February 28, 2023

Digital Asset Custody and the SEC’s Proposed Safeguarding Rule: Significant Potential Implications and Unanswered Questions

On February 15, 2023, the Securities and Exchange Commission (SEC) released a proposed rulemaking (the Proposal) that would transform existing Rule 206(4)-2 (the Custody Rule) under the Investment Advisers Act of 1940 (the Advisers Act) into a new proposed Rule 223-1 (the Safeguarding Rule). As recently discussed, the proposed Safeguarding Rule would represent a radical change in the custodial obligations of SEC-registered investment advisers (RIAs). As we highlight in more detail below, the implications of the proposed Safeguarding Rule with respect to digital assets are particularly far-reaching and include the following:

  • All digital assets, not only those digital assets that constitute “securities” or “funds,” would be in-scope and subject to the requirements of the Safeguarding Rule.
  • Moving digital assets out of a qualified custodian into an account with an exchange or trading venue that does not qualify as a qualified custodian for purposes of transacting would violate the Safeguarding Rule, seemingly limiting compliant models for trade execution for RIAs to transactions involving settlement directly into and out of a qualified custodian.
  • No clear exceptions exist for digital assets that are not supported for custody by any qualified custodian.
  • Potentially significant repapering burdens in order for existing custodial documentation to be brought into compliance with the proposed written agreement and written assurances requirements of the Safeguarding Rule.

The workability and implications of the proposed Safeguarding Rule for digital assets raised concerns from both Commissioner Hester M. Peirce and Commissioner Mark T. Uyeda, with Commissioner Uyeda asking, “How could an adviser seeking to comply with this rule possibly invest client funds in crypto assets after reading this release?”

Consistent with other recent SEC rulemaking proposals, public comments on the proposed Safeguarding Rule are due 60 days after publication in the Federal Register. This drew particular comment from Commissioner Peirce, who questioned whether this allows the public enough time to analyze all aspects of this sweeping Proposal.

All Digital Assets In-Scope

The existing Custody Rule applies only to client “funds” and “securities.” In comparison, the proposed Safeguarding Rule is broader in scope and would apply to client “assets,” a term defined to mean “funds, securities, or other positions held in the client’s account.”[1] As the SEC noted in the Proposal, this definition of “assets” would include “all crypto assets, even in the instances where such assets are neither funds nor securities.”[2] Thus, even digital assets such as Bitcoin that are not securities would be subject to the custody requirements of the Safeguarding Rule.

Beyond the immediate implications of the scope of the Safeguarding Rule, the Proposal is noteworthy for a number of sweeping statements reiterating the SEC’s current expansive views on the “security” status of digital assets. For example, in discussing the scope of the current Custody Rule, the SEC stated its view that “most crypto assets are likely to be funds or crypto asset securities covered by the current rule.”[3] These statements drew particular comment from Commissioner Peirce, who expressed her disagreement “with the main premise that most crypto assets are securities and the sub-premise that crypto assets sold in a securities offering are necessarily themselves securities.”

Qualified Custodians

The core requirement of the proposed Safeguarding Rule is a requirement that client assets be maintained with a “qualified custodian.”[4] Like the existing Custody Rule, the proposed Safeguarding Rule would define the term “qualified custodian” to mean a bank or savings association, SEC-registered broker-dealer, CFTC-registered futures commission merchant, or certain foreign financial institutions meeting specified conditions and requirements.[5]

At least on first impression, this aspect of the Safeguarding Rule is likely to be well received by existing providers of institutional digital asset custody services, which, as the SEC noted in its economic analysis, include a number of federally chartered banks and trust companies, state-chartered trust companies, and at least one futures commission merchant.[6] With that said, while retaining such institutions within the definition of “qualified custodian,” the circumstances in which the enumerated categories of qualified custodians are permitted to custody digital assets by their own regulators remains subject to uncertainty. Indeed, the SEC itself expressed doubts regarding the permissible digital asset activities of such entities. For example, the SEC noted that federal banking regulators have recently expressed safety and soundness concerns regarding crypto-asset-related activities of federally chartered banks and trust companies, and indicated with respect to state chartered trust companies that the SEC will “be mindful of the extent to which many of these new entrants to the custodial marketplace offer, and are regulated to provide, the types of protection . . . a qualified custodian should provide under the rule.”[7] Furthermore, within the SEC’s own regulatory ambit, while broker-dealers are included in the definition of “qualified custodians,” it must be noted that pursuant to existing SEC guidance, only special purpose broker-dealers that limit their business exclusively to digital asset securities are permitted to custody digital asset securities.[8]

Possession and Control in a Digital Asset Context

The requirement under the Safeguarding Rule that a qualified custodian maintain “possession and control” of client assets warrants particular attention in the digital asset context.[9] As currently drafted, “possession and control” would be defined to mean holding assets such that:[10]

(i) The qualified custodian is required to participate in any change in beneficial ownership of those assets. 

