After Coinbase, Investors Look to Secure Custody Solutions to Promote Greater Institutional Adoption of Digital Assets


May 2021

With Coinbase, the largest cryptocurrency exchange in the U.S., surpassing a $100-billion valuation after its public debut on Nasdaq last month, the digital-asset platform’s direct listing is being hailed as a “watershed moment” for the blockchain industry.

No longer viewed as “funny money” by the Street, Bitcoin has propelled Coinbase’s leap into public markets, perpetually rising since its launch 12-years ago and earning its seat at the table with institutional investors. The largest of some 4,000 traded crypto assets, Bitcoin’s market cap hovers around $1 trillion today, or roughly half of the broader $2 trillion cryptoeconomy.

In the last year, Bitcoin has appreciated by over 500 percent. Canadian asset managers like Purpose Investments, Evolve, CI Global Asset Management have established first-mover advantage in the Bitcoin Exchange Traded Fund (ETF) arms race. Both Purpose and Evolve launched their ETFs in February, while CI Global released its own ETF the following month.

American investment firms like Bridgewater Associates, Paul Tudor Jones, Morgan Stanley, and most recently, JPMorgan Chase have also become believers, either recommending Bitcoin to their clients or packaging it into retail fund products offered by their private wealth divisions.

Most notably, Morgan Stanley’s wealth management division announced that it was giving its accredited investor clients access to three funds that enable ownership of Bitcoin this past March, becoming the first big Wall Street firm to incorporate the asset onto its platform.

Last month, JPMorgan, the largest Wall Street bank by assets, followed suit, announcing that it was preparing to offer an actively managed Bitcoin fund to its private wealth clients as well. This is quite an about-face for the firm led by chief executive Jamie Dimon, who in 2017, famously called Bitcoin a “fraud” that is “worse than tulip bulbs.”

Despite current regulatory ambiguity in Canada, the U.S., and globally, think tank World Economic Forum estimates that 10 percent of global GDP will be stored on a blockchain, the distributed ledger operating system that underpins crypto assets, by 2025.

As more firms look to capitalize on the crypto bull market and offer Bitcoin to their wealthy clients, they are beginning to familiarize themselves more with the specific nuances and challenges that digital-asset custody presents.


What is Custody?

Custodians are like vaults, which are entrusted by investors with safeguarding their assets both digitally and physically. To this end, secure custody is the most foundational risk-management and compliance function for banks and investment advisors, as well as the basis for trust between institutions and clients.

Managing client funds necessarily demands that custodians mitigate the risk of fraud and theft, while conducting five primary functions to generate fees from investor assets. Custodial banks earn revenues primarily through the following: Investment services, asset and issuer servicing, treasury services, clearance and collateral management, and asset/wealth management.

When managing traditional asset classes like cash, stocks, and bonds, however, custody has become a rudimentary, commoditized, and low-fee-generating business line. Additionally, legacy custody models have come under greater fee pressure as low-to-zero-fee brokerages like Wealthsimple and Robinhood have become the norm.


A New Kind of Infrastructure

But custodying cryptocurrencies requires an entirely new kind of infrastructure from what banks and investment managers have historically used. The infrastructure of secure crypto-custody entails the skillful implementation of distributed ledger technology (DLT), off-premise cloud-based server architectures, public-private key encryption, and multi-signature authentication schemes.

U.S.-based crypto-custody provider BitGo notes that custodians in their industry are expected to provide the “first line of defense with software, hardware, rigorous security policies and procedures, and physical security measures.”

Key considerations include offline, or ‘cold,’ wallet storage arrangements, access provisioning, and secure data transport layers for emerging regulatory-reporting mandates. Key to cold storage are the following three items: Safeguarding of digital keys in physical, bank-grade vaults, the fractional distribution, or sharding, of keys across multiple vault locations, and the availability of multiple people who are authorized to unlock institutional funds.

Yet another consideration for custody is the emergence of data localization regimes throughout the world. Governments today are increasingly demanding that data be stored within national or jurisdictional borders. That is to say regulators could impose mandatory, onshore cold-storage requirements for crypto-custodians.

How this could impact the traditional offshore-master, onshore-feeder-fund structure of most hedge-fund managers remains to be seen. But in the broader cryptoverse, the other risk considerations indicate that cybersecurity and rigorous blockchain-auditing have become essential to promoting trust with retail and institutional clients. These factors will also eventually be mandatory compliance requirements for all firms selling digital-asset products to clients.

