Yesterday, the U.S. Securities and Exchange Commission (SEC) sanctioned Galois Capital Management LLC, a former registered investment advisor based in Florida that primarily invested in crypto assets. The SEC found that Galois Capital failed to comply with the custody rules under the Investment Advisers Act of 1940, particularly showing significant lapses in the management of crypto assets. Specifically, Galois Capital did not ensure that the crypto assets it managed were held by qualified custodians, instead storing them on non-compliant cryptocurrency platforms, which resulted in the loss of most assets during the collapse of the FTX exchange. Additionally, Galois misled investors by providing inconsistent redemption terms.

Aiying predicts that such incidents will become increasingly common in the crypto asset management sector in the future. As crypto assets gain popularity, investment advisory firms managing such assets remain largely self-regulated due to early regulatory gaps and the rising cost of compliance. Consequently, the likelihood of black swan events or regulatory sanctions following complaints is expected to rise.

1. Applicability and Expansion of U.S. Custody Rules

Origin and Purpose of Custody Rules

The U.S. custody rules are essentially a set of legal provisions aimed at protecting investors’ assets. These rules originated from the Investment Advisers Act of 1940, with the goal of preventing any misconduct by investment advisory firms when managing client assets. According to these rules, if an investment advisory firm has the authority to control or manage client assets, those assets must be held by a qualified custodian, such as a regulated bank or financial institution.

The core idea of the custody rules is simple: investment advisory firms must not mix client assets with their own funds, and they must manage them separately. If there is any change in client assets, the custodian is required to notify the client promptly and provide regular reports on the asset status. These measures are designed to ensure the safety of investors’ funds and prevent any losses due to advisor errors or misconduct.

Expansion to Virtual Assets

With the rise of virtual assets like Bitcoin and Ethereum, the financial markets have undergone significant changes. Due to their decentralized nature, anonymity, and price volatility, virtual assets have introduced new challenges to traditional asset management. Recognizing these changes, the SEC realized the need to expand the scope of custody rule protections to cover these emerging virtual assets.

In recent years, the SEC has made it clear that the custody rules apply not only to traditional financial assets like stocks and bonds but also to virtual assets. This means that if an investment advisory firm manages client cryptocurrencies, these assets must also be held by a qualified custodian. Qualified custodians must not only meet traditional regulatory requirements but also possess the technical capabilities to address risks specific to virtual assets, such as preventing hacking or the loss of cryptocurrencies.

2. Requirements for Qualified Custodian License in the United States

The SEC and other relevant regulatory agencies in the United States have begun to pay attention to and regulate the emerging field of qualified custodians for virtual currency assets. Qualified custodians of digital assets must meet the requirements of traditional custodians while also possessing specialized capabilities to manage and protect these digital assets. The following are some key standards and requirements for qualified custodians related to digital assets:

Types of Qualified Custodians for Digital Assets

1. Banks and Trust Companies:
   • Banks and trust companies regulated by federal or state governments may provide custody services for digital assets. To meet the requirements of a qualified custodian, these institutions must have the technology and infrastructure to protect and manage digital assets.
2. Specialized Digital Asset Custody Companies:
   • Some companies specialize in providing custody services for cryptocurrencies and other digital assets. These companies may be registered at the state or federal level and are subject to strict regulation. For example, companies like Coinbase Custody and BitGo Trust have provided custody services for digital assets and obtained custodian qualifications in specific states or at the federal level.
3. Registered Broker-Dealers:
   • Broker-dealers regulated by FINRA may offer digital asset custody services, but they must ensure that they possess the specialized technical capabilities required to manage digital assets.
4. Other Regulated Financial Institutions:
   • Some regulated financial institutions, such as futures commission merchants or foreign financial institutions, may also be considered qualified custodians if they meet the requirements for digital asset custody.

Key Requirements for Digital Asset Custodians

1. Security Technology Infrastructure:
   • Digital asset custodians must possess advanced cybersecurity technology to prevent hacking and asset loss. This typically includes the use of cold storage, multi-signature technology, and hardware security modules (HSMs).
2. Asset Segregation and Independent Accounts:
   • Digital assets must be stored separately from the custodian’s other assets, and clients’ assets must be held in independent accounts, clearly identified as client assets.
3. Regular Audits and Reporting:
   • Digital asset custodians should undergo regular third-party audits to ensure the security of assets and compliance with custody services. Additionally, they need to provide clients with regular asset status reports.
4. Compliance Capabilities:
   • Digital asset custodians must adhere to the same compliance requirements as traditional asset custodians, including anti-money laundering (AML), know your customer (KYC), and other applicable financial regulations. They must also follow specific compliance frameworks for digital assets, such as the transparency and traceability of blockchain transactions.
5. Insurance and Safeguards:
   • To further protect client assets, digital asset custodians typically purchase insurance to prevent losses due to hacking or operational errors.

