SEC Risk Alert Digital Asset Securities

SEC Risk Alert Digital Asset Securities

01 March 2022

Main Contributor: Katie Mogan, IACCP® Vice President, Senior Compliance Consultant

Background 

I don’t know about you, but we are hearing and seeing cryptocurrency everywhere.  In this article we are tackling the SEC’s Digital Assets Risk Alert from February 2021. While we are experts in the SEC-registered investment advisor space, we are not experts in digital assets (i.e., cryptocurrency), and as we have found, neither are all of our clients. Therein lies the problem. Investors are asking their advisors if they should invest in cryptocurrency, if the advisor will “hold their wallet,” or purchase cryptocurrency on their behalf to give them crypto exposure. The problem is many advisors are new to this space – it’s the wild west! While the SEC is still wrapping their heads around cryptocurrency, they have issued some guidance on what their exams will focus on if an advisor recommends or manages cryptocurrency. We will focus on what investment advisors can do to amend policies and procedures, disclosures, and the annual review in light of this risk alert.

Digital Assets for Investment Advisors

The SEC suggests that some cryptocurrency or digital assets are considered securities, as we see in the definition below from the risk alert. Why does this matter? If a digital asset is a security, then it falls under the federal securities laws and the SEC’s domain.

Digital Asset refers to an asset that is issued and/or transferred using distributed ledger or blockchain technology (“distributed ledger technology”), including, but not limited to, “virtual currencies, coins and tokens.” A particular digital asset may or may not meet the definition of “security” under the federal securities law.

If you manage, buy, sell, monitor, or recommend digital assets to your investment advisory clients, there are some actions you should take to improve your compliance program including implementing processes and testing to address the additional risks and conflicts associated with digital asset management.

Disclosure Documents

First, make updates to your disclosure documents which include: ADV Part 2A, Form CRS (if you have retail clients), disclosures on marketing materials, private placement memorandum and other fund documents, and possibly your investment advisory or subscription agreements. Keep your language consistent between the documents as you describe the types of digital assets you recommend, manage and/or trade.

Risks and Conflicts

You will need to address the risks of these particular assets and describe those risks in Item 8 of Form ADV Part 2A.  The SEC suggests identifying the complexities of the products and technology underlying the assets, technical, legal, market and operational risks (think custody and cybersecurity), price volatility, illiquidity, valuation methodologies, related-party transactions, and conflicts of interest.

Remember, risks and conflicts can change in light of business developments, business relationships, regulatory changes, and client relationships. Review the risks associated with management of digital assets at least annually when you update disclosure documents with your annual amendment. Don’t forget to update your internal risk assessment as well to cover the risks, conflicts, and testing incorporated to mitigate each risk associated with digital assets!

Custody

You might have custody of your clients’ digital assets if you have possession or certain access to the digital wallet, including access to private keys.  If you have custody, you must disclose this fact in your ADV Part 2A, Item 16.  If management of digital assets suddenly gives you custody you must update your ADV Part 1, Item 9 and your ADV Part 2A, Item 16.  Advisors with custody must have appropriate policies and procedures in place, which we discuss later.

Registration

When reviewing your ADV, you will need to determine how the digital assets are categorized for both your retail clients and pooled investment vehicles. Based on your valuation policies you will need to determine how to calculate your regulatory assets under management and create a paper trail so you can support your rationale and stay consistent year after year.

Policies and Procedures

Once you identify your risks and conflicts and update your disclosure documents, it’s time to think about your policies and procedures. Policies and Procedures should be designed to address and mitigate risks and conflicts identified. The SEC identified several areas of concern in their exam priorities:

Due Diligence

Let’s assume your digital assets are securities and therefore fall under the jurisdiction of the SEC. Generate a policy to address how you perform and document due diligence on digital assets. Due diligence should cover important topics like liquidity, cybersecurity, volatility, how the particular asset works, who will hold the asset (custody), your knowledge on the product, and suitability for the client.

Evaluation and Mitigation of Risks

A process should be in place that addresses, at a minimum, security breaches, fraud, insolvency, market manipulation, and quality of market surveillance.  Your policies should address the process for purchases/sales and consider trade execution and settlement processes. It may be hard to cover every scenario but if you think about mitigating the major risks like liquidity, security breaches, trading and your fiduciary duty, your policies can have flexibility for ever-changing technology.

Management of Risks Associated Specifically with Forked and Airdropped Assets

Forked digital assets is when a permanent split occurs in the blockchain resulting in a change in code. This creates two paths: one path has a new digital asset and the other has the original block chain.

Airdropped assets are digital assets that are deposited directly into an investors’ wallet. Airdrop is a means to move the digital currency.

The SEC will focus on how firms manage the risks associated with forked and airdropped assets, such as allocations across accounts, conflicts of interest, valuation and books and records. We suggest approaching these two activities as trades to ensure your policies treat clients fairly and mitigate conflicts through your disclosure documents. Lastly, there has been an increase in fraud activities related to digital asset investments. Even if you do not purchase or manage digital assets for your clients/investors it’s important to understand, educate and escalate any frauds to your custodian or the authorities.

Fiduciary Duty

You have a fiduciary duty when managing your clients’ assets. That includes ensuring all clients who are eligible and have investment goals that would benefit from cryptocurrency are offered the same or similar opportunities. Policies should address allocation of cryptocurrency and digital assets to those interested and qualified.

Pricing of Client Portfolios

Your policies should address how you will value the digital assets you manage.  Challenges arise with liquidity, market fragmentation, and market volatility.  Pricing of digital assets can also be a risk because you presumably charge a management fee and possibly a performance fee on the value of the digital assets you manage.  Your policy should include how you approach valuation after significant events, review of forked and airdropped assets, and a process used to determine principal markets and fair value. Make sure you document those decisions and assessments.

Books and Records

You must keep accurate records of all digital asset trading/activity.  Consistency and reliability varies across digital platforms, so ensure your policies account for variation but still cover the requirements in the Books and Records Rule around trade memoranda (Books and Records Rule, (204-2(3)).

Custody

If you manage digital assets your firm should analyze whether you have custody of your clients’ digital assets, which could occur if you take possession of the client’s digital wallet or even have access to their private keys, for example. If determined that you have custody, you will need to adjust your policies and procedures to account for your digital assets.  The SEC is concerned with the security of digital assets including: instances of unauthorized transactions and theft, the safeguards in place to protect digital assets from external and internal misuse, business continuity plans (“BCP”) and plans around key personnel with access to keys and trading platforms, how loss and harm is evaluated if a private key is lost, storage of digital assets on trading platforms and with third party custodians, and security procedures related to software and hardware wallets.

Conclusion

The SEC is tuning into the digital asset craze, which means more focused exams and hopefully more guidance. In the meantime, refresh your policies and keep your disclosure documents transparent and in sync with one another.

Filed under: Uncategorized