Ask the Expert: What risk management practices do Qualified Custodians employ to safeguard digital assets?
We sat down with Sam Auch, our Group Product Manager, Trust, for a discussion about which risk management practices institutions should look for when selecting a qualified custodian.
There will always be a need to protect valuable items from theft or destruction, and cryptocurrency is no exception. However, the unique aspects of cryptocurrency that make it revolutionary also make it challenging to adequately secure. The poor management that leads to failures of businesses like FTX and Prime Trust has made crypto custody a focal point for retail and institutional investors alike.
Bakkt’s Wave 2 Crypto Tracker found that the most important area of concern for retail customers when assessing crypto service providers is risk management practices.1 Unfortunately, security practices vary greatly across custodians, and choosing where to store your assets should be taken seriously.
Institutions and their customers should carefully evaluate several essential aspects to ensure peace of mind and the protection of their holdings. So, what should institutions look for when it comes to selecting a crypto custodian? In this article, we'll explore the most important considerations including company structure, systems architecture, and operational policies. Here are the three key takeaways:
1. Company structure
Custodians fall into two buckets: qualified and unqualified. Qualified custodians (QCs) are companies chartered as state or federal trust companies or banks. These institutions undergo extensive reviews by the relevant governing bodies to ensure technical and operational best practices. Bakkt has earned QC status by forming a separate Trust company subsidiary, incorporated in New York state where the digital asset regulatory regime is most comprehensive. Additionally, Bakkt installed a separate Board of Managers to help enforce Bakkt Trust LLC’s status as its own autonomous entity focused on the security of customer funds.
2. Systems architecture
Cryptocurrency is tracked on a blockchain through cryptographically secure wallet addresses. It can only be moved by using a long string of letters and numbers called a private key -- and custody revolves around the management of cryptocurrency private key material. Bakkt employs robust encryption techniques, multi-signature wallets and multi-party computation (MPC) as well as secured enclaves to safeguard private keys. Regular security audits, penetration testing, and SOC testing are all used to ensure the system is operating as it should.
3. Operational policies
Even the most well-laid custody systems require people to manage them. Custody providers should have an educated operations team whose responsibility is to manage and maintain the custody system. Teams should have segregation of duties, and no single person should have super user rights. Operations teams with experience in the industry and deep understanding of the unique aspects of the digital asset ecosystem are a massive value add. It's a good idea for institutions to speak with the custodian's operations team before sending over any digital assets. The Bakkt® Custody operational team and its procedures draw from experience at the Intercontinental Exchange, and are designed from the ground up to employ information security best practices.
Selecting the right crypto custodian is a critical decision that demands meticulous assessment. Institutions should always prioritize company structure, systems architecture, and operational policies when evaluating potential custodians. Institutions should have a comprehensive understanding of these key aspects to make an informed choice that aligns with investment goals and risk tolerance, safeguarding digital assets for years to come. Retail investors should review their service providers' custody due diligence to ensure that their institutions take the matter seriously. At the end of the day, great custody mitigates risk and benefits everyone.
Sam Auch is Bakkt’s Group Product Manager, Trust. He most recently served as Product Manager for Exodus, a premier retail wallet company where he worked with leadership, engineering, and customer support to help support the most desired assets and networks. Prior to Exodus, Sam spent almost four years working for the international accounting firm RSM’s digital asset team. Sam helped develop and grow the digital asset practice at the firm, first through audit, tax, and consulting work, helping clients correctly account for digital assets on their balance sheet, understand the tax consequences associated with decentralized finance activity, and review controls around wallet key management. Sam ended his time at RSM designing, creating, and leading their blockchain and crypto fellowship program, which was designed to take employees at all levels from zero to bitcoin. He is a former CPA and holds a BBA in Accounting from James Madison University.