Subject: S7–04–23
From: bohdon7
Affiliation:

Oct. 20, 2023

The proposed SEC rules lack clear guidelines for assessing compliance with digital asset custody requirements. Some areas that need further clarification:
Security standards - No defined criteria for evaluating the adequacy of custodians' cybersecurity and internal controls.
Key management - No specifics on acceptable protocols for private key generation, storage, access, etc.
Multi-party protocols - No guidance on use of technologies like multi-signature, sharding, distributed trust.
Auditing methodology - Unclear what audit testing procedures will assess compliance with custody safeguards.
Insurance metrics - No thresholds prescribed for adequate insurance coverage relative to assets under custody.
Due diligence rules - Vague standards for vetting sub-custodians and wallet providers.
Technology reviews - No defined process for evaluating new technologies like hardware wallets.
Transition timeframes - No concrete schedule for phasing in compliance with finalized rules.
Recordkeeping rules - Ambiguous requirements for retaining auditable trails of asset transactions.

Without detailed compliance criteria and controls guidance, regulated firms will struggle to reliably demonstrate adherence. The SEC should delineate precise assessment frameworks to create consistency in oversight and reporting. This will ensure custody providers have clear roadmaps for securing regulatory approval.





