Analysis of the Custody Requirements and Compliance for Crypto Assets in the U.S., Hong Kong, and Singapore Based on SEC's Charges Against Asset Management Company Galois Capital

Author: AiYing, AiYing Compliance

Yesterday, the U.S. Securities and Exchange Commission (SEC) penalized Galois Capital Management LLC, a former registered investment advisor based in Florida that primarily invested in crypto assets. The SEC found that Galois Capital failed to comply with the custody rules under the Investment Advisers Act of 1940, particularly showing serious lapses in the management of crypto assets. Specifically, Galois Capital failed to ensure that the crypto assets it managed were held by qualified custodians, instead placing these assets on non-compliant cryptocurrency exchanges, resulting in significant asset losses during the collapse of the FTX exchange. Additionally, Galois misled investors by providing inconsistent redemption terms.

AiYing believes that such incidents will become more frequent in the field of crypto asset management in the future. As crypto assets become increasingly popular, investment advisory firms remain in a state of self-regulation due to the early absence of regulation and the rising costs of compliance, thus the probability of black swan events or regulatory penalties due to reports will only increase.

I. Applicability and Expansion of U.S. Custody Rules

Origin and Intent of Custody Rules

The U.S. custody rules, simply put, are a set of legal provisions designed to protect investors' assets. These rules originated from the Investment Advisers Act of 1940, which aimed to prevent any "shenanigans" by investment advisory firms in managing client assets. According to this regulation, if an investment advisory firm has the authority to control or manage client assets, those assets must be held by a qualified custodian, such as a regulated bank or financial institution.

The core idea of the custody rules is straightforward: investment advisory firms cannot mix client assets with their own funds; they must manage them separately. If there are any changes to client assets, the custodian must promptly notify the clients and provide regular reports on the status of the assets. These measures are all designed to ensure the safety of investors' funds, preventing losses due to the advisor's mistakes or misconduct.

Expansion to Virtual Assets

With the popularity of virtual assets like Bitcoin and Ethereum, significant changes have occurred in the financial markets. Due to characteristics such as decentralization, anonymity, and high price volatility, virtual assets pose new challenges to traditional asset management. Recognizing this change, the SEC realized the necessity of expanding the protective scope of custody rules to these emerging virtual assets.

In recent years, the SEC has made it clear that custody rules apply not only to traditional financial assets like stocks and bonds but also to virtual assets. This means that if an investment advisory firm manages clients' cryptocurrencies, those assets must also be held by qualified custodians. Qualified custodians must not only meet traditional regulatory requirements but also possess the technical capabilities to address the unique risks associated with virtual assets, such as preventing hacking or loss of cryptocurrencies.

II. U.S. Qualified Custodian License Requirements

The SEC and other relevant regulatory bodies have begun to focus on and regulate this emerging field concerning qualified custodians for virtual currency assets. Qualified custodians of digital assets must meet the requirements of traditional custodians while also possessing specialized capabilities to manage and protect these digital assets. Below are some key standards and requirements for qualified custodians of digital assets:

Types of Qualified Custodians for Digital Assets

1. Banks and Trust Companies:

• Banks and trust companies regulated by federal or state governments may provide custody services for digital assets. To meet the requirements of qualified custodians, these institutions must have the technology and infrastructure to protect and manage digital assets.

1. Specialized Digital Asset Custody Companies:

• Some companies specialize in providing custody services for cryptocurrencies and other digital assets. These companies may be registered at the state or federal level and are subject to strict regulation. For example, companies like Coinbase Custody and BitGo Trust have provided custody services for digital assets and obtained specific state or federal custodian qualifications.

1. Registered Broker-Dealers:

• Broker-dealers regulated by FINRA may offer digital asset custody services, but they must ensure they possess the specialized technical capabilities required to manage digital assets.

1. Other Regulated Financial Institutions:

• Some regulated financial institutions, such as futures traders or foreign financial institutions, may also be considered qualified custodians if they meet the requirements for digital asset custody.

Key Requirements for Digital Asset Custodians

1. Secure Technical Infrastructure:

• Digital asset custodians must have advanced cybersecurity technologies to prevent hacking and asset loss. This typically includes the use of cold storage, multi-signature technology, hardware security modules (HSM), etc.

1. Asset Segregation and Independent Accounts:

• Digital assets must be stored separately from the custodian's other assets, and clients' assets must be held in independent accounts clearly identified as client assets.

1. Regular Audits and Reporting:

• Digital asset custodians should undergo regular third-party audits to ensure the security of assets and compliance of custody services. Additionally, they need to provide clients with regular reports on asset status.

1. Compliance Capability:

• Digital asset custodians must comply with the same regulatory requirements as traditional asset custodians, including anti-money laundering (AML), know your customer (KYC), and other applicable financial regulations. They must also adhere to specific digital asset compliance frameworks, such as the transparency and traceability of blockchain transactions.

1. Insurance and Safeguards:

• To further protect client assets, digital asset custodians typically purchase insurance to guard against asset loss due to hacking or operational errors.

