In September 2024, the UK government introduced a bill, likely to become law before the end of 2024, to ensure that digital assets “can be considered personal property”. This new bill strives to remove legal uncertainty and so offers clarity as to how digital assets have to be treated in disputes over ownership, such as divorce, liquidations, etc. McKinsey estimates that digitization of assets by 2023 will be $2trillion but could be as much as $4trillion with cash, mutual funds, loans and securitization, and debt instruments leading the way. Therefore it is going to be a growing challenge as regards how you look after digital assets securely and while we are beginning to see global custody services providers such as State Street announcing they are going to offer digital asset custody for some, there is nothing better than looking after your own assets - but how?
Institutional and retail, military grade, hardware wallets storing an assortment of digital assets
(these wallets rely on physical security to safeguard digital assets)
Source: TPX
The challenges of managing physical control of digital assets can be viewed in three simple categories. Each one of these categories has principal differences in physical control, use, legality and insurability. The combination of the categories and the principal differences between them results in a somewhat complex matrix, but it is easily understood once the basics are mastered
1. Addresses: Firstly, let’s start with digital asset addresses and a very simple analogy. Addresses are like a mail/post slot in your front door; anyone with your address can deposit assets through your door but they can’t open your door to get all deposits (post) that have been previously deposited there. If your address is known, anybody can use the public mail system to make a deposit at your home. As a potential risk in this process someone could stand outside your door and then know what has been deposited through your mail/post slot. Additionally, like in many postal systems, your house number can be changed or forwarded to another fraudulent address resulting in all digital asset deposits going to an unintended recipient or fraudster. With today’s digital asset, crypto and blockchain technologies these fraudulent deposits are irreversible. Therefore, the more frequent the deposits then the more opportunities there are to redirect the mail to fraudulent addresses.
2. Keys: Sticking to the above analogy of a mail slot in a door: bespoke keys are created to open your own door to allow you, the owner, to use all of the deposits that have been deposited through your mail slot. Like in a real-world door, it is the owner's responsibility to safeguard their own keys to their own house and therefore their own deposits. Once the keys have been compromised (e.g. a copy made) all of the deposits in the house can be withdrawn immediately with no recourse to the homeowner. With respect to who is managing or is a custodian of your keys (who is creating and storing them) this imputes a direct legal responsibility for all of the deposited assets to the key manager or custodian of your keys.
3. Entitlements: Let’s continue to use the example of the mail slot and keys but instead of a mail slot in your door, your deposits now go to a common communal post office where all of the deposits are collected. Because the third party ‘entitlement’ (I.O.U.) provider has typically had some experience in handling addresses (deposits), keys and security this then seems a reasonable choice to have your deposits collected by them and stored for your later use. All very reasonable and business as usual except that it is not reasonable, and it is not safe in the world of global digital assets.
For the more experienced and more responsible amongst us, we must understand the financial and legal risks:
· entitlements (I.O.U.’s) are not ownership
In our current legal and financial systems, we have traded physical ownership of a thing (a gold bar or a share certificate kept at home) for the ease and facilitation of pooled assets, e.g. mutual funds, ETFs, etc, with a custodian trusted to virtually hold that ownership for us. The challenge is, however, fractional reserve lending and liquidation preferences where ‘all are equal, but some are more equal than others’ when it comes to these liquidation preferences. If all of the customers of a custodian were to ask for the physical assets that each customer had deposited with that custodian, then most custodians would fail and all a customer would get in this scenario would be an indefinite future ‘promise to pay’ with no definitive timeline or hard legal requirement to do so.
· inadequate insurance
One might easily assume online entitlement/custodial companies are the best and most convenient solution available with skills and experience required to handle complex addresses, keys and security. This assumption, however, substitutes a solution with a greater, potentially fatal, risk. Entitlement (I.O.U.) companies normally do not have the $100’s of billions of assets on their balance sheets required to guarantee customer’s deposited assets, nor do they potentially hold the liability insurance they need to cover this risk. If the assets are stolen or lost due to negligence, or if there is an event that causes the equivalent of a bank run, then there is not enough insurance in issuance, or even available in the markets, to cover such losses. Additionally, the entitlement (I.O.U.) companies increase their risk of theft because they appear as a more lucrative target for theft because they have pooled digital assets that are extremely attractive to would-be thieves and fraudsters. Indeed, when it comes to ‘custodian issues’ the UK Share Association report highlighted: “Two online articles by The International Investor explain the position quite nicely, to be found here and here. The following paragraphs are taken from the first of these, after describing how account segregation is meant to protect investors’ interests.
‘Segregation is effectively an honour system, where the broker is expected to do the right thing and keep client and firm assets separate. In some cases, regulators and exchanges will be checking up on their holdings regularly, but obviously they can’t keep an eye on what’s in which account all the time. So the system is open to fraud and abuse. If your stock broker decides to sell or move shares from nominee accounts, they will be able to do so.’
‘And of course, fraud like this is most likely to happen when the firm is on the edge of collapse, needs cash or assets to meet its own liabilities and the temptation to ‘borrow’ client assets for a while to tide them over becomes too great – or simply when the management decides it’s time to loot client assets and retire somewhere with no extradition treaty. So the point at which segregation is likely to offer no protection is just when you need it most.’”· investment in competent resources
With regards to the resource investment and ongoing experience required to adequately manage these assets and any current or future threats to them, the financial commitment is significant. This puts it out of range of only a very few well-funded organisations or agencies. Any delay in providing funding or support for these operations would be gravely serious.
Thus, understanding and mastering digital asset controls is an essential requirement for any individual, institution or organisation seeking to sell, save, operate or use any digital assets in their lives or commercial transactions. The management of every financial institution involved in the digital asset industry equally needs to be fully aware of the limitations, legal and liability issues involved in using these assets on behalf of themselves and of all of their customers. The digital asset industry is increasingly affecting all of our lives and transactions and is offering truly transformative opportunities to our global financial systems and societies. Not understanding their limitations and risks could however have a detrimental outcome to your wealth, health and happiness. As always in the digital asset industry, remember the oft restated adage of ‘not your keys - not your assets’.
This article first appeared in Digital Bytes (1st of October, 2024), a weekly newsletter by Jonny Fry of Team Blockchain.