Joint Staff Statement on Broker-Dealer Custody of Digital Asset Securities
Division of Trading and Markets, U.S. Securities and Exchange Commission
Office of General Counsel, Financial Industry Regulatory Authority
July 8, 2019
Market participants have raised questions concerning the application of the federal securities laws and the rules of the Financial Industry Regulatory Authority (“FINRA”) to the potential intermediation—including custody—of digital asset securities and transactions. In this statement, the staffs of the Division of Trading and Markets (the “Division”) and FINRA (collectively, the “Staffs”)—drawing upon key principles from their historic approach to broker-dealer regulation and investor protection—have articulated various considerations relevant to many of these questions, particularly under the SEC’s Customer Protection Rule applicable to SEC-registered broker-dealers.
As a threshold matter, it should be recognized by market participants that the application of the federal securities laws, FINRA rules and other bodies of laws to digital assets, digital asset securities and related innovative technologies raise novel and complex regulatory and compliance questions and challenges. For example, and as discussed in more detail below, the ability of a broker-dealer to comply with aspects of the Customer Protection Rule is greatly facilitated by established laws and practices regarding the loss or theft of a security, that may not be available or effective in the case of certain digital assets.
The Staffs are aware of, and encourage and support, efforts to address these issues such that compliance with the Customer Protection Rule and other federal securities laws and FINRA rules is reasonably practicable. In recent months, the Staffs have been engaged with industry participants regarding how industry participants believe a particular custody solution for digital asset securities would meet the possession or control standards prescribed in the SEC’s Customer Protection Rule. The Staffs have found these discussions to be very informative and appreciate market participants’ ongoing engagement on these issues. The Staffs encourage and support innovation and look forward to continuing our dialogue as market participants work toward developing methodologies for establishing possession or control over customers’ digital asset securities. Contact information for Commission and FINRA staffs is provided at the end of this statement.
Importance of the Customer Protection Rule
Entities seeking to participate in the marketplace for digital asset securities must comply with the relevant securities laws. An entity that buys, sells, or otherwise transacts or is involved in effecting transactions in digital asset securities for customers or its own account is subject to the federal securities laws, and may be required to register with the Commission as a broker-dealer and become a member of and comply with the rules of a self-regulatory organization (“SRO”), which in most cases is FINRA. Importantly, if the entity is a broker-dealer, it must comply with broker-dealer financial responsibility rules, including, as applicable, custodial requirements under Rule 15c3-3 under the Securities Exchange Act of 1934 (the “Exchange Act”), which is known as the Customer Protection Rule.
The purpose of the Customer Protection Rule is to safeguard customer securities and funds held by a broker-dealer, to prevent investor loss or harm in the event of a broker-dealer’s failure, and to enhance the Commission’s ability to monitor and prevent unsound business practices. Put simply, the Customer Protection Rule requires broker-dealers to safeguard customer assets and to keep customer assets separate from the firm’s assets, thus increasing the likelihood that customers’ securities and cash can be returned to them in the event of the broker-dealer’s failure. The requirements of the Customer Protection Rule have produced a nearly fifty year track record of recovery for investors when their broker-dealers have failed. This record of protecting customer assets held in custody by broker-dealers stands in contrast to recent reports of cybertheft, and underscores the need to ensure broker-dealers’ robust protection of customer assets, including digital asset securities.
Various unregistered entities that intend to engage in broker-dealer activities involving digital asset securities are seeking to register with the Commission and have submitted New Membership Applications (“NMAs”) to FINRA. Additionally, various entities that are already registered broker-dealers and FINRA members are seeking to expand their businesses to include digital asset securities services and activities. Under FINRA rules, a firm is prohibited from materially changing its business operations (e.g., engaging in material digital asset securities activities for the first time) without FINRA’s prior approval of a Continuing Membership Application (“CMA”).
The NMAs and CMAs currently before FINRA are diverse: Some of the NMAs and CMAs cover proposed business models that would not involve the broker-dealer engaging in custody of digital asset securities. On the other hand, some NMAs and CMAs include the custodying of digital asset securities, and therefore implicate the Customer Protection Rule, among other requirements.
Some of these entities have met with the Staffs to discuss how they propose to custody digital asset securities in order to comply with the broker-dealer financial responsibility rules. These discussions have been informative. The specific circumstances where a broker-dealer could custody digital asset securities in a manner that the Staffs believe would comply with the Customer Protection Rule remain under discussion, and the Staffs stand ready to continue to engage with entities pursuing this line of business.
