Three key 'know your provider' (KYP) questions for digital asset security

Josh Schwartz is COO of Curv, a digital asset security platform.

In 2008, when Wall Street giants like Lehman Brothers and Bear Stearns became the casualties of the credit crisis and subsequent financial meltdown, no one was protected. There are stories of hedge funds who had nothing to do with the mortgage market losing their client funds because they were held at Lehman and funds were commingled. Clients who used services from other divisions of Lehman (trading, advisory) experienced business disruption because of the company’s bankruptcy and subsequent closure.

As indicated in recent press articles, consolidation and convergence in the digital asset security landscape are occurring. Technology firms are branching out to become custodians and custodians are branching out to become prime brokers. While these are signs of the industry’s maturation, it's important to understand the risks being taken by these providers.

While some industry protections have, of course, been enacted to avoid a disruption of the magnitude experienced in 2008, traditional and crypto institutions should consider implementing a KYP (Know Your Provider) process to assess their digital asset security.

Below, I detail the reasons for implementing a KYP approach.

How did we get here?

In the beginning, there were no custodians. One of the original aims of cryptocurrency was to disintermediate all middlemen (governments, banks, etc), with the idea that people would hold their own assets. The only custodians were exchanges; users deposited funds on these exchanges and trusted the exchange to secure their funds. On a centralized exchange, a user needs to request a withdrawal, meaning they need the exchange to move their funds for them.

These exchanges were not regulated, yet no one cared. However, as buy-side institutions entered the market, the assumption was that these firms would need a regulated custodian to secure their funds (despite continued ambiguity from regulators in many geographies).

The business model for these custodians was based on AUC (Assets Under Custody). Fees were charged at roughly 50 bps per year, which is 20 times the average custody fees in traditional markets. As expected, these rates began to compress, forcing custodians to find other ways to monetize assets and create new sources of revenue.

And then came lending

As in traditional markets, prime brokers make a large part of their profits by lending their clients’ digital assets and managing the associated risk.

There is a big opportunity for borrowing, namely to go short. In addition, as most exchanges are centralized and require assets in place prior to trading, there is a demand for assets in order to trade on multiple exchanges (and optimize pricing inefficiencies). Some derivatives exchanges offer the ability to deposit margin in the underlying asset, and various trading opportunities (like the traditional “cash and carry” trade) also have a significant impact on the demand to borrow crypto or fiat.

Several specialized lending firms have joined the scene, each with a different business model. Custodians later realized that, since they are already holding client funds, they can facilitate loans between their clients. Doing so would create a new source of revenue, replacing the need to charge for asset custody. I’ve seen several custodians consider entering the lending business. Some of them are even lending their own assets.

But what happens when things go wrong?

The critical thing to keep in mind is that the skills and infrastructure necessary to secure client funds are not the same skills and infrastructure needed to manage the risks of lending client funds. Having a solid foundation of risk management tools to assess the risk of each client – as well as systems in place to both securely calculate and manage the collateral behind the loans – is very different from securing client funds from both inside and outside attack vectors.

So what happens when things don’t go as expected? What happens when the market corrects (or crashes) and collateral is not there? One sharp correction is all that’s needed for firms with subpar risk controls to see a domino effect of defaults that will result in loss of client funds. Unfortunately, it is in those times when the effect of dealing with the right counterparty is most pronounced.

If a client is using one of those providers, they may wake up and find themselves without the “stable” tech partner they thought they had. They may find that, due to losses in riskier businesses, they will need to find a new provider. Such a change can prove catastrophic to one’s business.

Questions to ask your provider as part of KYP

KYP (know your provider) should be a standard part of due diligence on any new or existing security provider. Given the risks a provider takes can seriously impact your business, here is a list of questions you should ask as part of your audit to assess your level of vulnerability.

1) What risks does your provider take and how may these risks affect your ongoing business? A custodian that experiences losses in a risky business line (trading, lending, etc...) will certainly experience disruption in their “stable” business lines as well. Therefore, either ensure the risks your provider regularly takes have no bearing whatsoever on your firm or seek to fully grasp the implications these risks will have on your organization and how you can withstand them when they become a reality.

2) What new business lines is your provider considering entering? Ask about the resources being spent on those businesses (are they coming at the expense of advancements in security?). Ask about the risks involved, how they might evolve, and how these new lines will impact your ongoing operations.

3) How does your provider interpret his role in the broader ecosystem? As a technology partner, your provider should not have conflicts of interest. Providers should be solely focused on helping you secure your digital assets so you can continue to offer new and innovative solutions to the industry. You rely on that provider to be stable, secure, and tech-driven, so that you can focus on doing your business well.

It’s critical to understand how your provider’s risks impact your business and know that entering any potential new line of business should never come at the expense of your security.

© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.