Virtual Assets Custody Services

It is paramount for VASPs to establish and rigorously maintain policies and procedures, specifically designed to address situations in which the seed or cryptographic keys of any VA Wallet are lost or otherwise compromised.

FOREWORD

The dynamic realm of VAs custody services has introduced its unique complexities, setting it apart markedly from the custody of conventional securities and assets. As the landscape of VAs continues to grow, custodians have progressed in their journey toward institutionalization.

Against this backdrop, Virtual Asset Service Providers (VASPs) now bear the crucial responsibility of securing these VAs, meeting the demands of heightened adoption and evolving complexities.

This article delves into the landscape of the VA Activity of Custody Services and the role of independent full-service custodians in the safekeeping of investors’ VAs in the Dubai. It places particular emphasis on the pivotal elements of security, compliance and insurance that are integral to the VASP and client relationship, as outlined in the Custody Services Rulebook issued by Virtual Assets Regulatory Authority (VARA).

THE CUSTODY SERVICES RULEBOOK: NAVIGATING THE VASP-CLIENT CONTRACTUAL DYNAMICS

As delineated in Schedule 1 of the Virtual Assets and Related Activities Regulations 2023 (the “Regulations”), outlining the VA Activities, Custody Services means safekeeping VA for or on behalf of another Entity and acting only on verified instructions from or on behalf of such Entity.

VAs held by a VASP are not depository liabilities or assets of the VASP. Moreover, the Custody Services Rulebook explicitly prohibits VASPs from practicing re-hypothecation of VAs for which they provide Custody Services, even if the client provides consent.

Bearing in mind the overarching requirements set out in the Market Conduct Rulebook which govern client agreements, the provision of Custody Services shall be a contractual arrangement between a VASP and a client. Under this arrangement a client lawfully in control of, or entitled to control a VA, transfers control of the VA to a VASP, solely for the purpose of receiving Custody Services.

Notably, the arrangement does not transfer to the VASP, any legal interest in the VA, or any discretionary authority not explicitly authorized in the Client Agreement or otherwise agreed to by the client.

From the given definition, it can be inferred that custodians function akin to vaults holding investors’ VAs. In return for their service, custodians charge a fee from investors. Furthermore, custodians do not in any way assert any proprietary interest in the VA. This implies safeguarding them in a manner that ensures they remain separate from the custodian’s assets.

VASPs shall comply with any and all licensing conditions as communicated by VARA in its License, and only carry out a VA Activity, or attempt to carry out a VA Activity, in relation to the classifications of investors permitted by VARA, such as the authorization to serve only Institutional Investors and Qualified Investors.

CUSTODY VS. NON-CUSTODY

Before we explore the regulatory obligations for Custody Service Providers, it is important to establish a clear distinction between custody and non-custody services.

Self-custody (non-custodial) wallet services enable a user to hold the cryptographic keys necessary to control their own crypto assets. Users have ultimate control over their private keys, which are essential for accessing and managing their virtual assets. The unfortunate occurrence of key loss or theft, results in the irretrievable loss of funds.

In contrast, custody services involve a dedicated custody service provider, wherein the responsibility for holding and safeguarding VAs is delegated to them by clients. Clients may be able to recover funds in the case of lost access data. Custodians manage the security and storage of VAs and have control of the private keys.

SAFE CRYPTOGRAPHIC KEY MANAGEMENT

Custodians play a vital role in providing investors with a safe and regulated storage platform for their VAs, thus achieving high standards of asset security and protection.

A private key serves as a confidential alphanumeric credential, crucial for authorizing the transmission of the VAs to another address. Analogous to a physical key that grants access to one’s home, this unique key is indispensable for accessing and managing VAs securely.

An entity has custody of a digital asset by holding the private key on behalf of the client’s asset. At its core, ownership is tied to control over the asset, particularly the private key. Consequently, those who exercise control also hold ownership by design.

Correspondingly, custodians acquire control through the private key and are entrusted with the security of the asset delegated to them. Custodians are responsible for implementing a robust key management system ensuring the cryptographic security of assets. Custodians are also required to limit and monitor access to private keys and employ cryptography that adheres to industry best practices.

Moreover, it is paramount for VASPs to establish and rigorously maintain policies and procedures, specifically designed to address situations in which the seed or cryptographic keys of any VA Wallet are lost or otherwise compromised.

These policies and procedures shall address matters including the recovery of affected VAs, timely communications with all clients and counterparties regarding consequences arising from incidents, measures taken to remedy these consequences, cooperation with law enforcement agencies and regulatory bodies, and where applicable, preparation of wind-down arrangements and public disclosure of such arrangements.

Clients Agreements should include a description of the overall custodial framework used by the VASP, including but not limited to security, risk mitigation, safeguarding procedures, and address what will happen when source code versions underlying a VA supported by the VASP materially change in a way that may affect the Custody Services provided [e.g., a fork of the network protocol].

