July 22, 2021 • 9 mins
Our host Adam Rodricks, National Lead, Digital Services welcomes back Kareem Sadek, Partner, Technology Risk Consulting and Kunal Bhasin, Senior Manager, Technology Risk Consulting and introduces Edwin Isted, Senior Manager, Management Consulting for his series debut. In episode two of our four-part series, the group discusses custodianship models, their benefits, and some key considerations when assessing a custodian.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hello everybody and welcome. I’m your host Adam Rodricks and today, I am elated to welcome you to a special KPMG PodBytes series entitled ‘The State of Cryptoassets’. If you missed our first episode, I encourage you to check it out as well.
(00:15):
Today, I’m joined by my esteemed colleagues in Technology Risk Consulting, Edwin, Kunal and Kareem. Welcome everyone. Can we start off with some roundtable introductions? We’ll start off with you Edwin - please let everyone know what you do at the firm.
Yes, good day everybody. The name is Edwin Isted. I'm in the KPMG Management Consulting practice. In the organization, I work primarily in the payments space as well as with digital assets and blockchain.
(00:46):
Hey, Adam. Nice to be back again. I’m Kunal Bhasin. I’m a Senior Manager in our Risk Consulting practice and I co-lead our blockchain and cryptoasset group alongside Kareem.
I am Kareem Sadek. I'm a Partner in our Technology Risk Consulting practice and I, like Kunal just mentioned, co-lead the blockchain practice along with him. Adam, always a pleasure talking to you.
(01:09):
Pleasure is all mine, sir. Kareem, I'm going to start with you. I think many of our listeners are familiar with traditional custodianship models that cater to physical and dematerialized asset classes. Could you walk us through a few of the custodianship models that align to digital assets and explain how they differ from those traditional models?
(01:30):
Let me take a try to take a stab at this. Kunal and Edwin, please help me out here. In simple terms, cryptoassets are stored on blockchains. Think of Bitcoin, the asset, which is recorded on the Bitcoin blockchain. Similarly, you can think about ether. Eher is a native asset on Ethereum, which is used to pay for transactions interacting with these decentralized finance applications that are stored on Ethereum.
(02:01):
I’ll give an example that one of our team members, Mitch uses all the time. The ownership of these assets relies on public-private key pairs. Think of the public key like an email address, where if anyone knows my address, they can send me emails. The private key is akin to the email account’s password, which must be used each time a transaction is sent. If one password is compromised, then anyone can send emails from their account. Likewise, if that private key is stolen, the crypto assets contained can be removed. That's an example that gives a very good explanation to it.
Coming to the two questions around custodial models, there are two approaches (02:57):
one being self-custody, where you take on that characteristic of looking after the keys, or the other, which relies on a dedicated custodian. Self-custody, I believe, was the initial intention around Bitcoin, where users would hold their own keys to control their own funds. However, as the value of cryptoassets have risen and institutional investors entered the space (including these investors that obviously have a fiduciary mandate), many multi-institutional-grade custodians have emerged. These firms are collectively holding hundreds of billions of dollars in cryptoassets and provide services to institutional investors as clients.
(03:40):
Wow, one hundred billion, it's difficult to fathom and I'm going to get lost in it but before I do, perhaps I can just touch on something. Kunal, can you describe some of the benefits of using a custodian?
Sure. Think of transactions on a blockchain, whether it's Bitcoin or Ethereum. All of these transactions are atomic in nature and irrevocable, so it is critical to have the right levels of controls in place to ensure that the correct amount is being sent or received, and also, the recipient addresses are appropriate.
(04:19):
A custodian is beneficial for these organizations because they have specific technology and controls in place, such as the multi-signature or the multi-body computation systems that increase the security in initiating those transactions. By requiring multiple signatories or sharding the private key into several separate pieces and having the appropriate controls in initiating these transactions, the risk that the private key could be compromised for initiating an illegitimate transaction is reduced by quite a bit.
Another reason why organizations tend to use a custodian is because the time to market is reduced. Think about an organization that's looking to deal in cryptoassets (05:09):
if they look to build this custodian capability in house, the time to market for their offerings is increased by quite a bit. However, if they rely on a custodian that's already out there and has the infrastructure built in, integrating with those in house is something that organizations tend to go with because it reduces their time to market by almost half or more than half.
(05:54):
That's really interesting. I want to focus now on shifting that viewpoint. From the perspective of an institutional investor, the benefits of a custodian are quite clear, right? Edwin, can you elaborate on some key considerations when assessing a custodian?