Noncustodial Broker-Dealer Models for Digital Asset Securities
As noted, some entities contemplate engaging in broker-dealer activities involving digital asset securities that would not involve the broker-dealer engaging in custody functions. Generally speaking, noncustodial activities involving digital asset securities do not raise the same level of concern among the Staffs, provided that the relevant securities laws, SRO rules, and other legal and regulatory requirements are followed. The following are examples of some of the business activities of this type that have been presented or described to the Staffs.
- One example is where the broker-dealer sends the trade-matching details (e.g., identity of the parties, price, and quantity) to the buyer and issuer of a digital asset security—similar to a traditional private placement—and the issuer settles the transaction bilaterally between the buyer and issuer, away from the broker-dealer. In this case, the broker-dealer instructs the customer to pay the issuer directly and instructs the issuer to issue the digital asset security to the customer directly (e.g., the customer’s “digital wallet”).
- A second example is where a broker-dealer facilitates “over-the counter” secondary market transactions in digital asset securities without taking custody of or exercising control over the digital asset securities. In this example, the buyer and seller complete the transaction directly and, therefore, the securities do not pass through the broker-dealer facilitating the transaction.
- Another example is where a secondary market transaction involves a broker-dealer introducing a buyer to a seller of digital asset securities through a trading platform where the trade is settled directly between the buyer and seller. For instance, a broker-dealer that operates an alternative trading system (“ATS”) could match buyers and sellers of digital asset securities and the trades would either be settled directly between the buyer and seller, or the buyer and seller would give instructions to their respective custodians to settle the transactions. In either case, the ATS would not guarantee or otherwise have responsibility for settling the trades and would not at any time exercise any level of control over the digital asset securities being sold or the cash being used to make the purchase (e.g., the ATS would not place a temporary hold on the seller’s wallet or on the buyer’s cash to ensure the transaction is completed).
Considerations for Broker-Dealer Custody of Digital Asset Securities
Whether a security is paper or digital, the same fundamental elements of the broker-dealer financial responsibility rules apply. The Staffs acknowledge that market participants wishing to custody digital asset securities may find it challenging to comply with the broker-dealer financial responsibility rules without putting in place significant technological enhancements and solutions unique to digital asset securities. As the market, infrastructure, and law applicable to digital asset securities continue to develop, the Staffs will continue their constructive engagement with market participants and to gather additional information so that they may better respond to developments in the market while advancing the missions of our respective organizations: for the SEC, to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation; and for FINRA, to provide investor protection and promote market integrity.
The Customer Protection Rule
A broker-dealer seeking to custody digital asset securities must comply with the Customer Protection Rule. As noted, the rule is designed principally to protect customers of a registered broker-dealer from losses and delays in accessing their securities and cash that can occur if the firm fails. The rule requires the broker-dealer to safeguard customer securities and cash entrusted to the firm, as discussed below. If the broker-dealer fails, customer securities and cash should be readily available to be returned to customers. In the event the broker-dealer were to be liquidated under SIPA, the SIPA trustee would be expected to step into the shoes of the broker-dealer and expected to be able to transfer, sell, or otherwise dispose of assets in accordance with SIPA.
Among its core protections for customers, Rule 15c3-3 requires a broker-dealer to physically hold customers’ fully paid and excess margin securities or maintain them free of lien at a good control location. Generally, a broker-dealer may custody customer securities with a third-party custodian (e.g., the Depository Trust Company or a clearing bank), and uncertificated securities, such as mutual funds, may be held at the issuer or at the issuer’s transfer agent. In either case, there is a third party that controls the transfer of the securities. This traditional securities infrastructure (including, for example, related laws of property and security) also has processes to reverse or cancel mistaken or unauthorized transactions.
Considerations for Digital Asset Securities
There are many significant differences in the mechanics and risks associated with custodying traditional securities and digital asset securities. For instance, the manner in which digital asset securities are issued, held, and transferred may create greater risk that a broker-dealer maintaining custody of them could be victimized by fraud or theft, could lose a “private key” necessary to transfer a client’s digital asset securities, or could transfer a client’s digital asset securities to an unknown or unintended address without meaningful recourse to invalidate fraudulent transactions, recover or replace lost property, or correct errors. Consequently, a broker-dealer must consider how it can, in conformance with Rule 15c3-3, hold in possession or control digital asset securities.
