Under lock and key? Regulating private key custody in the crypto industry – Fin Tech

To print this article, all you need is to be registered or login on Mondaq.com.

Following the release of a Treasury Consultation Paper
(TCP), submissions to which closed last week, the Federal
Government will consider feedback on a proposed licensing regime
that would regulate digital currency exchanges and impose
obligations on the custody of private keys, similar to the
Australian Financial Services Licence (AFSL) regime.

Private keys are strings of characters that allow the holder to
execute full control over the crypto assets contained in the
corresponding wallet. Many digital currency exchanges
(DCEs) store users’ private keys to a range of
underlying wallets, allowing them to trade a variety of crypto
assets while only needing to remember a single password to their

Given their sensitivity, the proposed regime would impose
obligations on the storage of private keys by DCEs as well as a
broader range of crypto platforms. The consultation is part of a
series of ongoing reviews into Australia’s payments system,
spurred in part by the concern that new crypto platforms holding
private keys may pose significant risks to consumers, following the
failure of several DCEs in Australia.

In this insight, we discuss the model and alternatives proposed
by the consultation paper and some key implications for

The Treasury Consultation Paper
(TCP) addresses some of the previous

Crypto asset secondary service providers

The Senate Select Committee that predated the TCP only
considered DCEs. Under the TCP’s proposal, the scope of
regulation would be broadened to ‘crypto asset secondary
service providers’ (CASSPrs) – platforms that
facilitate exchange, transfer or storage of crypto assets. This
expansion would capture a much larger variety of service providers
than previously contemplated, including payment gateways and
digital wallets.

Notably, the TCP expressly contemplates the possible capture of
non-fungible token (NFT) platforms. NFT platforms
may not currently have the same level of cybersecurity measures in
place that DCEs do, which would be required under the private key
custodian obligations.

Proposed licensing regime for CASSPrs

The TCP proposes a licensing regime for CASSPrs that would be
similar, but separate to, the Australian Financial Services
licensing regime. This regime forms the foundation for further
obligations that are specific to the custody of private keys. The
conditions of each CASSPr’s licence would depend on the number
and type of services they offer. The TCP proposes that this licence
would carry obligations on CASSPrs to:

  • do all things necessary to ensure that: the services covered by
    the licence are provided efficiently, honestly and fairly, and any
    market for crypto assets is operated in a fair, transparent and
    orderly manner;
  • maintain adequate technological, and financial resources to
    provide services and manage risks, including by complying with the
    custody standards;
  • have adequate dispute resolution arrangements in place,
    including internal and external dispute resolution
  • ensure directors and key persons responsible for operations are
    fit and proper persons and are clearly identified;
  • maintain minimum financial requirements including capital
  • comply with client money obligations;
  • comply with all relevant Australian laws;
  • take reasonable steps to ensure that the crypto assets it
    provides access to are ‘true to label’;
  • respond in a timely manner to ensure scams are not sold through
    their platform;
  • not hawk specific crypto assets;
  • be regularly audited by independent auditors;
  • comply with AML/CTF provisions; and
  • maintain adequate custody arrangements.

Proposed anti-money laundering regulation

One notable proposed requirement is the obligation of all
CASSPrs to comply with the Anti-Money Laundering and
Counter-Terrorism Financing Act (AML/CTF Act).
Currently, only DCEs are required to register with AUSTRAC for
AML/CTF purposes. Further development of these requirements, and
broadening of organisations captured, may be made difficult by the
fact that transactions facilitated by CASSPrs often run on
self-executing code and may be designed to preserve anonymity.
Developing the AML/CTF framework to accommodate CASSPr compliance
may challenge the TCP’s stated desire for this legislation to
be ‘technology neutral’.

Private key custody regime

In addition to the general obligations, the TCP proposes a
series of specific obligations for the safekeeping of private keys
by CASSPrs. The proposed regime is modelled to some extent after
the existing custodial services regulatory regime, and would
require CASSPrs to have requisite expertise and infrastructure,
implement independently verified cybersecurity practices and adopt
multi-factor (or similar) authentication. It would also create a
process for redress and compensation in the event that private keys
are lost.

One proposed requirement that may impact CASSPrs is the
obligation to ensure consumers’ assets are appropriately
segregated. Many crypto asset investment platforms pool
consumers’ assets, consolidating the net orders in a given time
period, and honouring orders to fund or withdraw from accounts.
This may be because CASSPrs lack the technical infrastructure or
risk frameworks to execute separate orders for individual

The proposed regime may require significant additional
regulation to support the cybersecurity obligations. The existing
custodial services regulatory regime has demonstrated the need for
clear standards particularly regarding the independent verification
obligations. If such a regime is implemented, it is likely that
there will be an even greater need for articulation of clear
standards given the diversity of crypto assets.

Alternative proposals

The TCP has proposed two alternative models to the licensing and
custody regime outlined above:

  1. Requiring CASSPrs to hold an AFSL. CASSPrs
    could be brought under the remit of the AFSL by amending the
    Corporations Act to specifically include crypto assets as
    financial products.
  2. Self-regulation by the crypto asset industry.
    The crypto industry could develop its own code of conduct. The TCP
    notes that this approach is similar to that followed in the US and
    UK, but acknowledges that both jurisdictions are considering
    additional regulatory obligations for crypto assets beyond the code
    of conduct.

What happens next?

Treasury will attempt to ‘map’ crypto assets and the
networks which they operate on so as to develop a framework for
their regulation by the end of 2022. This will involve another
consultation paper being released. The Board of Taxation is also
due to release a report on taxation of digital transactions and
assets by the end of 2022.

CASSPrs, and the private keys they hold, are likely to face
greater regulation in Australia. At this stage, it remains unclear
which exact model will be developed, and how broad its reach will
be. However, it appears likely that it will share significant
similarities with the licensing and custody regime under current
financial services legislation.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

Lawyers Weekly Law firm of the year
Employer of Choice for Gender Equality

POPULAR ARTICLES ON: Technology from Australia