Crypto (cryptocurrency) wallets are software applications that use an internet connection to access the blockchain network in order to store, send and receive cryptocurrency.
Private keys enable de facto control over crypto-assets stored in the wallet, and by doing so facilitate any act involving the disposition of such assets (“not your keys, not your bitcoin”). Any user holding the private keys to a crypto wallet is in fact deemed the controller and/or owner of the crypto-assets stored in that wallet. Certain self-custody wallet providers are attempting to mitigate security risks without compromising a user’s control over crypto-assets, and are thus offering the user full control over their crypto-assets while leveraging MPC (Multi- Party Computation) technology or other technologies to eliminate single point of failure risk and heighten security.
The Supervision of Financial Services Law (Regulated Financial Services), 5766-2016 (the “Law”) regards certain kinds of crypto companies as financial service providers and seeks to ascribe to them a regulatory regime somewhat similar to that imparted on traditional financial service providers. In this article, we purport to raise important questions regarding the applicability of the Law to wallet providers – both custodial and non-custodial – as well as the necessity of ascribing these regulatory framework to such wallet providers.
In a nutshell, the Law prohibits engaging in the provision of a financial asset service without first applying for and obtaining the appropriate licence for doing so from the Israeli Capital Market, Insurance and Savings Authority (“the Capital Market Authority”).
The term “financial asset” is defined in the Law to mean, among other things, virtual currency, and the term “Financial asset service” is likewise defined in the Law to mean the performance of any act from amongst the list of actions enumerated below, excluding the provision of credit, that is carried out by way of business: (1) the exchange of one financial asset for another, including the redemption, conversion, sale or transfer of a financial asset; or (2) the management or safeguarding of a financial asset, including by means of a safe.1
On November 9, 2023, the Capital Market Authority published Financial Service Providers Second Draft Circular (“the Circular”),2 containing provisions that will apply to a holder of a licence for provision of a financial asset service under the Law who offers financial asset service of the type of “safeguarding” within the meaning of the definition of “financial asset service” under the Law. Such provisions include, among others, compliance with corporate governance provisions; establishing policy for safeguarding clients’ assets, taking into account, inter alia, the set of operations and inherent risks associated with the safeguarding of financial assets, including loss or theft, data and cyber-related security risks, embezzlement and fraud risks, business continuity risks, the need for examining the procurement and maintenance of adequate insurance coverage; the segregation of clients’ assets from those of the service provider; implementing all appropriate measures to protect clients’ assets and prevent them from being lost; recording and documenting actions performed in relation to clients’ assets; the appointment of an independent accountant; etc. Moreover, the Circular lays down specific additional qualification criteria for obtaining a licence for the provision of a financial asset service under the Law involving the safeguarding of virtual currencies, including, that the licence applicant must possess both the appropriate skills and necessary technological means for providing such service and shall have procured and have in place the necessary insurances covering all potential associated risks.
It should be noted that, in terms of the Circular, its provisions were drafted to accord, to the extent possible, with international established norms such as, for example, in the European Union, Payment Services Directive (EU) 2015/2366 and Markets in Crypto-Assets (EU) 2019/1937,3 as well as in light of existing regulatory activities engaged in by parallel financial regulators both in Israel and worldwide.
A review of the term “financial asset service” as defined in the Law and amplified in the Circular, appears to clarify that certain crypto wallets would be deemed as falling within the scope of the Law. Accordingly, in order to analyse whether the Law indeed applies to crypto wallet providers, it should also be clarified that there are two main types of crypto wallets, namely hosted and unhosted wallets. Hosted wallets (also known as custodial wallets) are hosted by a third party that maintains full access to the user’s private keys, or stores the user’s crypto-assets in their own wallet. Unhosted wallets (also known as non-custodial wallets) provide unhosted services, in that the user retains control over their crypto-assets; the crypto- assets are stored in the user’s own wallet with the private keys remaining within the user’s control.
While hosted wallet providers typically store the user’s private keys and thus would largely be considered as “safeguarding” the user’s cryptocurrency under the Law, different scenarios may be envisaged for unhosted wallets.
Accordingly, in order to determine whether an unhosted wallet would be deemed as falling within the ambit of a “financial asset service” as such term is defined in the Law, the activity and services engaged in by a specific crypto wallet provider will need to be examined and analysed not only in light of such definition, but also based on case law and other relevant interpretations and guidance accorded to such term by the courts and other regulatory authorities, including as construed by the Capital Market Authority and portrayed in the Circular.
Certain key questions to ask in order to ascertain the applicability of the Law on unhosted wallets could include the following:
It should be noted that the regulation of activities involving crypto-assets is constantly evolving and adapting concomitantly with the new technologies and development of the markets, and it is thus plausible that the current legal and regulatory framework will likewise change and develop over time.
The above should not be deemed as constituting legal advice or a firm legal opinion on the subject.It is highly recommended that expert advice be sought and obtained based on the given and specific circumstances of each case.