Regulation and Certification

• State-Specific Certification: In the U.S., some states, such as New York, have passed the New York State Financial Services Law (NYDFS), under which the BitLicense allows qualified companies to provide custody services for crypto assets. This has been detailed in AiYing's previous article titled In-Depth Analysis: Two Major Licenses for Web3 Companies to Conduct Virtual Currency Business in New York State—BitLicense and Limited Purpose Trust Company License.

• Federal-Level Regulation: Although federal-level regulation has not fully covered all types of digital asset custody services, regulatory bodies like the SEC and CFTC are gradually formulating relevant rules and overseeing the market. This can be referenced in AiYing's previous article In-Depth Analysis of the Legal Basis and Requirements for Cryptocurrency Payment Licenses in the U.S..

Currently, there are a total of 12 institutions that have obtained custody licenses:

*** (Source: New York State Department of Financial Services NYDFS) ***

III. Policies in Other Regions

Hong Kong

1. Background Introduction

As an international financial center, Hong Kong is gradually strengthening its regulation in the digital asset field. With the popularity of cryptocurrencies and blockchain technology, Hong Kong's regulatory bodies have begun to formulate corresponding regulations to standardize custody and trading services for crypto assets. The Trust or Company Service Provider (TCSP) license in Hong Kong is one of the licenses that digital asset custody service providers must obtain. For more details, read A Comprehensive Overview of the Latest Application Policies for Virtual Asset Custody Service Providers (TCSP) in Hong Kong.

2. Specific Requirements

• TCSP License: In Hong Kong, companies providing custody services for crypto assets need to apply for and hold a TCSP license. This license is regulated by the Companies Registry (CR) in Hong Kong and aims to ensure that institutions providing trust or company services comply with anti-money laundering (AML) and counter-terrorism financing (CFT) requirements.
• Asset Segregation and Independent Accounts: Custodians holding a TCSP license must ensure that clients' crypto assets are strictly stored separately from their own assets, typically requiring client assets to be held in independent accounts. This practice can prevent the custodian's financial issues from affecting the safety of client assets.
• Security Technology and Compliance Requirements: Companies holding a TCSP license must also have robust cybersecurity measures to protect clients' digital assets. This includes using cold storage, multi-signature technology, and establishing strict compliance procedures to ensure asset security.
• Regular Audits and Reporting: Custody service providers need to conduct regular audits and provide detailed asset status reports to clients, ensuring transparency and clients' right to information.

3. Regulatory Bodies

• Companies Registry (CR): The Companies Registry is responsible for issuing and supervising TCSP licenses, ensuring that companies providing custody services comply with relevant laws and regulations. The CR's main responsibilities include reviewing applications, conducting on-site inspections, and overseeing licensed companies' compliance with anti-money laundering and anti-terrorism financing laws.

4. Industry Practices

• In Hong Kong, many fintech companies and traditional financial institutions have obtained TCSP licenses to legally provide custody services for crypto assets. For example, companies like OSL, BC Group, and Hashkey have already engaged in compliant custody operations in Hong Kong, providing secure digital asset management services for domestic and international institutional investors.

Singapore

1. Background Introduction

Singapore attracts numerous digital asset companies with its open financial policies and innovative environment. The Monetary Authority of Singapore (MAS) is the key regulatory body for digital asset custody, having established a series of regulations to ensure that custody of crypto assets meets international standards. For more details, read A Comprehensive Illustrated Guide to Singapore's Payment Services Regulatory Framework and Digital Asset DPT License Requirements.

2. Specific Requirements

• Payment Services Act (PSA): Singapore implemented the Payment Services Act (PSA) in 2020, which brings crypto asset services (including custody services) under regulatory oversight. According to the PSA, companies providing crypto asset custody services must obtain a "Digital Payment Token Service" license issued by the MAS.
• Custodian Qualifications: In Singapore, custodians need to ensure that their technology and operational frameworks meet stringent security standards. The MAS requires custodians to have sufficient capital, a comprehensive risk management system, and robust cybersecurity measures.
• Compliance and Audits: Custodians must comply with anti-money laundering (AML) and counter-terrorism financing (CFT) regulations, establishing strong customer due diligence (KYC) procedures. Custodians are also required to undergo regular internal and external audits to ensure transparency and compliance in their operations.
• Client Asset Protection: Custodians must store clients' crypto assets separately from their own assets and provide independent account management services. This requirement aims to ensure the safety of client assets, unaffected by the custodian's financial status.

3. Regulatory Bodies

• Monetary Authority of Singapore (MAS): The MAS is Singapore's central bank and primary financial regulatory authority, responsible for overseeing the compliance of crypto asset custody services. The MAS has established a clear regulatory framework for crypto asset custody through the implementation of the Payment Services Act.

4. Industry Practices

• The digital asset custody market in Singapore is rapidly developing, with many internationally renowned digital asset companies establishing custody operations in Singapore. For instance, Propine has become the first digital asset custodian to receive a "Full Custody" license from the MAS, marking Singapore's leading position in this field.