Sure. I guess there are two that come to mind – one being an institution’s required operational model for the transaction and the custodian’s insurance coverage. Depending on the nature of the institutions operations, it requires different models for the transacting to take place. For example, a trading desk for a major financial institution will trade more actively than an asset manager who's rebalancing the investment products daily or a family office making a long-term strategic allocation. So as transaction frequency increases, different processes governing private keys are in place to maximize convenience while not compromising on security at the same time.
(06:51):
Another thing that comes to mind, Adam, is the SoC attestation reports that are provided by these custodians. It is a best practice that custodians are following these days, as providing SoC 1 and 2 attestation reports gives insight into their internal control environment as it relates to security, privacy, confidentiality, availability, so on and so forth. Their clients are using these SOC reports to review what the current practices are within these custodian companies and assessing whether they are able to meet the regulatory requirements and the internal requirements for those institutions as well.
(07:39):
Kunal, that's amazing and that cues me up really nicely because I'd be remiss if we don't talk about what happens if security is compromised, right? We talk about these SOC reports; all of that is to try to meet some of these security expectations. But what if security is compromised?
Having comprehensive insurance coverage in place is essential. We're hearing a lot more around insurance and how that works. Some of the key considerations of coverage include the aggregate limits of the policy, whether supplemental insurance is available, and if one's investment exceed the limit. Another thing – does the policy cover dishonest acts by employees, thefts and acts of nature like floods or electrical outages that can compromise the private keys? Who are the insurers syndicating the policy? Perhaps most importantly, how does this insurance coverage actually integrate in with the firm's existing insurance?
(08:40):
So, Adam, I can honestly keep going on further and go deeper into this subject, but I would love to hear from our listeners. Hopefully they'll reach out to us because I'd love to have a deeper conversation around that and see how we can help them in their cryptoasset journey.
That sounds like there is quite a bit to consider! I know we could go deeper and perhaps that’s why we’re bringing our listeners a four-part special series on the current state of cryptoassets. So, for today’s episode, I will stop there and simply thank you all for your time and your valuable insights. Join us next time on the KPMG in Canada’s PodBytes series on the state of cryptoassets, when we’ll welcome back Kareem, Kunal and Mitch for a discussion on proof of reserves, a particularly interesting process that ensures assets recorded on internal ledgers match the assets stored on blockchains. Once again, I’m Adam Rodricks. Thank you so much for listening, and we’ll see you next time. Bye everybody!
Hello everybody and welcome. I’m your host Adam Rodricks and today, I am elated to welcome you to a special KPMG PodBytes series entitled ‘The State of Cryptoassets’. If you missed our first episode, I encourage you to check it out as well.
(00:15):
Today, I’m joined by my esteemed colleagues in Technology Risk Consulting, Edwin, Kunal and Kareem. Welcome everyone. Can we start off with some roundtable introductions? We’ll start off with you Edwin - please let everyone know what you do at the firm.
Yes, good day everybody. The name is Edwin Isted. I'm in the KPMG Management Consulting practice. In the organization, I work primarily in the payments space as well as with digital assets and blockchain.
(00:46):
Hey, Adam. Nice to be back again. I’m Kunal Bhasin. I’m a Senior Manager in our Risk Consulting practice and I co-lead our blockchain and cryptoasset group alongside Kareem.
I am Kareem Sadek. I'm a Partner in our Technology Risk Consulting practice and I, like Kunal just mentioned, co-lead the blockchain practice along with him. Adam, always a pleasure talking to you.
(01:09):
Pleasure is all mine, sir. Kareem, I'm going to start with you. I think many of our listeners are familiar with traditional custodianship models that cater to physical and dematerialized asset classes. Could you walk us through a few of the custodianship models that align to digital assets and explain how they differ from those traditional models?
(01:30):
Let me take a try to take a stab at this. Kunal and Edwin, please help me out here. In simple terms, cryptoassets are stored on blockchains. Think of Bitcoin, the asset, which is recorded on the Bitcoin blockchain. Similarly, you can think about ether. Eher is a native asset on Ethereum, which is used to pay for transactions interacting with these decentralized finance applications that are stored on Ethereum.
(02:01):
I’ll give an example that one of our team members, Mitch uses all the time. The ownership of these assets relies on public-private key pairs. Think of the public key like an email address, where if anyone knows my address, they can send me emails. The private key is akin to the email account’s password, which must be used each time a transaction is sent. If one password is compromised, then anyone can send emails from their account. Likewise, if that private key is stolen, the crypto assets contained can be removed. That's an example that gives a very good explanation to it.