In particular, a broker-dealer may face challenges in determining that it, or its third-party custodian, maintains custody of digital asset securities. If, for example, the broker-dealer holds a private key, it may be able to transfer such securities reflected on the blockchain or distributed ledger. However, the fact that a broker-dealer (or its third party custodian) maintains the private key may not be sufficient evidence by itself that the broker-dealer has exclusive control of the digital asset security (e.g., it may not be able to demonstrate that no other party has a copy of the private key and could transfer the digital asset security without the broker-dealer’s consent). In addition, the fact that the broker-dealer (or custodian) holds the private key may not be sufficient to allow it to reverse or cancel mistaken or unauthorized transactions. These risks could cause securities customers to suffer losses, with corresponding liabilities for the broker-dealer, imperiling the firm, its customers, and other creditors.
The Books and Records and Financial Reporting Rules
The broker-dealer recordkeeping and reporting rules require a broker-dealer, among other things, to make and keep current ledgers reflecting all assets and liabilities, as well as a securities record reflecting each security carried by the broker-dealer for its customers and all differences determined by the count of customer securities in the broker-dealer’s possession or control compared to the result of the count with the broker-dealer’s existing books and records. The financial responsibility rules also require that broker-dealers routinely prepare financial statements, including various supporting schedules particular to broker-dealers, such as Computation of Net Capital under Rule 15c3-1 and Information Relating to the Possession or Control Requirements under Rule 15c3-3 under the Exchange Act.
The books, records, and financial reporting requirements are designed to ensure that a broker-dealer makes and maintains certain business records to assist the firm in accounting for its activities. These rules also assist securities regulators in examining for compliance with the federal securities laws and as such are an integral part of the financial responsibility program for broker-dealers.
Considerations for Digital Asset Securities
The nature of distributed ledger technology, as well as the characteristics associated with digital asset securities, may make it difficult for a broker-dealer to evidence the existence of digital asset securities for the purposes of the broker-dealer’s regulatory books, records, and financial statements, including supporting schedules. The broker-dealer’s difficulties in evidencing the existence of these digital asset securities may in turn create challenges for the broker-dealer’s independent auditor seeking to obtain sufficient appropriate audit evidence when testing management’s assertions in the financial statements during the annual broker-dealer audit. We understand that some firms are considering the use of distributed ledger technology with features designed to enable firms to meet recordkeeping obligations and facilitate prompt verification of digital asset security positions (e.g., regulatory nodes or permissioned distributed ledger technologies). Broker-dealers should consider how the nature of the technology may impact their ability to comply with the broker-dealer recordkeeping and reporting rules.
Securities Investor Protection Act of 1970
Generally, a broker-dealer that fails and is unable to return the customer property that it holds would be liquidated in accordance with SIPA. Under SIPA, securities customers have a first priority claim to cash and securities held by the firm for securities customers. Customers also are eligible for up to $500,000 in protection (of which up to $250,000 can be used for cash claims) if the broker-dealer is missing customer assets. These SIPA protections apply to a “security” as defined in SIPA and cash deposited with the broker-dealer for the purpose of purchasing securities. They do not apply to other types of assets, including, importantly, assets that are securities under the federal securities laws but are excluded from the definition of “security” under SIPA.
Considerations for Digital Asset Securities
In the case of a digital asset security that does not meet the definition of “security” under SIPA, and in the event of the failure of a carrying broker-dealer, SIPA protection likely would not apply and holders of those digital asset securities would have only unsecured general creditor claims against the broker-dealer’s estate. Further, uncertainty regarding when and whether a broker-dealer holds a digital asset security in its possession or control creates greater risk for customers that their securities will not be able to be returned in the event of a broker-dealer failure. The Staffs believe that such potential outcomes are likely to be inconsistent with the expectations of persons who would use a broker-dealer to custody their digital asset securities.
Control Location Applications
As a related matter, the Staffs have received inquiries from broker-dealers, including ATSs, wishing to utilize an issuer or transfer agent as a proposed “control location” for purposes of the possession or control requirements under the Customer Protection Rule. As described to the Staffs, this would involve uncertificated securities where the issuer or a transfer agent maintains a traditional single master security holder list, but also publishes as a courtesy the ownership record using distributed ledger technology. While the issuer or transfer agent may publish the distributed ledger, in these examples, the broker-dealers have asserted that the distributed ledger is not the authoritative record of share ownership. To the extent a broker-dealer contemplates an arrangement of this type, the Division will consider whether the issuer or the transfer agent can be considered a satisfactory control location pursuant to an application under paragraph (c)(7) of Rule 15c3-3.
