Custody Best Practices: A Roadmap for Indian Institutions Holding Digital Assets

The Indian digital asset ecosystem has witnessed explosive growth over the past few years. This burgeoning rise in the use of digital assets is a testament to the advantages they bring over traditional asset classes. Whether for investment purposes, as a medium of payment, or to tap into the wider utility of the Web3 industry, these assets are increasingly being used in India

Nevertheless, institutional interest has remained dim thus far due to the lack of clarity from the government about the asset class. The added incidents of theft and misappropriation of digital assets, domestically and internationally, keep institutions at bay. However, that will change as the country looks to roll out regulations tailored to the industry within the next two years.

Nevertheless, institutional interest has remained dim thus far due to the lack of clarity from the government about the asset class. The added incidents of theft and misappropriation of digital assets, domestically and internationally, keep institutions at bay. However, that will change as the country looks to roll out regulations tailored to the industry within the next two years.

Financial institutions, investment firms, digital asset exchanges, and banks will take the central focus as a defined regulatory framework makes its way, expectedly, in the next two years. The onus falls on institutions to implement proper storage mechanisms and processes.

Navigating the Maze: Types of Digital Asset Custody Solutions

First things first, institutions must know the different custody solutions to choose the right ones for their storage practices.

Hot Wallets

• Store private keys within devices connected to online networks.
• Software applications on mobile and computer devices.
• Sign transactions quickly and transfer funds fast.
• Vulnerable to cyberattacks since the devices housing them are connected online.

Cold Wallets

• Store private keys within air-gapped computers and hardware security models (HSMs).
• Highly secure against exploits since the keys are stored in offline devices.
• Sign transactions offline and relay them online to blockchains.
• Fund transfers are slow and inefficient.

Multi-Signature (Multisig) Wallets

• Require multiple private keys to initiate transfers.
• More secure than wallets using a single private key to secure assets.
• Bring secure governance in institutions through distributed transaction signing capabilities – no one corrupt member can steal institutional funds.
• Drawbacks include high transaction fees at the blockchain level arising from several keys signing every transaction and the support for limited assets.

Multi-Party Computation (MPC) Wallets

• Offer distributed security and governance by dividing a single private key into several shards.
• Overcome high costs associated with multisig wallets thanks to a single transaction signature arising from multiple key parts.
• MPC algorithms create and deliver key shards stealthily, ensuring they are delivered to the right users and not visible to others using the wallet.
• The key refresh feature enables MPC wallets to generate new private keys after every transaction.
• Support several asset types from numerous blockchains and are easily implementable in institutional platforms.

Fortifying Your Assets: Best Practices for Secure Digital Asset Custody

Choosing the right custody solutions is just one part of operating secure custodianship facilities. Institutions must do much more. Here are some best practices to follow.

Risk Management

Institutions and enterprises dealing with digital assets must ensure that all the risks associated with their operations are identified and mitigated. The risks of operating custodial infrastructures are numerous and can vary depending on the kind of services offered by entities.

They can range from providing services for jurisdictionally banned digital asset types, like privacy and security coins, to allowing sanctioned wallets to bring crime-related funds to platforms. Also, institutions may operate conflicting verticals that can jeopardise client funds. Ventures must anticipate such risks to strategise their prevention.

Internal Controls

Most institutions provide more than one service. The presence of operations in multiple verticals can create conflicts between them. Such conflicts are often why virtual asset service providers (VASPs) misappropriate user funds. For instance, offering custody services for users while running lending and investing arms breeds conflict.

Many platforms have ended up utilising third-party funds in custody for their own lending and investing practices to boost profits. Eventually, such schemes come burning down, leading exchanges to lose user funds irrecoverably.

Therefore, enterprises must not conduct conflicting duties due to the high risks associated with operating certain verticals in tandem. Beyond that, enterprises must create and enforce robust policies aimed at preventing risky activities.

Technology and Security

With cyber threats being one of the biggest pain points to companies dealing with digital assets, companies must effectuate cybersecurity measures to protect client assets and sensitive data. 2023 has seen a whopping $1.7 Bn worth of digital assets stolen by cybercriminals globally.

Enterprises must safely handle user private keys and other sensitive data, including personal and financial information. It requires that enterprises utilise sophisticated encryption technologies and obtain needed cybersecurity certifications. Also, enterprise software should undergo penetration testing from reputable Web3 cybersecurity firms and encourage continuous bug bounty programs.

