"The SEC Permits Some Broker-Dealers to Custody Customers' Digital Asset Securities," Blockchain Law Center
The U.S. Securities and Exchange Commission (the "Commission") recently issued guidance that permits a so-called "special purpose broker-dealer" (an "SPBD") to custody digital asset securities in a manner that complies with the Commission's customer protection rule, Rule 15c3-3 under the Securities Exchange Act of 1934 (the "Exchange Act").[i] The Commission refers to its guidance as a "statement" (the "Statement") and couches the Statement as a no-action position, effective for five years, under which an SPBD will not be subject to a Commission enforcement action if the SPBD custodies its customers' digital asset securities in compliance with the criteria set out in the Statement. The Commission notes, however, that the Statement "is an agency statement of general applicability with future effect designed to implement, interpret, or prescribe law or policy." It further notes that its "Office of Information and Regulatory Affairs has designated this statement as a 'major rule' as defined by 5 U.S.C. 804(2)." Thus, in contrast to a no-action position issued by the Commission's staff, which is not legally binding on the Commission, the Statement appears to be binding Commission guidance. The Statement becomes effective 60 days after it is published in the Federal Register and expires five years later.
The Commission's position is predicated on a broker-dealer's satisfaction of nine conditions.[ii] Below is brief summary of the Statement:
- An SPBD has to limit its business solely to digital asset securities;[iii] it cannot maintain a business in "traditional" securities.
- An SPBD's business can include dealing in, effecting transactions in, maintaining custody of, and/or operating an alternative trading system for digital asset securities.
- An SPBD must:
- Establish, maintain, and enforce written policies and procedures reasonably designed to analyze whether the digital asset securities it trades were issued in compliance with applicable securities laws and regulations;
- Have in place written supervisory procedures ("WSPs") to assess the characteristics of the digital asset security's distributed ledger technology and associated network (and confirm no operational problems or weaknesses with respect to that distributed ledger technology) before undertaking to maintain custody of digital asset securities, and make such assessments thereafter at regular intervals;
- Have WSPs that are consistent with industry best practices establishing that the SPBD has exclusive control over the digital asset securities it holds;
- Have in place WSPs to detect and address security threats, such as 51% attacks; comply with court-ordered seizures and allow for transfers to another SPBD if the transferor broker-dealer has to be wound down; and provide disclosures to customers regarding the risks of investing in digital asset securities;
- Have a customer agreement in place governing trading, custody, and other matters; notify customers that digital asset securities may not be "securities" subject to coverage under the Securities Investor Protection Act ("SIPA"); and inform investors that investment contracts not registered under the Securities Act of 1933 (the "Securities Act") are excluded from the definition of security under SIPA.
The Statement leaves a number of questions unanswered and issues unaddressed.
- Guidance permitting broker-dealers to custody digital asset securities is certainly welcome, but the scope of the Statement is somewhat unclear, including the permissible digital asset security brokerage models.
- The Statement appears to require a broker-dealer to be an SPBD and, thus, to limit its brokerage activities to digital asset securities only if it custodies digital asset securities. In Part IV of the Statement, the Commission notes that its guidance "is expressly limited to paragraph (b) of Rule 15c3-3 under the Exchange Act of 1934." The Commission further states, however, that a broker-dealer "would not be subject to a Commission enforcement action on the basis that the broker-dealer deems itself to have obtained and maintained physical possession or control of customer fully paid and excess margin digital asset securities" if it "limits its business to dealing in, effecting transactions in, maintaining custody of, and/or operating an alternative trading system for digital asset securities." The limiting language is written in both the conjunctive and disjunctive and could be read to require a broker-dealer to be an SPBD if it engages in any of the listed activities with respect to digital asset securities. The Commission's focus in the Statement, however, seems to be on custody.
- It is not clear why the Commission would not allow an SPBD to engage in a traditional securities business on a non-custodial basis, e.g., where it introduces customer accounts to a third-party clearing and carrying broker-dealer.
- The Statement, combined with a recent no-action position issued by the staff of the Commission's Division of Trading and Markets[iv] and guidance from the Office of the Comptroller of the Currency,[v] suggests three brokerage models with respect to digital asset securities:
- A broker-dealer custodial model. A broker-dealer (SPBD) may custody digital asset securities and engage in other activities with respect to digital asset securities, provided that it does not engage in activities with respect to "traditional" securities.
- A non-custodial model. A broker-dealer that does not custody digital asset securities may operate an ATS that facilitates trading of digital asset securities, provided that such ATS does not play any role in clearing and settling such trades.[vi] The participants in this non-custodial model should not be subject to the SPBD requirements of the Statement.
