What it means to be a qualified crypto custodian
Qualified crypto custodians are regulated financial entities that hold and safeguard crypto assets on behalf of individuals or institutions. They are subject to rigorous security and operational checks in order to protect the assets they hold. Qualified custody regulations generally aim to improve investor protection and secure assets against being lost, misused, or stolen.
In this article, we go over the different types of custody services available and explain what it means to be a qualified custodian for crypto assets. We also detail how Finoa fulfills those requirements and the scope of Finoa’s licenses.
What are custody services?
Custody services refer to the safekeeping and management of assets, typically by a third-party service provider. These services involve holding and possessing assets on behalf of clients, including commodities, securities, and digital assets such as cryptocurrencies.
A variety of entities, including banks, trust companies, and specialized custody providers, offer custody services. Custodians provide a range of services, including asset safekeeping, asset transfers, arrangements with an investment adviser, and account administration, while under certain conditions giving the investment adviser ownership of or access to client funds or securities.
Definition of a qualified custodian
A qualified custodian is an entity that has been authorized by law to hold and manage securities or other assets on behalf of others. In traditional banking, qualified custodians are typically banks or trust companies that hold securities, cash, or other valuables for their clients. Qualified custodians are responsible for safeguarding their clients' assets, ensuring that they are secure and accounted for. They are also required to maintain accurate records and provide regular reports to their clients.
In the United States, where the term is most commonly used, a qualified custodian generally is a federal or state-chartered bank or savings association, certain trust companies, a registered broker-dealer, a registered futures commission merchant, or certain foreign financial institutions (“FFI”).
Requirements for qualified crypto-asset custodians
In the crypto space, custody providers have emerged to fill the need for secure storage and management of digital assets. These providers typically offer a range of security measures, including cold storage, multi-signature wallets, and insurance coverage. Although the concept of qualified custodianship is relatively new in cryptocurrency, regulators are starting to take notice and issue guidance on what constitutes a qualified custodian in the crypto space.
In general, custodians of crypto assets that are considered financial instruments are subject to the same rules as traditional custodians. These requirements include having adequate insurance, maintaining accurate records, protecting investment funds in case of insolvency, and implementing appropriate security measures to protect digital assets from theft or loss.
In the EU, crypto-asset service providers, which are roughly equivalent to qualified custodians in the US, are regulated under the European MiCA Regulation, which harmonizes the rules for the issuance, trading, and exchange of crypto-assets, and for the administration and custody of crypto-assets on behalf of third parties.
Criteria for qualified custodians in the US
Under US law, a qualified custodian maintains the funds and securities of the clients in a separate account for each client under the client's name.
Although the US Securities and Exchange Commission (SEC) has not established specific requirements for qualified crypto custodians, it has issued extensive guidance in the past. In general, custodians of digital assets considered securities or financial instruments must comply with the same requirements as traditional custodians of securities. This includes complying with the SEC's custody rule, which requires advisers to:
- maintain client assets in a segregated account, and
- undergo regular audits.
In 2023, the SEC submitted a new draft concerning the regulation of custodians. The draft also details seven criteria that non-US custodians must comply with to be recognized as a Foreign Financial Institution (“FFI”) that can provide qualified custody for US persons or entities in the US market. As explained in a previous statement that details the seven criteria, Finoa has extensive safeguards in place and complies fully with the requirements of German law, many of which are in line with the SEC’s proposed requirements for qualified crypto custodians.
The SEC has also indicated that it expects custodians of digital assets to implement robust security measures to protect against theft, loss, and unauthorized access. This includes measures such as:
- implementing strong access controls,
- multi-factor authentication, and
- regular testing of security systems.
Some US states have also established their own regulatory frameworks for working with crypto asset custodians, such as the New York Department of Financial Services (DFS) licensing framework for "BitLicense" holders. This includes requirements for capital reserves, cybersecurity, and compliance with anti-money laundering (AML) and know-your-customer (KYC) regulations.
Why institutions need qualified custodians
Licensing ensures that crypto service providers are operating within the bounds of the law for the services they perform and adhering to industry best practices. Licensed providers like Finoa typically undergo regular audits and are required to maintain adequate capital reserves and implement robust security measures to safeguard client funds.
Here are five key advantages of working with a qualified custodian:
Qualified crypto custodians like Finoa implement asset segregation and enable transparent record-keeping that is verifiable on-chain. Additionally, they undergo regular internal and external audits that strengthen operational reliability and transparency.
For licensed providers, adherence to local AML and KYC regulations, as well as risk and compliance frameworks (MaRisk and BAIT), is ensured by federal or state-level oversight under local banking laws (in the case of Finoa, the German Banking Act (KWG)) and validated by annual external audits.
Strong governance controls
Robust governance structures ensure a resilient organization that puts security and risk management at the core. With a risk strategy that leverages three lines of defense, the company operates under a compliant system of internal controls and segregation of duties.
Private keys must be adequately stored, such as on encrypted hardware security modules (HSMs). Users must be able to leverage advanced access controls including multi-factor authentication and quorum-based approvals. App security is kept to a high standard using a sophisticated cybersecurity strategy that includes regular penetration testing.
The company offering custodial services should hold strong capital reserves and implement off-balance-sheet accounting for client funds. Under German law, client assets are treated as Special Assets that are segregated and exempt from a company’s insolvency estate in the unlikely event of bankruptcy (“Bankruptcy Remoteness”).
In addition to providing clients with greater peace of mind and security, licensing can also help improve the industry’s reputation by promoting transparency and accountability. As a regulated institutional crypto service provider licensed by BaFin, Finoa operates at a high standard of operational security and welcomes the ongoing regulatory effort to align requirements for the creation of a safe crypto market.