Building Internal Compliance Programs for Digital Asset Custody | Institutional Custody & Compliance | XRP Academy - XRP Academy
Level: Advanced | Duration: 60 min

Building Internal Compliance Programs for Digital Asset Custody

Learning Objectives

  • Design institutional policies for digital asset custody
  • Implement governance structures for custody oversight
  • Develop monitoring and reporting programs
  • Create documentation frameworks for regulatory defense
  • Build incident response procedures for custody issues

  • Selecting and monitoring custodians
  • Implementing required controls
  • Maintaining proper documentation
  • Satisfying regulatory requirements

This lesson provides frameworks for building that internal compliance infrastructure.


CUSTODY POLICY STRUCTURE:

- Policy purpose statement
- Covered activities
- Covered assets
- Applicable regulations

- Board/committee oversight
- Roles and responsibilities
- Escalation procedures
- Approval authorities

- Qualified custodian requirement
- Selection criteria
- Due diligence requirements
- Approval process

- Account opening
- Transaction authorization
- Withdrawal procedures
- Settlement processes

- Ongoing due diligence
- Performance monitoring
- Incident tracking
- Periodic review

- Concentration limits
- Insurance requirements
- Counterparty limits
- Contingency planning

- Record keeping
- Retention requirements
- Audit trail
- Regulatory filings

SAMPLE POLICY PROVISIONS:

QUALIFIED CUSTODIAN REQUIREMENT:

"All digital assets held on behalf of clients
shall be maintained with a qualified custodian
as defined in SEC Rule 206(4)-2, unless
otherwise exempt.

  • Federally or state-chartered banks
  • Registered broker-dealers
  • Futures commission merchants
  • State trust companies meeting SEC conditions

Self-custody is prohibited for client assets."

CUSTODIAN SELECTION:

"Prior to engaging any custodian, the following
due diligence shall be completed and documented:

  1. Regulatory status verification
  2. Security architecture assessment
  3. Financial stability analysis
  4. Insurance coverage evaluation
  5. Contractual review

Custodian selection requires approval of the
Compliance Committee and documentation of
selection rationale."

CONCENTRATION LIMITS:

"To mitigate counterparty risk, the following
concentration limits apply:

  • Single custodian: Maximum 50% of digital assets
  • Single jurisdiction: Maximum 75% of digital assets
  • Exception: Requires CCO and CEO approval with

ONGOING MONITORING:

"Custodian relationships shall be monitored on
an ongoing basis including:

  • Quarterly: Performance and incident review
  • Annual: Full due diligence refresh
  • Event-driven: Upon material changes
  • Immediate: Upon negative news or regulatory action"

POLICY GOVERNANCE:

APPROVAL PROCESS:

  1. Draft by Compliance
  2. Review by Legal
  3. Risk Committee review
  4. Board/Committee approval
  5. Documentation of approval

  6. Compliance review for updates
  7. Regulatory change assessment
  8. Operational experience incorporation
  9. Committee approval of changes
  10. Version control update

POLICY MAINTENANCE:

  • Sequential version numbering
  • Change log maintained
  • Prior versions archived
  • Effective dates clear

  • All affected personnel
  • Training on updates
  • Acknowledgment tracking
  • Access controlled

  • Approval minutes
  • Review records
  • Change documentation
  • Training records


CUSTODY GOVERNANCE STRUCTURE:

- Policy approval
- Risk appetite setting
- Major custodian decisions
- Annual review

- Custodian selection approval
- Due diligence review
- Policy implementation
- Incident escalation

- Policy development
- Due diligence execution
- Monitoring programs
- Regulatory liaison

- Transaction processing
- Reconciliation
- Issue identification
- Documentation

SAMPLE GOVERNANCE CHART:

```text
┌─────────────────────────────────────┐
│          Board of Directors         │
│       (Annual policy approval)      │
└──────────────┬──────────────────────┘
               │
┌──────────────▼──────────────────────┐
│         Compliance Committee        │
│        (Quarterly oversight)        │
└──────────────┬──────────────────────┘
               │
┌──────────────▼──────────────────────┐
│       Chief Compliance Officer      │
│        (Ongoing management)         │
└──────────────┬──────────────────────┘
               │
       ┌───────┴───────┐
       │               │
┌──────▼─────┐  ┌──────▼──────┐
│ Operations │  │ Compliance  │
│    Team    │  │    Team     │
└────────────┘  └─────────────┘
```

DETAILED RESPONSIBILITIES:

BOARD/INVESTMENT COMMITTEE:
□ Approve digital asset custody policy
□ Set risk appetite for custody
□ Approve custodian relationships >$X
□ Review annual custody summary
□ Approve policy exceptions

COMPLIANCE COMMITTEE:
□ Review and recommend custodians
□ Approve due diligence findings
□ Review monitoring reports quarterly
□ Approve policy updates
□ Escalate issues to Board

CHIEF COMPLIANCE OFFICER:
□ Develop and maintain policy
□ Conduct custodian due diligence
□ Oversee monitoring program
□ Report to Committee
□ Regulatory examination coordination

COMPLIANCE TEAM:
□ Execute due diligence
□ Daily/weekly monitoring
□ Documentation maintenance
□ Issue tracking
□ Training coordination

OPERATIONS TEAM:
□ Execute transactions
□ Perform reconciliation
□ Report discrepancies
□ Maintain records
□ Support audits

MEETING SCHEDULE:

- Policy approval/updates
- Risk appetite review
- Major custodian changes
- Significant incidents

- Monitoring report review
- Due diligence status
- Incident summary
- Policy compliance

- Transaction volumes
- Reconciliation status
- Open issues
- Custodian communications

REPORTING PACKAGE:

  1. Custody Summary
  2. Monitoring Summary
  3. Incident Summary
  4. Regulatory Update


MONITORING PROGRAM:

DAILY MONITORING:
□ Transaction confirmation
□ Balance reconciliation
□ Exception review
□ Settlement status

WEEKLY MONITORING:
□ Open item resolution
□ Custody reports review
□ Issue tracking update
□ Communications review

MONTHLY MONITORING:
□ Full reconciliation
□ Fee analysis
□ SLA compliance review
□ Incident log update

QUARTERLY MONITORING:
□ Performance summary
□ Due diligence items
□ Insurance verification
□ Committee reporting

ANNUAL MONITORING:
□ Full due diligence refresh
□ SOC report review
□ Financial analysis update
□ Policy compliance review

DAILY CHECKLIST:

□ Review all transaction confirmations
□ Verify transaction details match instructions
□ Confirm settlement/delivery
□ Reconcile positions to custodian reports
□ Identify and log any discrepancies
□ Escalate material issues

WEEKLY CHECKLIST:

□ Review custodian communications
□ Follow up on open items
□ Update issue tracking log
□ Review news for custodian mentions
□ Confirm upcoming settlements
□ Update transaction log

MONTHLY CHECKLIST:

□ Full position reconciliation
□ Review and approve custodian fees
□ SLA compliance calculation
□ Update monitoring dashboard
□ Review incident log
□ Prepare monthly summary

QUARTERLY CHECKLIST:

□ Comprehensive monitoring review
□ Verify insurance currency
□ Review regulatory developments
□ Due diligence item updates
□ Committee report preparation
□ Policy compliance verification

ANNUAL CHECKLIST:

□ Full due diligence refresh
□ Request updated SOC report
□ Financial stability assessment
□ Insurance adequacy review
□ Contractual review
□ Board/Committee annual review

EXCEPTION HANDLING PROCEDURES:

CLASSIFICATION:

Level 1:
  • Minor discrepancies (<$1,000)
  • Administrative errors
  • Timing differences
  • Resolution: Operations, 24 hours

Level 2:
  • Material discrepancies ($1,000-$50,000)
  • Repeated issues
  • SLA breaches
  • Resolution: CCO review, 48 hours

Level 3:
  • Large discrepancies (>$50,000)
  • Security concerns
  • Regulatory implications
  • Resolution: Committee escalation, immediate

ESCALATION MATRIX:

Issue Type          Level 1     Level 2       Level 3
──────────────────────────────────────────────────────
Financial Loss      <$1K        $1K-$50K      >$50K
Security Incident   Minor       Material      Any breach
Regulatory Issue    Admin       Inquiry       Examination
Operational         <4 hrs      4-24 hrs      >24 hrs

DOCUMENTATION:

For Each Exception:
□ Date/time identified
□ Nature of exception
□ Classification level
□ Root cause analysis
□ Resolution actions
□ Preventive measures
□ Sign-off by appropriate level
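A worked example, added here and not part of the XRP Academy lesson, of how the daily reconciliation step and the exception classification above could be implemented: it compares an internal position book to a custodian statement (constructed sample data), values each discrepancy in USD, applies the lesson's Level 1/2/3 thresholds, and opens an exception record carrying the documentation fields listed above. Asset names, prices and record field names are assumptions; an asset that cannot be priced escalates to Level 3 because it cannot be shown to be minor.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal

# Thresholds and resolution owners taken from the lesson's exception classification (USD).
LEVEL_1_MAX = Decimal("1000")    # below this: minor, Operations resolves within 24 hours
LEVEL_2_MAX = Decimal("50000")   # up to and including this: material, CCO review within 48 hours
RESOLUTION = {1: ("Operations", "24 hours"), 2: ("CCO review", "48 hours"),
              3: ("Committee escalation", "immediate")}

@dataclass(frozen=True)
class Discrepancy:
    asset: str
    internal_units: Decimal
    custodian_units: Decimal
    usd_value: "Decimal | None"   # None when the asset cannot be priced
    level: int

def classify(usd_value):
    """Map a discrepancy's USD value to Level 1/2/3; an unpriceable one escalates to 3."""
    if usd_value is None or usd_value > LEVEL_2_MAX:
        return 3
    return 2 if usd_value >= LEVEL_1_MAX else 1

def reconcile(internal, custodian, prices):
    """Compare positions asset by asset; return one classified Discrepancy per mismatch."""
    found = []
    for asset in sorted(set(internal) | set(custodian)):
        ours = internal.get(asset, Decimal(0))        # asset missing on one side counts as zero
        theirs = custodian.get(asset, Decimal(0))
        if ours == theirs:
            continue
        usd = abs(ours - theirs) * prices[asset] if asset in prices else None
        found.append(Discrepancy(asset, ours, theirs, usd, classify(usd)))
    return found

def exception_record(d, identified_at):
    """Open an exception log entry; root cause, resolution, preventive measures and
    sign-off stay None until the owning level completes them (field names assumed)."""
    owner, deadline = RESOLUTION[d.level]
    return {"identified": identified_at.isoformat(), "level": d.level,
            "nature": f"{d.asset}: internal {d.internal_units} vs custodian {d.custodian_units}",
            "owner": owner, "resolve_within": deadline,
            "root_cause": None, "resolution": None, "preventive": None, "sign_off": None}

# Constructed sample data: end-of-day internal book vs custodian statement (ETH left unpriced).
INTERNAL = {"XRP": Decimal("1000000"), "BTC": Decimal("10.5")}
CUSTODIAN = {"XRP": Decimal("999500"), "BTC": Decimal("9.5"), "ETH": Decimal("2")}
PRICES = {"XRP": Decimal("0.50"), "BTC": Decimal("60000")}

if __name__ == "__main__":
    for d in reconcile(INTERNAL, CUSTODIAN, PRICES):
        print(exception_record(d, datetime.now(timezone.utc)))
```

On the sample data the BTC shortfall values at $60,000 (Level 3), the unpriced ETH position also escalates to Level 3, and the 500 XRP difference values at $250 (Level 1).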


---
DOCUMENTATION FRAMEWORK:

- RFP/RFI materials
- Due diligence reports
- Selection memorandum
- Approval documentation
- Executed agreements

Retention: Life of relationship + 7 years

- Annual DD assessments
- SOC reports
- Financial analyses
- Insurance certificates
- Meeting notes

Retention: Current + 5 years

- Transaction instructions
- Confirmations
- Settlement documentation
- Authorization records
- Reconciliation records

Retention: 7 years

- Monitoring reports
- Exception logs
- Resolution documentation
- Committee reports
- Audit trails

Retention: 5 years

- Policies (all versions)
- Committee minutes
- Board approvals
- Training records
- Compliance certifications

Retention: Permanent (policies)
           7 years (other)

REGULATORY DEFENSE FILE:

PURPOSE:
Demonstrate compliance to examiners

ORGANIZATION:

  • Current policy
  • Policy history
  • Approval documentation
  • Training records

  • Due diligence files
  • Selection memoranda
  • Approval records
  • Executed agreements

  • Monitoring reports
  • Annual reviews
  • Exception handling
  • Remediation records

  • Committee charters
  • Meeting minutes
  • Escalation records
  • Board reports

FILE MAINTENANCE:

□ Update quarterly
□ Organize chronologically
□ Index for easy navigation
□ Electronic and physical copies
□ Access controlled
□ Ready for examination

AUDIT TRAIL REQUIREMENTS:

- Initiator identification
- Timestamp of initiation
- Authorization(s)
- Approver(s) identification
- Timestamp of approval(s)
- Execution confirmation
- Settlement confirmation

- Decision point identified
- Information considered
- Alternatives evaluated
- Rationale documented
- Approver(s) identified
- Date/time recorded
- Supporting documentation referenced

- Prior state
- New state
- Change date/time
- Change initiator
- Change approver
- Rationale for change

DOCUMENTATION STANDARDS:

□ All records dated
□ Author identified
□ Approvals documented
□ Changes tracked
□ Versions controlled
□ Access logged
□ Retention scheduled


---
INCIDENT RESPONSE PLAN:

INCIDENT CATEGORIES:

  • Unauthorized access attempts
  • Key compromise (suspected/actual)
  • Theft or fraud
  • Data breach

  • Transaction errors
  • System failures
  • Settlement failures
  • Communication failures

  • Custodian regulatory action
  • Custodian financial distress
  • Custodian operational failure
  • Custodian breach

RESPONSE PHASES:

  • Identify incident
  • Classify severity
  • Notify response team
  • Preserve evidence

  • Limit damage
  • Secure assets
  • Isolate affected systems
  • Implement workarounds

  • Root cause analysis
  • Impact assessment
  • Timeline reconstruction
  • Evidence collection

  • Implement fixes
  • Restore operations
  • Verify resolution
  • Document actions

  • Lessons learned
  • Control improvements
  • Policy updates
  • Stakeholder communication

CUSTODIAN DISTRESS RESPONSE:

Trigger: News or information suggesting custodian
         financial or operational distress

Immediate Actions (0-4 hours):
□ Verify information
□ Contact custodian for information
□ Assess current exposure
□ Notify CCO and senior management
□ Convene response team

Short-Term Actions (4-48 hours):
□ Assess withdrawal options
□ Evaluate alternative custodians
□ Review contractual rights
□ Prepare transfer instructions
□ Monitor situation closely

If Deteriorating:
□ Execute partial withdrawal if possible
□ Activate backup custodian
□ Document all actions
□ Communicate with stakeholders
□ Engage legal counsel

SECURITY INCIDENT RESPONSE:

Trigger: Suspected or confirmed security incident
at custodian affecting client assets

Immediate Actions:
□ Verify incident details
□ Assess impact on our assets
□ Contact custodian immediately
□ Suspend new transactions
□ Notify CCO and senior management

Investigation:
□ Obtain incident report from custodian
□ Verify asset status
□ Review insurance coverage
□ Document timeline
□ Assess recovery prospects

Resolution:
□ Confirm asset recovery/loss
□ File insurance claim if applicable
□ Document lessons learned
□ Update risk assessment
□ Consider custodian change

INCIDENT COMMUNICATION:

INTERNAL COMMUNICATION:

  1. Operations → CCO (immediate)
  2. CCO → CEO/Senior Management
  3. CCO → Compliance Committee (if material)
  4. Committee → Board (if required)

Documentation:
□ Initial notification (email/call log)
□ Status updates (minimum daily)
□ Resolution notification
□ Post-incident summary

EXTERNAL COMMUNICATION:

  • Formal written inquiries
  • Document all communications
  • Request written responses
  • Escalate as needed

  • Follow notification requirements
  • Document notification
  • Coordinate with legal counsel
  • Maintain communication log

  • Coordinate with senior management
  • Review disclosure obligations
  • Document communications
  • Maintain confidentiality

COMMUNICATION TEMPLATES:

Maintain templates for:
□ Initial incident notification
□ Status update format
□ Regulatory notification (if required)
□ Client notification (if required)
□ Post-incident summary


---

Internal compliance programs are required - Regulatory expectation clear

Governance structures improve outcomes - Oversight reduces errors

Documentation protects institution - Critical for regulatory defense

Monitoring catches issues early - Prevents small issues from becoming large

⚠️ Optimal governance structure - Varies by institution

⚠️ Monitoring frequency - Risk-based determination

⚠️ Regulatory expectations evolution - Standards may increase

⚠️ Incident response adequacy - Untested until needed

📌 Policies without implementation - Paper compliance insufficient

📌 Governance without substance - Meetings without action

📌 Monitoring without follow-through - Identifying issues but not resolving

📌 Documentation gaps - What's not documented didn't happen

Internal compliance programs require sustained effort. Writing policies is the easy part; implementing and maintaining them is where most institutions struggle. But the investment pays off—both in avoiding problems and in defending your program to regulators.


Assignment: Design an internal custody compliance program for your institution.

  • Part 1: Policy Framework (2 pages)
  • Part 2: Governance Structure (1 page)
  • Part 3: Monitoring Program (1.5 pages)
  • Part 4: Documentation Plan (1 page)
  • Part 5: Incident Response Summary (0.5 pages)

Format: Professional compliance program document, 6 pages maximum

Time Investment: 5-6 hours


1. Who retains compliance responsibility when using a qualified custodian?
Answer: B - The institution retains responsibility for selection, monitoring, and documentation

2. What is the recommended frequency for full due diligence refresh?
Answer: C - Annually, with event-driven updates for material changes

3. What should be included in a regulatory defense file?
Answer: A - Policies, due diligence, monitoring reports, and governance documentation

4. When should an incident response plan be developed?
Answer: D - Before any incident occurs, as part of compliance program setup

5. What is the primary purpose of documentation in custody compliance?
Answer: B - Demonstrate compliance to regulators and maintain operational discipline


End of Lesson 13

Total Words: ~4,400
Estimated Completion Time: 60 minutes reading + 5-6 hours for deliverable

Key Takeaways

  1. Custody compliance is your responsibility - Custodian doesn't assume your obligations
  2. Governance structure must have teeth - Oversight with authority to act
  3. Monitoring must be systematic - Regular, documented, actionable
  4. Documentation is critical - For regulatory defense and operational discipline
  5. Incident response requires preparation - Build the plan before you need it