital Custodian
Having explored the nature of digital assets and the issues arising from them being bearer instruments we turn the focus to the actual responsibilities of an institutional Custodian.
A Custodian‘s first duty is to safeguard the assets and the second duty is to record unique ownership of the assets. This, as discussed above, will require:
the dematerialisation of the assets onto some form of ledger and the recording of ownership rights;
the creation of a model to allow separation of the Authorisations from the Private Key Management processes e.g. using Account model;
the complete isolation of private key generation, storage and use from the human domain;
ensuring that assets can only be withdrawn to accounts (or wallets) as specified in the Fund Mandate rules - this is to prevent the fund manager from stealing the assets as would be the risk if the funds were held on a trading venue;
ensuring that assets are held in a manner which isolates them from any insolvency of the Custodian normally through a Trust structure (approaches vary by jurisdiction).
It is traditionally the case that Custodians either take out insurance against loss or have a sufficiently large balance sheet to rectify losses from their own resources (whether or not as required by regulators). Fidelity Digital Assets for example has no insurance but relies on its parent’s balance sheet. However, Insurance capacity is a small fraction of the value of digital assets market cap and no claim has yet resulted in a payout, so for the most part insurance remains a tick box requirement for fund managers.
Custodians are obliged by Fund Administrators to be capable of independent audit to meet their obligations to Asset Allocators:
to prove ownership rights to assets (and to prove they are unique);
to show that they have operated the account within the Fund Mandate rules - which may set restrictions on assets and venues for example;
to accurately record the trades (including fees and pricing) and counter parties, to meet regulatory reporting obligations;
to demonstrate robust internal controls and governance processes that would obviate the risks of internal collusion by the Custodian and compliance with regulations.
Custodians are additionally obliged to facilitate asset servicing which aside from Corporate Actions (dividends, interest, splits etc) would also include:
locking collateral to be used as security for borrowing; facilitating forking when it occurs;
managing staking e.g. for Ethereum;
providing cash management services.
This set of responsibilities is normally further augmented (varies by country) with specific regulatory obligations which would include:
compliance with KYC and AML regulations;
compliance with trading regulations that pertain to the asset class e.g. MIFID II for digital securities;
compliance with their regulatory licence e.g. reporting and reserve capital;
Suspicious Activity Reporting (SARs).
Given these various obligations it is important to design Custodians from the top down, starting with the Governance model, then the Regulatory Framework, then the Operating model and finally the Technology. Too many early entrants started with the Technology and are finding it’s quite difficult to retrofit the other elements.
Considerations of an institutional asset manager looking to allocate capital to a digital asset fund
Institutional allocation comes from asset allocators such as pension funds or insurance companies whose first duty is not to lose the assets they manage. They are therefore prefer a standard framework in allocating to a fund manager :
full support for the “Separation of Duties” model to ensure that neither the trading venue nor the fund manager can run off with their assets;
the selection of a custodian that will enforce the fund mandate (as far as is practical) as regards trading and operational risk;
ensures that beneficial legal ownership of the assets is retained at all times and that the insolvency of any party e.g. custodian, venue, fund manager, will lead to a full recovery of assets;
has an information model that supports all the regulatory and other reporting requirements of the fund manager and auditor;
compliant with the rules on trading bearer instruments (Don’t!);
understanding of the operational risk model and will generally want to avoid counter-party risk of venues, credit risk and settlement risk.
In this context, settlement conducted using blockchains, even where Atomic swap is the model, would break the rules on two counts at least:
trading with bearer assets;
loss of continuous legal ownership.
Many funds purporting to be “institutional” are not truly confirming to these principles. Use of asset transfer networks e.g Fireblocks, Curv, to move assets from custodians to trading venues is definitely not “institutional flow” on the following grounds
trading with bearer assets;
loss of continuous legal ownership;
counterparty risk on venue;
insolvency risks of venue and asset transfer networks;
insufficient data on trading counter parties to meet audit standard ;
settlement occurring in an unregulated manner without governance framework on an electronic book (not blockchain);
risk that fund manager will run off with the assets - no separation of duties model.
It’s also not that capital efficient - BTC transfers on-chain can take an hour for example.
It is clear that many proprietary trading firms and family offices have opted to pursue the profit opportunity and several have sophisticated risk models to manage the complexity of such non- institutional operational flows.
Some funds will restrict trading to the CME’s cash settled BTC derivatives which avoids holding digital assets in the first place. In this model the cash collateral is posted with traditional intermediaries. Many of the alternative crypto-derivatives exchanges require collateral to be posted directly with them which of course is a rather risky proposition. The trade off is primarily between trading costs and operational risk.
