January 23, 2023
TO: Entities Licensed Under 23 NYCRR Part 200 or Chartered as Limited Purpose Trust Companies Under the New York Banking Law That Custody Virtual Currency Assets
FROM: Adrienne A. Harris, Superintendent of Financial Services
RE: Guidance on Custodial Structures for Customer Protection in the Event of Insolvency
The purpose of this Guidance on Custodial Structures for Customer Protection in the Event of Insolvency (“Guidance”) is to emphasize sound custody and disclosure practices to better protect customers in the event of an insolvency or similar proceeding. In issuing this Guidance, the New York State Department of Financial Services (the “Department” or “DFS”) emphasizes the paramount importance of equitable and beneficial interest always remaining with the customer.
Interest in virtual currencies has grown substantially in recent years, as has the demand for virtual currency custody services across both retail and institutional customer segments. Custody services include, without limitation, storing, holding, or maintaining custody or control of virtual currency on behalf of others.1 As stewards of others’ assets, virtual currency entities (“VCEs”)2 that act as custodians (“VCE Custodians”) play an important role in the financial system and, therefore, a comprehensive and safe regulatory framework is vital to protecting customers and preserving trust. As the prudential regulator of entities engaged in virtual currency business activity in New York and with New Yorkers, under the nation’s first comprehensive virtual currency regulatory framework,3 the Department considers customer protection of the utmost importance.
New York’s virtual currency regulation, 23 NYCRR Part 200, requires BitLicensees to, among other things, hold virtual currency in a manner that protects customer assets; maintain comprehensive books and records; properly disclose the material terms and conditions associated with their products and services, including custody services; and refrain from making any false, misleading or deceptive representations or omissions in their marketing materials.4 DFS places analogous requirements on New York State limited purpose trust companies that engage in virtual currency business activity.5
This Guidance is intended to offer greater clarity regarding standards and practices that, in the Department’s view, will help to ensure that VCE Custodians are providing a high level of customer protection with respect to asset custody under the BitLicense and limited purpose trust company frameworks.6 Specifically, this Guidance focuses on customer protection relating to:
- Segregation of and Separate Accounting for Customer Virtual Currency;
- VCE Custodian’s Limited Interest in and Use of Customer Virtual Currency;
- Sub-Custody Arrangements; and
- Customer Disclosure.
I. Segregation of and Separate Accounting for Customer Virtual Currency
To custody customer virtual currency properly and maintain appropriate books and records, a VCE Custodian is expected to separately account for and segregate customer virtual currency from the corporate assets of the VCE Custodian and its affiliated entities, both on-chain and on the VCE Custodian’s internal ledger accounts. As discussed below in Part IV, the VCE Custodian should clearly and prominently disclose the manner in which the VCE Custodian segregates and accounts for customer virtual currency. It is expected that a VCE Custodian will not commingle customer virtual currency with any of the VCE Custodian’s own virtual currency or with any other non-customer virtual currency.
Customer virtual currency should be maintained in either (i) separate on-chain wallets and internal ledger accounts for each customer under that customer’s name or (ii) one or more omnibus on-chain wallets and internal ledger accounts that contain only virtual currency of customers held under the VCE Custodian’s name as agent or trustee for the benefit of those customers. Where a VCE Custodian chooses to hold customer virtual currency in an omnibus account, the VCE Custodian should maintain appropriate records and maintain a clear internal audit trail to identify customer virtual currency and account for all customer transactions, so that each individual customer’s beneficial interest is always evident and up-to-date.7 Accordingly, VCE Custodians should have clearly documented policies and procedures to evidence that these safeguards are in place. VCE Custodians should also be prepared at all times to demonstrate reconciliation between the virtual currency entity’s books and records and on-chain activity upon request from the Department, whether such request is made as part of ongoing monitoring, routine onsite examination, ad hoc visitation, or otherwise.