(ii) The qualified custodian’s participation would effectuate the transaction involved in the change in beneficial ownership.

(iii) The qualified custodian’s involvement is a condition precedent to the change in beneficial ownership.

In the Proposal, the SEC acknowledged that “it may be difficult actually to demonstrate exclusive possession or control of crypto assets due to their specific characteristics (e.g., being transferable by anyone in possession of a private key).”[11] The SEC seems here to have in mind the difficulty of demonstrating a negative proposition — i.e., that no one else has a copy of the relevant private key. In this regard, the SEC’s discussion did go on to observe that “a qualified custodian would have possession or control of a crypto asset if it generates and maintains private keys . . . in a manner such that an adviser is unable to change beneficial ownership of the crypto asset without the custodian’s involvement.”[12] These observations illustrate that the definition of “possession and control” will warrant particular consideration in digital-asset-related circumstances such as the following:

  • Redundancy & Backups. The proposed definition of “possession and control” would seemingly prohibit any scope for an adviser (or anybody else) to have simultaneous access to the private key generated by the qualified custodian. Any such redundancy or access to private key backups would seem to directly contravene the “possession and control” requirement by allowing the adviser to effectuate digital asset transactions without the qualified custodian’s involvement.[13]
  • Multi-Signature Wallets and Multi-Party Computation. Digital asset custodians employing multi-signature wallets or multi-party computation solutions will need to closely evaluate the implications of the “possession and control” definitions for their custody models if adopted as drafted. Depending on the particular m-of-n transaction signing and key sharding rules employed, some uses of such technologies may potentially be noncompliant. For example, if a qualified custodian controls only one of the keys required to control a 2 of 3 multi-signature wallet, it could not be said that the qualified custodian’s involvement is a condition precedent to a transaction changing beneficial ownership of digital assets in the relevant wallet.

Limited Avenues for Trade Execution

As made clear from the SEC’s observations in the Proposal, the requirement under the Safeguarding Rule that a qualified custodian maintain possession and control of client assets would apply at all times. In this regard, the SEC specifically observed that transferring digital assets out of a qualified custodian into an exchange account for purposes of trading would constitute a violation of the Safeguarding Rule since client assets would not be maintained with a qualified custodian throughout the settlement of the trade.[14] In identifying such circumstances as violative of the Safeguarding Rule, the SEC acknowledged its awareness that much of the trading volume in digital assets currently takes place on exchanges and other trading platforms that directly settle into and require trade funding out of accounts maintained with the exchange.

This aspect of the Safeguarding Rule is likely to have significant implications and if adopted will require consideration of alternative avenues for trade execution that are compliant with the Safeguarding Rule. One potential remaining option would seem to be a bilateral, off-exchange delivery-versus-payment or delivery-versus-delivery settlement model which involves digital assets leaving possession and control of a qualified custodian only in settlement of a transaction and simultaneously with other assets for which the digital assets are being exchanged coming into the possession and control of the qualified custodian. Indeed, the SEC adverted to the noncustodial settlement model employed by alternative trading systems that trade crypto asset securities, noting that this model does not involve the broker-dealer operating the alternative trading system taking custody of the crypto asset securities involved.[15]

DeFi as a Potentially Compliant Trade Execution Avenue?

Interestingly, on-chain transactions and DeFi activity may therefore fare better with respect to this particular aspect of the proposed Safeguarding Rule than trading on centralized digital asset exchanges. For example, one of the benefits of blockchain technology is the prospect of “atomic settlement” — i.e., the instant exchange of two assets or payments whereby the transfer of one leg of the transaction processes if and only if the other leg of the transaction also processes. Unlike the exchange account-based trading model discussed above, on-chain settlement of digital asset transactions (e.g., exchanging one digital asset for another through a decentralized exchange) would seem to potentially avoid the issue of digital assets leaving a qualified custodian other than in exchange for other assets coming into a qualified custodian. Indeed, in discussing a qualified custodian’s exercise of due care, the SEC seemed to acknowledge that depending on the circumstances, such as where a client seeks to trade frequently, it may be consistent with due care for a qualified custodian to use a combination of cold wallets and hot storage in combination with robust policies and procedures.[16]

This aspect of the Proposal will certainly warrant further careful consideration, but it is noteworthy that the SEC’s requests for comment in the Proposal include questions seeking additional information on the meaning of “atomic settlement” of crypto asset trades and the benefits and drawbacks from an investor protection standpoint.[17] In this regard, consideration should be given to whether existing institutional digital asset custody solutions can or will be able to technologically support the necessary DeFi connectivity to enable a trade execution model consistent with the requirements of the proposed Safeguarding Rule.

