• Speaker

    Petar has been part of Accenture’s Distributed Ledger Technology (DLT) practice for over four years, where he acquired deep expertise in the Digital Asset Custody space through due diligence engagements, technology assessments and implementation projects with financial institutions across the globe. In addition, Petar has contributed to a number of initiatives around the world regarding tokenization/issuance of digital assets, and central bank digital currencies. Most recently, he has supported initiatives at digital asset exchanges, central banks, and other financial intermediaries.

    Petar Zelic
    Tech Innovation Strategy Manager - Digital Assets, Custody & CBDC
  • Speaker

    Mark has primarily worked in regulatory policy areas (retail and capital markets) and international regulatory engagement roles. Mark joined Elliptic from the UK Financial Conduct Authority (FCA), where he worked in the Capital Markets Policy Dept. and in the Financial Crime Advisory Team, and was responsible for delivering the UK’s cryptoasset amendments to the anti-money laundering regulations (MLRs). Before leaving the FCA, he was engaged with HM Treasury and the Bank of England on the financial markets infrastructure (FMI) cryptoassets sandbox.

    Mark Aruliah
    Senior Policy Adviser, EMEA
  • Speaker

    Max has extensive domain expertise in digital business models, DLTs, NFTs and crypto markets. He spent more than a decade building and scaling digital ventures and managing digital product initiatives, from strategy to go-to-market. He worked among others for Rocket Internet and UniCredit Bank.

    Maximilian Ruf
    Business Solutions Consultant, Digital Assets and Web3

Build and launch your digital asset business model

Full transcript

*Disclaimer: The accuracy of this transcript is not guaranteed. This is not investment advice, and any opinions expressed here are the sole opinions of the individuals, not of the institutions they represent.

Metaco Webinar

[00:00:11] Zarah: Hello everyone. Welcome to this webinar. I hope you all had a wonderful start into the year. My name is Zarah, I will be your moderator. I have a background in blockchain research at University of St. Gallen. I’m a previous Process Management Consultant, and now I am Market Director for Switzerland and Liechtenstein at Metaco.

Today we are going to talk about security, risk and compliance in the context of digital assets. Now welcome with me our three experts today, Petar Zelic, who is a Tech Innovation Strategy Manager at Accenture, Mark Aruliah, a Technical Specialist at Elliptic, and Max Ruf, Digital Business Strategy Consultant at Metaco. May I ask you all to quickly present yourselves and the companies you are representing? Let’s start with you, Petar.

[00:01:14] Petar: I’m the first one on the picture, so I’ll be starting. My name is Petar Zelic. I’m part of Accenture’s global DLT practice, where I’m focusing on use cases all around the financial services industry. Those use cases could be tokenization use cases, it could be payments use cases such as central bank digital currencies, as well as use cases around the topic that we will discuss today, such as digital asset custody.

We as the Accenture team, we support our clients throughout their entire digital assets journey, which starts with the strategy phase where we support our clients in defining use cases that they want to focus on, all the way down to the actual implementation of a POC or a pilot, or in the end, an actual live and market-ready product or service. This is all about me. I’m handing over to Mark.

[00:02:13] Mark: Thank you. Thank you, Zarah. It’s great to be here. I’m Mark Aruliah, I work at Elliptic. Elliptic is a blockchain analytics firm. A blockchain analytics firm, basically we look at the blockchain data, we provide tools for crypto exchanges, for custodians, for law enforcement, regulators, to be able to look at the financial crime risk of crypto assets and crypto asset transactions. Within that team, I’m in the regulatory team looking at EMEA. I’m looking at helping customers, but also following legislation and regulatory developments across EMEA.

Before that, I was 25 years at the FCA, the Financial Conduct Authority and regulator, mainly in policy. I left there working on markets policy. But before I left there, I amended the crypto asset changes to the money laundering regulations, and also worked with the Bank of England and the Treasury on looking at FMI, financial market infrastructure, crypto assets, and blocks.

[00:03:22] Zarah: Thank you very much, Mark. Then Max?

[00:03:24] Max: Hello everyone. Maximilian Ruf from Metaco, I work in the solutions team. We consult the sales process with prospects, and we also do a little bit of after sales consulting, that anything gets delivered in the exact way we actually promised it to our clients.

Metaco, just a little bit of an introduction, is a custody tech provider. We are so a software company. We are not regulated. We are only taking care that the lines of code are very neatly programmed, and anything around these lines of code is operationally functional in the way it should be. We are always up to date at the cutting edge and at the frontier of digital asset custody technology. My personal background is 10 years in developing business models for digital products, and 10 years also in Bitcoin. I read the Bitcoin white paper approximately 10 years ago, and I have never let off the hook since then, now actually working professionally in the field. The second time before that, I helped consult our NFT platform.

[00:04:39] Zarah: Good. Thank you so much. I’m going to stop sharing. I encourage you, the speakers, but also the participants, to ask questions. I will have a look at the questions coming in, because we want to make this webinar as interactive as possible, so that we don’t start sleeping while listening.

I’m going to start with the first question to you, Petar. What are the most important risks for institutions when it comes to managing and storing digital assets? Because as we know, managing and storing digital assets like tokenized securities, cryptocurrencies, utility tokens, and so on, they underlie a totally different database logic. You cannot really adapt the frameworks from other electronic values like fiat currencies to digital assets. What are the most important risks?