II. VCE Custodian’s Limited Interest in and Use of Customer Virtual Currency
When a customer transfers possession of an asset to a VCE Custodian for the purposes of safekeeping, the Department expects that the VCE Custodian will take possession only for the limited purpose of carrying out custody and safekeeping services, and that it will not thereby establish a debtor-creditor relationship with the customer. The Department expects VCE Custodians to structure their custodial arrangements in a manner that preserves the customer’s equitable and beneficial interest in the customer’s virtual currency. A VCE Custodian should treat customer virtual currency in its possession or control as belonging solely to customers and not employ customer virtual currency for the VCE Custodian’s own use. For example, under no circumstances should a VCE Custodian use customer virtual currency to secure or guarantee an obligation of, or extend credit to, the VCE Custodian or any other person. Further, VCE Custodians are expected to act upon the instructions of their customers or authorized representatives and not acquire general discretion over custodied assets beyond those terms clearly expressed in the VCE Custodian’s customer agreement, as further described below.
III. Sub-Custody Arrangements
A VCE Custodian may elect, after appropriate due diligence, to arrange for the safekeeping of customer virtual currency through a sub-custody arrangement with a third party, so long as that arrangement is consistent with this Guidance. The Department generally views the establishment of any new sub-custody or third-party arrangement as a material change to a VCE’s business, and therefore requires the Department’s approval prior to implementation. In support of a request for such prior approval, the Department generally expects to receive for review, at a minimum:
- the applicable risk assessment performed by the VCE Custodian;
- the proposed service agreement(s) between the parties; and
- the VCE Custodian’s updated policies and procedures reflecting the processes and controls to be implemented around the proposed arrangement.
Applicants for a BitLicense or limited purpose trust company charter may seek the required approval during the application process, while currently-regulated VCE Custodians may submit requests as a material change in business proposal.8
IV. Customer Disclosure
A VCE Custodian is expected to (i) clearly disclose to each customer in writing the general terms and conditions associated with its products, services and activities, and (ii) obtain acknowledgment of receipt of such disclosure prior to entering into an initial transaction with the customer, consistent with this Guidance.9 In addition, the VCE Custodian’s customer agreement should make clear the parties’ intentions to enter into a custodial relationship, rather than a debtor-creditor relationship. For example, the VCE Custodian should clearly disclose how it segregates and accounts for customer virtual currency, the property interest the customer retains in custodied assets, how the VCE Custodian may use custodied virtual currency while in its possession, and what limitations on the use of custodied virtual currency by the VCE Custodian apply. If a VCE Custodian makes use of a third-party, sub-custody arrangement, the customer agreement should, consistent with this Guidance, clearly disclose the terms of that arrangement and the material risks. Further, the Department expects a VCE Custodian to make its standard disclosures and customer agreement readily accessible to customers on its website, in a manner consistent with New York laws and regulations.
Note: This guidance is not intended to limit the scope or applicability of any law or regulation. For further information, virtual currency entities should contact their relationship manager or point of contact with the Department.
1 See 23 NYCRR § 200.2(q)(2).
2 VCEs include entities licensed under 23 NYCRR Part 200 (also known as “BitLicensees”), as well as entities chartered as limited purpose trust companies under the New York Banking Law, to engage in virtual currency business activity, including custody services. See, e.g., 23 NYCRR §§ 200.2(q), 200.3(c)(1).
3 See 23 NYCRR Part 200 (the “BitLicense” Regulation or “Part 200”).
4 See, e.g., 23 NYCRR §§ 200.9, 200.12, 200.18, 200.19.
5 The Department enters into supervisory agreements with virtual currency entities, including limited purpose trust companies, that specify required, restricted, and prohibited activities. In addition, the Department has, for example, the authority to order the discontinuance of unsafe and unsound practices in order to maintain public confidence and protect the public interest. See, e.g., NY Banking Law §§ 10, 39.
6 This Guidance pertains to custodial safekeeping activity generally and is not intended to address in detail ancillary activities associated with custodial services such as staking or on-chain governance.
7 To the extent that a VCE may fund transaction costs (e.g., gas fees) on behalf of its customers, the VCE should consider these as customer funds for the purposes of this Guidance.
8 See, e.g., 23 NYCRR § 200.10.
9 See, e.g., 23 NYCRR § 200.19.