Crypto asset secondary service providers: a consultation on proposed licensing and custody requirements

On Monday, 21 March 2022, the Treasury released a Consultation Paper entitled Crypto asset secondary service providers: Licensing and custody requirements (Paper). The Paper follows the Final Report of the Senate’s Select Committee on Australia as a Technology and Financial Centre, released last year.

Our snapshot

The reforms proposed have the potential to give clarity and certainty of regulation for the benefit of industry and to reset the landscape for all secondary service providers within the cryptocurrency ecosystem.

Existing service providers in the cryptocurrency industry including exchanges, market operators, brokers and wallet providers are all in focus for the new regime.

The consultation period is open for submissions until 27 May 2022.

Overview

The Paper provides an insight into how the Government may choose to regulate the growing ecosystem in which crypto assets exist. The Paper also raises a number of questions and requests feedback for various legislative proposals.

The Paper recognises that there is a distinction between crypto assets and financial products, and demonstrates a view towards providing a fit for purpose legislative and licensing regime, which would apply specifically to Crypto asset secondary service providers (CASSPrs).

Notably, the Paper outlines two key legislative principles on which the Government wants to base regulation:

• The regulation of crypto products and services should be connected to the risk they present to consumers; and
• Regulation should be technology neutral and apply consistently.

Put simply, it appears that the Government aims to introduce new legislation that will achieve its stated goals, and rely on existing legislation to regulate products which already meet pre-existing definitions (eg where an asset is a financial product under the Corporations Act 2001 (Cth)) – all while aiming to ensure that where practicable, CASSPrs do not become subject to multiple regulatory regimes. It is suggested that ASIC would administer any regime that is implemented.

The Paper favours a standalone, ASIC administered, regime for the regulation of CASSPrs, but does highlight and seek feedback on alternatives, including:

• regulation under the financial services regime; or
• self-regulation by the crypto industry.

Of course, what will become law will depend on the outcome of the consultation, parliamentary debate and the upcoming federal election.

Proposed definitions

The Government has proposed the following definitions:

1. Crypto asset – a digital representation of value or contractual rights that can be transferred, stored or traded electronically, and whose ownership is either determined or otherwise substantially affected by a cryptograph proof.
2. Crypto asset secondary service provider – any natural or legal person who, as a business, conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

1. 1. exchange between crypto assets and fiat currencies;
   2. exchange between one or more forms of crypto assets;
   3. transfer of crypto assets;
   4. safekeeping and/or administration of virtual assets or instruments enabling control over crypto assets; and
   5. participation in and provision of financial services related to an issuer’s offer and/or sale of crypto asset.

This definition is proposed by the Government as an alternative to the use of ‘digital currency exchange’ (used by the Senate Select Committee), as it is considered a more precise term for capturing the types of service providers in the industry such as brokerage services, dealers and custody services.

Proposed obligations

The paper proposes a CASSPr licensing regime which would be separate from the AFS licensing regime and a number of obligations for CASSPrs and crypto asset custody providers.

The paper assumes that most CASSPrs also provide custodial services and the custodial obligations proposed would also apply, or, if the CASSPrs outsource custody to a third party, the CASSPrs would need to ensure that these entities comply with the custody obligations.

Only one licence type is proposed for CASSPrs who facilitate the buying and selling of crypto assets (exchanges, dealers, brokers) and custodians but the obligations would be graduated depending on the number and type of services offered by the CASSPrs.

The proposed CASSPr obligations largely resemble those which are already imposed on financial service providers, noting that ASIC would also be empowered to grant relief from some or all obligations where warranted.

CASSPr obligations

The proposed obligations for CASSPrs include:

1. do all things necessary to ensure that the services covered by the licence are provided efficiently, honestly and fairly, and any market for crypto assets is operated in a fair, transparent and orderly manner;
2. maintain adequate technological, and financial resources to provide services and manage risks, including by complying with the custody standard proposed in this consultation paper;
3. have adequate dispute resolution arrangements in place, including internal and external dispute resolution arrangements;
4. ensure directors and key persons responsible for operations are fit and proper persons and are clearly identified;
5. maintain minimum financial requirements including capital requirements;
6. comply with client money obligations;
7. comply with all relevant Australian laws;
8. take reasonable steps to ensure that the crypto assets it provides access to are “true to label” eg that a product is not falsely described as crypto asset, or that crypto assets are not misrepresented or described in a way that is intended to mislead;
9. respond in a timely manner to ensure scams are not sold through their platform;
10. not hawking specific crypto assets;
11. be regularly audited by independent auditors;
12. comply with AML/CTF provisions (including a breach of these provisions being grounds for licence cancellation); and
13. maintain adequate custody arrangements as proposed [below].

Custody obligations

The proposed obligations for those who maintain custody of crypto assets (either the provider or via third parties) include:

1. holding assets on trust for the consumer;
2. ensuring that consumers’ assets are appropriately segregated;
3. maintain minimum financial requirements including capital requirements;
4. ensuring that the custodian of private keys has the requisite expertise and infrastructure;
5. private keys used to access the consumer’s crypto assets must be generated and stored in a way that minimises the risk of loss and unauthorised access;
6. adopt signing approaches that minimise ‘single point of failure’ risk;
7. robust cyber and physical security practices;
8. independent verification of cybersecurity practices;
9. process for redress and compensation in the event that crypto assets held in custody are lost;
10. when a third-party custodian is used, that CASSPrs have the appropriate competencies to assess the custodian’s compliance necessary requirements; and
11. any third-party custodians have robust systems and practices for the receipt, validation, review, reporting and execution of instructions from the CASSPr.

While the proposed obligations for CASSPrs and custody providers are similar to those imposed on financial service providers we would expect, given the principles espoused by the paper, for them to be administered in a different manner.

What is your position?

The Paper welcomes submissions in response to the various proposals. The closing date for submissions is Friday, 27 May 2022.

Our Financial Services Advisory team can assist if you would like to understand more about how the proposed changes may impact you or you would like assistance in preparing submissions.

This alert was prepared by Michael Anastas, Partner and Jordan Donaldson, Law Graduate.