[00:05:38] Petar: Let me quickly try to summarize it in a very structured way. When we approach clients and have discussions with them, the challenges but also the risks that we face with them can be broadly categorized into three areas. The first one is related to system integration, the second one is related to security, and the last one is related to regulation. The first one I said is system integration, where it is all about preventing the risk of operating in silos within the company. There the client is trying to ensure, and we’re supporting the client in doing that, that the new systems that we’re trying to build up, be it a Metaco solution that Metaco is providing to their clients or be it any other system, are fully integrated into the landscape that they already have in their infrastructure. We won’t be digging too much into the system integrations topic today, because we have the other two topics that we will focus on slightly more as part of this webinar. But it’s one of the challenges and risks that we currently face a lot when we talk to many of our.

The second area is related to security, and there it is all about preventing the loss of assets, be it through hacks of external attackers, be it through malicious internal employees, which could be a valid attack vector as well, or just simple errors in any of the technologies or errors performed by employees that haven’t acted maliciously. There it’s all about implementing all the security principles that we know of, the best practices to prevent all of these risks and all of these faults and errors and attacks from happening.

Last but not least, the last area is all about regulation. We’ve seen the industry is moving into a more regulated space. But nonetheless, we still have a lot of areas where there’s still regulatory uncertainty as to what exactly has to be done to really comply with regulatory requirements and how this can be done in practice. There’s still a gap as to how the regulatory requirements can already be fulfilled. We have the right people in this call to actually answer or cover all of these risks and challenges in more detail. Handing back over to you, Zarah.

[00:08:09] Zarah: Yeah, thank you very much for the structured answer. Max, a question to you. There are so many different solutions when it comes to managing and storing digital assets. What are the different solutions out in the market and what are your recommendations when keeping in consideration the risks that Petar just mentioned?

[00:08:33] Max: First of all, I think you need to separate between non-custodial and custodial wallets. We are living in the world of custodial wallets. Essentially, you need to protect the private key because the private key is the access to the assets, or you could see it as the assets itself as well in some cases. You need to protect that private key from being hacked. The very first thing, and if we’re talking about non hackable or non-fordable, everybody who uses these two words is probably not talking seriously or doesn’t know what he’s talking about, but essentially what you’re doing is you’re assuming attack vectors. If we’re talking about hacks, we are assuming attack vectors and we’re trying to mitigate these attack vectors.

You can protect the private key through hardware security modules, HSMs for example, or multi-party computation. If you want to take it like that and explain it in simple terms, you divide the key or you shard the key and you run it by different nodes. The key never comes together at one time. It’s actually mathematical programs which run in parallel, but you decentralize the key in a way. You split it. Either HSMs, put it in a very secure, dumb hardware box and it is secured there. Very difficult to get into this box, neither in physical terms nor in software terms. The other thing is you actually divide the key and you bring it into different locations and you get security through that. That’s one way of protecting the key, first of all.

Secondly, you have to protect the access to the key. The layer which gives access to do something with the key needs to be equally protected. Let’s imagine that it’s the vault in a bank, the physical vault where the gold is being stored. You need to have that protected in the IDL terms. Then also the door, which manages the entry permissions, who is allowed to get into that vault and take out the gold, that door needs to be equally well protected. How you do that in best practice terms is you ideally have some layered architecture where the more secure, the more sensitive layers have very few attack angles or vectors. They have very few lines of code in the software language, or ideally they’re actually stateless, like they don’t have a database or anything like that. Then the more you go up, the less sensitive the layers get, the more access you allow.

These things are normally pen tested, penetration tested, where you give the passwords actually out to the white hat hackers who hack that, then you see if they get in or if they don’t get in. In the case of Metaco Harmonize, they don’t get in and they’ve never gotten in.

Then there’s the policy layer. Once you have protected the key, you need a strong, robust governance layer, which is ideally configurable. You can build all sorts of four-, six-, eight-, ten-eyes principles for sensitive operations. These things need to be equally well programmed and set up so that you don’t make the assets fragile at the end of the day, neither for internal collusion, nor for social engineering hacks, which we saw in the past as well.

All sorts of other risks are involved. If you make the software really complex, very hard to use, then you obviously have a risk that people actually misuse the software and they screw up something in between. There are very important steps in between, that you set up your organization, that you train the people who buy your software in the right way.

[00:11:57] Zarah: Okay. I imagine for institutions, especially for teams that don’t have that much experience in that field, it’s pretty hard to put a label on those solutions. What is your recommendation? It’s difficult to compare MPC with HSM, then you talked about different layers, architecture. But in the end, what is really a key requirement where you can say, this is highly secure? For example, that the vault software component is not tampering any other program.

[00:12:36] Max: Essentially, you can look at the certificates if you want an outside validation. There’s the FIPS certification. In our case, we are leveraging in our solution HSMs, which are FIPS level 4 certified. In the case of MPC, they only have been certified to level 2, for example. That’s an external look at it. But if you really want to dig into this, you really need somebody on the organization side, a security expert or somebody having the right background, to dig in and do a proper DD of the solution. Because we are not talking about an email tool or something like that. We are talking about a tool which is managing and orchestrating your digital assets. I would always recommend to, like in a webinar like this, you can listen to my words, but it’s much better to do a proper due diligence with your team and the proper people on your side, asking the right questions, listening very carefully. If somebody is presenting to you an architectural diagram, you need a person who can challenge the architectural diagram and ask the really specific questions.

