In two or three years, mainstream stock exchanges like the ASX and SIX will be using blockchain and distributed ledger technology (DLT) for settlement. With global equity markets alone amounting to $85 trillion of assets, the security of the cryptographic keys that control these digital assets is paramount. London-based startup Trustology plans to meet that security need by providing an institutional grade safeguarding solution.
Trustology is currently a spoke of Consensys, but it’s in the process of being spun out into a separate entity. Trustology founder and CEO Alex Batlin joined from BNY Mellon and previously worked at UBS. During his stint at UBS he was part of the team that conceived the Utility Settlement Coin, the institutional “stable coin” where collateral is held at central banks. Trustology’s leadership team previously worked at RBS, Barclays, UBS, JP Morgan, Nomura, and, most recently, BNY Mellon, the world’s largest custodian bank.
Addressing a pain point
Scalability and security are two of the main technical barriers to enterprise adoption of blockchain and DLT. Last week the DTCC announced that two protocols, Digital Asset’s and R3’s Corda, are capable of supporting stock settlement transaction rates sufficient for the DTCC’s needs, at 6,300 per second.
While there has been progress on scalability, security remains a concern. This year alone hackers have stolen more than $800 million from cryptocurrency exchanges. That’s approaching 0.5% of the total market capitalization. By comparison, if stock market hacks happen, we never hear of them. In 2015 it was discovered that hackers accessed stock market news wires before their release, but that’s not the same as attacking the system itself.
But the size of the nascent cryptocurrency market is small compared to the conventional capital markets. The capitalization of the global Derivatives, Equity, and Bond markets totalled $798.2 trillion at the end of 2017 versus $0.2 trillion today for cryptocurrencies or $0.8 trillion at their peak.
Trustology envisages servicing these larger trillion-dollar markets. “What would market participants need in order to use those assets safely? To translate the current assets into something that is supported by blockchain?” asked Boris Spremo, Head of Operations at Trustology. “If somebody steals your key then you’ve lost the asset. And that’s a very difficult challenge, a very high barrier to adoption in the regulated industry.”
For cryptocurrencies, most people store a small amount of money in their “Hot” wallets, which are considered relatively insecure because the phone or computer they run on is connected to the internet. Larger amounts of money are usually stored in “Cold” wallets such as Trezor or Ledger USB sticks that have hardware safeguards and are kept disconnected from the internet most of the time. These, or paper printouts of the keys, are often stored in safe deposit boxes.
In normal trading conditions, it’s impractical for institutions to spend the time accessing a safe before they can trade. To exploit market opportunities, instant access is essential.
“Cold wallets leave the human in the equation. Then the only attack vector is human,” Spremo explained. “And that means if you hold a lot of value as an investor, private, institutional, or otherwise, you are exposing yourself to all sorts of stuff.”
So Trustology’s aim was to combine the convenience of a hot wallet with the security of a cold wallet while also removing the human risk.
How it works
Trustology’s solution has two versions. There’s a mobile app targeted at high net worth individual (HNWI) investors and an API for institutions.
For the private investor version, the mobile app is not used to store the digital asset keys; it is used for identification. For now, the Trustology app will only be available on iPhones because they have a special hardware Secure Enclave feature, which is similar to the USB stick cold storage wallets.
A few Android phones are coming out with similar features such as HTC’s Exodus, though it remains to be seen if they will meet the same security threshold.
Trustology’s phone authentication process includes biometrics such as face or touch ID, multi-factor authentication like SMS messages, and more.
Once a user authenticates and initiates a transaction, the message is protected against tampering and securely sent to one of Trustology’s military-grade data centers. Trustology’s solution processes the instruction that was received from the app, and if all is in order, a real blockchain transaction is executed. The whole procedure takes under a second.
And if a user loses their phone, they have to call Trustology to go through identity and verification checks, in a similar way to when someone steals your wallet. The old phone will be barred from initiating transactions.
Trustology’s infrastructure secures both the keys and the secure code that generates transactions. The data centers don’t allow entry to strangers and people cannot access the equipment. If someone attempts to tamper with the equipment, it will wipe itself.
However, there’s full redundancy so if the contents are deleted or an entire data center fails, it will switch to equipment at a different location.
If the honeypot is secure, what other attack vectors could there be? It likely would come back to a human attacker, something that Trustology claims it has several safeguards against.
Instead of hosting in the data center, institutions can choose to host Trustology’s technology stack on their own infrastructure as they do with their current systems. And in addition to communicating via APIs, they’re also exploring using the sort of messaging systems common in current securities trading platforms. That might include SWIFT MX or MT messages.
There’s a difference between providing technology that safeguards the assets and acting as legal custodian. In Trustology’s case, its responsibilities are purely technological, and they have no legal hold over the assets. Hence, they don’t have the same fiduciary duties and capital requirements that custodians take on.
That raises the question: if something goes wrong, who pays? Trustology is considering insurance as an add-on service. The final details are not yet settled and Spremo commented: “The insurance market, I would say at this point, is constrained and driven by supply. At the same time, as regulated assets migrate to DLTs, insurers will follow suit, thus giving our clients the assurance that they need.”
At the moment, with cryptocurrencies live and primary capital markets waiting to migrate to DLT, Trustology is beta testing its system with friends and family. Trustology plans to roll out a private release in the next few months, with a public launch early next year.
But Trustology faces considerable competition, not least from BitGo, which last week announced a $57.5 million series B round that includes Goldman Sachs. BitGo already boasts $15 billion in transactions a month and several high-profile clients. Yesterday Coinbase revealed it has landed a New York custody license. Last week, security company G4S announced a U.K. crypto custody service for offline storage.
However, Trustology has the pedigree of both its former BNY Mellon team and Consensys backing. Additionally, it appears to have a different technical approach. Time will tell whether that’s sufficient. But Trustology is off to a good start because as Spremo said: “it’s really about making things accessible.”