As noted, the Staffs encourage and support innovation in the securities markets and look forward to continuing to engage with investors and industry participants as the marketplace for digital asset securities develops. To contact Commission staff for assistance, please visit the Commission’s FinHub webpage or contact Thomas K. McGowan, Associate Director, at (202) 551-5521 or Raymond Lombardo, Assistant Director, at (202) 551-5755. To contact FINRA staff for assistance, please visit FINRA’s FinTech webpage or contact Kosha Dalal, Associate General Counsel, at (202) 728-6903.
 For the purposes of this statement, the term “digital asset” refers to an asset that is issued and transferred using distributed ledger or blockchain technology, including, but not limited to, so-called “virtual currencies,” “coins,” and “tokens.” A digital asset may or may not meet the definition of a “security” under the federal securities laws. For the purposes of this statement, a digital asset that is a security is referred to as a “digital asset security.”
 This statement represents staff views of the Division of Trading and Markets and FINRA. This statement is not a rule, regulation, guidance, or statement of the U.S. Securities and Exchange Commission (“SEC” or “Commission”) or FINRA, and the Commission and FINRA’s Board have neither approved nor disapproved its content. This statement does not alter or amend applicable law and has no legal force or effect.
 For purposes of this statement, the Staffs use the term “entities” to refer to both firms and individuals.
 The financial responsibility rules include Rule 15c3-1 (the net capital rule), Rule 15c3-3 (the customer protection rule), Rule 17a-3 (the record making rule), Rule 17a-4 (the record retention rule), Rule 17a-5 (the financial reporting rule), and Rule 17a-13 (the quarterly securities count rule) under the Securities Exchange Act of 1934 (“Exchange Act”). This statement does not address all federal securities laws that may be implicated by a broker-dealer seeking to maintain custody of digital asset securities. Further, this statement does not address other securities laws or rules that may apply to digital asset securities.
 Rule 15c3-3 was adopted by the Commission in 1972. See Broker-Dealers; Maintenance of Certain Basic Reserves, Exchange Act Release No. 9856 (Nov. 10, 1972), 37 Fed. Reg. 25224 (Nov. 29, 1972).
 For example, one blockchain forensic analysis firm estimated that approximately $1.7 billion worth of bitcoin and other digital assets had been stolen in 2018, of which approximately $950 million resulted from cyberattacks on bitcoin trading platforms. The estimate of total losses in 2018 is 3.6 times higher than the estimate of such losses in 2017. See CipherTrace, Cryptocurrency Anti-Money Laundering Report, 2018 Q4, at 3 (Jan. 2019) (available at: https://ciphertrace.com/crypto-aml-report-2018q4/).
 Firms can discuss with FINRA whether a contemplated change in business operations such as engaging in digital asset securities activities may require the filing of a CMA through the materiality consultation process.
 These business models and transactions must comply with other provisions of the securities laws or regulations. The Staffs offer no views about whether such business models would be in compliance with other securities laws or regulations.
 Entities that perform functions to facilitate the clearance and settlement of transactions in digital asset securities may be required to register as a clearing agency under Section 17A of the Exchange Act. See 15 U.S.C. 78q-1.
 See, e.g., Statement on Digital Asset Securities Issuance and Trading, Division of Corporation Finance, Division of Investment Management, and Division of Trading and Markets, Commission (Nov. 16, 2018) (available at: https://www.sec.gov/news/public-statement/digital-asset-securites-issuuance-and-trading); see also e.g., Engaging on Non-DVP Custodial Practices and Digital Assets, letter issued by staff, Division of Investment Management, Commission, dated Mar. 12, 2019 (available at: https://www.sec.gov/investment/engaging-non-dvp-custodial-practices-and-digital-assets).
 See Financial Responsibility Rules for Broker-Dealers, Exchange Act Release No. 70072 (July 30, 2013), 78 Fed. Reg. 51824, 51826 (Aug. 21, 2013). In addition, if the broker-dealer is liquidated in a formal proceeding under the Securities Investor Protection Act of 1970 (“SIPA”), the securities and cash held by the broker-dealer for its customers would be isolated and readily identifiable as “customer property” and, consequently, available to be distributed to customers ahead of other creditors. Id.
