On the opening day of the 2021 City Week conference, Freshfields partners Mark Kalderon and Cyrus Pocha, and senior associate Claire Harrop, chaired a session looking at the complex legal and regulatory situation surrounding the custody of cryptoassets. The discussion focused on three key topics – how custodians hold cryptoassets (including what they are in a legal sense), what custodians can do with them (and how this affects their legal position), and what (if any) financial regulations apply. Here are some highlights.
What are cryptoassets in the eyes of the law?
Cryptoassets are intangibles, which under English law are typically not regarded as property that can be possessed. However, in 2019 the UK Jurisdiction Taskforce – a body comprised of members of the judiciary and government officials that was formed to advance legal thinking around fintech – concluded that cryptoassets can be considered a form of property under English law, a position that has subsequently been validated by the courts (see our blog post here).This determination is important in the context of crypto-custody.
Having said this, there is currently no agreed legal methodology to determine which law or legal structure should be applied to cryptoassets. In order to advance the ability of institutional investors, funds, custodians and depositaries to play a more active role in the space, such questions need to be resolved.
Who owns cryptoassets?
The issues of ownership and control are important ones for custodians, to prevent fraudulent transfer and guard against third parties claiming title. Cryptoassets are typically accessed by a combination of a public key (a numerical code held on the distributed ledger) and a private key which is required in order to affect transfer of the cryptoasset. Holding the private key is therefore a means of controlling the asset, but is it an indication of ownership, too? Again, the UK Jurisdiction Taskforce concluded that under English law, the answer is ‘yes’. For a custodian looking to gain good title over the asset, the identity of the private key-holder is therefore the best way to determine ownership. But the position is not clear cut and there are some within the industry who suggest that an entity can only show ownership by holding the private key and taking reasonable steps to ensure that there isn’t a duplicate or something else that can be used to move the assets around. The question of ownership is important in the context of a cyber-attack in which cryptoassets are stolen – if the possession of the private key equates to ownership, does the legal title of the cryptoasset transfer to the hacker that hacks the private key?
How is ownership of cryptoassets transferred?
Legal theories have built up over time to safeguard the transferees of traditional assets, but no body of law exists in relation to cryptoassets. In practice, applying the private key to the public key creates a new piece of code, which in essence creates a new asset. From a legal perspective this may provide some comfort in ascertaining good title, since no one else, by definition, can hold or can have held that asset. In other words, once the private key has been applied and the transfer of the asset has been recognised on the ledger, there’s little likelihood of someone else being able to assert a conflicting interest.
What can custodians do with cryptoassets?
Assuming cryptoassets are a type of property (at least under English law), the way they are held, and the legal relationship between custodian and client, goes to the heart of the client’s rights and the protections that exist should things go wrong.
Depending on the asset in question and the ledger involved, the custodian may be listed on the ledger as the person holding the asset or to whom the asset has been transferred. In this scenario, the most likely relationship is one of trustee and beneficiary, although there are other potential legal characterisations including outright transfer, quasi-bailment and simple contractual obligations, each with differing implications.
Rather than holding the asset absolutely, the custodian holds the asset on trust for the client (ie on its behalf). In this scenario, the custodian holds the legal title to the assets but is not the beneficial owner. Under English law, trustees are subject to a set of obligations: to act in the best interests of the client, to avoid conflicts of interest, and to observe a duty of care (ie to take precautions of the type an ‘ordinary man of business’ would take in managing his own affairs). For a trust relationship to arise there need to be three certainties – certainty of object, of subject matter and of intention – and what must be intended is that the custodian cannot have free use of the asset in question. If cryptoassets are held on trust they do not appear on the custodian’s balance sheet, and were the custodian to fall insolvent, the assets would simply be returned to the client as the beneficial owner.
Outright legal transfer
This is similar to a traditional banker/customer relationship, where English case law states that outright title to, and beneficial interest in, the asset is transferred to the custodian (ie the customer deposits money with the bank, whose only legal (contractual) obligation is to return an equivalent sum on demand.) Here, the client only has a contractual claim in the event the custodian becomes insolvent, and the custodian is subject to capital gains tax (and potentially also a capital charge) as the assets are held on its balance sheet. This type of relationship is therefore unlikely to be favoured in relation to cryptoassets, particularly given the recent papers published by Basel committee around the likely capital charge of doing so (which could be prohibitively expensive for riskier assets such as bitcoin and dogecoin – see our recent blog post here).
A third potential scenario would be a quasi-bailment relationship, whereby the client voluntarily transfers possession of the asset, but not the legal title, to the custodian. Under English law you cannot have a bailment of intangible assets, but there has recently been a call for evidence by the Law Commission which includes questions around how the bailment of digital assets might work in practice. If such a relationship were to exist, certain common law duties would apply (such as a general duty not to convert the goods and to protect them from theft, loss or damage), although the extent of these duties would be determined by the contractual relationship between the custodian and its client.
Simple contractual obligations
In this scenario there is no outright title transfer, trust or quasi-bailment. The legal relationship between client and custodian (whereby the custodian is authorised to deal with the client’s cryptoassets on its behalf) is only in contract and does not relate to the client’s property rights. This could be the legal analysis for intermediaries who claim they are ‘providers of technology’ rather than custodians, and therefore have no legal obligations in relation to the asset other than as service providers.
What regulatory rules apply?
There is a growing acceptance that certain fund types should be able to invest in cryptoassets, and therefore increasing pressure on the providers of custody and depository services to extend their offering to include cryptoassets. However, the complex legal and regulatory backdrop that surrounds them makes it hard for these entities to calculate the risk they are exposed to by being part of the cryptoasset value chain. How does the law view the assets in question, and indeed which law applies? Whether or not the asset can actually be held in custody will determine which provisions of the EU’s Alternative Investment Fund Managers Directive (AIFMD) and the UK’s on shored regime will be engaged.
In Germany for example, bitcoin is considered a financial instrument and is therefore within the regulatory perimeter. By contrast, in the UK bitcoin is unregulated, which dramatically changes the risk position for the custodian and depositary on the one hand and the fund on the other. The proposed EU Markets in Cryptoassets Regulation (MICA) includes within it a liability regime for custodians, making them liable for the entire market value of assets they hold in the event of a loss but the position in the UK is far less clear. Getting comfortable with these risks (or at least being able to quantify them) is a major challenge when considering the unclear legal position and the unique risks that apply in this area including, for example, the risk of cyber attacks.