On Monday, July 8th, FINRA and the SEC took the unusual step of issuing a joint statement on broker-dealer custody of digital asset securities. In doing so, the Staffs of the SEC’s Division of Trading and Markets and of FINRA’s Office of General Counsel made clear that the SEC and FINRA will continue to apply the existing regulatory framework to the rapidly evolving world of digital assets.

The joint statement notified market participants that any entity that buys, sells, or otherwise transacts in, or effects transactions in, digital asset securities, may be subject to federal regulations, including regulations that may require them to register with the SEC as a broker-dealer and become a member of FINRA.

The joint statement focuses on the Customer Protection Rule, noting that any entity that acts as a broker-dealer must comply with that rule. The Customer Protection Rule requires broker-dealers to safeguard customers’ assets and keep them separate from the firm’s assets, which makes it more likely that a customer’s assets will be returned if the broker-dealer fails. Given the potential for cyberattacks on digital assets trading platforms, and given the way digital asset securities are issued and exchanged, the Customer Protection Rule can present challenges to broker-dealers operating in the digital asset space.

FINRA has received New Membership Applications and Continuing Membership Applications from new and existing broker-dealers that wish to engage in broker-dealer activities involving digital assets. The Applications show that broker-dealers are considering two types of business models. Some broker-dealers are considering providing non-custodial services when it comes to digital assets, which means that the broker-dealer would engage in transactions without ever taking custody of the digital assets (for example, by trade-matching or providing introductions).

Other broker-dealers are pursuing a business model that involves custodying assets. The joint statement noted that broker-dealers that wish to custody assets may find it difficult to comply with the Customer Protection Rule. Fundamentally, the unique way that digital asset securities are issued, held, and transferred makes it challenging to comply with the requirements of the Rule, which requires that a good control location is established and verified. There is an increased risk to the assets from cyberattacks and resulting fraud or theft. Further, transfers to unknown or unintended addresses may leave the broker-dealer without a means to reverse the transaction or otherwise recover the assets. The statement also acknowledges that the issues of establishing the existence of the asset, or establishing that it is in a good control location, also present challenges for the firm’s independent auditor in completing the audit and evidencing their review. The staffs of the SEC and FINRA expressed their desire to engage with market participants, as market participants continue to develop technology that might provide solutions to custody issues.

While it is unusual for the SEC and FINRA to issue joint statements, this statement is similar to other SEC pronouncements in the fintech field in that it expresses a desire to engage with, and learn from, market participants, and makes clear that the existing regulatory framework applies to this rapidly evolving field.