Op Ed: The Latest on FINRA and SEC Security Token and Custody Rules

What does the SEC and FINRA joint statement on broker-dealer custody of digital asset securities mean for the cryptocurrency space?
What does the SEC and FINRA joint statement on broker-dealer custody of digital asset securities mean for the cryptocurrency space?
What does the SEC and FINRA joint statement on broker-dealer custody of digital asset securities mean for the cryptocurrency space?

What does the SEC and FINRA joint statement on broker-dealer custody of digital asset securities mean for the cryptocurrency space?

On July 8, 2019, the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) put out a joint statement discussing broker-dealer custody of digital asset securities. 

These organizations aspire to address compliance issues faced by companies wishing to transact in “digital asset securities” (any kind of asset that is issued and transferred on a distributed ledger or blockchain and meets the definition of a security under federal security laws — also known as “security tokens”). One SEC law in particular, the Customer Protection Rule, poses a unique challenge for broker-dealers (BDs) trying to interact with security tokens because it requires strict standards for the custody of customer assets.

The Customer Protection Rule 

This rule was adopted in 1972 for the purpose of safeguarding securities held by a BD, in order to prevent investor loss in the event of the BD’s failure. It also enhances the ability for the SEC to monitor against unsound business practices. To comply, the BD must keep the customer’s assets separate from the firm’s assets so that it’s easy to return them in the event of a problem with the BD. 

According to CipherTrace, approximately $1.7 billion worth of bitcoin and other digital assets were stolen in 2018. Approximately $950 million of this was from hacks of bitcoin trading platforms. According to the SEC, the Customer Protection Rule has been a large factor in the much stronger 50-year track record for customers getting their assets back when a BD fails.

The SEC and FINRA have received several new membership applications from existing BDs looking to expand into the security token space with a business model that involves holding custody over customers’ assets. At this time, the SEC and FINRA are still engaging in discussions with crypto-industry professionals, fleshing out how to handle the custody of security tokens in a fashion that complies with the Consumer Protection Rule. 

Notably, if the business is attempting to engage in BD activity without taking custody of their customers’ security tokens, so long as they comply with the other SEC regulations, the regulators are not as concerned. Noncustodial activity is described in general as when customers buy the securities directly from the issuer as in a private placement, and when a BD facilitates a peer-to-peer transaction without ever taking custody or placing any holds on the security tokens. 

STO Custody Considerations 

When custody of a security token is involved, the SEC and FINRA are currently unwilling to change the rules to accommodate for digital securities, meaning that firms wanting to enter this arena may need to enhance their technology in order to comply with the financial responsibility rules. The regulators are continuing to gather information from market participants to figure out how best to advance their missions of protecting investors; maintaining fair, orderly and efficient markets; facilitating capital formation and promoting market integrity. 

To comply with the Customer Protection Rule, the BD must safeguard their customers’ securities and cash by keeping them in separate accounts so they can be returned to customers easily should the BD fail. The BD must physically hold the customers’ securities or maintain them free of lien at a good control location — typically the Depository Trust Company or a clearing bank — and uncertificated securities, such as mutual funds, may be held at the issuer or at the issuer’s transfer agent. This adds a layer of protection in which a third party controls the transfer of the securities and can recall them from the BD if there is ever a mistake. 

Custody Concerns for Security Tokens

When applying this method to security tokens, the concern is that the BD or third party controlling the tokens could be hacked, lose a private key or accidentally send them to the wrong address and not be able to recall the trade. 

There are also concerns that there is no way for the SEC to verify that the security tokens are actually being held in a separate account for each customer or that the BD truly has exclusive control over the assets, as multiple parties could have access to the private keys and could potentially make a transfer without the BD’s consent. 

The Books and Records and Financial Reporting Rules

BDs are required to create several varieties of financial statements and keep detailed ledgers reflecting all assets and liabilities, as well as a list of each security they carry for each customer. The rules surrounding these obligations allow the SEC and FINRA to spot-check the BD for compliance. When dealing with security tokens, the SEC and FINRA are concerned that it would be very difficult to accurately maintain these types of records.

Insurance 

If a BD fails, it is liquidated through the Securities Investor Protection Act of 1970 (SIPA), and the customer has first priority to their own cash and securities. Customers are eligible for up to $500,000 in protection, but the current SIPA security definition does not encompass security tokens; therefore, there is no protection available for security token customers. 

Control Location Applications

When crypto companies, including alternative trading systems (ATSs), have tried to use a transfer agent as a control location in order to comply with the Customer Protection Rule, it has created confusion as to how to deal with “uncertificated securities.” Traditionally, the issuer or transfer agent keeps a master list of security holders. There has been exploration around the idea of using distributed ledger technology to maintain this list for security tokens, but the BDs have asserted that the distributed ledger is not an authoritative record of share ownership. This has not been ruled out entirely, however, and it will be contemplated on a case-by-case basis. 

Implications for Bitcoin

Bitcoin is not considered a security token; therefore, the SEC and FINRA rules do not generally apply. With respect to altcoins, if individuals still have any left after the number of hacks we’ve seen, they may be wise to subscribe to the “not your keys, not your coins” ideology and safeguard their own assets. 

It is encouraging that regulators are working on these types of solutions because, once solved, they will allow institutional investors to hold bitcoin in investment vehicles such as ETFs and mutual funds, building easier access for financial advisors to allocate a percentage of their clients’ portfolios to bitcoin. Ultimately, this is likely to create some serious upward pressure on bitcoin’s price. 

The challenges are pretty significant though. Getting SIPA’s definition of a security rewritten to include tokens, solving for the fact that you can’t recall a mistaken transfer and solving the hacking problem are pretty tall orders. Perhaps multisig wallets could help with some of the concerns, or these type of investors can continue to access Grayscale Bitcoin Trust.

The SEC encourages industry participants to engage with them on the SEC’s FinHub webpage or by contacting Thomas K. McGowan, associate director, at (202) 551-5521; Raymond Lombardo, assistant director, at (202) 551-5755; or FINRA staff using FINRA’s FinTech webpage; or contacting Kosha Dalal, associate general counsel, at (202) 728-6903.

This is a guest post by Sasha Hodder. Opinions expressed are entirely her own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.