My recommendation is always going for a solution which is battle tested, like Metaco, which has been sold to tier one financial institutions. We have done this due diligence. But I would not only listen to these big institutions, I would always do my own type of due diligence and want to listen to the security model myself. It’s very sensitive stuff we are talking about here.

[00:13:57] Petar: Which is where usually we come into play, when it’s all about due diligence. When our clients approach us in one of the initial phases to look at the technologies that are out there and see whether they’re fit for purpose for the actual use case that they’re trying to pursue. But I agree with a lot of points that you’ve already mentioned, Max, in terms of protecting, not only within the focus on protecting the keys, because that’s what we’ve seen the industry do in the initial phases. They had their MPC solutions, they had their HSMs, but that was the main focus of the technology. Which then put the attack vector to another layer, be it the business logic or even a layer above that, where the protection wasn’t really fulfilling the security requirements that we see as being the best practices.

When we go to clients and support them in looking at all of these technologies, we don’t only look at how the actual cryptographic key is protected within whatever key management system they’re using, but as well at the entire chain that leads to that signature being generated within the key management system, because that’s usually where we still see flaws, with that business logic being enforced not in a secure environment. They will be running somewhere in the cloud and no one could actually pinpoint what is really happening as part of that transaction signature generation. This is a very important point when we look at it from a technical perspective.

In addition to that, what I want to emphasize is that it’s not only about the technology itself. The technology has to be backed by proper policies and procedures. Without the policies and procedures that mandate what we need, segregation of duties, or all of these four-eyes principle checks within that transaction generation all the way to the signature, it’s still a gap where we see some weaknesses that could be happening. We might be digging in a little further into that when we talk about how backups are created and stuff like that. I’ll keep telling the same stories where we see backups not being stored correctly and stuff like that. But we can pick this up a little later.

What I wanted to emphasize here is securing the entire chain all the way to the transaction is what we usually focus on, especially as well as how it is aligned with internal procedures and the policies.

[00:16:48] Max: Adding to your point, Petar, I’m pretty sure you also do that, that you actually look not only at how a transaction is authorized, but how is, for example, a new policy creation authorized, or editing the policy. If I have the right to edit a policy and I make myself the sole approver, I can circumvent the four-eyes principle or the six-eyes principle I’ve set up in my company. Then what’s the point of having it in the first place?

[00:17:14] Petar: Any major action on the platform should be subject to such an approval scheme. Simply creating a user should at least involve a four-eyes principle check. You would have a maker and a checker. Otherwise it just wouldn’t make sense, because all of a sudden you could create super users that will be able to change stuff that shouldn’t be changed, and create rules that shouldn’t be in there. It’s all about the full setup, the full protection of it. Exactly.

[00:17:44] Mark: Talking as an ex regulator, this is music to my ears.

[00:17:50] Max: At the same time, we don’t want to build absolute security anyway. It’s a bit of a farce because essentially what would be super secure would be digging a hole and throwing everything into that hole and then building walls around it and having people who have guns sitting on top, whatever. Something like that is probably really then absolutely secure, or goes near to absolute security. But I think you want a well secured system where the software architects have a good security model and have built appropriate technology. You want a robust governance layer, but you also want it to be built in a way that you can actually extend it to use cases.

If I can make business and I can make money, I want that system to be capable to adapt to all of these things. I want to have a system where I can seamlessly integrate something like Elliptic to be compliant with the AML regulation. We are going to hear more about this today in the webinar, but that system should not just be a dumb box which cannot do anything. It’s secure, nice, but I cannot do anything. You have to think about these things as well.

[00:18:46] Zarah: Yeah. Thank you very much for this input. Talking about the governance layer, a custody solution or a digital asset management solution usually comes with a governance layer, a governance component. Talking about that, what is important to look after when you analyze a governance component? Is it important that you can configure it in an agile way, or is it important that it can be seamlessly covering processes, integrating third party providers? What is there to look for here?

[00:19:17] Petar: I followed the industry right from its beginning, where the policy layer was still a weakness within most of the solutions. We’ve seen a lot of development in that area happening. Most of them have converged into the same direction, offering the same main features. What we saw of most importance there is that first of all, the policy layer itself provides a possibility to reflect anything that we have in the internal organization, be it organizational charts, be it procedures that are followed within the company, and make this customizable in a, if possible, easier fashion. Whereas in the early stages it would require a development team adjusting the policy layer to make it fit for purpose. Nowadays it has moved into the policy layer being more easily adaptable and customizable to the customer’s needs. Customizability, and make it customizable for a more general type of user, not for a completely technical person. Those are the important features that we’ve seen when we talk about the policy layer.

Then second of all, if we look at it from a purely technical perspective, is that it provides a cryptographic attestation. We’re actually creating cryptographic signatures once we have an approval that is fulfilled. Someone will be creating a signature, be it on his mobile phone or be it on his desktop device, once he’s approved one of the steps of that approval framework. These are the things that we’ve seen on the market as being one of the important factors in looking at the business and policy layer.

[00:21:26] Zarah: Yeah, exactly. I imagine that the clients or the companies you’re working with, they don’t want to go back to the tech vendor every time they want to configure a policy. They want to be as little vendor locked in as possible. We have some questions. One of the first questions is, have you experienced over compliance in crypto, such as your bank refusing to transfer money to an exchange platform bank account? How to go around the traditional finance, hyper cautious risk management?

