United States: Broker-Dealers Beware: SEC Division Of Trading And Markets And FINRA Office Of General Counsel Highlight Obstacles To Broker-Dealer Custody Of Digital Assets

On July 8, 2019, the Division of Trading and Markets (SEC DTM) of the U.S. Securities and Exchange Commission (SEC) and the Office of General Counsel (FINRA OGC) of the Financial Industry Regulatory Authority, Inc. (FINRA) issued a "Joint Statement on Broker-Dealer Custody of Digital Asset Securities" (the Joint Statement).  

While the Joint Statement states that SEC DTM and FINRA OGC (and the respective staffs of SEC DTM and FINRA) "are aware of, and encourage and support, efforts to address" issues arising from application of certain existing SEC and FINRA rules¹ to broker-dealer custody of "digital assets,"² it emphasizes that:

• in general, "the application of the federal securities laws, FINRA rules, and other bodies of laws to digital assets, digital asset securities, and related innovative technologies raise novel and complex regulatory and compliance questions and challenges;" and
• in particular, "established laws and practices regarding the loss or theft of a security...may not be available or effective in the case of certain digital assets."

While it does not expressly say so, the Joint Statement appears to take the position that, at least at present, the regulatory and compliance issues, questions, and challenges associated with broker-dealer custody of digital asset securities have not been addressed to the satisfaction of SEC DTM and FINRA OGC and, consequently, broker-dealers will not be allowed to take custody of digital assets unless and until they are.³

The Issues

The Joint Statement, drawing upon "key principles" to which the staffs of SEC DTM and FINRA have historically adhered in their approach to broker-dealer regulation and investor protection, highlights three basic issues that arise under existing SEC and FINRA rules when broker-dealers seek to have custody of digital asset securities. The Joint Statement also addresses scenarios in which broker-dealers participate in activities related to digital asset securities but do not have custody of those securities in connection with such activities.  

1. The Customer Protection Rule

Background

The Joint Statement explains that the Customer Protection Rule has three key goals:

• to safeguard customer securities and funds;
• to prevent investor loss or harm in the event of a broker-dealer's failure; and
• to enhance the SEC's ability to monitor and prevent unsound business practices.

To accomplish these goals, the Customer Protection Rule requires a broker-dealer not only to implement appropriate safeguards for customer assets, but to keep those assets separate from the broker-dealer's own assets so as to increase the likelihood that customer assets will be returned to customers, and not be subject to the claims of the broker-dealer's creditors in the event of the broker-dealer's failure. If the broker-dealer fails, customer securities and cash should be readily available to be returned to customers. If the broker-dealer were to be liquidated under the Securities Investor Protection Act of 1970 (SIPA), the SIPA trustee would be expected to step into the shoes of the broker-dealer and be able to transfer, sell, or otherwise dispose of assets in accordance with SIPA. 

According to the Joint Statement, among the "core protections" provided by the Customer Rule is the requirement that a broker-dealer must physically hold customers' fully paid and excess margin securities or maintain them free of lien at a good "control location,⁴ generally, a third-party custodian (e.g., the Depository Trust Company or a clearing bank) or, in the case of uncertificated securities (e.g., shares of mutual funds), the issuer or the issuer's transfer agent.⁵ The important factor is that there be a third party that controls the transfer of the securities. Under the "traditional securities infrastructure (including, for example, related laws of property and security)," there are also processes to reverse or cancel mistaken or unauthorized transactions.

Concerns Raised by Digital Asset Securities Under the Customer Protection Rule

The Joint Statement cites the following concerns arising from the "many significant differences in the mechanics and risks associated with custodying traditional securities and digital asset securities," any or all of which "could cause securities customers to suffer losses, with corresponding liabilities for the broker-dealer, imperiling the firm, its customers, and other creditors." Because of these risks, a broker-dealer that has custody of digital asset securities is obligated to carefully consider how it can be in a position to demonstrate that it holds possession or control of such securities in a manner that complies with the Customer Protection Rule.

• The manner in which digital asset securities are issued, held, and transferred may create greater risk that a broker-dealer maintaining custody of them could be victimized by fraud or theft; and, in the event of such fraud or theft, the broker or dealer may have no meaningful way to identify and seek recovery from the fraudster or thief.
• A broker-dealer could lose a "private key" necessary to transfer a client's digital asset securities (in which case the securities themselves are effectively lost and cannot be recovered, unless and until such key is found).
• A broker-dealer could accidentally transfer a client's digital asset securities to an unknown or unintended address, without meaningful recourse to correct the error. Similarly, a person associated with the broker-dealer could engage in an unauthorized transfer of a client's digital asset securities, and the broker-dealer would not have the ability to reverse the unauthorized transaction. 
• If a broker-dealer (or its third-party custodian) holds the private key, the fact that it does so may not be sufficient evidence by itself that the broker-dealer has exclusive control of the related digital asset security, because the broker-dealer may not be able to demonstrate that no other party has a copy of the private key.

