Cold Storage Won't Stand up to Regulation

by Anthony Foy, CEO at Qredo

Published May 29, 2019 10:13:45 AM

As awareness of cryptocurrency grows, forward-thinking governments have put the ecosystem under the regulatory spotlight, and are beginning to issue guidelines, erect regulatory frameworks, and enact laws to govern this new asset class.

Some of the most progressive regulators—from Mauritius to Wyoming—are recognizing the unique decentralized nature of cryptocurrency, and issuing guidance that suggests existing custodial solutions like cold storage will be unable to stand up to the next wave of regulation.

In the current storage paradigm, custodians receive their customers' cryptocurrency at addresses owned by the exchange, and then rely on inaccessible cold storage vaults to safeguard the private keys behind these wallet addresses. While this is marketed as being secure, it represents a transfer of ownership—turning exchanges from simple crypto custodians into unregulated depositories that effectively have full ownership over the assets in their care.

This direct form of ownership is not only against the ethos of bitcoin, but is ultimately not viable from both a practical and regulatory standpoint.


Practical Problems

Just like grandma stashing cash under the mattress, cold storage is designed to make private keys as inaccessible as possible — protected by air-gapped hardware wallets, completely disconnected from the internet, or even scattered over several different geographic locations in reinforced safety deposit boxes.

But taking the “internet of money” offline means that many of the promises of decentralization — like round-the-clock availability and instant transactions — are lost.

This style of storage might be suitable on a small scale for individual investors looking after their own funds, but represents a backwards move for digital asset custodians who might hold billions of dollars' worth of assets on behalf of clients.

When these assets are shunted offline to cold storage, a trade-off is made between security and convenience, one that loses out on some of the advantages of decentralization.

Instead of being readily available, crypto assets are made illiquid; divided between multiple hardware wallets, many of which can often only support a few currencies each, and protected by a bureaucratic withdrawal process.

When the funds are needed, the keys must be imported into a hot wallet before being used, and for this process to be secure, crypto assets must pass over several speed bumps along the way.

Depending on the setup, this might involve multiple different parties checking the assets, various levels of authorisation, or multi-signature requirements that must be completed in a specific order before assets can be transferred. All in all, it is a process that can take from two hours up to seven days, and incur transaction fees on the underlying blockchain.

For exchanges relying on liquidity, this process is far from ideal, and can result in clients losing out on immediate access to important trading or commercial opportunities.

What is gained in security is lost in convenience, and also in functionality — assets locked in cold storage are unable to take immediate advantage of blockchain dividend schemes, receive freshly forked cryptocurrencies, or participate in blockchain governance.

While these might be annoyances, the biggest problem with custodial cold storage is the paradigm itself — exchanges storing crypto with this method hold users' cryptocurrency in an address on the blockchain that is under exchange ownership, and then credit the customer with the appropriate amount of cryptocurrency.

In terms of legacy finance, this means they are acting not as a custodian, which holds customers' assets for safekeeping, but as a depository, which has legal ownership over those assets and is responsible for controlling them according to the established laws and regulations.

Sitting in a custodial cold wallet, the crypto assets are under exchange ownership, meaning customers have no way to accurately check that their balance matches the amount of crypto in custody, and must place absolute trust in the exchange.

This is not only antithetical to the ideal of crypto, removing the autonomy and privacy of market participants, but is also incompatible with emerging custodial regulations.

Regulatory Problems

Since the Investment Advisers Act of 1940, any fiduciary — that is, any person or institution that holds assets on behalf of another entity — must use an independent custodian if they hold more than $150 million in assets.

But fiduciaries cannot choose just any custodian. This custodian must be regulated, which creates a barrier to institutions wanting to enter the crypto space, where regulations are still emerging.

But while they might not yet be fully defined, authorities around the world are starting to formulate the rules that will soon define how crypto custodians must act.

In January 2018 the SEC published a letter asking how cryptocurrency funds would prove exclusive ownership and safekeeping of digital assets, and how custodians would maintain the liquidity of a high proportion of those assets — both concerns that are difficult to resolve using cold storage.

Federal regulator FinCEN issued a guidance sheet in May that applies to all manner of businesses dealing with cryptocurrency. This distinguishes between two types of storage: unhosted wallets—where the private keys and associated value remain under control of the owner, and hosted wallets—where the host has total independent control over the private keys controlling the assets, and is only “contractually obligated to access the value only on instructions from the owner.”

These hosted wallets, which represent the most common storage method of cryptocurrency platforms, are considered subject to Money Services Business (MSB) regulation, putting them in effectively the same category as banks, and making them subject to the same stringent application process.

Since then, several smaller states have started to push ahead with regulations that respect the idea of a directly owned peer-to-peer currency, and suggest that custodial cold storage is an inadequate solution.

Wyoming, the cowboy state synonymous with rugged individualism, has pioneered laws that recognize direct property rights for individual owners of digital assets, applying the very same rules that are used for ordinary currency.

The proposed custodial framework reflects this. Unlike the present situation, where investors must effectively surrender ownership of assets, Wyoming custodian investors will still own the digital assets held with the exchange as a bailment, meaning that although control over the assets is given up, ownership is retained, just like leaving your car with a valet — a form of custody that is not possible when private keys are surrendered to cold storage vaults.

As part of a drive to be the fintech hub of Africa, the Republic of Mauritius is also pushing ahead, and has devised the world’s first digital asset custody regulatory framework.

Developed following consultations with the Organisation for Economic Cooperation and Development (OECD), this gives a clear indication of what will be required of crypto custodian services, which will be expected to comply with anti-money laundering (AML) rules that continue to get more stringent.

Licensed custodians would have to follow guidelines for the storage of digital asset keys and seeds that are in line with international AML guidance. This includes demonstrable security procedures for onsite storage of assets, and a system for the detection and reporting of suspicious transactions.

While this isn’t necessarily impossible to achieve with cold storage, the lack of transparency and openness, and shared custodial accounts, make it more difficult to provide the audit-ready records and transparency that can immediately satisfy regulators.

While Bitcoin has ushered in a new era of monetary sovereignty, it is now time for custodians to step up and provide the infrastructure that allows this to be reflected in practice — a cause that the rulemakers seem to be fully on board with.