[00:22:02] Mark: I’m happy to take that. I’ve had it firsthand. Talking as an ex regulator, I don’t see it as hyper cautious, banks are cautious. Partly, I think if you look back, it’s because there’s no regulatory structure beyond financial crime. We’ll touch on it later on, that if you like, banks are nervous, I think regulators are nervous, and that creates an uncertainty in the environment. The mindset that is lacking though is that banks feel that they can avoid all risk by trying to block these things. It’s not true, because what they don’t see are customers who are transferring it. Because when you make a payment to a crypto exchange, it might not be directly to the bank account. It might be through a merchant-acquirer relationship, through a payment firm, and therefore you can’t always see the flows.

What they should be doing is using tools like Elliptic, blockchain analytics, to look at the risk profile of the different crypto exchanges that they’re interacting with. It starts to get into a grown up world of understanding risk and looking at mitigants to risk. But I appreciate where the banks are, and I think some of this will change hopefully over time as the regulatory environment changes over time.

[00:23:12] Petar: To extend a little on that, it comes down to what we’ve also discussed regarding the custody solutions or the custodians that we have seen as part of our due diligence engagements that we’ve done numerous times. It’s all about assessing your counterparty before you engage in any business with them. This holds true even in that case. You will be looking at your counterparty from a business perspective. You can look at them from a technical perspective and see how they handle all of these things before you actually start working with them. We’ve seen a lot of financial institutions in the market do that in a very structured way before they start doing business with them.

[00:23:55] Mark: I agree with all of that. I think as well with MiCA, the European regulation on crypto assets, banks will get more involved with this one. They’re already seeing them enter into the custody environment. There’s also the potential for them to start holding client money for the exchange. This overlapping between traditional finance and crypto will start to change over the coming years as MiCA, for example, in Europe becomes solidified.

[00:24:23] Zarah: Thank you very much for your answer. Coming to the next question, which is slightly connected to that one, would it be beneficial to have good defined terms? Do definitions matter? Can you have a competitive advantage when you have better definitions defined when implementing digital assets or digital assets use cases?

[00:24:50] Petar: What would be interesting is definitions of what are we talking about specifically. When we talk to clients, generally what we see most of the time a lack of definition in terms of what assets are we talking about. Because there’s a mix of terminology used for what we see as cryptocurrencies, when we talk about the Bitcoin for instance. There’s a different terminology that should be used when we talk about tokenized securities or more traditional financial instruments. There’s different terminology that should be used when we talk about NFTs or whatever assets that we talk about.

Usually when we discuss with clients and we get engaged in discussions, we see them using a mixture of terminology that overlap or really make sense for them to have an actual framework behind them. This is one of the suggestions that we have for them right at the beginning, is to get that terminology straight and know what you’re talking about so that it’s really clear what we’re talking about.

When we’re talking about a cryptocurrency, we know what is in that bucket, or else it starts creating confusion. It also has an influence on all the requirements that come out of it when we talk about custody for instance. For instance, the requirements would differ if we talk about assets that are on a public chain versus assets that are on a purely private and permissioned chain. Because all the checks and screenings that we do aren’t as important as they are on a public chain, for instance.

All of these definitions have an impact on how requirements are defined and how the solutions should look like, how the procedures look like, et cetera. Definitely it’s a very important thing that has to be defined and also be structured through at the beginning of any of these engagements.

[00:26:55] Mark: I would agree. Definitions when you’re talking from a regulatory perspective, from a procedural perspective, it’s absolutely important, because as you rightly said Petar, it makes you understand what you’re missing or not missing. If they start to blur it, and we saw it even with some of the discussions that the FCA was having as we were registering some of the crypto asset firms, there was a lack of clarity between what they were saying versus what their procedures said. That’s because there was a lack of understanding of what exactly they were doing. Definitions do matter when we’re talking procedures. If you’re in the pub, I don’t think definitions matter. But actually when you’re talking in a regulatory sense, yes it does.

[00:27:35] Zarah: Thank you very much. Next question, short question. Are stress tests already executed or being executed?

[00:27:45] Max: Yes, I mentioned this before. Pen tests are actually regular. It’s also being requested by prospects in RFIs and RFPs, we answer to these and they are well documented. Normally if you do a proper pen test, you will get a documentation afterwards, which you can share with the prospect under NDA. We have pen tests every year.

[00:28:10] Petar: We see this done across the board. Once you have a client that will implement a solution, it’s definitely necessary to test the entire infrastructure. You want to know what your general key figures are in terms of RTO and RPO and stuff like that. You want to know how fast you can recover your infrastructure, how fast you would be able to recover lost key, and stuff like that. All of these tests have to happen, be it a stress test, be it a pen test, be it whatever test you want to do. That’s what has to happen after any of these implementations, and then be done in a regular fashion to cover any upcoming vulnerabilities that might be arising throughout the years.

[00:29:02] Zarah: Yeah, thank you very much. We have a lot of questions. Most of them are also for us at Metaco. I will just come back to you in the end and maybe also answer them in written form so that we can continue with the next topic, if that is okay. The next topic is digital asset recovery, which is also a topic that we discuss quite often, because what happens if something goes wrong? Of course, we all think that it can never happen that an HSM gets destroyed by a fire, but it could happen. Now a question to you, Max, what are the different kinds of recovery methods, and what are your recommendations?

[00:29:51] Max: Whoever has dealt with crypto or Bitcoin, Ethereum, Ether in this case and the private matters, knows he has to write down the private key of hopefully your cold storage or hardware storage device, be it a Trezor or a Ledger Nano, whatever. You write it down on a little piece of paper immediately. They give you two papers where you write it down, two of them so you have one backup essentially, or both of them are serving as backups. For institutions, writing down the password somewhere and putting it in the locker, I don’t know if it’s the best solution.

