Crypto custody in the time of MiCA

This article was written in partnership with Zodia Custody.

The EU’s Markets in Crypto-assets Regulation (MiCA) officially came into force on 29 June 2023 and will begin to apply for issuers of stablecoins in June 2024 and for other crypto-asset service providers (CASPs) by the end of 2024.

This new regime brings several services within the scope of regulation, including the provision of custody of crypto-assets. This is defined in MiCA as the safekeeping of crypto-assets on behalf of clients or, more specifically, the means of access to such crypto-assets.

TradFi custody vs. crypto custody

Crypto-asset custodians, in the same manner as traditional financial (TradFi) custodians, are responsible for the safekeeping of assets, but the two differ in some important ways.

Unlike traditional financial assets, crypto-assets have no centralised entity acting as a clearing house. Additionally, safekeeping is provided for the private keys which control an individual or institution’s access to its crypto-assets. These private keys can be stored through either ‘hot’ or ‘cold’ wallets. Hot wallets are an online means of storage, and cold wallets have no direct access to the internet and are usually stored on physical devices like hard drives or, in certain cases, simply written down or printed on paper. Typically, cold wallets allow for a higher level of control given their offline nature but tend to be slower when it comes to usability and processing speeds. They do not serve institutional requirements, especially with regard to auditing.

It is critical for an institution with crypto-assets in the custody of a service provider to be able to prove ownership or control over their private keys. This will usually take the form of a trust arrangement or a certificate of beneficial interest in the private keys to the crypto-asset.

As it stands, the regulatory landscape is also different for traditional custody and crypto-asset custody. In a number of jurisdictions, technical advancements have superseded legal principles where regulatory frameworks for crypto are not yet in place. This has allowed crypto custodians fewer regulatory burdens and more legal freedoms than custodians in traditional finance.

Non-custodial wallets vs. exchange wallets

There are also different types of crypto-asset custody. Self-custody, also referred to as non-custodial wallets, allows individuals to store and manage private keys without the help of a third party. Non-custodial wallets range from physical devices to paper documents or mobile apps. This type of custody puts users in charge of their own security and access arrangements.

Alternatively, exchanges may custody their users’ private keys directly on an exchange platform. While this allows for direct accessibility, individuals rely on the exchange platform to ensure the protection of their crypto-assets. There are security risks to consider in addition to counterparty risk and potential conflicts of interest associated with offering both custody and trading services to clients.

Some specialist third-party solutions, which could be software (tech) providers or custodians, minimise these risks by using hot or cold wallets that offer 24-hour availability. These providers can offer greater IT security measures, are auditable and remove any central points of compromise that can be prevalent in exchange wallets or self-custody.

MiCA vs. the rest of the world

In the absence of dedicated regimes, the provision of custody of crypto-assets for most of the EU is currently brought under the scope of each Member State’s AML regime (under 5AMLD), which does not comprehensively address prevalent risks associated with crypto-asset custody. Until now, crypto custodians have only been able to operate in the EU jurisdictions in which they have obtained a regulatory licence or registration.

The MiCA regulations will harmonise the EU’s regulatory stance on crypto-asset custodians and introduce a passporting regime for service providers to access the entire EU market. By providing a clear and detailed regulatory regime, MiCA sets up the EU as a favourable destination for businesses looking to offer or engage in crypto-asset custody.

Other jurisdictions have also brought crypto-asset custody services within the scope of their regulatory regimes. For example, Hong Kong has set out prescriptive guidelines covering the custody of crypto-assets while the Virtual Assets Regulatory Authority (VARA) in Dubai has included a dedicated rulebook for custody in their comprehensive crypto regulatory framework. In the midst of this first-mover arbitrage, other jurisdictions, such as the UK and Singapore, are closely following these developments and harnessing industry insights to create their own practical frameworks.

Custody under MiCA

Custody requirements set out in MiCA can be divided into two parts. The first involves the procedures that an issuer of stablecoins must take in relation to the custody of their reserve assets, which may include both crypto-assets and financial instruments such as securities. MiCA requires that the custodian of these reserves must be a legal person different from the issuer and that this should be undertaken by either a CASP, a credit institution under the EU’s Capital Requirements Directives, or an investment firm under MiFID II.

