The recent failures of FTX, Voyager, Celsius and other cryptocurrency exchanges have rocked the already fragile confidence of the crypto market. The hope that crypto can remain largely unregulated, or even lightly regulated, certainly ended with the FTX flameout.
Industry advocates, which until recently included FTX founder Sam Bankman-Fried, have been calling for reasonable regulation of the crypto market in hopes that being part of the conversation would help achieve a more modest level of regulation. Based on articles and commentary in this publication, crypto advocates have long argued against designating the Securities and Exchange Commission as the industry's primary regulator. The dream would be an industry run self-regulatory body.
Called by some the worst case of financial fraud in U.S. history — a pretty high bar considering the many instances of financial fraud in our history — FTX laid bare the reality that without effective regulation any hope of preventing hucksters and dilettantes from making off with customer assets is a pipe dream.
FTX, Voyager and other defunct crypto exchanges have one thing in common: a complete failure to hold assets credited to customer accounts, including crypto and cash, safely in custody. Indeed, Voyager even made the preposterous claim that customer cash it held was insured by the Federal Deposit Insurance Corp. if Voyager failed, a claim that has already prompted regulatory action by the FDIC.
Crypto exchanges dealing in products that are not "securities" under the federal securities laws are currently regulated as "money transmitters" by one or more state banking authorities. Let's agree that these laws were not designed to regulate firms facilitating trading in investment assets.
We can also agree that an agency regulating firms holding financial assets for customers, including crypto, should have the authority to: (i) adopt regulations establishing requirements for holding customer assets in custody (ii) regularly examine market participants for compliance with those regulations; and (iii) enforce regulatory violations. All the federal banking regulators, as well as the SEC and Commodity Futures Trading Commission, have this authority over the firms they supervise.
If a new agency is created, it would need the same regulatory authority.
Debates over whether crypto that is not a "security" should be regulated by an existing regulatory body or by a new regulatory body are inevitable. But the debate should also focus on how to ensure that customer assets are being held securely.
No matter which direction Congress decides to take in designating an agency to regulate crypto, it should consider the SEC's so-called financial responsibility regulations in establishing standards for crypto custody. While the federal banking regulators examine banks for their custodial activities, they have not adopted rules with the same level of specificity.
The SEC's financial responsibility regulations, known as 15c3-3, set forth a broker's obligations with respect to holding customer assets. The regulations start with the common-sense concept that a broker must maintain "possession or control" of customer securities and cash. This must be accomplished by the broker either holding the securities itself (possession) or in one of the enumerated control locations, such as a bank or a registered clearing corporation (control).
To ensure that the broker is holding the same amount of securities as are credited to its customer accounts, the broker must regularly reconcile its customer records with the records of the issuers, if it is holding the securities, and the records of any intermediaries holding securities for it.
A broker may borrow customer securities, but only with specific authorization from the customer. In doing so, the broker must post liquid collateral, limited to cash or government securities, equal to the market value of the securities, adjusted daily.
Uninvested customer cash, typically funds resulting from interest and dividend payments and the liquidation of securities, must be placed (locked up) in a segregated account at a bank if a customer has not provided direction on investment.
The rules also address arrangements where a customer has authorized the broker to automatically invest, or "sweep," uninvested funds into shares of a money market mutual fund or deposit accounts at one or more banks. Customers must provide written authorization to the broker to sweep the funds after being provided a description of the product.
A broker claiming FDIC insurance coverage for customer funds deposited in banks through a sweep program must obtain an opinion of outside counsel that FDIC insurance is available.
It's also worth noting that custodial risk — i.e., the risk that a broker will lose or steal customer securities — is insured by the Securities Investor Protection Corp. within specified limits. While the SIPC is not without controversy, customers of Bernie Madoff did receive some protection from it. A similar insurance arrangement is worth considering for crypto.
Brokers are examined by the SEC and the Financial Industry Regulatory Authority specifically for compliance with the 15c3-3 rules and violations are taken seriously. Unfortunately, in the case of Madoff, the examiners ignored the red flags that Madoff was not holding securities in compliance with the rules. This failure substantiates the need for rigorous examinations to ensure regulatory compliance.
While the SEC may not be the appropriate agency to regulate crypto that is not a security, its approach to regulating custodial relationships should serve as a model for policymakers.