Crypto Assets – Who owns them anyway?

26 July 2022: CYK Partner Sam Roberts takes a look at crypto assets, examining the concepts behind who owns them.

Imperfect analogies: crypto exchanges and banks

The prevalence of crypto exchanges, and their polished apps and interfaces which mimic those of banks and regulated financial institutions, have done much to bring crypto into the mainstream. However, the imitation may obscure more than it helps when it comes to understanding our relationship with our exchange.

Why does it matter? If something goes wrong – a hack or insolvency event – how an exchange holds your crypto, and whether it even is your crypto, will be determined by the terms and conditions and what is going on at the exchange under the bonnet. If a crypto exchange becomes insolvent, then whether ‘your’ crypto is yours (and not the exchange’s and ultimately its creditors’) will depend on the nature of the relationship between you and the exchange.

While they might look and feel like a bank, in reality banks and exchanges have little in common. Money deposited in a current account is not actually “ours”. The money becomes the bank’s and we are owed a debt by the bank which is governed by the terms and conditions of the account. If you physically deposited a £20 note with a given serial number in your current account, you wouldn’t expect to (and probably wouldn’t) receive that physical note back if you went to an ATM and withdrew £20. Nor would you be entitled to get that specific note back. We can get a bit loose with our terminology here because we often refer to money in a bank account as “your cash”. Runs on the bank aside, a bank balance can readily be turned into cash, but it isn’t cash. That might sound like a fine distinction, but the difference matters because you are not a secured creditor of the bank, which means that if the bank became insolvent, you would rank equally with other unsecured creditors and may only get back pennies on the pound – or potentially nothing (although in the UK the Financial Services Compensation Scheme might cover some or all of your losses).

Unlike money, crypto assets only take a digital form. Actual cash is a purely physical asset and (ironically) also exists outside the global banking system – mattresses and shoeboxes being popular options. Representations of cryptocurrencies might exist in the real world, but you cannot exorcise a bitcoin from its blockchain.

This limitation matters because it forces exchanges and other businesses which provide means of accessing and transferring crypto (although I’m going to stick with the term “exchange” throughout this article) to define their legal relationships with customers by reference to what is technically possible on the blockchain. Behind the glossy wrapper of a smart phone app, the actual service offered, the legal relationship put in place and the technical infrastructure adopted to store your crypto and make it spendable varies widely – often in a way which is not all that obvious.

There are two key questions in analysing these relationships – the first technical and the second legal.

First, does the exchange segregate customers’ coins at different public addresses? Segregation can (in principle) take place on two levels: customers’ coins can either collectively be segregated from the assets of the exchange, or segregated from each other’s and from the exchange’s.

Second, does the exchange purport to have any property interest in the coin, whether as trustee (i.e., legal title) or also beneficially? At one extreme, if the exchange takes full legal and beneficial title to the coin, then this would seemingly be akin to a current account and a customer would have no property interest in ‘his’ coins – only a contractual right to the value attributable to his account. In the middle, retaining legal title while giving a customer a beneficial interest in the coin would seemingly give the customer a property interest and put him in a better position in an insolvency event. However, if the exchange adopts the mantle of trustee then by definition it will owe fiduciary duties to its beneficiaries – duties which it might rather not owe. At the other extreme, if the customer retains both legal and beneficial interest in his coins then the exchange may be doing nothing more than providing a software interface.

These two questions may in fact be closely related. If the technical setup is such that customers’ coins are segregated from each other, and each customer has his own (or multiple) discrete addresses on the blockchain, it might be a surprising conclusion if the coins stored there were taken to be legal and beneficial assets of the exchange. In the same vein, exchanges which say that title to cryptocurrencies remains with the customer must, presumably, be able to identify specific tokens of which that is true.

Figuring out exactly what is going on behind the scenes requires both technical delving into public addresses on the blockchain at different exchanges, and delving into each exchange’s terms and conditions.

Read him his rights: exchange terms and conditions

Although it probably sounds less interesting, starting with the terms and conditions makes most sense because it is here where you learn what exchanges think they are doing.

I’m not going to name any specific exchanges here, but the terminology and concepts referred to are all taken from ‘household name’ exchanges. Some of the exchanges also offer higher tiers of accounts, to which different contractual provisions may well apply.

A common theme across many exchanges is that the exchange will act as “custodian” of a customer’s digital assets. This word appears in The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, the secondary legislation which requires “cryptoasset businesses” to obtain AML/KYC information on customers. “Custodian wallet providers” are businesses which “safeguard, or … safeguard and administer— (a) cryptoassets on behalf of [their] customers, or (b) private cryptographic keys on behalf of [their] customers in order to hold, store and transfer cryptoassets”.

What exactly “custody” means in the context of ownership, and the rights and obligations that flow from it, is not addressed by this legislation. “Custody” may therefore not mean the same thing in all scenarios and the precise relationship between a customer, exchange and the digital assets in question will be subject to the usual rules on contractual interpretation and the reality of the exchange’s operations. It is also worth mentioning that exchanges are incorporated all over the world and whether “custody” means something specific or different in those jurisdictions or under the laws of the jurisdiction governing the exchange’s customer-facing terms and conditions is something that warrants a closer look.