With HSMs there’s a method of backing up the private keys and then eagerly encrypting them. You are backing up each of these private keys. The recommendation would be to look into the market, to very carefully listen to these KMS providers and listen to the backup methodologies. There’s one backup methodology, for example, we worked out with IBM, where you don’t back up the individual private keys, but you back up something that is called a seed key, which you derive from the blockchain private key. This seed key will be encrypted, it will be stored as a cryptogram, which is a FIPS level 4 certified piece of software. When you find it, when you actually find this cryptogram where the private keys are in, it’s only gibberish, you can’t do anything with it.

On the HSM, you don’t store the private key itself. You store something called an HSM master key. There’s more to it. Essentially the root of trust exists in what are called smart cards, which are FIPS level 3 certified. They look like bank cards, and you use them as a root of trust to set up these HSM master keys.

To go into detail, we can always talk with everybody about it, that they learn more about this process. But it’s a really beautiful and elegantly designed process. With elegantly, it’s very hard to correct for somebody from the outside. That really goes into, I would say, what I would recommend as an institutional grade disaster recovery process.

[00:31:55] Petar: It really shows greatly what the key elements are of such a backup piece. Ideally at some point you would need three different artifacts to recreate the C at some point in time, in a different device or in the same one. This is the approach we see many of the vendors, when we talk about, for instance, different HSM vendors, what we see them apply. You would have an encrypted backup somewhere that is stored on any device. It could be a USB device, could be whatever. It’s encrypted against credentials. They are either on the HSM itself or on a smart card, and stuff like that. The technology there already provides a lot of protection for the backup itself.

Where we usually see the weaknesses in that area is then related to the handling of these artefacts themselves. Here I have to be the typical consultant again because it all comes down again to policies and procedures. Because ultimately what you want to make sure is that at some point in time in the future, you are able to prove in a documented fashion where and how that backup was created. Who has created it? Who has checked it? Where is it stored at what point in time, and who has had access to that backup? Ultimately what you want to prevent is what we’ve seen numerous times, that we would walk into one of these due diligence engagements and ask the responsible personnel where these smart cards are stored, and all of them would reach down into their pockets and just show them on the call. They would just say, we have it in our pockets, which usually you wouldn’t want to have in an enterprise grade environment.

Ideally all of these artefacts are stored somewhere where there are access controls, access is logged, no person can recreate the key at some point in time somewhere without it being tracked. This is very important to keep in mind, whatever backup solution is used across the board.

[00:34:13] Zarah: Okay. Thank you very much for your answer. Well, there are many requirements and it seems like integrating the custody solution makes more sense to make sure that all those requirements are fulfilled, but also it seems like this causes a lot of additional costs. For example, license costs or other costs to set up such a solution. Does this mean that now only the bigger banks or the larger institutions have the ability to implement such solutions that meet all those security requirements, which would make it more favourable for larger institutions but not really for the crypto native start-ups or the neobanks?

[00:35:05] Max: I can take this question. It’s our job obviously, if we market such a product, that we set price points which are acceptable to a broad demand of the market. Something we are definitely moving into, we are moving into a situation where you can’t just start up without having some seriousness, meaning budget, to do this thing. I think the times are over that you can start with something that doesn’t cost you a certain amount of money, and this amount of money is needed to actually set up and comply with all these regulations, which are either already there or which are about to come.

I think we are going to move a little bit into a different wave now, into a different market wave. There was this market creator wave perhaps, where you mentioned the crypto natives, and a lot of it was their own fault that this market is more or less being destroyed nearly now. They over-leveraged, under-collateralized this stuff. It was not so much the technology behind it, but rather the humans. I’m seeing a second wave now, the market finance, which are the big banks, which are the tier ones, the tier twos, the big institutions of this world who are used to having regulation, who are used to implementing this regulation. I think also, as you said, they’re used to different budgets. I think that’s totally okay because we are talking about critical market infrastructure.

In the case of FTX, I would’ve loved that FTX would’ve had some more requirements from the get-go, that they would’ve looked much more after regulation and would’ve protected these customer funds, and not used them to send them to Alameda and do all sorts of things.

Yes, I think actually you cannot just start up anymore. We are definitely moving away from this market probably. I’m just going to let Petar extend on it a little bit.

[00:37:10] Petar: What it comes down to is also the implementation strategy that is followed. Because it’s tightly linked to how you proceed in implementing it.

If you’re a start-up and you’re trying to build up your solution from scratch, trying to build everything new and do it by yourself, that takes a longer time, which is associated with more costs. On the other hand, if you follow a SaaS based solution where you would direct implementation to the tech provider and operation of the platform as well, there are even cloud services for HSMs nowadays, most of the stuff can be outsourced to the providers, which in some cases might lead to a less expensive solution. But I agree with Max. The more we’re moving into that regulated territory, the harder it is to actually get into the business without following strict requirements, which is necessarily associated with costs, and can be seen as a filter for anyone, as Max indicated already, a filter for companies or businesses that mean serious business instead of just going in there and trying whatever they can do.

[00:38:37] Mark: Just very quickly, because the points I’m going to make are all very similar to those of both Petar and Max. Regulation is always a barrier to entry. You improve standards and therefore it makes this harder. Is regulation needed? Yes, it is.

