NYDFS Issues Guidance on Virtual Currency Custody Practices
Citing a substantial increase in recent years in the demand for both virtual currencies and virtual currency custody services, the New York Department of Financial Services (NYDFS) on January 23, 2023 released its Guidance on Custodial Structures for Customer Protection in the Event of Insolvency (Guidance).1 The Guidance emphasizes the importance for virtual currency entities (VCEs) that act as custodians (VCE Custodians) to engage in “sound custody and disclosure practices to better protect customers in the event of an insolvency or similar proceeding.”
Virtual currencies are substantively regulated within the state of New York primarily through the “BitLicense” regulatory framework under 23 NYCRR Part 200, with similar substantive requirements imposed on New York State limited purpose trust companies that engage in virtual currency business activity. NYDFS acts as the prudential regulator of VCEs and, in connection with this role, NYDFS considers customer protection to be of “the utmost importance.” NYDFS notes that its intent in issuing the Guidance is to clarify certain standards and practices that will “help to ensure that VCE Custodians are providing a high level of customer protection with respect to asset custody under the BitLicense and limited purpose trust company frameworks.”
Citing the definition of custody services as including, without limitation, “storing, holding, or maintaining custody or control of virtual currency on behalf of others,”2 the Guidance provides that a VCE Custodian must (i) separately account for and segregate customer virtual currency from corporate assets; (ii) take possession of customer virtual currency only for the limited purpose of carrying out custody and safekeeping services; (iii) request NYDFS’s approval before implementing any sub-custody arrangements; and (iv) provide adequate disclosure to customers.
1. Segregation of and Separate Accounting for Customer Virtual Currency
According to the Guidance, a VCE Custodian is “expected to separately account for and segregate customer virtual currency from the corporate assets of the VCE Custodian and its affiliated entities, both on-chain and on the VCE Custodian’s internal ledger accounts.” Consistent with these expectations, the Guidance identifies two approaches for customer virtual currency maintenance. First, customer virtual currency could be maintained in “separate on-chain wallets and internal ledger accounts for each customer under that customer’s name.” Alternatively, it could be maintained through omnibus on-chain wallets and internal ledger accounts that “contain only virtual currency of customers held under the VCE Custodian’s name as agent or trustee for the benefit of those customers.” The Guidance notes that, in the case of omnibus accounts, the VCE Custodian should “maintain appropriate records and maintain a clear internal audit trail to identify customer virtual currency and account for all customer transactions.”
The Guidance reminds VCE Custodians that they should have appropriate policies and procedures in place and “be prepared to demonstrate reconciliation between the virtual currency entity’s books and records and on-chain activity” upon NYDFS’s request.
2. VCE Custodian’s Limited Interest in and Use of Customer Virtual Currency
The Guidance specifies that a VCE Custodian shall take possession of customer virtual currency “only for the limited purpose of carrying out custody and safekeeping services” and shall not “thereby establish a debtor-creditor relationship with the customer.” The VCE Custodians are expected to “structure their custodial arrangements in a manner that preserves the customer’s equitable and beneficial interest in the customer’s virtual currency.” In addition, “[a] VCE Custodian should treat customer virtual currency in its possession or control as belonging solely to customers and not employ customer virtual currency for the VCE Custodian’s own use.”
3. Sub-Custody Arrangements
With appropriate due diligence, a VCE Custodian may arrange for a sub-custody arrangement with a third party to safekeep customer virtual currency with prior NYDFS approval. In reviewing such request, the NYDFS will consider, at a minimum: “(i) the applicable risk assessment performed by the VCE Custodian; (ii) the proposed service agreement(s) between the parties; and (iii) the VCE Custodian’s updated policies and procedures reflecting the processes and controls to be implemented around the proposed arrangement.”
4. Customer Disclosure
Moreover, A VCE Custodian is expected to “(i) clearly disclose to each customer in writing the general terms and conditions associated with its products, services and activities, and (ii) obtain acknowledgment of receipt of such disclosure prior to entering into an initial transaction with the customer, consistent with this Guidance.” The Guidance notes that the VCE Custodian's customer agreement should also clearly state “the parties’ intentions to enter into a custodial relationship, rather than a debtor-creditor relationship.”
The Guidance signals that NYDFS is focused on ensuring that VCE Custodians are accountable to customers whose virtual currency they hold. VCE Custodians must navigate their custodial duties with the understanding that customers have ultimate control over their virtual currency and should continue to strengthen internal processes to ensure transparency in their custodial duties.
The expectation that VCE Custodians must, at all times, possess the ability to reconcile their records upon request from the NYDFS suggests that the immediate priority of VCE Custodians should be a refinement of their internal accounting and/or storage policies. Specifically, VCE Custodians should ensure that written records are up to date and appropriately maintained.
The NYDFS’s delineation of VCE Custodians’ safekeeping function, which eliminates any control VCE Custodians may exercise over a customer’s virtual currency, further demonstrates the NYDFS’s aim of ensuring that regulated entities are safeguarding the beneficial interests of customers. While the Guidance seems to suggest that sub-custody arrangements are permissible, the need for NYDFS approval when establishing new third-party arrangements places them under heightened scrutiny. This may have a disincentivizing effect on VCE Custodians seeking to outsource their safekeeping responsibilities. If a VCE Custodian would, nonetheless, like to outsource this function, it should exhibit a high level of due diligence when selecting a sub-custodian.
Further, a VCE Custodian should be mindful that customer acknowledgments should be received prior to the initial transaction, and that the custody terms disclosed to the customer do not go beyond the VCE Custodian’s safekeeping role. VCE Custodians should also note the need for material risk disclosures when engaging sub-custodial services.
2) See 23 NYCRR § 200.2(q)(2).