Coming to the two questions around custodial models, there are two approaches (02:57):
one being self-custody, where you take on that characteristic of looking after the keys, or the other, which relies on a dedicated custodian. Self-custody, I believe, was the initial intention around Bitcoin, where users would hold their own keys to control their own funds. However, as the value of cryptoassets have risen and institutional investors entered the space (including these investors that obviously have a fiduciary mandate), many multi-institutional-grade custodians have emerged. These firms are collectively holding hundreds of billions of dollars in cryptoassets and provide services to institutional investors as clients.
(03:40):
Wow, one hundred billion, it's difficult to fathom and I'm going to get lost in it but before I do, perhaps I can just touch on something. Kunal, can you describe some of the benefits of using a custodian?
Sure. Think of transactions on a blockchain, whether it's Bitcoin or Ethereum. All of these transactions are atomic in nature and irrevocable, so it is critical to have the right levels of controls in place to ensure that the correct amount is being sent or received, and also, the recipient addresses are appropriate.
(04:19):
A custodian is beneficial for these organizations because they have specific technology and controls in place, such as the multi-signature or the multi-body computation systems that increase the security in initiating those transactions. By requiring multiple signatories or sharding the private key into several separate pieces and having the appropriate controls in initiating these transactions, the risk that the private key could be compromised for initiating an illegitimate transaction is reduced by quite a bit.
Another reason why organizations tend to use a custodian is because the time to market is reduced. Think about an organization that's looking to deal in cryptoassets (05:09):
if they look to build this custodian capability in house, the time to market for their offerings is increased by quite a bit. However, if they rely on a custodian that's already out there and has the infrastructure built in, integrating with those in house is something that organizations tend to go with because it reduces their time to market by almost half or more than half.
(05:54):
That's really interesting. I want to focus now on shifting that viewpoint. From the perspective of an institutional investor, the benefits of a custodian are quite clear, right? Edwin, can you elaborate on some key considerations when assessing a custodian?
Sure. I guess there are two that come to mind – one being an institution’s required operational model for the transaction and the custodian’s insurance coverage. Depending on the nature of the institutions operations, it requires different models for the transacting to take place. For example, a trading desk for a major financial institution will trade more actively than an asset manager who's rebalancing the investment products daily or a family office making a long-term strategic allocation. So as transaction frequency increases, different processes governing private keys are in place to maximize convenience while not compromising on security at the same time.
(06:51):
Another thing that comes to mind, Adam, is the SoC attestation reports that are provided by these custodians. It is a best practice that custodians are following these days, as providing SoC 1 and 2 attestation reports gives insight into their internal control environment as it relates to security, privacy, confidentiality, availability, so on and so forth. Their clients are using these SOC reports to review what the current practices are within these custodian companies and assessing whether they are able to meet the regulatory requirements and the internal requirements for those institutions as well.
(07:39):
Kunal, that's amazing and that cues me up really nicely because I'd be remiss if we don't talk about what happens if security is compromised, right? We talk about these SOC reports; all of that is to try to meet some of these security expectations. But what if security is compromised?
Having comprehensive insurance coverage in place is essential. We're hearing a lot more around insurance and how that works. Some of the key considerations of coverage include the aggregate limits of the policy, whether supplemental insurance is available, and if one's investment exceed the limit. Another thing – does the policy cover dishonest acts by employees, thefts and acts of nature like floods or electrical outages that can compromise the private keys? Who are the insurers syndicating the policy? Perhaps most importantly, how does this insurance coverage actually integrate in with the firm's existing insurance?
(08:40):
So, Adam, I can honestly keep going on further and go deeper into this subject, but I would love to hear from our listeners. Hopefully they'll reach out to us because I'd love to have a deeper conversation around that and see how we can help them in their cryptoasset journey.
That sounds like there is quite a bit to consider! I know we could go deeper and perhaps that’s why we’re bringing our listeners a four-part special series on the current state of cryptoassets. So, for today’s episode, I will stop there and simply thank you all for your time and your valuable insights. Join us next time on the KPMG in Canada’s PodBytes series on the state of cryptoassets, when we’ll welcome back Kareem, Kunal and Mitch for a discussion on proof of reserves, a particularly interesting process that ensures assets recorded on internal ledgers match the assets stored on blockchains. Once again, I’m Adam Rodricks. Thank you so much for listening, and we’ll see you next time. Bye everybody!
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
The Nikki Glaser Podcast
Every week comedian and infamous roaster Nikki Glaser provides a fun, fast-paced, and brutally honest look into current pop-culture and her own personal life.