Under lock and key? Regulating private key custody in the crypto industry

Following the release of a Treasury Consultation Paper (TCP), submissions to which closed last week, the Federal Government will consider feedback on a proposed licensing regime that would regulate digital currency exchanges and impose obligations on the custody of private keys, similar to the Australian Financial Services Licence (AFSL) regime.

Private keys are strings of characters that allow the holder to exercise full control over the crypto assets held in the corresponding wallet. Many digital currency exchanges (DCEs) store users’ private keys to a range of underlying wallets, allowing users to trade a variety of crypto assets while only needing to remember a single password to their account.

Given their sensitivity, the proposed regime would impose obligations on the storage of private keys by DCEs as well as a broader range of crypto platforms. The consultation is part of a series of ongoing reviews into Australia’s payments system, spurred in part by the concern that new crypto platforms holding private keys may pose significant risks to consumers, following the failure of several DCEs in Australia. 

In this insight, we discuss the model and alternatives proposed by the consultation paper and some key implications for industry.

The Treasury Consultation Paper (TCP) builds on some of the previous inquiries, and its main proposals are set out below:

Crypto asset secondary service providers

The Senate Select Committee that predated the TCP only considered DCEs. Under the TCP’s proposal, the scope of regulation would be broadened to ‘crypto asset secondary service providers’ (CASSPrs) – platforms that facilitate exchange, transfer or storage of crypto assets. This expansion would capture a much larger variety of service providers than previously contemplated, including payment gateways and digital wallets. 

Notably, the TCP expressly contemplates the possible capture of non-fungible token (NFT) platforms. NFT platforms may not currently have the same level of cybersecurity measures in place that DCEs do, which would be required under the private key custodian obligations. 

Proposed licensing regime for CASSPrs

The TCP proposes a licensing regime for CASSPrs that would be similar to, but separate from, the Australian Financial Services licensing regime. This regime forms the foundation for further obligations that are specific to the custody of private keys. The conditions of each CASSPr’s licence would depend on the number and type of services it offers. The TCP proposes that this licence would carry obligations on CASSPrs to:

  • do all things necessary to ensure that: the services covered by the licence are provided efficiently, honestly and fairly, and any market for crypto assets is operated in a fair, transparent and orderly manner;

  • maintain adequate technological and financial resources to provide services and manage risks, including by complying with the custody standards;

  • have adequate dispute resolution arrangements in place, including internal and external dispute resolution arrangements;

  • ensure directors and key persons responsible for operations are fit and proper persons and are clearly identified;

  • maintain minimum financial requirements including capital requirements;

  • comply with client money obligations;

  • comply with all relevant Australian laws;

  • take reasonable steps to ensure that the crypto assets it provides access to are ‘true to label’;

  • respond in a timely manner to ensure scams are not sold through their platform;

  • not hawk specific crypto assets;

  • be regularly audited by independent auditors;

  • comply with AML/CTF provisions; and

  • maintain adequate custody arrangements.

Proposed anti-money laundering regulation

One notable proposed requirement is the obligation of all CASSPrs to comply with the Anti-Money Laundering and Counter-Terrorism Financing Act (AML/CTF Act). Currently, only DCEs are required to register with AUSTRAC for AML/CTF purposes. Further development of these requirements, and broadening of organisations captured, may be made difficult by the fact that transactions facilitated by CASSPrs often run on self-executing code and may be designed to preserve anonymity. Developing the AML/CTF framework to accommodate CASSPr compliance may challenge the TCP’s stated desire for this legislation to be ‘technology neutral’.

Private key custody regime

In addition to the general obligations, the TCP proposes a series of specific obligations for the safekeeping of private keys by CASSPrs. The proposed regime is modelled to some extent after the existing custodial services regulatory regime, and would require CASSPrs to have requisite expertise and infrastructure, implement independently verified cybersecurity practices and adopt multi-factor (or similar) authentication. It would also create a process for redress and compensation in the event that private keys are lost.

One proposed requirement that may impact CASSPrs is the obligation to ensure consumers’ assets are appropriately segregated. Many crypto asset investment platforms pool consumers’ assets, consolidating the net orders in a given time period, and honouring orders to fund or withdraw from accounts. This may be because CASSPrs lack the technical infrastructure or risk frameworks to execute separate orders for individual consumers.

The proposed regime may require significant additional regulation to support the cybersecurity obligations. The existing custodial services regulatory regime has demonstrated the need for clear standards particularly regarding the independent verification obligations. If such a regime is implemented, it is likely that there will be an even greater need for articulation of clear standards given the diversity of crypto assets. 

Alternative proposals

The TCP has proposed two alternative models to the licensing and custody regime outlined above:

  1. Requiring CASSPrs to hold an AFSL. CASSPrs could be brought under the remit of the AFSL by amending the Corporations Act to specifically include crypto assets as financial products.

  2. Self-regulation by the crypto asset industry. The crypto industry could develop its own code of conduct. The TCP notes that this approach is similar to that followed in the US and UK, but acknowledges that both jurisdictions are considering additional regulatory obligations for crypto assets beyond the code of conduct.

What happens next?

Treasury will attempt to ‘map’ crypto assets and the networks on which they operate so as to develop a framework for their regulation by the end of 2022. This will involve another consultation paper being released. The Board of Taxation is also due to release a report on the taxation of digital transactions and assets by the end of 2022.

CASSPrs, and the private keys they hold, are likely to face greater regulation in Australia. At this stage, it remains unclear which exact model will be developed, and how broad its reach will be. However, it appears likely that it will share significant similarities with the licensing and custody regime under current financial services legislation.


James North

Head of Technology, Media and Telecommunications

Mizu Ardra

Special Counsel

Chenjie Ma

Senior Associate


This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.