The Markets in Crypto Assets Regulation “MiCAR” (2020/0265(COD) sets out, as one of its crypto asset services, the “custody and administration of crypto-assets on behalf of third parties" 1. Custody as a crypto asset service offered by Crypto Asset Service Providers, has been a topic of tumultuous debate for a long period of time, one which MiCAR has attempted to address by virtue of its custody-specific provisions.
The custody and administration of crypto assets on behalf of third parties is defined by MiCAR as follows: "the custody and administration of crypto-assets on behalf of third parties’ means safekeeping or controlling, on behalf of third parties, crypto-assets or the means of access to such crypto-assets, where applicable in the form of private cryptographic keys;” 2
Custody Policy, Position Registers and Facilitation of Rights
Crypto Asset Service Providers that intend on offering custody and administration of crypto-assets on behalf of third parties (hereinafter referred to as “Custody Service/s”), must necessarily enter into an agreement with their clients specifying their duties and responsibilities in regard to the Custody Services being offered.3
MiCAR stipulates that the aforementioned agreement shall at least include the following:
- The identity of the parties to the agreement;
- The nature of the service provided and a description of that service;
- The means of communication between the Crypto Asset Service Provider and the client;
- The client’s authentication system;
- A description of the security systems used by the Crypto Asset Service Provider;
- Fees, costs and charges applied by the Crypto Asset Service Provider;
- The law applicable to the agreement; and
- The custody policy.
The aforementioned custody policy needs to necessarily contain rules and procedures aimed at minimising the risk of any loss of crypto assets or any rights in relation thereto. An interesting obligation outlined by MiCAR is that of safeguarding the rights attached to the crypto assets held in custody. However, Crypto Asset Service Providers must not only safeguard the aforementioned rights, but shall also facilitate the exercise of the rights attached to such crypto assets and record any event that is like to create or modify the client’s rights in relation to the custodied crypto assets in the client’s position register.
Furthermore, where the underlying blockchain of the crypto asset in custody creates or modifies the client’s rights, the client shall be entitled to any crypto assets or any rights newly created. By way of an example, Ethereum’s transition to ‘Proof of stake’ resulted in the airdrop of Ethereum PoW (ETHW) tokens to all wallets holding Ether. In such a scenario, all authorised Crypto Asset Service Providers under MiCAR would have been obliged to credit all accounts holding Ether with Ethereum PoW (ETHW).4
Crypto Asset Service Providers shall open and maintain a register of positions of each client corresponding to each client’s right to the crypto assets. Any movements of the crypto assets held in custody on behalf of the client shall be recorded in this register and evidenced by a transaction regularly registered in such register.5 A statement of the client’s position register shall be provided to the client by Crypto Asset Service Providers at least once every three months and at the request of the client. The aforementioned statement shall contain the crypto assets, their balance, value and any transfers in relation thereto.6
Segregation of Crypto Assets and Third Party Custodians
Crypto Asset Service Providers are obliged to segregate crypto assets held on behalf of clients from their own crypto asset holdings. Thus, MiCAR stipulates that crypto assets held on behalf of clients shall be held on separate addresses from those on which the Crypto Asset Service Provider’s own crypto assets are held.7 Furthermore, crypto assets held on behalf of clients shall also be insulated and segregated from the Crypto Asset Service Provider’s own estate. This ensures that, should the Crypto Asset Service Provider undergo insolvency proceedings, creditors would not have any recourse in relation to clients’ crypto assets.8
Only custodians authorised in accordance with Article 53 of MiCAR are allowed to act as third-party custodians. Where a Crypto Asset Service Provider engages with a third-party custodian to take custody of clients’ crypto assets, such clients would need to necessarily be informed of such an arrangement.
Proof of Reserves
Recital 59 of MiCAR states that Crypto Asset Service Providers offering Custody Services should have an agreement in place specifying the nature of the Custody Service being offered. Furthermore, Recital 59 goes on to state that Crypto Asset Service Providers shall not use customers’ crypto assets for their own account and shall always ensure that all held crypto assets are always unencumbered.
On this point, there has been a recent surge in publications of ‘Proof of Reserves’. These typically take the form of on-chain-based audits aimed at verifying whether a custodian of customers' crypto assets actually holds the crypto assets it claims to have custody of. Proof of Reserves via Merkle Tree proofs have been touted as providing an effective means of proving custodian transparency. However, they merely offer a partial solution to a bigger problem. This on-chain audit, albeit providing a high level of transparency for users to ensure that the crypto assets they have deposited are actually in the custodian’s possession, does little in providing assurance that such crypto assets are unencumbered. The Proof of Reserves audit merely addresses the objective existence of the crypto assets on the custodian’s balance sheet but, naturally, does not offer any clarification as to whether such crypto assets have been encumbered by the Crypto Asset Service Provider through any underlying contractual agreements.
1 MiCAR, Article 3(1)(9)(a)
2 MiCAR, Article 3(1)(10)
3 MiCAR, Article 67(1)
4 MiCAR, Article 67(3)(4)
5 MiCAR, Article 67(2)
6 MiCAR, Article 67 (5)
7 MiCAR, Article 67(7)
8 MiCAR, Article 67 (10)(10a)