The second part details the controls that must be in place when CASPs provide custody of crypto-assets on behalf of clients. CASPs must ensure that crypto-assets are not used for their own account and are always held unencumbered. A client agreement must also be in place that includes a custody policy, a description of the security systems in place, and the fees charged. CASPs providing custody must also maintain a register of positions opened in the name of each client and provide clients with a statement of their position for each crypto-asset recorded in their name at least every three months.

Choosing a custodian

Clearly, selecting the right custodian is an important decision for any crypto-asset business. When looking for the right provider, companies should consider the following:

The custody arrangements in place i.e., the percentage of assets that are kept in either hot, cold, or warm wallets (a hybrid used to store only a portion of the client assets for accessibility purposes). Companies may require flexibility in this regard and a tailored solution allowing access for regular transactions or operational purposes may be more desirable than a fully offline or set percentage arrangement.

Legal treatment over private keys. Companies should seek assurances in relation to ownership and operational control of the private keys they are handing over to the custodian.

Security and access to assets. Companies should understand the process for depositing, withdrawing, and transferring their assets as well as the custodian’s security practices, infrastructure, and track record in protecting client assets from unauthorised access.

Governance, risk & compliance approach. Companies should seek clarity on the custodian’s internal processes, including how they conduct internal audits if they provide regular reports on the status of the assets held under custody. There should also be sufficient disaster recovery and contingency plans to ensure business continuity in the face of unexpected events.

End-to-end service offering. Companies should assess whether the custodian is able to meet all of their needs. Responsive and reliable client support and ancillary services such as staking, reporting and analytics may also be key considerations.

Regulatory authorisation and reputation. Companies should check if the custodian is regulated by reputable regulatory authorities that have the capacity to supervise and that they can demonstrate a track record of responsibility in handling client assets.

Conclusion

MiCA brings within scope the requirement to be authorised if providing custody and administration of crypto-assets on behalf of clients. In certain instances, it is clear that there is a requirement to outsource custodial activities to a separate legal entity. If, for example, you are an issuer of stablecoins, your reserve assets, whether they are made up of crypto-assets or traditional assets, need to be held in custody by a CASP, an authorised credit institution or an investment firm.

MiCA allows for exchange platforms or other crypto-asset businesses to provide their own custodial services directly to clients. Alternatively, using trusted providers specialising in crypto-asset custody services can bring a host of benefits including security assurances and fully segregated wallets whilst also solving some of the typical usability issues usually associated with cold wallets by offering 24-hour real-time access and availability.

‍

^{About XReg Consulting}

^{XReg Consulting is a public policy and regulatory affairs consultancy specialising in crypto. We help governments formulate sound policy, regulators supervise effectively, public authorities build capacity, and virtual asset businesses thrive and follow the rules. Our team of former regulators and policy advisors is located throughout Europe, the Caribbean and South America. For more information, follow us on LinkedIn.}

^{About Zodia Custody}

^{Zodia Custody is the leading institution-first digital asset custodian by Standard Chartered, in association with Northern Trust and SBI Holdings. It enables institutional investors around the globe to realise the full potential of the digital asset future – simply, safely, and without compromise. Through the combination of leading technology, custody, governance and compliance, Zodia Custody satisfies the complex needs of institutional investors.}

^{The company implements the requirements of AMLD5 and applies the same standards as Standard Chartered relating to AML, FCC, and KYC. It also implements the requirements of the FATF Travel Rule. Zodia Custody Limited is registered in the UK with the FCA as a crypto asset business under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017. Zodia Custody (Ireland) Limited is registered with the Central Bank of Ireland as a VASP under Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended). Zodia Custody (Ireland) Limited was established in Ireland in August 2021. Zodia Custody Limited is registered with the CSSF in Luxembourg as a Virtual Asset Service Provider in accordance with article 7-1 (2) of the law dated 12 November 2004 on the fight against money laundering and terrorist financing, as amended.}