CUSTODY-Workshop

Proposal for the workshop (email from Marley Gray)

"Marley has been engaged in a couple of custody scenarios and would like to see if CMSIG would be open to workshopping custody using the framework to see if we could come up with a draft and start circulating it for review and comment. Marley could create the initial artifacts and we could spin up a collaborative session so he can guide you through updating and extending it so you can ultimately take charge of the artifacts related."

  • Custody: Condensed version of what was discussed during CMSIG call on December 4th 2019. Full audio available in link.

What is custody: It is the delegated possession of securities on behalf of the owner. In retail crypto-currencies, if you have an account with an exchange and you let that account hold crypto-currency or cash, the exchange has "custody" of your assets. There is legal hair-splitting on whether possession or control implies custody. The latest ruling by the SEC on custody by Investment Advisors goes into this in depth.

Digital asset custody:

Centralized: models similar to what happens with dematerialized securities. Usually, this means having control of the private key that can move the securities. The actual movement of securities can be achieved without a private key if the accounting system is held closely by a single entity, like the DTCC, which has its own procedures and processes for the movement of assets.

Between centralized and decentralized: One of the key principles of accounting as applied to computer security is segregation of duties: a way to bring more eyes and hands into the execution of a vital and sensitive task to prevent fraud, removing agency from any single actor or role. This implies some form of shared control over the private key for moving the security. This translates to multi-party computation (MPC), where agreement (or a signature) from multiple parties is required, with variants like m of k signatures. In practice this may involve several steps. One MPC in practice unlocks a master key which is then used to move the security (Fidelity - anecdotal). Other considerations:

    • Bankruptcy of the custodian
    • Bankruptcy of the owner
    • Insurance held by custodian against inadvertent losses (loss of key, theft of funds, etc.)
    • Use of HSMs to do the signing (or, in the cloud, PKCS#11-based approaches)
    • Regulation governing the custodian; what are the requirements (look at SEC requirements for custodians); how deep a balance sheet do they need to have?
    • Lending of the digital asset

Reference to SEC/FINRA guidance on custody of digital assets: https://www.sec.gov/news/public-statement/joint-staff-statement-broker-dealer-custody-digital-asset-securities