The heightened cyber-complexities and risks associated with digital-asset custody and transaction settlement also indicate that custodians with more reliable solutions will be in a position to charge fees that are much higher than the “couple of basis points” typically assessed by investment managers who deal in traditional equities and fixed income.

The latter is further muddied by the fact that regulatory clarity on digital-asset custody is still lacking in both Canada and the U.S. Irrespective of prevailing regulatory guidance, the consequences for poor custodial governance in crypto are severe.

Highlighting custody risk in crypto-asset management is the notorious demise, or exit scam depending on who you ask, of Canadian crypto-exchange QuadrigaCX. After the alleged 2018 death of exchange founder Gerald Cotten, who cut his teeth in dubious boiler-room precious metals sales, exchange users were left holding the bag for $145 million.

Cotten allegedly died nine days into his honeymoon in India. The exchange founder’s widow filed for creditor protection in Nova Scotia Supreme Court in 2019, claiming that QuadrigaCX was unable to recover customer funds because only Cotten possessed the private keys to access them.

This particular event highlights the risks associated with access-provisioning controls cited above. When it comes to custodying crypto assets, recovering client funds cannot be a function that is singularly designated to one person.

During the virtual Consensus conference last year, organizers polled attendees and found that 60 percent of respondents believed Cotten had faked his death and was still alive. Beyond QuadrigaCX’s custodial governance debacle, the epic theft of some $500 million in Bitcoin from Japanese crypto-exchange Mt. Gox, and which led to its collapse in 2014, remains the most infamous institutional insolvency in crypto history.

Additionally, there were five major crypto-exchange hacks last year, with threat actors pilfering roughly $287 million worth of Bitcoin, Ether, and other digital assets from trading platforms like Altsbit, Cashaa, Eterbase, and Kucoin.


The Race to Hegemony  

While exchange hacks are a declining trend, next-generation custodial controls are becoming even more essential for deeper institutional participation in the crypto industry. This category of service offering is still relatively new, with no single dominant player in the market.

Notable early entrants into in the digital-asset custody space include Coinbase, Fidelity, Anchorage, and Gemini. Some emerging U.S. custodians are BitGo, Paxos, and Casa. In Canada, early entrants include Balance, Knox, and Brane Capital.

Meanwhile, incumbent fiat custodians like State Street, Northern Trust and BNY Mellon have also been exploring ways to offer digital-asset custody to their clients. State Street has been partnering with, providing fund administration services for, or funding crypto ETFs and other market infrastructures since 2019 when it teamed up with Gemini. Last December, in partnership with Standard Chartered, Northern Trust launched Zodia, a cryptocurrency custodian for institutional investors. In February, BNY Mellon announced that it had created a dedicated digital assets unit to “accelerate the development” of their crypto “solutions and capabilities.”

In the U.S., custody is regulated by the Office of the Comptroller of the Currency, which gave federally chartered banks the greenlight to custody digital assets last summer, and the Securities and Exchange Commission. The SEC is currently working on clarifying its guidance for the definition of “Qualified Custodians.” Canada’s crypto oversight is currently less defined than it is in the U.S., but capital markets watchdog, the Canadian Securities Administrator, issued disclosure guidance for crypto investors in March.

Ultimately, cybersecurity and insurance will be key differentiators for the eventual leaders of the crypto-custody market. Given the growing sophistication of crypto-threat actors and the rise of SolarWinds-styled supply-chain attacks, commercial insurance has become a necessary financial backstop to reduce the counterparty risks faced by crypto-investors and depositors.

BitGo recommends that custodians and exchanges explore multiple policies that offer coverage for cyber-risk, commercial crime, high-value portable assets, errors and omissions, directors and officers, and co-insurance. BitGo currently offers up to a $100 million insurance policy via Lloyds of London, but the $200-million limit offered by American exchange Gemini is currently the highest the world.

Beyond cryptography, cold storage, and insurance, broader cyber-risk management trends involving the migration to off-premise and diversified cloud environments will be critical. With calls for enhanced crypto anti-money-laundering (AML) regulations in the U.S., secure purpose-built private data warehouses to facilitate emerging regulatory-reporting mandates will also be vital.

But in the era of cyber supply-chain attacks and emerging quantum hacks that can crack encryption, custodial solutions that practice rigorous ledger auditing and penetration testing, eschew the online storage of private keys, and view asset management as an evolving cyber-threat model above all else, will win market share.

As the crypto asset class continues to grow and progress towards institutional adoption, digital asset custody will be a crucial piece of the value-chain and an area we will continue to monitor closely.

By Hasan Basrai and the Information Venture Partners Team