As Max said, for me, the cost is not third party solutions. The cost will be the internal controls, the resources that you’re going to have to bring in, the prudential obligations, the liability that comes with it in terms of your activity. I think those are bigger costs than we’re talking about the outsourcing.

The last one I want to make is, this is not an implication of regulation. It’s actually a demand from institutional investors. I think it’s the way that it will go, that standards will have to improve as institutional investors enter this market, because they will expect high standards.

[00:39:28] Zarah: Okay. We are not quite sure what’s going to happen, how the regulators are going to decide, what is going to change. When talking about digital asset management and custody solutions, what would you think makes it futureproof? What is important now when thinking about implementing a custody solution, when thinking about the future?

[00:39:53] Petar: The most important aspect is what we’ve seen vendors like METACO, for instance, do, which is offer the flexibility to build on top of the basic custody solution, to build additional use cases on top of that. An example of this could be, let’s look at tokenization cases where we want to create a smart contract and have that be controlled with the same system that is used to maintain these assets within the custody solution. You want to use the same system across the different use cases.

Flexibility and extending that solution throughout the different use cases is what is important. No matter what you do with digital assets, at some point in time, you want to store them somewhere. There are some aspects of control, be it for a smart contract, where you won’t have to sign off an additional step in that life cycle of that smart contract. All of this has to optimally be performed out of the same platform. Flexibility and extendibility of it is what, from my perspective, makes it future proof.

In addition to that, the integration of all of what we usually call third party services, which is for instance in the Elliptic case, the blockchain analytics tools. That could be tools related to travel rule regulation. It could be market data integration and all those kinds of stuff. It’s an integration of every additional service that we’ve seen pop up on the market, which will also bring a lot of added value to the platform.

[00:41:45] Mark: Can I also talk from the regulator’s side? I think for me, lots of things jump out. The two most obvious ones for this discussion are around segregation, segregation, segregation, and also what we talked about before, about robustness in terms of security, but also systems and controls and procedures. That’s what a regulator’s going to look for. They’re going to look at investor risk, and they’re going to look at fit and proper. The fit and proper is actually how well you understand the risks and how well you have documented and controlled those risks.

[00:42:15] Zarah: Thank you so much. When talking about integrations, Elliptic is also something that METACO integrates. What does it take for a custody solution and a digital asset management solution to comply with all the compliance and regulation requirements, for banks or institutions?

[00:42:37] Mark: There’s a lot there and there’s going to be more, I suppose. In Europe we’ve got conduct and prudential regulation coming in with MiCA, and the UK will probably come up with something in the future. But what we have right now is financial crime legislation, and that is really around the anti-money laundering regulations, and also what we call the travel rule, but it’s the funds transfer regulation.

What does it mean for a custodian or a bank entering into the crypto assets space? Part of it is just doing similar things to what you were doing before. It’s know your customer, know your transaction. They do that for fiat, the normal transactions, but now you have the blockchain data as well. You’d have to also consider how your systems and controls need to work with that as well.

How does a firm look at KYT, know your transactions? Again, you’d use a company like Elliptic in terms of blockchain analytics. Blockchain analytics, as I said, is we spend our time investigating and interrogating the blockchain to be able to label these actors. When you are a custodian and you receive assets, you might not know where those assets are coming from because once you’ve got your customer onboarded, one of the features of digital assets or crypto is those assets go straight to you.

What you’d need to do is to be able to have a system to quarantine those assets as they come in, because you don’t want them pooling and commingling with other assets in case they’re risky assets. That transaction will have a specific transaction hash, you would screen it using something like Elliptic’s tool, Navigator, and it’ll give you a risk score based on what you put into that in terms of risk. If it’s clean, it goes into the client account. If it’s not, you submit a suspicious report to the relevant law enforcement.

In terms of a withdrawal, it’s quite similar to a certain degree. What you want to do is before you send it somewhere, particularly in this world of sanctions right now, you need to ensure that the wallet I’m sending it to or the exchange I’m sending it to doesn’t create any risk and concerns to me. Again, you’d screen that wallet that the customer would give you, and then you would assess the risk of that using the blockchain analytics tool.

The one thing I would add to that though is, with this world, the complexity of criminality is becoming more complicated. In the world we used to live in, you’d have a Bitcoin attack and then you’d send it to an exchange and you’d off-ramp it and get your fiat. The world has changed. We’re now much more complicated, the ecosystem of assets. If, for example, you have an attack and you steal some stablecoin, you’ll very quickly change it into something else, maybe Ether using a decentralized exchange with lower KYC, and then you’ll go through various bridges before you then go to an exchange. The whole point is you want to blur the transaction.

One of the things you should be looking for is, when you’re looking at your risk, you’re not just looking at, I’ve got Bitcoin in, what’s that risk? That’s very linear and that’s very old school now. What you should be looking for is, where’s this coin come from and what’s it interacted with? If you look at some of the more recent attacks, it is using decentralized exchanges. It is looking at where cross chain bridges are going. Even FATF, they’re the supranational financial crime organization, says in their most recent report, the emerging risk is cross chain risk. That’s one of the hardest bits to look at. That’s what I think I would say to people to look through.

The other aspect, I would say, the other piece of legislation to reflect on, is the travel rule. The travel rule is again, something that you have in the fiat space, and that is to help law enforcement be able to go to an exchange and say, can you give me all this data about a particular transaction, and you’ll have all the history.

