NYDFS to Crypto Custodians: Proceed with Caution – All Things FinReg
In the depths of a crypto winter, the New York State Department of Financial Services (DFS) issued guidance (the Guidance) on custody standards for those with a BitLicense or registered as New York limited purpose trust companies engaged in virtual currency (VC) business activity (VC Trust Companies and, together with BitLicensees, VC Custodians). In addition to providing client segregation and compliance standards, DFS also announced in the guidance its position that a VC custodian entering into a subcustodian arrangement must obtain prior approval from DFS prior to the arrangement’s implementation.
DFS expectations of VC managers
The guidance, issued on 23 January 2022, establishes client protection and disclosure standards for compliance with VC custody requirements. The DFS notes that “client funds” include gas fees or other transaction costs that a VC custodian funds on behalf of its clients, meaning that VC custodians need to apply the guidance more broadly than they may currently do. VC custody services include the storage, custody or maintenance of custody or control of VC on behalf of others.
1. Segregation of and separate accounting for the customer’s virtual currency
DFS expects VC custodians to separately account for and segregate customer VC from the custodian’s and its affiliates’ corporate assets, including both in the chain and in the custodian’s internal financial accounts. Specifically, DFS expects a VC custodian to:
- a customer VC does not come with its own or another non-customer VC;
- maintain customer VC in separate chain wallets and internal ledger accounts for each customer under that customer’s name, or an omnibus wallet and internal ledger account containing only customer VC held under the custodian’s name as agent or trustee for the benefit of those customers;
- in respect of omnibus accounts, maintain appropriate records and a clear internal audit trail to identify customer VC and account for all customer transactions;
- disclose how it differentiates and considers customer VC;
- establish and maintain policies and procedures to demonstrate that they have these safeguards in place; and
- be prepared “at all times” to demonstrate the reconciliation of the custodian’s books and records and activity in the chain upon DFS request (which may be done as part of ongoing monitoring, routine on-site examination, ad hoc visits or otherwise).
2. Custody does not establish a debtor-creditor relationship
VC custodians should hold client VC in a manner that preserves a client’s fair and beneficial interest in the client’s VC. Custodial services should thus not establish a debtor-creditor relationship with a customer. VC custodians should treat client VC they hold as belonging exclusively to customers and should not use customer VC to secure or guarantee an obligation to, or extend credit to, the custodian or any other person. DFS also expects the VC Custodians to act on the client’s instructions.
3. A sub-custodial arrangement is a significant change to the business That Requires DFS approval
To the extent that a VC custodian ensures that customer VC is held through a sub-custodian arrangement, the custodian must obtain DFS approval before such an arrangement is implemented. This is because DFS views sub-custodial arrangements as a material change to a firm’s operations that triggers DFS approval requirements.
To request approval, a VC custodian should provide DFS for its review:
- the applicable risk assessment that the custodian carried out on the third party;
- the proposed service agreement(s) between the parties; and
- the custodian’s updated policies and procedures reflecting the processes and controls to be implemented around the proposed arrangement.
DFS does not disclose VC custodians who entered into sub-custodian arrangements without obtaining DFS approval should retroactively seek approval. It is unclear what the consequences are for VC custodians who have not received approval for sub-custodian arrangements.
Information requirements
Customer disclosure is part of any effective customer protection regime. VC Custodians should provide customers with information about their services and products and obtain customer confirmation of receipt of the disclosure before entering into any transaction with the customer. The VC custodian’s agreement with the customers should be clear that the scheme is a custodian and is not a debtor-creditor relationship.
In addition, VC Custodians should disclose:
- how they differentiate and account for customer VC;
- the ownership interest the customer retains in custody assets;
- how they can use the custody VC while it is in their possession;
- applicable restrictions on the use of the custodial VC by the VC Custodian; and
- to the extent a VC custodian uses a third-party, sub-custodian arrangement, the terms of that arrangement and the material risks.
Information should be included in customer agreements. DFS expects VC Custodians to make the standard disclosures and customer agreement readily available to customers on their websites.
What will be next?
VC managers should ensure they comply with the guidance and update their policies and procedures accordingly. The DFS notes that it has the authority to order the discontinuation of unsafe and unsound practices to protect the public interest and maintain public trust. VC custodians are aware that their custody practices must comply with the standards set out in the guidance, or be subject to such an order to cease a practice that DFS finds unsafe and unsound. Finally, with the collapse of various VC exchanges, we expect a continued focus on custody practices and client protection is expected, not only at the state level, but eventually at the federal level.