Compliance with Authorities

While India is yet to witness a fully developed digital asset regulatory framework, a handful of legislations presently uphold the integrity of its financial market and the safety of the users in the space. Institutions must adhere to these regulations to safeguard themselves and their users from persistent threats.

VASPs can also look at the legislation issued by other jurisdictions and emulate what their counterparts in those jurisdictions do. They must simultaneously follow international frameworks to prevent criminal fund flows through their platforms.

One such framework is the Crypto Travel Rule issued by the Financial Action Task Force (FATF), providing guidelines for deploying know-your-customer (KYC), enhanced due diligence (EDD), anti-money laundering (AML), and countering the financing of terrorism (CFT) protocols.

Disaster Recovery

At times, no amount of security or compliance measures can prevent exploits. Cybercriminals utilise cutting-edge measures that can penetrate the best of defence. Moreover, corrupt governance within organisations is just one decision away. VASPs must consider unforeseen circumstances and stay prepared.

To that end, they must insure themselves against such happenings. In the unfortunate events of unstoppable fund losses, insurance will help enterprises cover their losses and clients recover their assets. In instances when ventures turn bad and misappropriate assets, clients can still recover their funds. They must also set up effective communication protocols and detailed plans of action to continue essential functions during disastrous events.

Charting the Course: Regulatory Considerations for Digital Asset Custody in India

Operating custody services in India also requires a look at the regulatory scenario.

• 2020: The Supreme Court of India overrules the Reserve Bank of India’s (RBI) blanket ban on digital assets, acknowledging their existence and legality in 2020.
• 2022: The Finance Act of 2022 gets implemented, introducing a 30% income tax on income received or gains acquired through digital assets.
• 2022: The Finance Act of 2022 also introduces 1% TDS (Tax Deducted at Source) at 1% of transacted value when digital assets are sold or traded.
• 2022: The Indian Computer Emergency Response Team (CERT-In), an offshoot of the Ministry of Electronics and Information Technology, issues KYC – related guidelines for VASPs. They state that VASPs must record user KYC details, construct their financial activity effectively, and store the details for five years.
• 2022: The Advertising Standards Council of India (ASCI) enforces advertising guidelines dictating that VASPs and asset issuers must highlight the high risks associated with digital assets and not mislead investors about returns while promoting their products and services.
• 2023: The Ministry of Finance brings digital asset transactions under the scope of the Prevention of Money Laundering Act (PMLA), mandating VASPs to report suspicious transactions to the Financial Intelligence Unit – India (FIU-IND).

As these mandates and guidelines presently govern the Indian jurisdiction, the Indian digital asset landscape awaits complete clarity through digital asset-specific legislation. Recent developments suggest a bill making its way in 2025 at the earliest.

This delay can be considered a challenge to the Indian digital asset ecosystem. Despite stalling to provide regulatory clarity over the asset class, the government is pushing the adoption of its Central Bank Digital Currency (CBDC) by calling it a safer alternative to decentralised digital assets. The Ministry of Finance says so in the document titled CENTRAL BANK DIGITAL CURRENCY (DIGITAL RUPEE – e₹), hampering the validity of digital assets.

Nevertheless, there are some merits to the delay. The government needs to prepare itself to handle large-scale adoption and maintain the integrity of the Indian financial system. The Ministry of Finance issued a press release in February 2023 stating its investigations into VASPs involved in laundering money.

Around Rs 936 Cr worth of digital assets were either seized or frozen by the government, showing how unchecked digital asset usage can result in money laundering and crime financing. Thus, the enforcement of the PMLA by various agencies, including FIU-IND, is highly needed and beneficial.

Embracing the Future: Building a Secure and Thriving Digital Asset Ecosystem in India

As India witnesses a burgeoning digital asset ecosystem, taking it to new levels of adoption requires it to be underscored by security. Achieving that needs institutional and enterprise players to utilise robust custody solutions. Partnering with established and reputed custody solution providers is of utmost importance.

Custody platforms like Liminal are making strides in safeguarding digital assets and offering banking-grade custody, elevating Web3 storage practices to the standards of traditional finance custodians. Liminal provides tailored custody solutions for your business needs aimed at easy scalability as you grow. Its wallet infrastructure and white-label use cases let you effortlessly implement the secure storage your operation needs and make the most out of the vibrant Web3 landscape.