2. Books and Records and Financial Reporting Rules

Background

The Record-Keeping Rule, the Record Retention Rule, and the Financial Reporting Rule require a broker-dealer to (among other things):

• make and keep current ledgers reflecting all assets and liabilities, as well as a securities record reflecting each security carried by the broker-dealer for its customers and all differences determined by the count of customer securities in the broker-dealer's possession or control compared to the result of the count with the broker-dealer's existing books and records; and
• routinely prepare financial statements, including various supporting schedules particular to broker-dealers, such as Computation of Net Capital under the Net Capital Rule and Information Relating to the Possession or Control Requirements under the Customer Protection Rule.

These requirements are designed to ensure that a broker-dealer makes and maintains certain business records to assist it in accounting for its activities. These rules also assist the SEC and FINRA in examining for compliance with the federal securities laws and are therefore are an integral part of the financial responsibility program for broker-dealers.

Concerns Raised by Digital Asset Securities Assets Under the Record-Keeping, Record Retention, and Financial Reporting Rules

The Joint Statement believes that "the nature of distributed ledger technology, as well as the characteristics associated with digital asset securities, may make it difficult for a broker-dealer to evidence the existence of digital asset securities for the purposes of the broker-dealer's regulatory books, records, and financial statements, including supporting schedules." This difficulty, in turn, creates challenges for the broker-dealer's independent auditor when it seeks to obtain sufficient appropriate audit evidence in connection with testing management's assertions in the financial statements during the annual broker-dealer audit.⁶

The Joint Statement discusses its understanding that some broker-dealers are considering the use of distributed ledger technology with features designed to enable them to meet recordkeeping obligations and facilitate prompt verification of digital asset security positions (for example, in the form of "regulatory nodes" or "permissioned" distributed ledger technologies). The Joint Statement cautions broker-dealers that they should consider how the nature of the technology may affect their ability to comply with the Record-Keeping and Financial Reporting Rules.

3. Concerns Under SIPA

The Joint Statement expresses concern that if a particular digital asset held in custody by a broker-dealer does not meet the definition of "security" under SIPA,⁷ the investor protections afforded under that Act would not apply to such asset, with the result that the investor would (with respect to that asset) become a general creditor of the broker-dealer in the event of the broker-dealer's insolvency.⁸  Further, uncertainty regarding when and whether a broker-dealer holds a digital asset security in its possession or control "creates greater risk for customers that their securities will not be able to be returned in the event of a broker-dealer failure."

The Joint Statement believes that "such potential outcomes are likely to be inconsistent with the expectations of persons who would use a broker-dealer to custody their digital asset securities." The Joint Statement, however, does not go on to discuss (or even suggest) whether, through appropriate disclosure to customers, a broker-dealer could appropriately inform customers that, to the extent digital assets held in custody by the broker-dealer are not "securities" (as defined in SIPA), customers should not expect to be afforded SIPA protection. Further, the SIPA concerns articulated by the Joint Statement are simply inapplicable to the many digital asset securities that are offered, sold, and issued as "investment contracts" in transactions that are not registered under the Securities Act, because these securities are not entitled to SIPA protection in the first place.

4. Situations Where Broker-Dealers Do Not Have Custody of Digital Asset Securities   

The Joint Statement notes that certain broker-dealers engage in activities with respect to digital asset securities that do not involve the broker-dealers taking custody of those securities. The Joint Statement concludes that "generally speaking" these non-custodial activities "do not raise the same level of concern" as activities that involve the broker-dealers taking custody (as long, of course, as relevant securities laws, self-regulatory organization rules, and other legal and regulatory requirements are followed). The Joint Statement provides the following examples of non-custodial activities that "do not raise the same level of concern:" 

