Bates Research | 02-02-23
NYDFS Guidance on Digital Asset Custody – What It Is and How to Comply
By John Ashley (CIPP/US, CCRS, CRCMP), Senior Consultant
On January 23, 2023, the New York Department of Financial Services (NYDFS) issued new guidance on regulated entities which custody digital assets. The guidance sets forth wide-ranging requirements for these entities, as well as strict limitations on how these entities can use custodied digital assets. This guidance comes at a time of uncertainty for digital assets and cryptocurrencies. 2022 saw the failure of multiple firms dealing in these assets, such as Voyager Digital, Celsius, BlockFi, and (most notoriously) FTX. The guidance issued by NYDFS is likely the first step in a move across regulators to tighten the regulation and supervision of digital asset firms and presents new compliance challenges for these firms.
To Whom Does the Guidance Apply?
The guidance applies to all entities which are regulated by NYDFS, either under its BitLicense regime or as limited purpose trust companies, and which take custody of their customer’s digital assets. The guidance refers to these entities as Virtual Currency Entities that act as custodians, or VCE Custodians.
The guidance does not apply to regulated entities which do not take custody of customer digital assets.
What Does the Guidance Require?
The guidance is intended to offer clarity in regard to NYDFS’s expectations for regulated entities—their custody procedures, processes, practices, and controls over customer digital assets. These expectations can be broken down into four areas:
1. Accounting Controls
The guidance requires that customer digital assets are separately accounted for and segregated from corporate assets. Notably, this applies to both on-chain (e.g. keeping customer assets in a separate wallet from corporate assets) and off-chain (e.g. separated on a VCE Custodian’s internal ledgers). This requirement effectively means that NYDFS requires that customer assets not be commingled with other assets, like commingling prohibitions found in Massachusetts and Nevada regulations. NYDFS notes that it will only accept two methods by which customer assets are separated from corporate assets. VCE Custodians can opt to keep each customer’s assets in a separate wallet/ledger account under that customer’s name. Alternatively, VCE Custodians may keep assets in an omnibus wallet/ledger account which contains only custodied customer assets; however, if a VCE Custodian opts to use this method, it must have controls which can establish an audit trail to identify individual customer assets and transactions. VCE Custodians must establish written policies and procedures regarding these controls and be prepared to reconcile on-chain activity with internal ledger accounts at any time, upon the request of NYDFS.
2. Use of Custodied Digital Assets
The guidance requires that when a VCE Custodian takes custody of a customer’s digital assets, it will do so only for the purpose of custody, and not for any other purpose. The guidance explicitly bans the use of customer funds as collateral for corporate loans, or their use as extension of credit (a major focus of the allegations against FTX). Finally, the guidance expressly requires VCE custodians to act on customer instructions—by extension, this requires VCE Custodians to honor a customer’s withdrawal request at any time. (Blocking customer withdrawals has been a characteristic of all the major cryptocurrency bankruptcies of 2022 and may have lost hundreds of thousands of customers access to billions of dollars in assets).
3. Sub-Custodial Arrangements
NYDFS views the use of sub-custody agreements by VCE Custodians as a material change in the VCE Custodian’s business model. As such, the VCE Custodian is required to go through the NYDFS’s approval process prior to using a sub-custody arrangement. As with other material business model changes, NYDFS expects to receive and review the VCE Custodian’s updated risk assessment and policies and procedures relative to this change before considering approval. In addition, NYDFS will require the VCE Custodian to submit the proposed service agreements governing the arrangement. This is by no means an exhaustive list, and VCE Custodians can expect that NYDFS will require additional documentation and information during the approval process.
Disclosures provided by VCE Custodians to their customers must (i) contain the terms and conditions associated with the VCE’s products and services; (ii) must be provided in writing; and (iii) must be accepted prior to entering into an initial transaction with a customer. The disclosures must make clear that the relationship is purely custodial, and it should include details regarding the VCE Custodian’s controls for the segregation and accounting of customer assets, how the VCE Custodian will use the custodied assets, and the limitations on such use. Disclosures should also note, as applicable, the use of sub-custody arrangements and any associated risk.
How Companies Can Comply with the Guidance
Firms operating as VCE Custodians in New York should assess their policies, procedures, and controls surrounding the custody of customer assets to ensure they are compliant. This assessment should include a review of procedural documentation, documentation of any unwritten or poorly described controls, and an assessment of the firm’s operational model. Firms should ensure that their custodial model meets one of the two forms acceptable to NYDFS and that their disclosures are appropriately up to date and compliant. In addition, firms should assess their compliance resources and their ability to comply with and manage an examination by NYDFS, and they should include in this assessment the possibility of ad hoc visitation or requests by NYDFS to demonstrate compliance, including the production of asset tracing and audit trails.
About the Author:
John Ashley (CIPP/US, CCRS, CRCMP) is a Senior Consultant in Bates Group's Money Services, Fintech and Digital Assets Compliance and AML Practice. He can be reached at email@example.com.
Bates Group’s MSB, FinTech, and Virtual Assets practice offers guidance and services for Money Services Businesses and financial institutions, fintech, digital asset, including virtual and cryptocurrency firms. Our subject matter experts work directly with firms and counsel to design and implement policies and programs and to ensure they are AML-compliant.
Our MSB and AML Teams help obtain and maintain Money Transmitter Licenses nationwide, including BitLicense and engage with firms to development and support BSA/AML/OFAC Program Development, Risk Management, Training, Advisory Services, and Independent Reviews.