To enhance security measures, VASPs shall maintain an accurate register, and record of reconciliation of each client’s positions that correspond to the client’s rights to the VA that are subject to the Custody Services.

Also, all key and seed backups must be stored in a separate location from the primary key and seed. VASPs must also conduct routine assessments to ensure the effectiveness of backup and recovery procedures.

VA WALLET MANAGEMENT

A VA Wallet according to Law No. 4 of 2022 Regulating Virtual Assets in the Emirate of Dubai is a digital application, or any other digital or electronic medium, through which the VAs owned by a Beneficiary are managed and transferred, and through which all the transactions conducted on behalf of the Beneficiary to transfer VAs between accounts are made.

Only VASPs which segregate each client’s assets in separate VA Wallets will qualify for a Custody Services License.

It is absolutely critical for VASPs to safeguard the VAs against hacking and other cyber security risks. This involves conducting a risk-based analysis to determine the method of VA storage, employing encryption for key and seed backups, segregating duties to prevent single points of failure, using multi-signature approaches, providing insurance in the event of asset compromise, and managing liquidity with round-the-clock access to the asset.

Additionally, VASPs may safeguard customer deposits by placing them in a frozen wallet, whereby withdrawals are limited exclusively to approved internal wallets. VASPs may also employ a scalable ledger for the purpose of reconciling client transactions with the external blockchain.

INSURANCE

Insurance serves as an important mechanism to protect against the risks to which a VASP may be exposed, enhancing client confidence in the established safeguards and controls.

Pursuant to Rule VI.D.1 of the Company Rulebook, VASPs must maintain the hereinafter listed types of insurances as part of the prudential requirements. VASPs must hold and maintain insurances adequate to the size and complexity of the business and VA Activities and in the manner specified by VARA in its Licence.

(a) Professional indemnity insurance;

(b) Directors’ and officers’ insurance;

(c) Commercial crime insurance or similar types of insurance for all VAs stored in hot wallets; and

(d) Any other type of insurance as assessed by VARA to be appropriate for a VASP’s business and VA Activities and stipulated in the conditions to its Licence.

SEGREGATION

In our examination of VARA’s rulebooks, emphasis on the segregation mechanism becomes apparent, spanning diverse areas such as fund assets and governance. The objective is to establish clear ownership rights and an adequate level of protection for VAs. Specifically, the VASP shall:

1. Segregate the VAs of each client in separate VA Wallets;

2. Segregate between operations relating to Custody Services on one hand, and all other businesses or services relating to VA Activities – excluding Custody Services – on the other. This segregation is particularly relevant for VASPs that are members of a Group;

3. Be established as a separate legal entity from other members of their Group;

4. Establish operational and physical segregation between individuals handling operations for Custody Services and their other core business activities, including other VA Activities, conducted by their Group;

5. Establish a separate team to handle the VASP’s Custody Services only consisting of individuals who have no conflicting duties to access information which may give rise to any conflicts of interest; and

6. Segregate between internal review functions and operational duties in order to avoid abuses of certain functions and the potential for conflicts or errors.

DEFINITIONS

“AML/CFT”: means anti-money laundering, combating the financing of terrorism, counter proliferation financing and financial sanctions compliance.

“Beneficiary”: means a person who acquires the ownership of a Virtual Asset as it is transferred to his Virtual Asset Wallet and is recorded and validated through the Distributed Ledger Technology.

“Client Agreements”: has the meaning ascribed to it in Rule II.A.1 of the Market Conduct Rulebook.

“Emirate”: means all zones across the Emirate of Dubai, including Special Development Zones and Free Zones but excluding the Dubai International Financial Centre.

“Entity”: means any legal entity or individual.

“Group”: means a VASP and any Entity under the same Control with the VASP.

“Institutional Investor”: has the meaning ascribed to it in the Market Conduct Rulebook issued by VARA.

“Insurance”: has the meaning ascribed to it in the Company Rulebook issued by VARA.

“Licence”: means a licence granted by VARA to an Entity under which VARA explicitly authorizes such Entity to carry out one or more VA Activity(ies) in the Emirate.

“Qualified Investor”: has the meaning ascribed to it in the Market Conduct Rulebook issued by VARA.

“Virtual Assets” or “VA”: a digital representation of value that may be digitally traded, transferred, or used as an exchange or payment tool, or for investment purposes. This includes Virtual Tokens, and any digital representation of any other value as determined by VARA.

“VA Activity”: means any of the activities that require a Permit from VARA and are subject to its oversight, as stated in Article (16) of Law No. (4) of 2022 Regulating Virtual Assets in the Emirate of Dubai.

“Virtual Asset Service Provider” or “VASP”: means an Entity Licensed by VARA to provide Custody Services in the Emirate.