• A broker-dealer sends trade-matching details (e.g., identity of the parties, price, and quantity) to the buyer and issuer of a digital asset security—similar to a traditional private placement—and the issuer settles the transaction bilaterally between the buyer and issuer, away from the broker-dealer. In this case, the broker-dealer instructs the customer to pay the issuer directly and instructs the issuer to issue the digital asset security to the customer directly (e.g., the customer's "digital wallet"). 
• A broker-dealer facilitates "over-the-counter" secondary market transactions in digital asset securities without taking custody of or exercising control over the digital asset securities. In this case, the buyer and seller complete the transaction directly and, therefore, the securities do not pass through the broker-dealer facilitating the transaction.
• A broker-dealer facilitates secondary market trading in a digital asset security by introducing a buyer to a seller of digital asset securities through a trading platform where the trade is settled directly between the buyer and seller. For example, a broker-dealer might operate an alternative trading system (ATS) that matches buyers and sellers of digital asset securities and the resulting trades either would be settled directly between the buyer and seller, or the buyer and seller would give instructions to their respective custodians to settle the transactions.⁹ In either case, the ATS would not guarantee or otherwise have responsibility for settling the trades and would not at any time exercise any level of control over the digital asset securities being sold or the cash being used to make the purchase (g., the ATS would not place a temporary hold on the seller's wallet or on the buyer's cash to ensure the transaction is completed).¹⁰

By stating that non-custodial activities of the type described above "do not raise the same level of concern" as custodial activities, the Joint Statement implies that SEC DTM and FINRA OGC have at least some level of concern regarding those non-custodial activities. Unfortunately, the Joint Statement does not specify what that level of concern is, nor does it specify any of the factors that contribute to that level of concern, leaving it to market participants to guess what those factors might be.

Conclusion

The Joint Statement, like many (if not all) prior SEC and FINRA statements regarding digital assets, contains the obligatory declaration that the agencies "encourage" and "support" innovation in the securities markets. At the same time, the Joint Statement, like those prior statements, offers little in the way of concrete guidance as to how market participants may comply with existing rules when conducting activities involving digital assets.¹¹ Notably, despite its expression of support for innovation, there is nowhere to be found in the Joint Statement even a suggestion that it may be appropriate for the SEC and FINRA to reconsider and perhaps revamp their rules to enable the innovation they claim to support.¹²  Instead, we are left with a veiled warning that, at present, broker-dealers that have custody of digital asset securities are likely to be found in violation of SEC and FINRA rules:

"In recent months, the Staffs have been engaged with industry participants regarding how industry participants believe a particular custody solution for digital asset securities would meet the possession or control standards prescribed in the SEC's Customer Protection Rule. The Staffs have found these discussions to be very informative and appreciate market participants' ongoing engagement on these issues. The Staffs...look forward to continuing our dialogue as market participants work toward developing methodologies for establishing possession or control over customers' digital asset securities... 

"Various unregistered entities that intend to engage in broker-dealer activities involving digital asset securities are seeking to register with the [SEC] and have submitted New Membership Applications (NMAs) to FINRA. Additionally, various entities that are already registered broker-dealers and FINRA members are seeking to expand their businesses to include digital asset securities services and activities. Under FINRA rules, a firm is prohibited from materially changing its business operations (e.g., engaging in material digital asset securities activities for the first time) without FINRA's prior approval of a Continuing Membership Application (CMA)...

"The NMAs and CMAs currently before FINRA are diverse: Some of the NMAs and CMAs cover proposed business models that would not involve the broker-dealer engaging in custody of digital asset securities. On the other hand, some NMAs and CMAs include the custodying of digital asset securities, and therefore implicate the Customer Protection Rule, among other requirements. 

"Some of these entities have met with the Staffs to discuss how they propose to custody digital asset securities in order to comply with the broker-dealer financial responsibility rules. These discussions have been informative. The specific circumstances where a broker-dealer could custody digital asset securities in a manner that the Staffs believe would comply with the Customer Protection Rule remain under discussion, and the Staffs stand ready to continue to engage with entities pursuing this line of business."  [emphasis added]

Footnotes

1 The Joint Statement specifically references the "Financial Responsibility Rules" relating to broker-dealers under the Securities Exchange Act of 1934 (Exchange Act), including Rule 15c3-1 (Net Capital Rule), Rule 15c3-3 (Customer Protection Rule), Rule 17a-3 (Record-Keeping Rule), Rule 17a-4 (Record Retention Rule), Rule 17a-5 (Financial Reporting Rule) and Rule 17a-13 (Quarterly Securities Count Rule). The Joint Statement does not reference any particular FINRA rule. The Joint Statement cautions that it does not address all federal securities laws that may be implicated by a broker-dealer seeking to maintain custody of "digital asset securities" (see note 2) or other securities laws or rules that may apply to "digital asset securities." 

2 The Joint Statement refers to a "digital asset" as an asset that is issued and transferred using distributed ledger or blockchain technology, including, but not limited to, so-called "virtual currencies," "coins," and "tokens," noting that "a digital asset may or may not meet the definition of a 'security' under the federal securities laws." The Joint Statement refers to a "digital asset" that is a security as a "digital asset security."    

