This is the fourth blog in a series about infrastructure for protecting tokenized assets.
To recap: “Do-it-yourself” (DIY) – or in-house, self-built solutions – rely heavily (or exclusively) on internal resources (for setup, execution, and maintenance) to build and maintain their transaction signing and cryptocurrency holding systems. Security-as-a-Service (SaaS) vendors handle the security aspect of tokenized asset management as a rented service.
Since custodians’ needs differ from other digital/tokenized asset services, this article will focus specifically on considerations in the crypto custody space: higher risk and compliance.
The demand for custody services continues to grow, and analysts predict a fully upward trend of mainstreaming cryptocurrencies, security tokens, and tokenized assets into the traditional financial services industry over the next 3-5 years.
Between the growing mainstream adoption of digital assets in the financial sector and the inherent vulnerabilities of blockchain-based assets, robust service availability, security, and resilience will become more important than ever. As the volume of assets protected grows, so does risk – and the security of held assets is the lynchpin for custodian service reputability in any context (fiat or otherwise).
Most regulation regarding custodians centers around rigid compliance measures to lower that risk, and to ensure clients’ considerable account holdings remain protected.
Compliance is important to increase trust as well to decrease crime (i.e. money laundering.)
To properly safeguard assets, digital asset custodians must comply with financial regulations in the regions where they operate (e.g. FCA in the UK, the federal Investment Advisers Act, state-level regulations in the US) by implementing KYC/AML processes, segregation of duties,
The path to compliance is still evolving. To prove their trustworthiness and readiness to serve institutional investors, to date, digital asset custodians are making efforts to comply with existing custody regulations that apply to fiat asset classes and derivatives, or internally enforcing compliance to traditional custody regulatory requirements.
Why Infrastructure Matters
Cold storage still is, and will remain, the gold standard for securing assets of any class in a custody environment. However, while offline storage provides strong key disclosure protection, there are additional aspects to consider such as access controls, transaction approval policies, redundancy and backup architectures. These, too, are critical in keeping clients’ holdings secure – and could make or break the underlying security and efficacy of a holding system in the event of a breach or a sudden regulatory change.
Here are critical questions CISOs should ask when evaluating the efficacy of DIY or SaaS systems in light of the above considerations:
When managing a self-built, in-house system:
- Is your security or IT team able to consistently enforce the same compliance checks across all workflows?
- Would your team be able to quickly change those workflows in the event of a sweeping regulatory change?
- What time/manpower investment is the organization taking to implement, maintain, and change workflows?
- Does your organization have the cryptographic expertise in-house required to ensure risk aversion at scale?
When outsourcing security to a SaaS custody vendor:
- Do you trust your SaaS provider to quickly, safely, and efficiently implement sudden changes to workflows or compliance systems?
- Is the vendor insured?
- Will your SLA cover high losses in the event of a breach?
- What kind of cryptography or key management does the SaaS provider use to protect the assets? Is it tailored to the specific needs of blockchain keys?
In a rapidly-evolving market and regulatory environment, security – and flexibility – are keys to success. The infrastructure your team or infrastructure chooses to secure digital assets must incorporate the specific needs of blockchain key security, added measures of risk aversion and management for the custody space, and strict adherence to compliance and regulation.