Digital Asset Services

There are over 1,000 digital assets with a market cap in the hundreds of billions.

Digital assets (cryptocurrencies) and the distributed ledger technology behind them have the potential to completely change the way financial products are created, distributed, and traded. They also hold the potential to change how purchases are made and assets are tracked. Currently, they can both reduce fraud and increase fraud.

Oyster can help firms view the opportunities and risks associated with digital assets from a strategic, operational, and compliance standpoint for the emerging digital asset industry and for existing broker-dealers and RIAs.

Frequently Asked Questions:

Who is the GDPR for?

GDPR is an EU regulation that is aimed at protecting the data and data rights of EU residents (Data Subjects).


Are US companies subject to GDPR?

Ask yourself some basic questions. Answering yes to any of these may mean that your company is subject to GDPR:

  • Do I transact business in the EU? Do I have a physical location in the EU, EU employees or do I transact business in an EU currency? All of these scenarios could indicate you “do business” in the EU.
  • Do I have a website that collects data from people within the EU? Do I perform data analytics on people who may have visited my website? Gathering someone’s IP information and retaining it could subject you to oversight.
  • Do I have clients that are located in the EU?
  • Do I have contacts or client prospects in the EU? Any personal information I retain on my prospects could be subject to the rule, and my marketing campaigns need to have a specific legitimate business reason to contact the individual, unless I have express consent. Also, do I retain anecdotal personal information about a spouse or family member?
  • Could I receive an email that I would retain in my database that includes PII, including just an identifiable email address?
  • Do I import business data in any manner that originates from outside sources, not controlled by me? If so, I may be receiving GDPR-protected data.

There is another way that data is required to be protected. Businesses that are established in the EU must protect the data of all persons, whether they are residents of the EU or not.


What is a data subject?

Data subjects are EU residents. EU citizens living abroad are not. Only people can be data subjects; trusts, companies, businesses, etc. are not data subjects.


What constitutes personal data?

GDPR defines protected data as any information relating to an identified or identifiable natural person. Data relating to businesses are not protected. Some data that falls under PII for GDPR includes: name and address; economic data, like income and transactional data; racial, sexual orientation, and political data; IP address and browser cookie data; and biometric data like fingerprints. Any data that you have that is tied to an individual should be considered protected data.


What is the difference between a data processor and a data controller?

GDPR defines two types of users of data: Controllers and Processors. Controllers are the firms that are in charge of determining how data should be treated. Processors are the firms that conduct processing. GDPR does not allow controllers to assign any responsibility to processors and leave the controller risk free. Ultimately, Controllers are responsible for all their requirements. GDPR considers data processing to include data retention, use, dissemination, backing-up, and deletion of data. What firms need to understand is that any time you have data or use it in any meaningful sense, you should expect that to be processing.


What if I have a data breach?

GDPR requires that you notify the appropriate regulators within 72 hours. At that time, you must be able to identify what data and data subjects were compromised, the consequences/severity of the data, and the actions that your firm needs to take or is taking.


How does consent work?

Consent is required for processing that is not in the normal legitimate interest of the business. It must be freely given, meaning that there can be no change in the business relationship due to the giving or withholding of consent. Consent cannot be required to use a service or to be a client. Also, the consent must be specific and unambiguous. When the data subject is giving consent, they must know exactly what they are agreeing to, and a layman should be able to read the form and understand exactly what they are agreeing to. Just as consent must be freely given, consent must also be withdrawable. The data subject, AT ANY TIME, must be able to withdraw consent, and your firm must stop processing their data, again with no changes in the business relationship. Consent must be a last resort; you cannot use consent as a legal basis if you are using any other legal basis.

You must track who gave the consent, when that consent was given and what the consent actually was with all consent data. This cannot be kept in some other database; it must be tied directly with the data.


What are the fines for non-compliance?

Fines for the most egregious of cases are allowed to be up to the GREATER of 20 million euros or 4% of global revenue. One question that is not addressed in the regulation is how US firms will be fined. GDPR does not directly set up a mechanism for non-EU enforcement.


What is the right to erasure?

The right to erasure is commonly called the right to be forgotten. This requires that you delete data at the data subject’s request. You are not required to delete the data if you meet certain requirements, like being legally required to retain the data.


How can DLT be used in the process of compliance testing/monitoring and creating related documentation (such as quarterly compliance certifications from advisory firm employees or sub-advisers)?

