
Does the Blocktower crypto hack justify the SEC’s custody accounting rule?


On Wednesday Bloomberg reported that Blocktower Capital’s main hedge fund was allegedly ‘compromised’ and partially drained. It cited insider sources and said limited partners were informed. In public so far there’s been a deafening silence from Blocktower, which has $1.7 billion in assets under management across all funds according to Pitchbook. There are many smart people in the crypto world, but few are smarter than the Blocktower team. This raises the question of who is safe if Blocktower isn’t.

Without details of what happened, it’s hard to assess the cause. Even super smart people are human and make mistakes. Does this shed light on the risks of digital asset custody? We don’t know. Blocktower uses several custodians, and security is not entirely up to the custodians. It’s also the responsibility of the people authorized to access the wallets to safeguard that access.

The same week that the Senate overturns SAB 121

There’s some irony in the timing. Yesterday the Senate passed a resolution to overturn the Securities and Exchange Commission’s (SEC) staff accounting bulletin, SAB 121. The SEC’s bulletin instituted a flawed rule requiring listed companies to put digital assets under custody on the balance sheet. The net effect was to prevent banks from getting involved in crypto custody. It’s hard to imagine this was an accidental side effect that wasn’t envisioned.

The SEC’s motivation was that safeguarding crypto-assets carries ‘unique risks’. One of those risks is people can run off with them, and they’re hard to recover. If that happened to a bank, it could impact the core financial system. Protecting banks seems like a good idea for the large group of people who have no interest in cryptocurrencies or think they’re dodgy.

Except protecting banks is not the SEC’s job. That’s the role of bank prudential regulators.

There’s also a pretty big difference between Blocktower Capital and bank custodians who look after tens of trillions of client assets. Smart people are fallible. To safeguard assets it’s necessary to have boring, pedantic processes that limit risks. Banks have large teams whose entire job is to manage risks, including cybersecurity. It has been previously noted that these banks also have larger budgets to address risks than the likes of Coinbase, which looks after custody for the Bitcoin that underpins Blackrock’s $18 billion IBIT ETF.

Even a Blocktower hack does not justify SAB 121

If the SEC’s intent with SAB 121 was to protect banks from hacks, both the content of SAB 121 and the process were flawed. 

Starting with the process, the SEC claimed its bulletin did not amount to a rule that should be reported to Congress or the Comptroller General. The Government Accountability Office disagreed, judging that SAB 121 is a rule implemented without the proper process because it was “designed to interpret and prescribe policy.” As a result of the inappropriate process, this ‘policy’ was not even approved by the full Commission, let alone subject to external comment. That part of the process might have highlighted some of the issues of tampering with fundamental accounting rules. 

Moving on to the content of the rule, assets under custody should not go on the balance sheet. Period. Balance sheets have features that are designed for managing risks. The most common example is making a provision. Banks frequently make provisions to allow for unpredictable losses against loans they’ve granted. Another way is to disclose details about crypto-assets held in custody as part of the notes.

Frankly, the SEC’s action in reinventing accounting procedures without consultation smacks of arrogance.

By corrupting the accounting rules, the SEC’s bulletin could lead to unintended consequences. In fact, it could result in a risk it expressly claims to address, such as bankruptcy. For example, if an asset is on the balance sheet, can it be subject to a claim by the custodian’s creditors in bankruptcy?

Beyond accounting, another way to safeguard banks is to require crypto custody to be conducted through ring-fenced subsidiaries. For example, Standard Chartered and Northern Trust founded Zodia Custody. While it’s not a bank, Nomura co-founded Komainu.

Custody of digital (traditional) securities is less risky

The SEC also applied the rules to all crypto-assets. Per SAB 121, “‘crypto-asset’ refers to a digital asset that is issued and/or transferred using distributed ledger or blockchain technology using cryptographic techniques.”

Cryptocurrencies may be harder to recover, but the vast majority of tokenized traditional securities require KYC and blockchain-based allow lists. The smart contracts frequently enable token issuers to block or even change tokenized asset ownership. In other words, if there is a hack, not only will the beneficiary be identifiable and arrested, but the issuer can reach in and give the tokens back to the rightful owner. Given KYC is already required, it makes more sense to stipulate the requirement that the issuer has the ability to make corrections rather than making it prohibitive for banks to provide custody.

It’s unclear why the SEC chose not to differentiate between the two groups. Of course, the SEC considers most cryptocurrencies as securities, which means it can’t use the term ‘tokenized securities’. The Basel Committee found a simple way to differentiate between them – tokenized traditional assets versus unbacked crypto-assets.