As the VASP sends crypto assets to another VASP, so you have an originator and you have a beneficiary, what the travel rule says is you need to also pass information about who those people are so that if I as law enforcement go to one of you, I can follow that all the way through. We as Elliptic do not provide that underlying plumbing, but we link up with other partners. We have Notabene, they provide it in terms of travel rule. But in terms of what Elliptic does, it’s complementary in terms of the financial crime risks.

That gives you where your flow’s coming from, X and Y. But what happens if it’s going to a hardware wallet, to my personal Ledger? Everybody has a slightly different regulatory environment. Europe has one, the UK has one, all slightly different. You need to look at your obligations. But you’d screen that wallet, or you’d look at the due diligence of the exchange you’re sending this to. Is that exchange based in a jurisdiction that’s high risk? Has that wallet interacted with illicit actors?

Again, the blockchain analytics should be seen as complementary in terms of the travel rule. It is not the travel rule, but it’s definitely part of financial crime prevention.

[00:47:45] Petar: When we discuss with clients, we’ve seen especially that travel rule aspect of sending funds from a VASP to one of the non-custodial wallets, being a Trezor, a Ledger or whatever, where we’ve seen the difficulties arise. In some jurisdictions you would have to ensure that the individual at the other end has control over that wallet before funds are sent there.

Currently what we see, even though there are a couple of methodologies as to how this can be established, all of them come with significant disadvantages. There’s for instance the methodology where the user is asked to send over a screenshot of the wallet. He logs into the wallet on his mobile phone and sends over a screenshot. But what it comes with is the risk that the screenshot is easy to be forged by the user. On the other hand, at the custodian side, you would need a person to screen that screenshot and then look at it and see whether it makes sense. What else can they do? They can ask the user to send over a small amount of that fund, of whatever fund on that network, which comes with costs for the user. He has to pay the fees. There again, we have a disadvantage, even though it’s less easy to be forged. Then what else is left, they can ask the user to send a message on that same network with the private key that is associated with that wallet. But not every wallet supports that functionality. There again, we have the disadvantage of it being too complex for the user.

Across the board what we’ve seen is, even though there are a couple of methodologies as to how this can be done, there are still gaps as to what is the real valid and best practice solution for how this can be done on the market. I know there are a few solutions out there that are trying to look at it. But support for that is not widespread enough for it to be considered a best practice solution. Hopefully, from my perspective, we can see further development in that area in the future, such that even individual wallets can be easily whitelisted on the custodian side.

[00:50:07] Mark: I think that that’s where some of the technology developments are going in terms of being able to validate. I think one of the points that your best practice highlights is the fact that because of regulation, you fragment the market. In Switzerland, I can only send it to a wallet that you are actually a customer of. In Singapore, you require a DDD. In Europe, if you’re over 1000, you have to show control of verification. In the UK it’s high risk.

Knowing your jurisdiction, knowing your obligations is one of the key aspects of saying, who are my customers that I am transacting with? What are the obligations in those? Then I think, as you quite rightly say, Petar, what is the highest standard that I should go to if I want a global practice or group-wide global procedures to avoid costs? It’s more complicated. Regulation, I did it for 25 years, it’s complicated and costly.

[00:50:58] Max: Yeah. All these examples you guys are mentioning, it’s one of the prime examples why, for example, a custody tech vendor or software company like ours, we often get asked, what are you doing regarding trading? What are you doing regarding tokenization, what are you doing regarding this? These are all important questions because all of these things are the moneymaking use cases. Digital asset custody is still a moneymaking use case.

But these examples show how important it is that the custody technology is built in a way that can adapt to all of these, let’s call them problems for now, and that you can solve them with the same platform. This sometimes gets far too little attention in the conversations we have with our prospects. Everybody looks for this tokenization case or for the trading case or for this, I don’t know, web three case, NFT case or the flashy ones to make the PR headlines. But the real thing, the real infrastructure, will be that you don’t need two different types of software which run in parallel, which more or less do the same thing but do it for a slightly different regulation case. You want to have everything on top of just one platform, and then you put everything, you stack everything on this one platform.

[00:52:12] Mark: Just to add to that, I’d say that what I’m seeing in my discussions from Elliptic is that big banks are starting to look at custody as the true initial function out there. For me, if I was on the other end of the spectrum and everybody had a different view, the complexity and the level of change in this marketplace is vast.

If I’m a bank and I want to develop my own system, I need to expand and resource that rather than use a third party provider there. Yes, there’s a license fee, but you take on some of the responsibility and the development costs. I can focus on my business, which is about making sure my institutional customers don’t leave me. They can actually deposit their assets with me, and what they do with it later on, I don’t need to get more involved in beyond custody at this stage while MiCA’s still coming about. But that’s my starting point for real crypto usage. For me, that’s the low risk in terms of real assets.

[00:53:09] Petar: It also comes with faster time to market. We’ve seen that story happen across the globe with financial institutions, first of all focusing on outsourcing all these capabilities to custody service providers or brokers and all these players in the market. Then over time transferring and bringing all of these capabilities and knowledge in-house, building it up internally, starting for instance with custody and then building on top of it. Which might be more of a case in the future, the more clarity we have from a regulatory perspective, and the more maturity we have in the market.

[00:53:56] Zarah: Thank you so much. Just looking at my watch we have now six minutes left. There was actually one interesting question that I would like to take up now. Have you considered the risk of quantum computing? That was one of the questions from one of the listeners, and I would love you to answer that.

