Examining the litmus test of “full control” in the Digital Asset Custody guidelines.

by Edmund Yong

Are you planning to become a custodian of digital assets for other people? There is now a legal path for you to do so. The Guidelines of Digital Assets (GoDA) introduced in October 2020 by the Securities Commission of Malaysia allow for such custodians to operate in Malaysia and are open for applications.

This is a four-part primer to give you the “lie of the land”, so to speak, and to address frequently asked questions. It is non-exhaustive, so you should still consult professionals for tech and legal matters. Please do not treat this as advice.

Why does this fall under Section 76A of CMSA?

In any well-functioning financial system, there need to be “plumbers” to slosh funds around and “warehouses” to store them away securely. As these are capital market services that complete a capital market transaction or complement a regulated activity (such as digital asset trading or fundraising), they need to be registered under section 76A of the Capital Markets & Services Act (CMSA) 2007. Trustees are also registered under this section [1].

According to GoDA, a digital asset custodian (DAC) provides the services of “safekeeping, storing, holding or maintaining custody of digital assets for the account of another person”. The minimum paid-up capital requirement for a DAC is the same as for a trustee: RM500,000. A DAC is, however, only required to maintain minimum shareholders’ funds of RM500,000 at all times, compared with RM1 million for a trustee.

It should be noted that a trustee must have “sufficient financial resources to operate efficiently” and must also obtain professional indemnity insurance (PII) that is “adequate and commensurate with the nature, activity, complexity and risk of the business undertaken”, which may be at least RM10 million in some cases [2]. No such insurance requirement is imposed on a DAC, however.

What is the concept of ‘full control’ of assets?

The crux of what it means to be a DAC is whether the asset owner has “full control”. While this may seem straightforward at first glance, it is not so when you examine the elements closely. The GoDA clarifies what it means to have ‘full control’:

  • “A person who merely offers a system by whatever means, which enable the asset owner to hold digital assets and the asset owner has full control of his digital assets, is not deemed to be a digital asset custodian for the purposes of paragraph 23.02.”
  • “An asset owner is considered as having full control of his digital assets when he holds the private key(s) to the wallet and the digital asset custodian does not have the ability to effect a unilateral transfer of the asset owner’s digital assets.”

Generally, if the asset owner places his or her digital assets in a storage or custodial system but still retains full control, with the right to exclude everyone else from transferring the assets, then the operator of that system is not deemed to be a DAC. A DAC, by contrast, is one that has the ability to transfer the assets unilaterally, without the necessary involvement of the asset owner.

What is not made sufficiently clear is whether the DAC can prevent the asset owner from moving his or her own assets, or refuse an instruction from the asset owner to do so. If the DAC has the ability to effect a unilateral transfer while the asset owner cannot do so without the DAC signing off on it, then in effect the DAC holds the mandatory private key in the custodial relationship and the asset owner holds the optional one.
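The mandatory-key versus optional-key distinction is easiest to see when the “full control” test is written down as a check on who holds enough keys to authorise a transfer. The Python below is an added example, not code from the article or from the Guidelines: it models the test over threshold (m-of-n) signing policies, which the article does not discuss, and the party names, policies and outcome labels are constructed for illustration only. It shows that the test cleanly separates the two cases the article describes (owner alone can move the assets; custodian alone can move them) but leaves a third, shared-control case unresolved, which is the gap the paragraph above identifies.

```python
from itertools import combinations
from typing import Dict, List, Tuple

# A signing policy (constructed for this example): at least `threshold` of the
# keys must sign to move the assets; `keys` maps a party name to how many
# distinct keys that party holds.
Policy = Tuple[int, Dict[str, int]]  # (threshold, {party: key_count})


def quorums(policy: Policy) -> List[frozenset]:
    """Every minimal set of parties whose combined keys reach the threshold."""
    threshold, keys = policy
    parties = list(keys)
    found: List[frozenset] = []
    # Smallest sets first, so any superset of an already-found quorum is skipped.
    for size in range(1, len(parties) + 1):
        for combo in combinations(parties, size):
            if sum(keys[p] for p in combo) >= threshold:
                candidate = frozenset(combo)
                if not any(q <= candidate for q in found):
                    found.append(candidate)
    return found


def can_transfer_unilaterally(policy: Policy, party: str) -> bool:
    """True if `party` alone reaches the threshold (the ability a DAC must have)."""
    return frozenset({party}) in quorums(policy)


def is_mandatory_signer(policy: Policy, party: str) -> bool:
    """True if no transfer is possible without `party` (it can block everyone else)."""
    return all(party in q for q in quorums(policy))


def classify(policy: Policy, owner: str = "owner", custodian: str = "custodian") -> str:
    """Apply the article's litmus test to a policy and name the outcome."""
    owner_alone = can_transfer_unilaterally(policy, owner)
    custodian_alone = can_transfer_unilaterally(policy, custodian)
    if owner_alone and not custodian_alone:
        return "owner has full control: provider is not a DAC"
    if custodian_alone:
        veto = " and can block the owner" if is_mandatory_signer(policy, custodian) else ""
        return "custodian can transfer unilaterally: DAC" + veto
    return "neither party can transfer alone: shared control, not settled by the test"


if __name__ == "__main__":
    # Constructed sample policies, not drawn from any real custodian's setup.
    samples = {
        "self-custody, single key": (1, {"owner": 1}),
        "exchange-hosted wallet": (1, {"custodian": 1}),
        "custodian holds 2 of 3 keys": (2, {"owner": 1, "custodian": 2}),
        "2-of-3 owner/custodian/backup": (2, {"owner": 1, "custodian": 1, "backup": 1}),
    }
    for name, policy in samples.items():
        print(f"{name}: {classify(policy)}")
```

In the 2-of-3 case neither the owner nor the custodian can move the assets alone, and neither is a mandatory signer, so the “holds the private key(s)” limb and the “unilateral transfer” limb of the test both come out false. An applicant running such a scheme should expect to explain in its submission which side of the line it falls on, rather than assume the Guidelines answer it.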

Referring to the waterfall diagram above: first (on the far left), if the system does not hold digital assets, then it does not provide the services stipulated in Para 23.01 of GoDA and therefore does not qualify as a DAC. If it does provide those services, the question is whether the asset owner has ‘full control’ or not. Based on the Guidelines, a DAC is one that denies the asset owner full control. A mere online or hardware wallet provider, whose system lets the owner hold the keys but which itself cannot transfer the digital assets, fails the DAC criteria.

On the far right is the scenario where the asset owner does not hold the private keys to the wallet and so does not have full control of the assets. How can this be? This is the typical case of custodial wallets hosted at digital asset exchanges (DAX). The asset owner places the assets with the DAX for the dual purpose of trading and safekeeping, rather than with a DAC. While a DAX and a DAC are different purpose-built platforms, there is nothing to stop a DAX from becoming a DAC eventually. Coinbase Custody and Gemini Custody are fine examples. More on this in the follow-up article.

(Note: Under Para 23.03 of GoDA, a registered recognized market operator such as a DAX can be deemed to be a DAC if they meet the requirements).

Why is private key management so important?

There are important legal underpinnings as to why managing private keys matters more than the storage system itself. Even without a proper wallet mechanism, your digital assets sit on the public blockchain and can stay there relatively safely; a wallet only holds the keys that control them. But if you do not have the private key, or it is damaged or lost, then you can kiss your digital assets goodbye. They are gone forever.

The private key is not just a password. You can reset a password when you forget it. Nor is it like losing the key to a safe deposit box, where the bank keeps a master key and there are locksmiths. It is a long random number which you are practically unable to memorise, and which you are not advised to store online or pass to anyone. So help you God.

In the crypto world, digital assets are unregistered and unregistrable. They are bearer-based for the most part, though exceptions apply. It is unclear what ‘full control’ means legally here, as mere possession of something such as the private keys and the proprietary right to exclude the world at large (“erga omnes” in Latin legalese) from using those keys are different animals in law. It is also unclear how legal title and beneficial interest in the assets will be ascertained, and how exactly the trust relationship is constructed. Our next article will touch more on this.

And if you are an aspiring DAC applicant, make sure you do not skip or give short shrift to your response to Chapter 28 of the Guidelines on key management. The requirements are deliberately drafted in a principles-based manner, such as having “sufficiently and verifiably secured storage”, “effective policies and procedures” and “adopting industry standards and practices”, which means you have to fill in the details with as much granularity as possible. It is safer to err on the side of over-explaining rather than under-explaining, since you only have one chance with your application.

[Read Part 2]

For feedback, enquiries or assistance, please write to edmund@celebrusadvisory.

[1] Guidelines on the Registration and Conduct of Capital Market Services Providers SC-GL/5-2018.

[2] Ibid, Section 4.09.