Blockchain & Cryptocurrency

ASIC Extends Custody Guidance to Crypto Assets

In December 2024, the Australian Securities and Investments Commission (ASIC) issued an updated version of Regulatory Guide 133 Funds management and custodial services: Holding assets (RG133). RG133 sets out the regulator’s minimum standards for asset holders so that they meet their obligations under their Australian Financial Services Licence (AFSL). This is the most significant update to the guide since 2022, and it is the first time the standards have been formally extended to the custody of crypto-assets.

In general, the good practice standards in RG133 apply to licensed asset holders and to the custodians they engage to hold crypto-assets. For crypto custody specifically, the new standards in RG133 apply to:

  • responsible entities (mostly licensed retail fund managers) where they hold crypto-assets; and
  • custodians where crypto-assets are financial products.

RG133 is not a legal instrument, but it sets out the views and expectations ASIC applies when it interprets and enforces the law on custody arrangements. That includes assessing whether an asset holder that holds or relies on an AFSL is meeting its general licensee obligations: to provide financial services efficiently, honestly and fairly, and to have adequate resources in place to carry out those obligations.

Although RG133 formalises ASIC’s good practice standards for crypto custody for the first time, most of its content reflects guidance first introduced in 2021 in ASIC’s Information Sheet 225 (INFO 225). INFO 225 is itself being revised: ASIC released a proposed updated draft in December 2024.

The key changes to RG133 set out the following expectations:

  • Specialist expertise and infrastructure for crypto-asset custody, including robust systems and practices to receive, validate, review, report on and execute instructions from the relevant client.
  • Robust cyber and physical security practices for operations, including appropriate internal governance and controls, risk management and business continuity practices.
  • Crypto-assets should be segregated on the blockchain: the asset holder maintains unique public and private key pairs for the holdings so that other assets are not intermingled with them.
  • The private keys used to access the crypto-assets should be generated and stored in a way that minimises the risk of loss and unauthorised access. For example, hardware devices that protect private key material should be physically isolated and subject to robust physical security practices.
  • The security of private keys is of critical importance. Asset holders should ensure that the private keys are protected from unauthorised access, both online and offline.
  • Asset holders should adopt a transaction-signing approach that minimises single-point-of-failure risk. For example, a multi-signature or sharding-based signing approach is preferred to signing with a single private key.
  • The process of receiving, validating, reviewing and executing instructions should include appropriate permissioning so that no one party controls the entire process.
  • Cyber security practices and control environments should be independently verified to an appropriate standard, as determined by industry practice.
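The sharding-based signing and permissioning expectations above, shown as an added example (illustrative code written for this page, not ASIC's guidance or any custodian's implementation): a private key is split with Shamir secret sharing so that any 3 of 5 holders can rebuild it, and a signing ceremony refuses to proceed unless a distinct approver has signed off and the threshold of distinct key holders is present. The field prime, the custodian names, the instruction text and the stand-in hash "signature" are all assumptions made for the demo.

```python
"""Added example (not from the ASIC guidance): a k-of-n key-sharding and
approval workflow of the kind RG133 describes, in pure Python."""
import hashlib
import secrets
from typing import Dict, List, Tuple

# Field prime (assumption for the demo): the secp256k1 group order, so that a
# 256-bit signing-key scalar is a valid field element.  Any large prime works.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

Share = Tuple[int, int]  # (x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of a polynomial over GF(P); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(secret: int, threshold: int, shares: int) -> List[Share]:
    """Shamir split: shard `secret` so that any `threshold` shares rebuild it
    and any fewer reveal nothing about it."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 < secret < P:
        raise ValueError("secret must be a non-zero field element")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_key(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0 over GF(P)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def sign_instruction(instruction: str, initiator: str, approver: str,
                     submitted: Dict[str, Share], threshold: int) -> str:
    """Permissioned signing ceremony.

    Enforces the two separations the guidance asks for: the party that raises
    the instruction cannot be the one that approves it, and no single key
    holder can produce the signature, because `threshold` distinct holders
    must each contribute a share.  The 'signature' is a stand-in SHA-256 over
    key || instruction (assumption for the demo); a real custodian would use
    ECDSA/EdDSA, and ideally a threshold-signature scheme so the key is never
    reassembled on one machine.
    """
    if initiator == approver:
        raise PermissionError("four-eyes violated: initiator approved own instruction")
    if len(submitted) < threshold:
        raise PermissionError(f"{len(submitted)} of {threshold} required key holders present")
    key = recover_key(list(submitted.values()))
    return hashlib.sha256(key.to_bytes(32, "big") + instruction.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed demo: a 256-bit key split 3-of-5 among five named custodians.
    key = secrets.randbelow(P - 1) + 1
    holders = ["ops-a", "ops-b", "ops-c", "vault-d", "vault-e"]
    shares = dict(zip(holders, split_key(key, threshold=3, shares=5)))
    instr = "transfer 2.5 BTC to constructed-destination-address for client 1042"

    # Three distinct holders plus a separate approver succeed.
    present = {h: shares[h] for h in ("ops-a", "ops-c", "vault-e")}
    print("signed:", sign_instruction(instr, "dealer", "compliance", present, threshold=3))

    # Two holders, or a self-approved instruction, are refused.
    two = {h: shares[h] for h in ("ops-a", "ops-b")}
    for args in [(instr, "dealer", "compliance", two, 3),
                 (instr, "dealer", "dealer", present, 3)]:
        try:
            sign_instruction(*args)
        except PermissionError as e:
            print("refused:", e)
```

One caveat the code comments also make: reconstructing the full key on one host at signing time recreates a single point of failure for the duration of the ceremony, so custodians generally prefer a multi-signature or threshold-signature scheme in which the key is never assembled in one place. The quorum and separation-of-duties checks shown here apply unchanged in either design.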

RG133 also introduces risk management standards, not present in INFO 225, concerning the crypto-asset exchanges that asset holders use to obtain crypto-assets. ASIC considers it good practice for asset holders to consider carefully where they source their crypto-assets, including the service providers they use to buy or sell them. Among other things, ASIC expects that:

  • the asset holder is satisfied, based on reasonable due diligence, that any service provider it relies on is a digital currency exchange provider registered with the Australian Transaction Reports and Analysis Centre (AUSTRAC), or is regulated by foreign laws giving effect to the Financial Action Task Force (FATF) recommendations on customer due diligence and record-keeping;
  • the service provider implements risk-based systems and controls under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) that are supervised or monitored by a body empowered by law (e.g. AUSTRAC) to supervise and enforce customer due diligence and record-keeping obligations;
  • the asset holder ensures that authorised participants, market makers and other service providers that trade crypto-assets in connection with the product do so through a service provider that meets the same standard; and
  • the asset holder remains responsible for ensuring that its risk management systems appropriately manage all other risks posed by crypto-assets, which could include applying relevant standards published by Australian and international organisations as they are developed.

Alongside the new standards in RG133, ASIC’s Report 705 Response to submissions on CP 343 Crypto-assets as underlying assets for ETPs and other investment products (REP 705), which clarifies guidance in earlier versions of RG133 and INFO 225, should also be read together with this version of RG133.

Given the complexity of ASIC’s custody standards for crypto-assets, licence holders and custodians should seek advice from legal and industry professionals to ensure they meet ASIC’s expectations and custody best practice.