[00:54:18] Max: Yeah, that would be probably a question to ask, but it’s probably even a question to the KMS provider itself, so to IBM, the big HSM providers. It’s a question more to them probably. Quantum computing and the power which comes with the calculation power is definitely a question to Bitcoin core developers or blockchain core developers, if you want to make it a broader term. Everybody has to look into it. We definitely, as a company, look and we keep on looking into it, alone and together with our partner IBM. I know that IBM is working on a quantum-secured cold storage solution. We also presented this one time already, so this actually is more than just a concept on paper.

The question can be answered simply with yes. Is there a ready solution yet? No. Will there be a solution? For sure, because quantum computing is not a question of if, it’s a question of when. I think all experts, or most of the experts, will agree on that. Hopefully I’m not saying something wrong here now, I’m not an expert in quantum computing or computer science, but it’s definitely a question to be considered.

[00:55:42] Petar: What we usually say when we talk about the quantum computing phase or era is that people see it as there either are quantum computers or there are none. There’s no in between. But what we expect to happen is a slow convergence towards that quantum computing era. With the development towards that, we will see more and more solid solutions implemented and solutions being updated throughout the technologies that are being used. The key terminology that we use there in terms of protecting against such incoming threats is the term crypto agility, the ability to change between algorithms and protocols to be up to date with the newest and more secure methods of encryption or creating digital signatures, et cetera.

We usually say don’t look at it as a black and white thing. There will be convergence towards that. There will be quantum computers, or there are quantum computers out there right now. They’re not as widely used, and they’re not as functional as they might be at some point in time in the future. With that evolution the protection against it will hopefully evolve at the same pace or even further ahead, because that’s what the cryptography area usually does. They’re always trying to be a step ahead of the attack vectors.

[00:57:27] Mark: I got that question some time back from, I think, somebody on this call. We’ll go back to them as well to explain. But I think I agree with what you’ve said, Petar, that as the attacks develop, so do the defence mechanisms develop as well.

The other point, when our expert was looking at this as a response, is the amount of energy that it’s going to take for these things. The question is, what are they going to attack? Are they going to really attack these chains? Are they going to go for something much more interesting? I think therefore it is a question of when, and we don’t know what the solutions will be, but it doesn’t necessarily compute that two plus two equals five. Hopefully they won’t necessarily go for the crypto, they’ll go for something else.

[00:58:16] Max: Two plus two, definitely not in the quantum world.

[00:58:23] Zarah: Good. Thank you so much. I’ve looked at the questions and we answered most of them, not all of them. I will try to get back to you separately and individually if possible, because we don’t have that much time left. But just in those last two minutes, I would love to give us a quick summary. What is the key takeaway from this webinar from each of you? Let’s start with you, Petar.

[00:58:49] Petar: I said it a couple of times. We discussed it at the beginning where we said managing digital assets is not all about managing key management systems, but the entire infrastructure as well as the entire process, be it any action that we perform on the platform, has to be protected. This is what we have to keep in mind from a technical perspective.

I also mentioned a couple of times that it’s not only a technical issue, it also involves all the policies and procedures that we are building up when implementing a custody solution and system.

Those are the two key facts to keep in mind.

[00:59:35] Mark: I’ll go next. There were a lot of things in this discussion, which was good. I think for me it’s about the dynamic nature of this sector and how regulation will be a positive and negative influence on this. It’s needed, but it will control and slow down some of the development. But again, it’s a double-edged sword because the introduction of traditional finance in this space will improve it for sure. I do think it is all about the improvement of the sector through regulation, and the maturing risk management that comes from traditional finance into this sector as well.

[01:00:12] Max: For me, it’s a confirmation that I think the rules are there. I’m not quite sure if we need even more regulation. But I can be corrected. I always listen to arguments for more regulation because I’m also a fan of rules, but I think the rules are there. They need to be applied. I think they need to be digested. With MiCA now being out, they need to be digested first. I don’t think it’s easy. But once they’re digested, I think they need to be applied because digital assets won’t go away. The benefit is very clear, what you get out of it.

I really look into the next 50 years, or I don’t know, 100 years, working on a foundation now and then working on all the fun use cases hopefully within the next 18 to 24 months with all the big tier one or regulated financial institutions. Because it can be fun, but I think custody is only the foundation. You want to get to these fun use cases very quickly, but you have to do your homework first.

[01:01:16] Mark: There’ll always be more regulation, Max. But just while you say that though, so it’s on the FCA crypto spin on custody, some of the basic building blocks of regulation right now in custody, how does it deal with reconciliation on a blockchain? How does it deal with it in terms of if you’re a personal customer and you’ve got your pension on a ledger? We are changing the paradigm of regulation at the same time. When I was leaving my capital markets policy role, a lot of things were changing. That’s why the Bank of England and Treasury have developed the FMI Crypto Sandbox as more, if you like, institutional investors start getting into this market. That to me is what’s exciting. We are actually seeing a bigger change this year, and it’s a big start of something bigger, one hopes. If the price of Bitcoin stays up.

[01:02:03] Max: It’s going up now.

[01:02:06] Zarah: True. Good. Thank you so much. Unfortunately, we are at the end of our time. But it was very interesting, and I hope some questions have been answered. If there are more questions, feel free to reach out to us. We are all available for you, the mail addresses are displayed here. I wish you all a successful 2023, and hope to see you soon.

[01:02:34] Max: Thank you, Zarah. Thank you, Mark. Thank you, Petar.