In the depth of a crypto winter, the New York State Department of Financial Services (DFS) issued guidance (the Guidance) on custodial standards for those with a BitLicense or that are registered as New York state limited purpose trust companies that engage in virtual currency (VC) business activity (VC Trust Companies and, together with BitLicensees, VC Custodians). In addition to providing customer segregation and compliance standards, DFS also announced in the Guidance its position that a VC Custodian that enters into a sub-custody arrangement must obtain prior DFS approval before the arrangement’s implementation.
DFS Expectations for VC Custodians
The Guidance, issued on January 23, 2022, establishes customer protection and disclosure standards for compliance with VC custody requirements. DFS notes that “customer funds” include gas fees or other transaction costs that a VC Custodian funds on behalf of its customers, meaning that VC Custodians need to apply the Guidance more broadly than they may otherwise do currently. VC custody services include storing, holding, or maintaining custody or control of VC on behalf of others.
1. Segregation of and Separate Accounting for Customer Virtual Currency
DFS expects VC Custodians to separately account for and segregate customer VC from the custodian’s and its affiliates’ corporate assets, including both on-chain and on the custodian’s internal ledger accounts. Specifically, DFS expects that a VC Custodian will:
- not comingle customer VC with its own or other non-customer VC;
- maintain customer VC in separate on-chain wallets and internal ledger accounts for each customer under that customer’s name, or an omnibus on-chain wallet and internal ledger account that contains only VC of customers held under the custodian’s name as agent or trustee for the benefit of those customers;
- with respect to omnibus accounts, maintain appropriate records and a clear internal audit trail to identify customer VC and account for all customer transactions;
- disclose how it segregates and accounts for customer VC;
- establish and maintain policies and procedures to evidence that it has these safeguards in place; and
- be prepared, “at all times,” to demonstrate the reconciliation between the custodian’s books and records and on-chain activity upon DFS request (which may be made as part of ongoing monitoring, routine onsite examination, ad hoc visitation, or otherwise).
2. Custody Does Not Establish a Debtor-Creditor Relationship
VC Custodians should hold customer VC in a way that preserves a customer’s equitable and beneficial interest in the customer’s VC. Thus, custody services should not establish a debtor-creditor relationship with a customer. VC Custodians should treat customer VC that they hold as belonging solely to customers and should not use customer VC to secure or guarantee an obligation of, or extend credit to, the custodian or any other person. DFS also expects that VC Custodians will act upon customer instructions.
3. A Sub-Custody Arrangement Is a Material Change to Business That Requires DFS Approval
To the extent that a VC Custodian arranges for customer VC to be held through a sub-custody arrangement, the custodian must obtain DFS approval before implementing any such arrangement. This is because DFS views sub-custody arrangements to be a material change to a firm’s business that triggers DFS approval requirements.
To request approval, a VC Custodian should provide DFS for its review:
- the applicable risk assessment that the custodian performed on the third party;
- the proposed service agreement(s) between the parties; and
- the custodian’s updated policies and procedures reflecting the processes and controls to be implemented around the proposed arrangement.
DFS does not state whether VC Custodians that entered into sub-custody arrangements without obtaining DFS approval should retroactively seek approval. It is unclear what the repercussions are for VC Custodians that have not obtained approval for sub-custody arrangements.
Disclosure Requirements
Customer disclosure is part of any effective customer protection regime. VC Custodians should provide customers with disclosures about their services and products and obtain customer acknowledgment of receipt of the disclosure before entering into any transaction with the customer. The VC Custodian’s agreement with its customers should be unambiguous that the arrangement is custodian and is not a debtor-creditor relationship.
In addition, VC Custodians should disclose:
- how they segregate and account for customer VC;
- the property interest the customer retains in custodied assets;
- how they may use custodied VC while it is in their possession;
- applicable limitations on the use of custodied VC by the VC Custodian; and
- to the extent that a VC Custodian makes use of a third-party, sub-custody arrangement, the terms of that arrangement and the material risks.
Disclosures should be included in customer agreements. DFS expects VC Custodians to make the standard disclosures and customer agreement readily accessible to customers on their websites.
What's Next?
VC Custodians should make sure that they comply with the Guidance and update their policies and procedures accordingly. DFS notes that it has authority to order the discontinuance of unsafe and unsound practices to protect the public interest and maintain public confidence. VC Custodians are on notice that their custody practices should comply with the standards sets forth in the Guidance or be subject to such an order to discontinue a practice that DFS finds unsafe and unsound. Finally, with the collapse of various VC exchanges, we expect a continued focus on custody practices and customer protection is expected, not only at the state level but ultimately at the federal level.