- A bank custodial model. The Office of the Comptroller of the Currency (the "OCC")guidance confirmed that national banks and national trust banks may custody digital assets, including securities. Paragraph (c)(5) of Rule 15c3-3 permits a broker-dealer to rely on a bank, as that term is defined in Section 3(a)(6) of the Exchange Act, as a control location for its customers' securities, i.e., to custody securities. Paragraph (c)(5) is self-effecting, meaning that a broker-dealer does not need to seek the permission of the Commission or its staff to use a bank as a control location. Neither the Commission nor its staff, however, has taken a public position on whether a broker-dealer can rely on a bank as a control location for its customers' digital asset securities. To challenge a broker-dealer's use of a bank as a control location, however, the SEC staff arguably would have to challenge the bank's ability to maintain custody or control over digital asset securities consistent with the OCC's guidance. Further, a broker-dealer relying on a bank as a control location for its customers' digital asset securities presumably would not need to be an SPBD because the broker-dealer would not be custodying such securities and, therefore, would not raise the concerns that the Commission identified in the Statement.
- The Statement suggests that the cash leg of a purchase and sale of a digital asset security must settle in a regular way, i.e., by movement of cash between the bank accounts of the buying and selling broker-dealers. Request for comment number 5 in the Statement seems to indicate that an SPBD would not be permitted to use non-security digital assets, e.g., a stablecoin, to facilitate settlement of a digital asset security transaction.
- The Commission does not explain why an SPBD could not conduct a non-custodial business in non-security digital assets, such as cryptocurrencies.
- As noted, the Statement requires an SPBD to notify its customers that digital asset securities may not be "securities" for purposes of protection under SIPA, which protects customers from lost or stolen securities in the event of a broker-dealer insolvency. Although investment contracts that are not issued in an offering registered under the Securities Act are specifically excluded from the definition of "security" under SIPA, the Commission does not explain why other digital asset securities, such as equity securities, might not be protected under SIPA, and such a position would seem to be contrary to the plain language of the statute.
- An entity that intends to operate as an SPBD that facilitates transactions in digital asset securities presumably needs FINRA permission to do so. It is not clear if FINRA is going to issue guidance on the permission process (e.g., does an existing broker-dealer need to file a Form CMA with FINRA to obtain approval to be an SPBD?) or when such guidance may be forthcoming.
Request for Comment
The Commission also requested comment on seven topics in the Statement. The first two requests focus on industry best practices with respect to private keys. In particular, the SEC seeks input on the following:
- Industry best practices in protecting private keys necessary for accessing and transferring digital asset securities against theft, loss or unauthorized or accidental use;
- Industry best practices in addressing events that could impact a broker-dealer's custody of digital asset securities, such as a hard fork, airdrop or 51% attack;
- Process, software and hardware systems, and other formats or systems that allow broker-dealers to create, store, or use private keys and to protect those keys from loss, theft or misuse;
- Accepted practices or model language for disclosing the risks associated with digital asset securities and use of private keys and whether the practices and language have been used with customers;
- Whether the Commission should expand its position to include traditional securities business and non-security digital assets. The Commission specifically asks whether non-security digital assets should be permitted as a means of payment for digital asset securities;
- Description of the differences between clearance and settlement of traditional securities and digital asset securities that could increase or decrease clearance and settlement risk for digital asset securities as compared to traditional securities; and
- Specific benefits and/or risks implicated by a broker-dealer operating a digital asset ATS that the Commission should consider for any future measures it may take.
Additional guidance from the Commission and FINRA will be needed in the near future on the scope of the Statement and the process for broker-dealers to be approved as SPBDs. It is not clear, for example, whether FINRA will create a new membership category for SPBDs.
[i] Custody of Digital Asset Securities by Special Purpose Broker-Dealers, Exchange Act Release No. 90788 (Dec. 23, 2020) available here.
[iii] Consistent with prior Commission/Commission staff guidance, the Statement provides as follows:
the term "digital asset" refers to an asset that is issued and/or transferred using distributed ledger or blockchain technology ("distributed ledger technology"), including, but not limited to, so-called "virtual currencies," "coins," and "tokens." The focus of this statement is digital assets that rely on cryptographic protocols. A digital asset may or may not meet the definition of a "security" under the federal securities laws. See, e.g., Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO, Exchange Act Release No. 81207 (July 25, 2017). As used in this statement, a "digital asset security" means a digital asset that meets the definition of a "security" under the federal securities laws. A digital asset that is not a security is referred to herein as a "non-security digital asset."
Id. at 2 n.1.
[iv] No-Action Letter, ATS Role in Settlement of Digital Asset Security Trades (Sept. 25, 2020) available here (the "No-Action Letter").
[v] Authority of a National Bank to Provide Cryptocurrency Custody Services for Customers, OCC Interpretive Letter #1170 (July 2020) available here (the "OCC Guidance").