3 The Joint Statement reminds market participants that, under FINRA rules, an entity that intends to engage in broker-dealer activities (including activities that involve digital asset securities) must register with the SEC and submit a New Membership Application (NMA) to FINRA. Similarly, a firm that is currently a member of FINRA is prohibited from materially changing its business operations (e.g., engaging in material digital asset securities activities for the first time) without FINRA's prior approval of a Continuing Membership Application (CMA). The Joint Statement invites firms to discuss with FINRA whether a contemplated change in business operations such as engaging in digital asset securities activities may require the filing of a CMA through FINRA's materiality consultation process. However, even if a firm concludes that it is not required to file a CMA with respect to its digital asset securities activities, this does not relieve it of the responsibility to comply with the Financial Responsibility Rules and other applicable laws, rules, and regulations. As discussed in this article, it appears that, at present, FINRA believes that member firms are not in a position to demonstrate compliance with certain Financial Responsibility Rules in connection with custodying digital assets.

4 The Joint Statement explains that an entity's designation as a good "control location" is based, in part, on its ability to maintain exclusive control over customer securities. For example, under paragraph (c)(5) of the Customer Protection Rule, a "bank" as defined in Section 3(a)(6) of the Exchange Act is deemed to be a good "control location" so long as, among other things, the bank has acknowledged that customer securities "are not subject to any right, charge, security interest, lien, or claim of any kind in favor of a bank or any person claiming through the bank" and the securities are in the custody or control of the bank.

5 The Joint Statement explains that the SEC often receives applications under paragraph (c)(7) of the Custody Protection Rule to designate an issuer or the transfer agent of various types of uncertificated securities as a control location. The SEC DTM has delegated authority to "find and designate as control locations for purposes of Rule 15c3-3(c)(7) [under the Exchange Act] certain broker-dealer accounts which are adequate for the protection of customer securities." See 17 CFR 200.30-3(a)(10)(i). The SEC has stated that shares of mutual funds, in particular, may be held at the issuer or the issuer's transfer agent. SEC DMT has also previously issued no-action letters regarding the maintenance of certain other uncertificated securities at the transfer agent. According to the Joint Statement, these prior no-action letters do not address whether blockchain or distributed ledger technology, in connection with the maintenance of the single master security holder list, establishes control of uncertificated securities by the issuer (or transfer agent). 

6 PCAOB Auditing Standard 1105, Audit Evidence describes sufficient appropriate audit evidence and states that audit evidence consists of information that supports and corroborates management's assertions regarding the financial statements and information that contradicts such assertions.  

7 The Joint Statement points out that the SIPA definition of "security" is different than the federal securities laws definition, because it excludes, among other things, an "investment contract" that is not the subject of a registration statement filed with the SEC pursuant to the provisions of the Securities Act of 1933 (Securities Act). Thus, according to the Joint Statement, there may be digital assets that are: (1) securities under the federal securities laws and SIPA, and thus are protected by SIPA; (2) securities under the federal securities laws, but not under SIPA, and thus not protected by SIPA; or (3) not securities under the federal securities laws and therefore not protected by SIPA. 

8 The Joint Statement explains that, generally, a broker-dealer that fails and is unable to return the customer property that it holds would be liquidated in accordance with SIPA. Under SIPA, securities customers have a first priority claim to cash and securities held by the firm for securities customers. Customers also are eligible for up to $500,000 in protection (of which up to $250,000 can be used for cash claims) if the broker-dealer is missing customer assets. These SIPA protections apply to a "security" as defined in SIPA, as well as cash deposited with the broker-dealer for the purpose of purchasing securities. They do not apply to other types of assets, including, importantly, assets that are securities under the federal securities laws but are excluded from the definition of "security" under SIPA.

9 The Joint statement notes that an entity that performs functions to facilitate the clearance and settlement of transactions in digital asset securities may be required to register as a clearing agency under Section 17A of the Exchange Act. 

10 The Joint Statement cautions that SEC DTM and FINRA OGC offer no views about whether the activities set forth in the examples comply with securities laws or regulations.

11 In addition, the Joint Statement only "...represents staff views of the Division of Trading and Markets and FINRA. This statement is not a rule, regulation, guidance, or statement of the [SEC] or FINRA, and the [SEC] and FINRA's Board have neither approved nor disapproved its content. This statement does not alter or amend applicable law and has no legal force or effect."

12 Quite the contrary. The Joint Statement extols the effectiveness of existing rules, claiming that the Customer Protection Rule, adopted in 1972, has "produced a nearly fifty-year track record of recovery for investors when their broker-dealers have failed. This record of protecting customer assets held in custody by broker-dealers stands in contrast to recent reports of cybertheft...and underscores the need to ensure broker-dealers' robust protection of customer assets, including digital asset securities."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.