 See 15 U.S.C. 78fff-1 (setting forth the powers and duties of a SIPA trustee).
 See paragraphs (b) and (c) of Rule 15c3-3. An entity’s designation as a good control location is based, in part, on its ability to maintain exclusive control over customer securities. See, e.g., paragraph (c)(5) of Rule 15c3-3 (deeming a “bank” as defined in Section 3(a)(6) of the Exchange Act to be a good control location so long as, among other things, the bank has acknowledged that customer securities “are not subject to any right, charge, security interest, lien or claim of any kind in favor of a bank or any person claiming through the bank” and the securities are in the custody or control of the bank).
 See paragraphs (c)(1) and (c)(5) of Rule 15c3-3.
 The Commission often receives applications under paragraph (c)(7) of Rule 15c3-3 to designate an issuer or the transfer agent of various types of uncertificated securities as a control location. The Division has delegated authority to “find and designate as control locations for purposes of Rule 15c3-3(c)(7) [under the Exchange Act] certain broker-dealer accounts which are adequate for the protection of customer securities.” See 17 CFR 200.30-3(a)(10)(i). The Commission has stated that mutual funds in particular may be held at the issuer or the issuer’s transfer agent. See, e.g., Broker-Dealer Reports, Exchange Act Release No. 70073 (July 30, 2013), 78 Fed. Reg. 51910, 51951 (Aug. 21, 2013) (stating that “[g]enerally, mutual funds issue securities only in book-entry form. This means that the ownership of securities is not reflected on a certificate that can be transferred but rather through a journal entry on the books of the issuer maintained by the issuer’s transfer agent. A broker-dealer that holds mutual funds for customers generally holds them in the broker-dealer’s name on the books of the mutual fund”). See also Form Custody for Broker-Dealers, 17 CFR 249.639 (providing broker-dealers with a field to indicate that they custody mutual fund securities with a transfer agent). The Division has also previously issued no-action letters regarding the maintenance of certain other uncertificated securities at the transfer agent. See, e.g., letter to Fantex Brokerage Services, LLC from Mark M. Attar, Senior Special Counsel, Division of Trading and Markets, Commission, dated Dec. 19, 2014 (providing that the staff would not recommend enforcement action if a broker-dealer treats a transfer agent for uncertificated securities as a good control location, under certain circumstances). These prior no-action letters do not address whether blockchain or distributed ledger technology, in connection with the maintenance of the single master security holder list, establishes control of uncertificated securities by the issuer (or transfer agent).
 See, e.g., paragraph (d) of Rule 15c3-3 (requiring that, not later than the next business day, a broker-dealer, as of the close of the preceding business day, shall determine the quantity of fully paid securities and excess margin securities in its possession or control and the quantity of such securities not in its possession or control).
 Cf. supra note 13.
 See generally Rules 17a-3, 17a-4, and 17a-5.
 See paragraph (a)(2) of Rule 17a-3.
 See paragraph (a)(5) of Rule 17a-3.
 See generally Rule 17a-5.
 See paragraph (d)(2)(ii) of Rule 17a-5.
 See generally PCAOB Auditing Standard 1105, Audit Evidence (describing sufficient appropriate audit evidence and stating that audit evidence consists of information that supports and corroborates management’s assertions regarding the financial statements and information that contradicts such assertions).
 The SIPA definition of “security” is different than the federal securities laws definitions. See 15 U.S.C. 78lll(14) (excluding from the SIPA definition of “security” an investment contract or interest that is not the subject of a registration statement with the Commission pursuant to the provisions of the Securities Act of 1933). This means there may be digital assets that are: (1) securities under the federal securities laws and SIPA, and thus are protected by SIPA; (2) securities under the federal securities laws, but not under SIPA, and thus not protected by SIPA; or (3) not securities under the federal securities laws and therefore not protected by SIPA.
 If a broker-dealer holds securities that are not protected by SIPA, the broker-dealer must nevertheless comply with the physical possession or control requirements under Rule 15c3-3 with respect to those securities.
 Generally, in a SIPA liquidation, assets not included in customer property (other than customer name securities) are liquidated and paid out to general creditors on a pro rata basis. See 15 U.S.C. 78fff-2(c); 15 U.S.C. 78fff(b).
 See supra note 16.
 See paragraph (c)(7) of Rule 15c3-3.