Due Diligence Framework - The 50-Point Custodian Assessment
Learning Objectives
- Conduct comprehensive custody provider due diligence
- Evaluate regulatory status and compliance history
- Assess security architecture and operational controls
- Analyze financial stability and insurance coverage
- Review contractual terms and legal protections
Custody due diligence isn't a checkbox exercise—it's an ongoing process that starts with initial evaluation and continues throughout the relationship. This lesson provides a structured framework for that process.
- Regulatory Status (10 points)
- Security Architecture (10 points)
- Operational Capabilities (10 points)
- Financial Stability (10 points)
- Contractual Protections (10 points)
REGULATORY STATUS ASSESSMENT:
POINT 1: QUALIFIED CUSTODIAN STATUS
Question: What is the legal basis for qualified custodian status?
Documents: Charter, license, regulatory filings
Verify: Status current and unrevoked
Score: Confirmed (2) / Unclear (1) / Not Qualified (0)
POINT 2: REGULATORY AUTHORITY
Question: Who is the primary regulator?
Best: OCC/Federal Reserve (3)
NYDFS or strong state (2)
Other state (1)
Foreign only (0)
POINT 3: EXAMINATION HISTORY
Question: When was the last regulatory examination?
Request: Most recent examination report (if shareable)
Best: Annual examination, no material findings
Flag: More than 2 years since examination
POINT 4: ENFORCEMENT HISTORY
Question: Any enforcement actions or consent orders?
Search: SEC IAPD, OCC enforcement, state databases
Best: Clean record
Flag: Any enforcement action requires explanation
POINT 5: COMPLIANCE FUNCTION
Elements:
- Chief Compliance Officer
- Written policies/procedures
- Annual compliance review
- Regulatory change monitoring
POINT 6: AML/BSA PROGRAM
Elements:
- BSA/AML officer
- Customer identification program
- Transaction monitoring
- SAR filing capability
- Independent AML audit
POINT 7: REGULATORY RELATIONSHIPS
Question: How would you describe your regulatory relationships?
Assess: Proactive vs. reactive, examination preparation
Flag: Adversarial relationship indicators
POINT 8: LICENSE SCOPE
Question: Does your license cover all intended activities?
Verify: Custody, settlement, any additional services
Flag: Activities outside license scope
POINT 9: JURISDICTIONAL COVERAGE
Question: Where are you licensed to operate?
Verify: Covers all relevant client locations
Flag: Need services in unlicensed jurisdiction
POINT 10: ONGOING COMPLIANCE
Question: How do you monitor regulatory changes?
Elements: Regulatory monitoring, implementation process
Flag: No systematic approach
REGULATORY DD PROCESS:
STEP 1: PUBLIC RECORDS SEARCH
- State regulatory databases
- SEC IAPD (if applicable)
- OCC enforcement database
- State attorney general filings
- Court records search
STEP 2: DOCUMENTATION REQUEST
Request:
□ Charter/license documentation
□ Latest regulatory examination letter (if shareable)
□ Compliance manual table of contents
□ AML/BSA program summary
□ Organizational chart (compliance function)
STEP 3: REFERENCE CHECKS
- Other clients (with permission)
- Industry contacts
- Former employees (LinkedIn)
- Regulatory contacts (if appropriate)
STEP 4: ONGOING MONITORING
- News monitoring
- Regulatory alert services
- Annual verification
- Relationship reviews
---
SECURITY ARCHITECTURE ASSESSMENT:
POINT 11: KEY GENERATION
Question: How are private keys generated?
Best: HSM with hardware RNG, witnessed ceremony
Verify: Key ceremony documentation
Flag: Software generation, no ceremony
POINT 12: KEY STORAGE
Question: How are keys stored?
Best: FIPS 140-2 Level 3+ HSM
Verify: HSM vendor, FIPS certification
Flag: Software storage, low FIPS level
POINT 13: COLD/HOT RATIO
Question: What percentage of assets are in cold storage?
Best: 95%+ cold
Verify: Architecture documentation
Flag: Less than 90% cold
POINT 14: MULTI-SIG/MPC CONFIGURATION
Question: What authorization scheme is used?
Best: 3-of-5 or higher multi-sig or MPC
Verify: Technical documentation
Flag: Single-key or 1-of-2 for large values
POINT 15: GEOGRAPHIC DISTRIBUTION
Question: Where are key materials physically located?
Best: Multiple geographic regions
Verify: Facility locations
Flag: Single location
POINT 16: ACCESS CONTROLS
Question: Who has access to signing capabilities?
Best: Role-based, segregation of duties
Verify: Access control documentation
Flag: Concentrated access
POINT 17: SECURITY AUDITS
Question: What security audits are performed?
Request: Penetration test summary, audit reports
Best: Annual pen test, continuous monitoring
Flag: No regular security testing
POINT 18: SOC REPORTS
Question: Do you have SOC 1 and/or SOC 2 reports?
Request: SOC 2 Type II report
Best: Clean SOC 2 Type II
Flag: No SOC report or Type I only
POINT 19: INCIDENT HISTORY
Question: Have you experienced any security incidents?
Best: No incidents, or incidents properly handled
Verify: Incident response documentation
Flag: Unresolved incidents, pattern of issues
POINT 20: SECURITY CERTIFICATIONS
Question: What security certifications do you hold?
Look for: ISO 27001, SOC 2, CCSS
Verify: Current certification status
Flag: No independent security validation
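As an added illustration (not part of the lesson), the following Python scorer turns a custodian's answers to Points 11 through 16 into a per-point score and a list of flags, using the Best/Flag thresholds given above. The 2/1/0 per-point scale, the SecurityProfile field names and the threshold-parsing rules are assumptions; the sample profile is constructed for a hypothetical custodian.

```python
"""Added example (not part of the lesson): scores answers to Points 11-16 against the Best/Flag
thresholds above. The 2/1/0 per-point scale is an assumption modelled on Point 1's scoring."""
from dataclasses import dataclass, field
import re

BEST, UNCLEAR, FLAG = 2, 1, 0  # assumed per-point scale (Confirmed / Unclear / Not Qualified)


@dataclass
class SecurityProfile:
    key_generation: str      # "hsm" or "software"
    hardware_rng: bool
    witnessed_ceremony: bool
    key_storage: str         # "hsm" or "software"
    fips_140_level: int      # 0 if no FIPS 140 validation is claimed
    cold_storage_pct: float  # share of assets held in cold storage
    authorization: str       # e.g. "3-of-5 multisig", "2 of 3 MPC", "single-key"
    key_regions: int         # distinct geographic regions holding key material
    role_based_access: bool
    segregation_of_duties: bool


@dataclass
class Assessment:
    scores: dict = field(default_factory=dict)  # point number -> 2/1/0
    flags: list = field(default_factory=list)   # findings the custodian must explain

    @property
    def total(self) -> int:
        return sum(self.scores.values())

_THRESHOLD_RE = re.compile(r"(\d+)\s*-?\s*of\s*-?\s*(\d+)", re.IGNORECASE)


def parse_threshold(scheme: str):
    """(m, n) from '3-of-5 multisig' or '2 of 3 MPC'; (1, 1) for single-key; None if unstated."""
    match = _THRESHOLD_RE.search(scheme)
    if match:
        return int(match.group(1)), int(match.group(2))
    return (1, 1) if "single" in scheme.lower() else None


def assess_security(p: SecurityProfile) -> Assessment:
    a = Assessment()

    def record(point, score, flag=None):
        a.scores[point] = score
        if flag:
            a.flags.append(f"Point {point}: {flag}")
    # Point 11: HSM with hardware RNG and a witnessed ceremony is Best; software generation is a Flag.
    if p.key_generation.lower() != "hsm":
        record(11, FLAG, "software key generation")
    elif p.hardware_rng and p.witnessed_ceremony:
        record(11, BEST)
    else:
        record(11, UNCLEAR, "hardware RNG or witnessed ceremony not documented")
    # Point 12: FIPS 140-2 Level 3+ HSM is Best; software storage is a Flag; a low level is Unclear.
    if p.key_storage.lower() != "hsm":
        record(12, FLAG, "software key storage")
    elif p.fips_140_level >= 3:
        record(12, BEST)
    else:
        record(12, UNCLEAR, f"low FIPS 140 level ({p.fips_140_level})")
    # Point 13: 95%+ cold is Best; 90-95% is Unclear; under 90% is a Flag.
    if p.cold_storage_pct >= 95:
        record(13, BEST)
    elif p.cold_storage_pct >= 90:
        record(13, UNCLEAR)
    else:
        record(13, FLAG, f"only {p.cold_storage_pct:g}% in cold storage")
    # Point 14: 3-of-5 or higher is Best; single-key, 1-of-2 or an impossible m-of-n is a Flag.
    threshold = parse_threshold(p.authorization)
    if threshold is None:
        record(14, UNCLEAR, "authorization threshold not stated")
    else:
        m, n = threshold
        if n == 1 or (m, n) == (1, 2) or not 1 <= m <= n:
            record(14, FLAG, f"{m}-of-{n} authorization")
        elif m >= 3 and n >= 5:
            record(14, BEST)
        else:
            record(14, UNCLEAR)
    # Point 15: multiple geographic regions is Best; a single location is a Flag.
    multi_region = p.key_regions >= 2
    record(15, BEST if multi_region else FLAG, None if multi_region else "key material in a single location")
    # Point 16: role-based access plus segregation of duties is Best; neither is a Flag.
    controls = int(p.role_based_access) + int(p.segregation_of_duties)
    if controls == 2:
        record(16, BEST)
    elif controls == 1:
        record(16, UNCLEAR, "role-based access or segregation of duties missing")
    else:
        record(16, FLAG, "concentrated signing access")
    return a


# Constructed sample answers for a hypothetical custodian, not a real provider.
SAMPLE = SecurityProfile("hsm", True, True, "hsm", 3, 97.5, "3-of-5 multisig", 3, True, True)
```

Running `assess_security(SAMPLE)` gives 12 out of 12 with no flags; a profile answering "software" key storage, 85% cold and "1-of-2" authorization scores 0 and produces one flag per point, which is the list to put to the custodian before moving on to the documentation request below. The threshold parser is deliberately lenient about spacing and hyphens because the answers usually arrive as free text in a questionnaire.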
SECURITY DD PROCESS:
STEP 1: DOCUMENTATION REQUEST
Request:
□ Security architecture overview
□ SOC 2 Type II report
□ Penetration test executive summary
□ HSM specifications
□ Cold storage procedures
□ Key ceremony documentation
□ Incident response plan

- Architecture soundness
- Defense in depth
- Single points of failure
- Attack surface
- Recovery capabilities

- Independent security assessment
- Architecture review
- Penetration test review
- Technical expert opinion

- Annual SOC report review
- Security update monitoring
- Incident notification review
- Periodic reassessment
---
OPERATIONAL CAPABILITIES ASSESSMENT:
POINT 21: ASSET SUPPORT
Question: Which assets do you custody?
Verify: XRP supported, asset list current
Flag: Limited or outdated asset coverage
POINT 22: TRANSACTION PROCESSING
Question: What are transaction processing times?
Best: Hot <1 hour, cold <24 hours
Verify: SLA documentation
Flag: No committed SLAs
POINT 23: REPORTING CAPABILITIES
Question: What reporting is provided?
Elements: Holdings, transactions, tax, audit
Best: Real-time + customizable reporting
Flag: Limited or delayed reporting
POINT 24: INTEGRATION/API
Question: What integration options exist?
Evaluate: API documentation, connectivity options
Best: REST API, real-time webhooks
Flag: Manual-only processes
POINT 25: SUPPORT MODEL
Question: What support is available?
Best: 24/7 support, dedicated account manager
Verify: Support SLAs, escalation paths
Flag: Limited hours, no escalation
POINT 26: ONBOARDING PROCESS
Question: What is the onboarding timeline and process?
Best: Clear process, defined timeline
Verify: Documentation requirements
Flag: Unclear or excessive timeline
POINT 27: DISASTER RECOVERY
Question: What is your DR capability?
Best: Documented BCP/DR, tested annually
Request: BCP summary
Flag: No DR plan or untested
POINT 28: SCALABILITY
Question: Can you handle our growth?
Verify: Current capacity, growth experience
Flag: Concerns about scale capability
POINT 29: SERVICE LEVEL AGREEMENTS
Question: What SLAs are committed?
Elements: Availability, transaction time, support
Best: Documented SLAs with remedies
Flag: No SLAs or no remedies
POINT 30: OPERATIONAL TRACK RECORD
Question: How long have you been operating?
Best: 5+ years, no major operational failures
Verify: Operating history
Flag: Limited track record
OPERATIONAL DD PROCESS:
STEP 1: DOCUMENTATION REQUEST
Request:
□ Service description
□ Asset support list
□ API documentation
□ Reporting samples
□ SLA documentation
□ BCP/DR summary
□ Client references

- Demo of platform
- Sample reports review
- API sandbox testing (if available)
- Support responsiveness test

- Operational reliability?
- Support responsiveness?
- Any issues encountered?
- Would you recommend?

- SLA compliance tracking
- Incident tracking
- Support quality monitoring
- Annual operational review
---
FINANCIAL STABILITY ASSESSMENT:
POINT 31: CAPITAL ADEQUACY
Question: What are your capital levels?
Request: Capital adequacy information
Best: Capital well above regulatory minimums
Flag: Near minimums or declining
POINT 32: PROFITABILITY
Question: Are you profitable/sustainable?
Assess: Business model viability
Best: Profitable or clear path to profitability
Flag: Burn rate concerns, unclear sustainability
POINT 33: FUNDING SOURCES
Question: What is your funding status?
Assess: Equity funding, debt levels
Best: Well-capitalized, diverse funding
Flag: Distressed funding, excessive debt
POINT 34: PARENT COMPANY (IF APPLICABLE)
Question: What is parent company financial status?
Request: Parent financial information
Best: Strong, supportive parent
Flag: Weak or distressed parent
POINT 35: INSURANCE COVERAGE
Question: What insurance coverage do you carry?
Request: Certificate of insurance
Elements: Crime, E&O, cyber, specie
Best: Comprehensive coverage, reputable insurers
Flag: Limited coverage, unknown insurers
POINT 36: INSURANCE LIMITS
Question: What are coverage limits?
Verify: Limits relative to AUC
Best: Adequate limits for client exposure
Flag: Limits insufficient relative to client exposure
POINT 37: INSURANCE CLAIMS
Question: Have you filed any claims?
Verify: Claims history
Best: No claims or successfully resolved
Flag: Denied claims, pattern of issues
POINT 38: COUNTERPARTY EXPOSURE
Question: What are your material counterparties?
Assess: Bank relationships, technology providers
Best: Diversified, quality counterparties
Flag: Concentrated or weak counterparties
POINT 39: AUDIT STATUS
Question: Are your financials audited?
Request: Most recent audit opinion
Best: Clean audit opinion, Big 4 or equivalent
Flag: No audit, qualified opinion
POINT 40: FINANCIAL TRANSPARENCY
Question: What financial information do you share?
Assess: Willingness to share, quality of information
Best: Transparent, proactive sharing
Flag: Opaque, reluctant to share
FINANCIAL DD PROCESS:
STEP 1: DOCUMENTATION REQUEST
Request:
□ Annual report (if available)
□ Regulatory capital filings
□ Insurance certificate
□ Audited financials
□ Funding history
□ Parent financial information

- Capital trends
- Revenue/expense trends
- Funding adequacy
- Insurance adequacy
- Counterparty quality

- Crypto market downturn impact
- Client exodus scenario
- Regulatory action impact
- Technology failure cost

- Annual financial review
- Insurance renewal verification
- News/industry monitoring
- Regulatory filing review
---
CONTRACTUAL PROTECTIONS ASSESSMENT:
POINT 41: ASSET SEGREGATION
Question: How is asset segregation documented?
Review: Custody agreement segregation provisions
Best: Clear legal segregation, identifiable assets
Flag: Commingling permitted, unclear ownership
POINT 42: REHYPOTHECATION TERMS
Question: Can you rehypothecate client assets?
Best: No rehypothecation without consent
Verify: Agreement terms
Flag: Broad rehypothecation rights
POINT 43: LIABILITY PROVISIONS
Question: What liability does custodian accept?
Review: Liability and limitation provisions
Best: Liability for negligence/breach
Flag: Excessive liability limitations
POINT 44: INDEMNIFICATION
Question: What indemnification is provided?
Review: Indemnification provisions
Best: Balanced indemnification
Flag: One-sided indemnification
POINT 45: TERMINATION RIGHTS
Question: What are termination provisions?
Review: Termination notice, transition assistance
Best: Reasonable termination, transition support
Flag: Excessive lock-in, difficult exit
POINT 46: ASSET RETURN PROVISIONS
Question: How are assets returned on termination?
Review: Asset return timeline, procedures
Best: Clear timeline (30-60 days), defined process
Flag: No timeline, unclear process
POINT 47: DATA AND RECORDS
Question: What data rights do clients have?
Review: Data ownership, record retention
Best: Client owns data, reasonable retention
Flag: Custodian data ownership claims
POINT 48: GOVERNING LAW
Question: What law governs the agreement?
Review: Choice of law, venue
Best: Appropriate jurisdiction
Flag: Unfavorable jurisdiction
POINT 49: DISPUTE RESOLUTION
Question: How are disputes resolved?
Review: Arbitration, litigation provisions
Best: Balanced dispute resolution
Flag: One-sided arbitration, waiver of rights
POINT 50: CHANGE PROVISIONS
Question: How can agreement be modified?
Review: Amendment provisions
Best: Mutual consent required
Flag: Unilateral modification rights
LEGAL DD PROCESS:
STEP 1: AGREEMENT REVIEW
Have counsel review:
□ Custody agreement
□ Service agreement
□ Master agreement (if applicable)
□ Service level agreements
□ Insurance provisions

- Asset segregation
- Liability allocation
- Termination rights
- Transition assistance
- Insurance coverage

- Asset protection provisions
- Liability standards
- Insurance requirements
- Transition terms

- Agreement renewal review
- Amendment tracking
- Rights exercise monitoring
- Periodic legal review
---
DUE DILIGENCE TIMELINE:
- Public records search
- Regulatory status verification
- Initial documentation request
- Preliminary evaluation

- Security documentation review
- Financial analysis
- Operational assessment
- Insurance verification
- Reference checks
- Technical evaluation
- Legal review
- Negotiation (if proceeding)

- Final due diligence questions
- Agreement negotiation
- Internal approvals
- Documentation completion

- Quarterly review
- Annual comprehensive assessment
- Incident tracking
- Regulatory monitoring
DUE DILIGENCE FILE:
REGULATORY:
□ Charter/license copies
□ Regulatory search results
□ Compliance documentation
□ AML program summary
SECURITY:
□ Security architecture documentation
□ SOC 2 Type II report
□ Penetration test summary
□ Key management procedures
OPERATIONAL:
□ Service documentation
□ SLA documentation
□ BCP/DR summary
□ Reference check notes
FINANCIAL:
□ Financial statements/analysis
□ Insurance certificates
□ Capital adequacy information
□ Credit assessment
LEGAL:
□ Executed agreements
□ Legal opinion (if obtained)
□ Negotiation notes
□ Key terms summary
ONGOING:
□ Annual assessment reports
□ Incident logs
□ SLA compliance tracking
□ Regulatory updates
✅ Structured due diligence reduces selection risk - Framework catches issues
✅ Documentation requirements filter poor providers - Unwillingness to share is a red flag
✅ Ongoing monitoring is essential - Initial DD is not sufficient
✅ Legal review catches contractual issues - Agreements matter
⚠️ Appropriate depth for different allocations - How much DD for how much exposure
⚠️ Relative weighting of factors - Depends on institutional priorities
⚠️ Future risk indicators - Past performance isn't guarantee
⚠️ Emerging provider evaluation - Limited track records challenge assessment
📌 Checking boxes without substance - Process without judgment
📌 Ignoring red flags for convenience - Wishful thinking
📌 One-time due diligence - Set-and-forget mentality
📌 Over-relying on certifications - Certifications have limitations
Due diligence is essential but not a guarantee. Even the most thorough assessment can't eliminate all risk—it can only identify and manage it. The framework provides structure; judgment provides value.
Assignment: Conduct and document due diligence on a hypothetical custody provider.
Scenario: You're evaluating "SecureVault Digital Custody" for a $50M XRP allocation. Create a comprehensive DD report.
- Part 1: 50-Point Assessment (3 pages)
- Part 2: Key Findings (1 page)
- Part 3: Risk Assessment (1 page)
- Part 4: Recommendation (1 page)
Format: Professional due diligence report, 6 pages maximum
Time Investment: 4-5 hours
1. What is the most important indicator of regulatory status quality?
Answer: B - Examination history and enforcement record
2. What should a SOC 2 Type II report reveal?
Answer: C - Independent assessment of controls operating effectiveness over time
3. Why is insurance limit verification important?
Answer: A - To ensure coverage is adequate relative to client exposure
4. What contractual provision is most critical for asset protection?
Answer: B - Clear asset segregation and prohibition on rehypothecation without consent
5. When should custody due diligence occur?
Answer: D - Initial selection AND ongoing monitoring throughout relationship
End of Lesson 7
Total Words: ~4,800
Estimated Completion Time: 70 minutes reading + 4-5 hours for deliverable
Key Takeaways
Comprehensive DD covers five categories
- Regulatory, security, operational, financial, legal
Documentation requirements are revealing
- What providers share (and don't) matters
Reference checks provide real-world insight
- Other clients' experience is valuable
Legal review is essential
- Agreement terms determine protections
Ongoing monitoring is not optional
- Initial DD is just the beginning