Distributed Ledger Technology, or DLT, can have many benefits over any sort of centralized recordkeeping system, due to the immutability of data. While most think of the benefits in the financial world as related to digital currency trading and streamlining payments processes, as well as more efficient investment trading, settling and recording, there are actually many other uses for DLT within financial services. Better recording, control, oversight and auditing of processes is one of the many DLT benefits, although it is likely that the current open and anonymous DLT networks will give way to permissioned models connecting a limited population such as banks or broker-dealers/clearinghouses. Some uses:

  • DLT may have a use in maintaining a virtual record of a potential client’s digital identity, providing a single source of authentication for compliance oversight on AML, KYC or validation of accredited investor status.
  • Recording any sort of transfer of assets, including real estate, vehicles and assets with any sort of special provenance (such as certified antiques, artwork, etc.)
  • Once securities settlement processes are built into a DLT, firms could track the trading of employees by identifying their accounts on the ledger, and could match activity to that of the firm. You could even build in controls that prevent an employee from trading a security at the same time that the firm is trading it. This would make it much easier to monitor employee accounts that were held at other institutions that were also on the DLT.
  • DLT could be used to keep track of required regulatory steps and automate regulatory reporting and auditing.
  • Smart Contracts built on DLT technology. They are self-executing agreements between parties that track external data and events according to rules in the contract, and can automatically execute when all contract terms are met.

Are all digital assets frauds?

No… But regulators warn investors to approach any Initial Coin Offering (“ICO”) or cryptocurrency-related investment product with extreme caution.


What are the due diligence questions unique to cryptocurrencies?

The question of fulfilling a regulatory obligation of due diligence on a cryptocurrency (not to be confused with an equity) is a webinar unto itself, but it surely goes beyond having a whitepaper. A top 10 list for most firms would likely include:

  1. What is the depth and breadth of experience and reputation of the management team and development team associated with this product?
  2. What are the unique characteristics that may give this product a competitive advantage or create risks?
  3. What is the speed/time to clear a block?
  4. Is there a track record for this product/how long has the product existed and have there been any significant issues yet?
  5. If there is a track record, what is the level of acceptance (exchange volume, retailer acceptance, significant partnerships, etc.)?
  6. How is the code/platform as it relates to security and reliability?
  7. What are the analysts/experts saying?
  8. What are the non-analysts/non-experts saying (too much hype?)
  9. What is the level of scarcity in the design? Is it hard to mine, and what is the expense of mining compared to the market price?
  10. Is there any pending litigation/regulatory actions that would materially impact the product?

Once that information is obtained, then ask if you have enough clients that have the risk tolerance and resources to speculate in or diversify a portfolio with a cryptocurrency. Do you have the controls in place to make sure this product is only recommended to those types of clients? Does the firm understand the scenarios where the product will perform well and the ones where it could crater? Do you have a training program/product certification process to make sure that the reps engaging in this business have a full understanding of the product’s features, benefits, and risks? Can they explain it in a way that your clients will fully understand?

If you would like us to conduct another webinar on this topic, please let us know! Contact libby.hall@oysterllc.com or call (804) 965-5400.


Getting bank accounts seems to be an issue for companies dealing in virtual currencies. Some countries are considering introducing a new type of bank. What are your thoughts on this? Also, where do these businesses currently bank?

Fintech companies involved in blockchain or digital assets are still seen by many banks, especially large global banks, as too high a risk. However, we have seen smaller banks like Silvergate Bank and Metropolitan Commercial Bank in the US offering banking services. Specialist banks are also forming, for example Blockchain Factory, part of Solarisbank in Germany. Some jurisdictions, like Bermuda, are also considering offering special licenses to establish banks that will provide services to local fintech and blockchain organizations.

So yes, banking for fintech and blockchain firms is currently difficult, but we are seeing small and more specialized banks offering their corporate banking services to the industry.



Digital Asset Services

  • ADV/CTA Amendments
  • AML
  • CMA
  • Clearing/Reporting
  • Custody/Possession & Control
  • Market Access 15c3-5
  • Marketing Review
  • New Product Review
  • NFA/CFTC Registration
  • Policies & Procedures
  • Risk Assessment
  • Suitability
  • Testing
  • Training

To learn more about how Oyster can help your firm in the digital asset space or to watch our webinar on digital assets, complete the contact form below and one of our Relationship Managers will be happy to assist you.




For more information on Oyster Consulting’s Digital Asset services, call (804) 965-5400 and one of our Relationship Managers will be happy to assist you.

 

Related Digital Asset Resources:

  • Digital Assets – Engage Operations Team Now (Buddy Doyle, August 20, 2018)
  • The Custody Dilemma for Digital Assets (Buddy Doyle, August 7, 2018)
  • Regulatory Actions – ICOs and Digital Trading (Bill Reilly, Don Horwitz, July 17, 2018)
  • Practical Considerations for Firms with Clients in the Digital Assets Markets (Bill Reilly, June 21st, 2018)
  • Blockchain Technology – Transforming Business Activities (June 7th, 2018)
  • Digital Assets and State Regulatory Challenges (Bill Reilly, Don Horwitz, June 5, 2018)
  • Cryptocurrencies and the Regulatory Challenges Around Them (Bill Reilly, Don Horwitz, May 29, 2018)
  • Cryptocurrencies – Time to understand the Products, Risks and Benefits (George Jennison, May 22, 2018)
  • Cryptocurrencies Could Change Product Purchasing, Trading and Tracking (Buddy Doyle, May 15, 2018)

 

PDF versions are available for downloading by completing the contact form below.
