Security Tokens & Custody Rules:
On July 8, 2019, the Securities & Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) put out a joint statement discussing broker-dealer custody of digital asset securities.
These organizations aspire to address compliance issues faced by companies wishing to transact in “digital asset securities” (any kind of asset that is issued and transferred on a distributed ledger or blockchain and meets the definition of a security under federal security laws — also known as “Security Tokens”). One SEC law in particular, the Consumer Protection Rule, poses a unique challenge for Broker Dealers (BDs) trying to interact with security tokens because it requires strict standards for the custody of the customer’s assets.
The Customer Protection Rule:
This rule was adopted in 1972 for the purpose of safeguarding securities held by a BD, to prevent investor loss in the event of the BD’s failure, and to enhance the ability for the SEC to monitor against unsound business practices. To comply, the BD must keep the customer’s assets separate from the firm’s assets, so it’s easy to return them in the event of a problem with the BD. According to CipherTrace, approximately $1.7 billion worth of bitcoin and other digital assets was stolen in 2018, approximately $950 million of this was from hacks of bitcoin trading platforms. According to the SEC, the Customer Protection Rule has been a large factor in the much stronger 50-year track record for customer’s getting their assets back when a BD fails.
The SEC and FINRA have received several New Membership Applications, or applications from existing BD’s looking to expand into the security token space with a business model that involves holding custody over customer’s assets. At this time, the SEC and FINRA are still engaging in discussions with crypto-industry professionals flushing out how to handle the custody of security tokens in a fashion that complies with the Consumer Protection Rule. Notably, if the business is attempting to engage in BD activity without taking custody of their customer’s security tokens, so long as they comply with the other SEC regulations, the regulators are not as concerned. Non-custodial activity was described in general as when customer’s buy the securities directly from the issuer like a private placement, and when a BD facilitates a peer-to-peer transaction without ever taking custody or placing any holds on the security tokens.
STO Custody Considerations:
When custody of the security token is involved, the SEC and FINRA are currently unwilling to change the rules to accommodate for digital securities, meaning that firm’s wanting to enter this arena may need to enhance their technology in order to comply with the financial responsibility rules. The regulators are continuing to gather information from market participants to figure out how best to advance their missions of protecting investors, maintaining fair, orderly, and efficient markets, facilitating capital formation, and promoting market integrity.
To comply with the Customer Protection Rule, the BD must safeguard their customer’s securities and cash by keeping them in a separate account so it could be returned to customers easily should the BD fail. The BD must physically hold the customer’s securities or maintain them free of lien at a good control location — typically the Depository Trust Company or a clearing bank — and uncertificated securities, such as mutual funds, may be held at the issuer or at the issuer’s transfer agent. This adds a layer of protection where a third party controls the transfer of the securities and can recall them from the BD if there is ever a mistake.
Custody Concerns for Security Tokens:
When applying this method to security tokens, the concern is that the BD or third party controlling the tokens could be hacked, lose a private key, or accidentally send them to the wrong address and not be able to recall the trade. There are also concerns that there is no way for the SEC to verify the security tokens are actually being held in a separate account for each customer, or that the BD truly has exclusive control over the assets, as multiple parties could have access to the private keys and could potentially make a transfer without the BD’s consent.
The Books and Records and Financial Reporting Rules
BD’s are required to create several varieties of financial statements and keep detailed ledgers reflecting all assets, liabilities, and a list of each security they carry for each customer. The rules surrounding these obligations allow the SEC and FINRA to spot-check the BD for compliance. When dealing with security tokens, the SEC & FINRA are concerned that it would be very difficult to accurately maintain these types of records.
Insurance
If a BD fails, it is liquidated through the Securities Investor Protection Act of 1970 (SIPA), and the customer has first priority to its own cash and securities. Customers are eligible for up to $500,000 in protection, but the current SIPA security definition does not encompass security tokens, therefore there is no protection available for security token customers.
Control Location Applications:
When crypto companies, including ATSs, have tried to use a transfer agent as a control location in order to comply with the Consumer Protection Rule, it has created confusion on how to deal with “uncertificated securities.” Traditionally, the issuer or transfer agent keeps a master list of security holders. There has been exploration around the idea of using distributed ledger technology to maintain this list for security tokens, but the BD’s have asserted that the distributed ledger is not an authoritative record of share ownership. This has not been ruled out entirely, however, it will be contemplated on a case by case basis.
Conclusion:
The SEC encourages industry participants to engage with them on the SEC’s FinHub webpage, or by contacting Thomas K. McGowan, Associate Director, at (202) 551–5521, Raymond Lombardo, Assistant Director, at (202) 551–5755, or FINRA staff using FINRA’s FinTech webpage or contacting Kosha Dalal, Associate General Counsel, at (202) 728–6903.
