Commentary: The question of custody of cryptocurrency takes center stage

After years on the sidelines, institutional capital is coming to cryptocurrency. Cambridge Associates recommends that institutional investors should have at least a modest exposure to cryptocurrencies, and a recent survey from Fidelity Investments found that nearly half (47%) of institutional investors believe digital assets have a place in their portfolio, and 22% already own digital assets.

Every institution that invests in cryptocurrency must figure out how to hold the assets securely. With a range of custody solutions now available, investors might find it difficult to know which one best suits their needs.

Given the far-reaching impact a custodian can have throughout an organization, picking the right custodian for your needs is key. At a high level, you should be looking for three qualifications in your digital asset custodian: security, accessibility and yield generation.

Security is the foremost responsibility of any digital asset custodian. Unlike with other asset classes, digital asset theft is untraceable and irreversible. Every custodian claims to be secure, so how can you tell which ones really are?

A custodian's key generation process is the best place to start. If a key is exposed at the outset, no amount of downstream security will be able to protect it. Many custodians attempt to generate keys securely using off-the-shelf general-purpose computers (e.g., laptops) that have never been connected to the internet, in order to protect against the keys being intercepted and copied, but this offline approach isn't enough. You should make sure your custodian's private keys are never exposed to the memory of a general-purpose device at any time in their lifecycle: even one exposure can compromise security.

How the custodian authenticates individual users is equally important. Consider what actions could be taken, and what data would be exposed, if an attacker gained access to your organization's devices, email accounts or passwords. All of these scenarios are relatively common, and demonstrate why custodians must authenticate each user with more than just a password, phone call, direct message or even a YubiKey, a commonly used hardware authentication device.

Custodians should protect all sensitive data and operations with authentication that goes beyond proving possession of a device, and instead proves that the end user really is who they claim to be. This goes for multiperson quorums as well: investors should keep in mind that any multiuser approval process is only as good as the authentication of each individual user.

Finally, digital asset custody must be configured so that assets remain safe if any part of the system is compromised — a personal device stolen, a server breached, a data center intruded, and so on. When evaluating custodians, ask them to diagram their architecture and explain how their system is protected if any part is breached or has an outage.

Institutional investors expect traditional custodians to enable liquidity and ease of trading for their stocks, bonds and other asset types. The same should be true for digital asset custodians, who should provide on-demand asset availability without compromising security.

You should beware of custodians whose architecture involves a combination of "hot wallets" for accessibility and "cold storage" for security. Hot wallets — which store private keys on an internet-connected server — expose assets to significant risk, as hot wallet breaches across a range of exchanges and other service providers account for the loss of digital assets valued in the hundreds of millions of dollars.

Many custodians combat the risks of hot wallets by keeping assets in cold storage, which involves storing private keys offline and managing them by hand. To access private keys in cold storage for transactions, audits or other online operations, cold storage custodians must send personnel to a secure location where the keys are stored. These manual operations expose the keys to risk through human error or malfeasance, and also may involve delays, which can be costly in a volatile market.

Some custodians may attempt to market delays as a security measure. It's common for custodians to use a practice called "time-locking," whereby the custodian waits a minimum amount of time to fulfill a client request such as a withdrawal. But time-locking alone does little to improve security, and instead plays into the common misconception that inaccessibility and security are the same thing. It's entirely possible for an asset that's available in seconds to be better protected than an asset that's available only after 24 hours.

Old and new blockchains now reward active online participation with in-kind dividends, effectively allowing asset holders to earn interest on their investments. These include proof-of-stake mechanisms (coming soon to Ethereum), inflation mechanisms (Stellar), and dividend reward systems (Neo). Custodians must support institutional activity on such chains, and enable investors to maximize returns from their holdings.

Institutional investors seeking exposure to PoS or other on-chain protocols have a fiduciary duty to investors to participate in interest-bearing activities, just as investment managers have a fiduciary duty to limited partners to act in their allocators' best interests. Investors should feel empowered by their custodian to fully participate in the brave new world of cryptocurrencies.

Diogo Monica is co-founder and president of Anchorage, San Francisco, a digital-native custodian for institutions investing in cryptocurrency. This content represents the views of the author. It was submitted and edited under Pensions & Investments guidelines, but is not a product of P&I's editorial team.