Regulation and Certification

• Certification in Specific States: In the United States, some states, such as New York, have enacted the New York State Financial Services Law (NYDFS), which allows eligible companies to provide custody services for crypto assets through the BitLicense. This has been detailed in Aiying’s previous article, “In-Depth Analysis: Two Major Licenses for Web3 Companies Engaging in Virtual Currency Business in New York—BitLicense and Limited Purpose Trust Company License.“
• Federal-Level Regulation: Although federal-level regulation has not yet fully covered all types of digital asset custody services, regulatory agencies like the SEC and CFTC are gradually formulating relevant rules and overseeing the market. This can be referenced in Aiying’s earlier article, “In-Depth Analysis of the Legal Basis and Requirements for Cryptocurrency Payment Licenses in the United States.“

There are currently a total of 12 institutions that have obtained custody licenses:

(Source: New York State Department of Financial Services NYDFS)

3. Policies in other regions

Hong kong

1. Background Introduction

As an international financial center, Hong Kong is gradually strengthening its regulation in the digital asset sector. With the proliferation of cryptocurrencies and blockchain technology, Hong Kong’s regulatory authorities have begun to formulate corresponding regulations to standardize the custody and trading services of crypto assets. The Trust or Company Service Provider (TCSP) license is one of the licenses that digital asset custody service providers must obtain. For more details, refer to the article “Understanding the Latest Application Policies for Virtual Asset Custody Service Providers (TCSP) in Hong Kong in 2024.“

2. Specific Requirements

• TCSP License: In Hong Kong, companies providing crypto asset custody services need to apply for and hold a TCSP license. This license is regulated by the Hong Kong Companies Registry (CR) and aims to ensure that institutions providing trust or company services comply with anti-money laundering (AML) and counter-terrorism financing (CFT) requirements.
• Asset Segregation and Independent Accounts: Custodians holding a TCSP license must ensure that clients’ crypto assets are strictly stored separately from their own assets, typically requiring client assets to be held in independent accounts. This practice helps prevent the custodian’s financial issues from impacting the safety of client assets.
• Security Technology and Compliance Requirements: Companies holding a TCSP license must also have robust cybersecurity measures in place to protect clients’ digital assets. This includes using cold storage, multi-signature technology, and establishing strict compliance procedures to ensure asset security.
• Regular Audits and Reporting: Custody service providers need to conduct regular audits and provide clients with detailed asset status reports to ensure transparency and clients’ right to information.

3. Regulatory Authorities

• Hong Kong Companies Registry (CR): The Companies Registry is responsible for issuing and supervising TCSP licenses, ensuring that companies providing custody services comply with relevant laws and regulations. The CR’s main responsibilities include reviewing applications, conducting onsite inspections, and supervising licensed companies’ compliance with anti-money laundering and anti-terror financing legal requirements.

4. Industry Practices

• In Hong Kong, many fintech companies and traditional financial institutions have obtained TCSP licenses to legally provide crypto asset custody services. For example, companies like OSL, BC Group, and Hashkey have already engaged in compliant custody operations in Hong Kong, providing secure digital asset management services for domestic and international institutional investors.

Singapore

1. Background Introduction

• Singapore attracts numerous digital asset companies with its open financial policies and innovative environment. The Monetary Authority of Singapore (MAS) is a key regulatory body for digital asset custody, having established a series of regulations to ensure that crypto asset custody meets international standards. For further details, refer to the article “Comprehensive Analysis of Singapore’s Payment Services Regulatory Framework and Virtual Asset DPT License Requirements.”

2. Specific Requirements

• Payment Services Act (PSA): In 2020, Singapore implemented the Payment Services Act (PSA), which brings crypto asset services (including custody services) under regulatory oversight. According to the PSA, companies providing crypto asset custody services must obtain the “Digital Payment Token Service” license issued by MAS.
• Custodian Qualifications: In Singapore, custodians must ensure that their technology and operational frameworks meet strict security standards. MAS requires custodians to have sufficient funds, a robust risk management system, and strong cybersecurity measures.
• Compliance and Auditing: Custodians must comply with anti-money laundering (AML) and counter-terrorism financing (CFT) regulations and establish strong customer due diligence (KYC) procedures. They are also required to conduct regular internal and external audits to ensure transparency and compliance in their operations.
• Client Asset Protection: Custodians must store clients’ crypto assets separately from their own and provide independent account management services. This requirement aims to ensure the safety of client assets, protecting them from the custodian’s financial status.

3. Regulatory Authorities

• Monetary Authority of Singapore (MAS): MAS is Singapore’s central bank and primary financial regulatory authority, responsible for overseeing the compliance of crypto asset custody services. MAS has established a clear regulatory framework for crypto asset custody through the implementation of the Payment Services Act.

4. Industry Practices

• The digital asset custody market in Singapore is rapidly evolving, with many internationally renowned digital asset companies establishing custody operations in the region. For instance, Propine became the first digital asset custody company to receive a “Full Custody” license from MAS, marking Singapore’s leading position in this field.

Reference information: https://www.sec.gov/newsroom/press-releases/2024-111

Disclaimer：

1. This article is reproduced from [AiYing Compliance], the copyright belongs to the original author [AiYing Compliance], if you have any objections to the reprint, please contact the Gate Learn team, and the team will handle it as soon as possible according to relevant procedures.

2. Disclaimer: The views and opinions expressed in this article represent only the author’s personal views and do not constitute any investment advice.

3. Other language versions of the article are translated by the Gate Learn team and are not mentioned in Gate.io, the translated article may not be reproduced, distributed or plagiarized.