Operational Model for Institutional Digital Asset Trading
Much anticipated, Institutional capital is looking to allocate through their traditional relationships with prime brokers (“PBs”), hedge funds, and even directly. Not all will conform to the standard model for additional assets but it must be presumed that most will seek to do so, where that’s possible.
In an ideal world:-
there is a central depositary offering real-time settlement using DvP with real-time clearing and real-time funds movement between trading venues. This facilitates the highest level of liquidity and trading volume;
the solution confirms to the Separation of duties model, and asset allocators can provide capital directly to the fund manager accounts on the custodian and may monitor the fund mandates in real time;
the instruments traded are dematerialised equivalents of blockchain recorded assets, with fiat money also represented digitally;
a highly efficient pre-trade infrastructure which permits assets to be locked at custodians no more than 10ns before an order hits the market;
has a structure which facilitates real-time allocation of credit, possibly dynamically through an auction process in the flow of Orders to market;
trades are completely private (to avoid revealing trading positions/strategies) yet fully compliant with the information reporting standards such as in MIFID II;
fiat is cleared in real-time;
underlying digital assets are cleared between custodians and sub-custodians regularly (intra-day) on an automated basis without human participation;
service matches or improves upon traditional capital markets requirements in terms of pricing, resilience, interfaces, throughout;
fully compliant with multiple regulatory regimes and global rather than national in construct.
This approach would maximise liquidity, transaction volumes, and confidence. It would set the model for the digitisation of the current securities markets. It would minimise risk, and maximise institutional participation.
In a practical world, the crypto markets are likely to stay as fractured as the FX markets for some time until a single solution with enough powerful backers emerges.
Checklist for evaluating a Digital Custodian
Now is the time when the prime brokers and the institutional Asset allocators are evaluating their choice of operational infrastructure. So here are the basic questions to ask your prospective custodians to support your understanding of the operational risk, and the level of capital efficiency.
Can you ensure that fund mandates are enforced upon fund managers in terms of assets traded, venues traded, leverage, and workflow models?
Can you receive funds directly from asset allocators (and manage reverse flow) to funds accounts on your custody service?
Do you offer a way to trade that does not use bearer assets?
Can you ensure that the fund manager is unable to extract the funds for his own benefit?
Do you fully conform to the separation of duties model?
Do you ensure full beneficial legal ownership is retained throughout the trade lifecycle?
Is settlement occurring (a) on venue, (b) free of payment, (c) blockchain atomic swap, (d) DvP and is it real-time gross or netted?
Can you prove that no human has ever touched a private key holding value?
Can you prove unique ownership of the assets?
In the event of insolvency of any party involved in the trade do we always get our assets back?
Would physical threats on custodian staff, or fund managers create a risk of loss of assets?
How fast is settlement with cleared funds?
How fast can I remove assets from custody post-authorisation? (days, hours or seconds)
Are you compliant with MIFID II assuming all crypto-assets fell within its regulatory boundary?
Are you compliant with 5MLD?
Can you support sub-custodian models?
What % of assets are held in the hot wallet if any and are you fully insured against loss of all assets in the hot wallet including for Internal collusion?
Do you have truly independent directors overseeing the design of your risk frameworks and independent auditors verifying operational compliance with these frameworks?
As the experienced readers will note, the majority of these are identical to selecting a custodian for non-digital assets.
The institutionalisation of the digital asset trading environment is just beginning. The next couple of years will determine whether we have an efficient unitary solution such as for the bond markets, or a more fragmented approach such as exists with the FX markets.
At this time we see in-house solutions being launched by DBS and Standard Charter banks, with the larger banks still considering their options. Should a group of four of five coalesce around a core infrastructure in 2021, the market is likely to develop more rapidly, and the high-frequency trading funds will drive up trading volumes by many multiples.
For the existing mainly retail exchanges, such as Binance and Coinbase, this increased institutional participation will represent a considerable transformation which might rapidly overwhelm some of them not least because their exchange technologies are mostly unsuited to the behaviours of high frequency traders.
As the ratio of spot to derivatives is low the cash settled derivatives exchanges appear to have the most to gain if they can become institutionally compliant, accessible and cost-effective.
In conclusion there will clearly be a shift from crypto evangelism to capital market pragmatism and it’s probable that in doing so the anticipated mass adoption of blockchains will become more grounded in operational reality. Capital markets infrastructure will lead that realignment.