Custody Without Coverage

AnchorWatch
Oct 24, 2023

What Are You Paying for?

By: Becca Rubenfeld, AnchorWatch Cofounder

What happens when a custodian fails?

What is a bitcoin custodian? At its most basic, it’s a business that holds onto a piece of data on behalf of a customer. Bitcoin itself is a decentralized asset that is secured via private-public key pairing, so to have custody of the private keys is to have custody of the bitcoin itself. For a custodian to be a viable business that will attract paying customers, the security surrounding the data storage must be very robust to the point of approaching failsafe. However… failsafe custody has eluded bitcoin owners even as industry best practices have improved over time. Hacks, attacks, internal bad actors and loss of keys have continued to create irrevocable losses for bitcoin owners and their custodians.

As a bearer asset, the cryptographically encoded data that acts as the record of ownership of bitcoin cannot be replaced if lost. When a custodian holds private bitcoin keys on behalf of a customer, whether in a named segregated account or in a commingled omnibus account, they are assuming the supreme responsibility of the data’s security.

So… what is responsibility without accountability? What would the custodian do to reimburse the bitcoin owner if a loss occurred? Would they cover the loss? If so, how — do they have sufficient resources denominated in either bitcoin or in fiat (sufficient to purchase bitcoin at market rate) to make the customer whole? Even if they have the resources to cover a catastrophic event, would they willingly reimburse the customer or would they point to a loophole in their terms of service, forcing the customer to either eat the loss or engage a legal team at their own expense to attempt to recover the value of the bitcoin? What has the custodian actually promised (if anything) in their terms of service? Would a major loss result simply and painfully in a bankruptcy, leaving the customer empty-handed? Does the custodian hold an insurance policy? What does it cover and what does it exclude? Is the customer the recipient of a benefit payment after a loss, or the custodian? If the custodian, have they provided the customer with a warranty or other guarantee that the benefit payment will be passed through to them in the case of lost funds? How large is the insurance policy in relation to the total value of assets under custody?

In most cases, the answer to these questions is no. Not enough. Unknown. Questionable.

Exceptions can exist; crypto owners seeking custody support for any reason should seek out providers who are the exceptions. To identify an exception, the customer should consider the question: what is responsibility for extreme security without accountability? How can accountability exist without a guarantee? What form should that guarantee take?

Pragmatically, there are two dependable forms of accountability that apply to custodial services. The first is an owned balance sheet (of bitcoin or across asset classes) that is extremely deep, combined with an extremely strong reputation. In the case of a loss due to any cause mentioned in their terms of service, the entity would have the ability (due to the deep balance sheet) and the desire (to maintain their earned reputation) to liquidate owned assets and return the value of the lost bitcoin to the impaired customer. This isn’t a guarantee, but there are certainly long-standing institutions with immense wealth who could and likely would cover even a huge loss event. However, few of those institutions have entered the bitcoin custody business.

The second dependable form of accountability is insurance. Insurance is, by definition, regulated for the protection of customers and provides clear documentation of which causes of loss are covered and which are excluded and to what financial extent. Insurance provides a service — the guarantee of indemnity against loss — in exchange for a transparent fee. If a custodian does not have the owned balance sheet to self-insure, sufficient insurance is the only real accountability they can provide their customers.

If compelled to use a custodian, what service are bitcoin owners actually seeking: holding onto a bit of data? Or the guarantee that the data will be held securely and returned to them on demand in accordance with the agreed-to terms? Of course, it’s the guarantee that is actually what is desired — or should be. Any potential custody customers are already extremely critical of the custodian’s history of responsible crypto custody and resilience to hacks and other vulnerabilities that will decrease the likelihood of a loss occurring. But they should be equally (if not more) critical of the guarantees the custodian provides to indemnify them in the case of a loss despite their best efforts… not to mention in the case of a loss due to the actions of internal bad actors or subpar efforts. Customers should demand that the custodian have either the balance sheet of owned assets and adequate terms of service, or high-quality insurance on assets in its custody. If the custodian does not hold a large enough insurance policy themselves or doesn’t name the customer as the recipient of benefit payments, the customer should insist on the ability to buy their own 1-to-1 insurance coverage where the custodian has completed security audits with the underwriter but where the customer is the named insured and beneficiary of the policy.

After all, without a financially backed guarantee, what are custody customers even paying for?