Unsupported Digital Assets

Neither the discussion in the Proposal nor the proposed text of the Safeguarding Rule grapples with the fact that there may be no qualified custodian offering custody services for particular digital assets. There may be certain digital assets that most or even all qualified custodians will support — for example, digital assets such as BTC and ETH that represent the native digital assets of the largest and most well-known blockchain networks. However, there are likely to be many other digital assets that are not universally supported, or not supported at all, by qualified custodians, especially given the proliferation of both competing base-layer blockchain networks and the issuance of many different forms of tokens on such networks (including fungible tokens like ERC-20 tokens and non-fungible tokens).

The SEC did recognize in the Proposal that there may be certain assets that are unable to be maintained with a qualified custodian. For example, the Safeguarding Rule would provide an exception from certain requirements for client assets that are (i) “privately offered securities” that cannot be transferred without the prior consent of the issuer or other holders of the outstanding securities of the issuer or (ii) “physical assets,” such as artwork, real estate, precious metals, or physical commodities such as oil or lumber.[18] However, the SEC seems to have foreclosed the application of these exceptions to digital assets, observing that “crypto asset securities issued on public, permissioned blockchains” would not satisfy the conditions of the privately offered securities exception and that “Crypto assets that are not crypto asset securities would not qualify for the exception because they do not satisfy the definition of privately offered security.”[19]

Accordingly, as currently drafted, the Safeguarding Rule appears likely to place RIAs in an unfortunate position because there may be no qualified custodian able or willing to custody certain digital assets as is required for compliance with the rule.

Repapering Implications

Although not specific to digital assets, the documentation requirements of the proposed Safeguarding Rule are also worth noting. By way of summary, the Safeguarding Rule would require RIAs to (i) maintain client assets with a qualified custodian pursuant to a written agreement between the RIA and the qualified custodian;[20] and (ii) obtain reasonable assurances in writing from the qualified custodian regarding certain protections for the safeguarding of client assets.[21] These documentation requirements would encompass certain guardrails and minimum custodial protections, such as requiring a standard of due care; addressing indemnity for negligence, recklessness, or willful misconduct; asset identification and segregation obligations; and certain recordkeeping, reporting, and internal control requirements.

The SEC acknowledged in the Proposal that requiring a written agreement between an RIA and each qualified custodian represents a departure from market practice, under which custodial agreements are more commonly entered into between the advisory client and the qualified custodian.[22] For example, consistent with this recognition, in our experience it is common for private funds in the digital asset space to have the fund entity (e.g., the limited partnership) in contractual privity with the custodian rather than the investment adviser or manager to that fund entity. Such market practice notwithstanding, the SEC expressed its view in the Proposal that the minimum custodial protections addressed by the documentation requirements of the Safeguarding Rule are best promoted by written agreement between the adviser and the qualified custodian or by the adviser obtaining reasonable assurances in writing from the qualified custodian.[23]

Accordingly, if the Safeguarding Rule is adopted as currently drafted, market participants will likely need to amend or repaper their existing custodial relationship documentation in order ensure compliance. The Proposal currently includes a staggered compliance timetable, which would require (i) RIAs with more than $1 billion in regulatory assets under management to comply within 12 months after publication of a final rule in the Federal Register and (ii) RIAs with less than $1 billion in regulatory assets under management to comply within 18 months of such publication. 


As the discussion above should make clear, if adopted as currently proposed, the Safeguarding Rule would have far-reaching implications for RIAs investing in digital assets and, by extension, for digital asset markets. Despite the narrow comment window, the Proposal is likely to engender considerable discussion and public comment from both traditional asset and digital asset market participants. We will continue to closely scrutinize the development of the Proposal and its evolution toward finalization.



[1] Proposed Rule 223-1(d)(1).
[2] Proposal at *28.
[3] Proposal at *18.
[4] Proposed Rule 223-1(a)(1).
[5] Proposed Rule 223-1(d)(10).
[6] Proposal at *265.
[7] Proposal at *75-76.
[8] Custody of Digital Asset Securities by Special Purpose Broker-Dealers, SEC Release No. 34-90788 (Dec. 23, 2020).
[9] Proposed Rule 223-1(a)(1).
[10] Proposed Rule 223-1(d)(8).
[11] Proposal at *66.
[12] Proposal at *67.
[13] Proposal at *66.
[14] Proposal at *68.
[15] Proposal at *266.
[16] Proposal at *85-86.
[17] Proposal at *73.
[18] Proposed Rule 223-1(b)(2).
[19] Proposal at *135.
[20] Proposed Rule 223-1(a)(1)(i).
[21] Proposed Rule 223-1(a)(1)(ii).
[22] Proposal at *74.
[23] Proposal at *81.