The Australian Securities and Investments Commission (ASIC) has reissued Regulatory Guide 133 Funds management and Custodial Services: Holding assets (RG 133). This updated RG 133 provides guidance for Australian financial services (AFS) licensees that hold assets and sets out minimum standards for asset holders. The most material update is the inclusion of good practices for the custody of crypto-assets.
This alert summarises the following:
- Background – where this fits and why it matters.
- Key changes, including a synopsis of the good practices for holding crypto-assets.
This development is significant, particularly when read together with the proposed updates to ASIC’s Information Sheet 225, as we reported earlier this month. Cumulatively, they suggest a focus on more clearly embracing crypto-assets within the existing regulatory fold, and an effort on the part of one of Australia’s key financial services regulators to provide more guidance on how to apply existing foundational principles of regulation to these assets.
The updated RG 133 is live. This means that swift updates are essential where necessary.
Please contact us if we can assist you.
Background
RG 133 is a regulatory guide published by ASIC that sets out its expectations on holding assets and establishes obligations and minimum standards for the custody and management of client assets, focusing particularly on security, operational integrity, and compliance.
RG 133 applies to a broad spectrum of financial services providers including responsible entities of registered schemes, licensed custodians, managed discretionary account providers, and operators of investor-directed portfolio services.
An entity can be subject to RG 133 in two key ways:
The indirect application of RG 133 creates sizeable ripple effects to asset holding beyond the practices of Australian regulated entities alone.
The application of RG 133 can be complex for foreign entities as several Australian jurisdictional touchpoints can be relevant, including the location of clients and staff, as well as any other involvement of the local branch.
Why RG 133 matters
RG 133 carries important weight as it explains how ASIC interprets underlying legal instruments as they apply to custody and related matters. A failure to comply with RG 133 can affect an entity’s regulatory status in Australia, expose it to potential penalties for breach, and affect its contractual obligations to clients.
What has changed?
The reissued RG 133 marks the first significant update since June 2022.
There are two key components to the update:
- New guidance on holding crypto-assets. A new Section F introduces a range of good practices and expected measures in relation to holding crypto-assets. We provide further details below.
- Other minor updates. These changes relate to the issue of legislative instruments which replaced class orders which expired earlier this year, the removal of references to outdated transitional arrangements, and other drafting refinements.
A wave of reform and guidance for digital assets and payments
The update to RG 133 comes amidst an evolving digital asset and payments regulatory ecosystem in Australia, as demonstrated by the following recent developments:
- The publication of Consultation Paper 381 outlining proposed updates to ASIC’s guidance to persons offering products and services in relation to crypto and digital assets, as we summarise here.
- On 29 November 2024, the Australian parliament passed the Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 (Cth) which expands the scope of virtual assets regulated under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) regime.
- The Crypto-Asset Reporting Framework which aims to prevent crypto tax evasion, as we summarise here.
- Payments reforms, which include the regulation of payment stablecoin issuers, as we summarise here.
Further detail on the new crypto-asset guidance
To whom does it apply?
ASIC’s guidance relating to the holding of crypto-assets is applicable to:
- responsible entities where scheme assets comprise or include crypto-assets, and
- custodians where the crypto-assets are financial products.
RG 133 does not define “crypto-asset”, nor does it explain ASIC’s precise approach to differentiating between assets in different contexts. This means that relevant entities will need to assess the precise application of RG 133 to their business model and consider advice and/or ASIC engagement where appropriate.
What are ASIC’s expectations?
The new Section F of RG 133 contains two key areas of control:
These contain a blend of high-level principles and more granular expectations. We break these down as follows. Critically, most are expressed as “good practices”, meaning there is flexibility in implementation. That said, if a good practice is not followed, we suggest the rationale should be carefully reviewed and clearly documented, with a consideration of what alternative measures (if any) are appropriate.
Good practices when holding crypto-assets
The following table summarises ASIC’s guidance on good practices for holding crypto-assets that apply to:
- the asset holder; and
- any custodian engaged by it.
| Good practices | Description |
|---|---|
| Specialist expertise and infrastructure | Including robust systems and practices to receive, validate, review, report and execute instructions from the relevant client. |
| Robust security practices | Covering both cyber and physical security, including appropriate: |
| On-chain segregation of assets | That is, client crypto-assets must be segregated from other assets on the blockchain (and not just in off-chain internal ledgers), with unique public and private keys maintained by the asset holder. |
| Private key management | Generating and storing private keys securely to minimise risk of loss and unauthorised access. ASIC signals private key security to be of “critical importance”. NB. RG 133.141(c) provides several examples of good practices that are highly relevant to the overall design of custodial models, the selection of any third-party solutions, operational flows, diligence and audit procedures, back-up structures and cybersecurity controls. Based on our experience, this is an area that requires particular care, given the rapid and ongoing evolution of crypto-asset safeguarding technologies. We anticipate regulatory engagement on certain solutions will be valuable. |
| Transaction-signing and instructions processes | Adopting signing methods that minimise single points of failure. NB. ASIC signals a preference for multi-signature or sharding-based signing approaches over single private key schemes, but acknowledges that other approaches may be suitable as technology develops. Implementing appropriate permissioning arrangements that prevent single-party control over the entire instruction receipt, validation, receipt and execution process. ASIC also suggests whitelisting where a solution involves only interacting with a predefined set of addresses. |
| Compensation arrangements | Having in place an arrangement, such as insurance, an asset protection plan or compensation fund, so that clients can be compensated if crypto assets are lost. ASIC acknowledges the precise approach to compensation will depend on the nature of the product and obligations at law. |
| Cybersecurity verification | Independently verifying cybersecurity practices to an appropriate standard. ASIC does not exhaustively define what is “appropriate”, noting this is for the responsible entity to determine, but does refer to “industry practice” and provides examples in RG 133.141(e). |
| Independent audit | Assessing the effectiveness of third-party controls by obtaining and considering a copy of an independent audit. ASIC provides additional guidance on the nature of this audit in RG 133.147. |
Additional risk management good practices
ASIC also leverages the requirement for AFS licensees to ensure financial services are provided “efficiently, honestly and fairly” and to have adequate risk management systems, in providing additional good practices across a range of other areas.
These include the following:
| Good practices | Description |
|---|---|
| Care with crypto-asset sourcing and service providers | This includes reasonable diligence on any service provider the entity relies on to buy or sell crypto-assets. Key good practices include: |
| Other risk reduction focus areas | ASIC also signals the need for care in relation to: For now, these are signposts only, as RG 133 does not drill down into any additional good practices. This is understandable given the focus of RG 133. However, the inclusion of these points signals their importance, making it vital for AFS licensees to carefully consider how they apply other regulatory principles to crypto-assets. |
Silver linings?
The introduction of any new regulatory expectations and good practices can create implementation challenges for any institution, particularly when they are likely to require:
- physical and operational upgrades;
- additional specialist resources;
- engagement with third-party service providers; and
- contractual updates.
At the same time, the updated RG 133 provides much-needed clarity on ASIC’s expectations in relation to the custody of crypto-assets. In our experience, these expectations are also broadly commensurate with developments in other markets. For example, Hong Kong banks are subject to crypto-asset custodial standards introduced in February 2024 (see our alert here), in line with similar standards imposed on Hong Kong-regulated exchanges (see here).
The benefit of such clarity is greater confidence. In practice, we expect regulatory engagement will still be valuable given the flexibility inherent in the good practices.
Next steps
Please contact us if you have any questions about RG 133, custody or crypto-assets more generally. We have significant experience in these areas and would be delighted to help.
The authors wish to acknowledge the input of Raesha Tamrakar to this alert.