That said, the notion of “custody” is an interesting one in the context of purely digital assets. Images of safe deposit boxes come to mind. Again, the precise legal relationship between the provider of the safe deposit box (let’s say a bank), and the depositor, will be governed by terms and conditions, but ordinarily you would not expect title (legal or beneficial) to the items deposited to transfer to the bank. The legal relationship is essentially one of safe-keeping: the bank is “looking after” the box and its contents for the depositor. Exchanges that say they “custody” assets for customers frequently also say that the customer remains the legal and beneficial owner of the coin in question – which makes sense.

Does it really make sense, however, to refer to “custodying” digital assets? The notion of “possessing” an intangible asset is a non-starter. With nothing tangible to point to, what is really going on here? Again, it may vary between exchanges, but the legal distance that exchanges can try to put between themselves and their customers suggests that all that is being provided is a software interface to allow owners to interact with their own coins. Whether that does truly make sense in general, or for a given exchange, can only be assessed when we look at what is happening on the blockchain.

Before moving on, though, I should say that not all exchanges’ terms and conditions say that they act as custodian. Interestingly, some of the top exchanges’ terms and conditions do not seem to touch on this issue at all, leaving the question of who has title very much an open question – and perhaps one that is informed by the technical goings on. Others take a different approach, expressly giving a customer a beneficial right to a coin, suggesting that the exchange retains legal title. Yet another variation is where a beneficial right is to the value of the coin. This is an even further degree of abstraction because the customer might not have rights in the coins specifically so much as the general assets of the exchange (including hard currencies, bricks and mortar, IP, etc.). With the coins no doubt being the most volatile aspect of the exchange’s assets, whether that is a good outcome for the customer may depend on relative market price from time to time.

It’s also worth looking at the terms and conditions of the long-gone Cryptopia exchange, which is one of the few (or perhaps only?) to have been the subject of fully argued submissions and a public judgment (a decision of the High Court of New Zealand, David Ian Ruscoe and Malcolm Russell Moore -v- Cryptopia Ltd (in liquidation) [2020] NZHC 728). As far as can be determined from that judgment, Cryptopia’s terms did not squarely address legal and beneficial title, but the Court found that, as regards each cryptocurrency, all customer-owners of that cryptocurrency were beneficiaries of a single trust settled in their favour. However, in its judgment, the Court called Cryptopia “a custodian and trustee” of the digital assets. It isn’t clear from the judgment whether the court intended to imbue the concept of a “custodian” with special meaning, but it is clear that being a “mere” custodian does not mean that an exchange can’t also be a trustee (at least, not in New Zealand).

As a final cautionary note on the importance of delving into exchanges’ terms and conditions, I also discovered during my research that one exchange doesn’t even claim to act as mere custodian – it instead delegates that role to (and bumps customers into a contractual relationship with) a wholly different entity in South Dakota – with South Dakota governing law and jurisdiction.

A wild bitcoin chase: looking at the blockchain itself

If you buy coins from an exchange, it can take a little bit of work to determine how exactly your coins are held vis-à-vis those of other customers. Public blockchains are available for all the world to inspect on free blockchain explorers, but those transfers can be meaningless without knowing what is going on within the four walls of an exchange making and receiving transfers.

I started off with an amount of bitcoin at an account with an exchange that I will call ‘A’. Having initially bought the BTC with GBP through A’s app, I had no idea at which address ‘my’ BTC was held, and there was also no way of telling (this assumes that ‘A’ had itself allocated an identifiable chunk of BTC in its internal records at the time of my purchase – it may well not have done). I figured that the only way I would be able to tell is if I transferred it elsewhere, and then looked back along the blockchain to see where it had come from.

So, I opened an account with exchange ‘B’ and sent a small amount of BTC (then worth about £5) to that account. With a little digging on B’s browser-based platform, I could see that my BTC had come in a 5 BTC block (to put that in context, then worth about £90,000) from a single address (presumably controlled by A) to 47 different addresses. My £5 worth of BTC was deposited into my own address, which had no other transaction history on it. Less than 38 minutes after the BTC had arrived, the BTC at the address controlled by B at which my £5 worth had been deposited was transferred (along with bitcoin at 60 other addresses which were nothing to do with me, and which didn’t include any of the other 47 addresses to which the initial 5 BTC had gone) to a total of 39 addresses.

My £5 worth of BTC comes as part of a £90,000 block from Exchange ‘A’. Within the hour, the BTC at my address is swept (along with BTC at 60 other addresses) to 39 other addresses (presumably cold storage). None of those 39 outputs matches the value of my deposit.

A couple of quick technical digressions here.

First, bitcoin transactions work on inputs and outputs. Single transactions can have single or multiple inputs and single or multiple outputs. Provided the total value of inputs matches the total value of outputs, the overall transaction is valid. Imagine if you had a £10 note and a £5 note, and needed to pay £3 to 5 different people. The bitcoin blockchain allows you to tear the notes into £3 chunks and make those payments as part of one transaction. There is no analogy with bank payments here, where each transaction must have a single input and a single output.

Second, exchanges usually maintain “hot” and “cold” wallets, the former being connected to the internet and the latter being held offline (an oversimplification, but good enough for our purposes). Cold wallets are more secure, and exchanges frequently “sweep” coins in incoming transfers into cold wallets for that reason.

While I cannot know for sure, I imagine that the onward transfer of my BTC was a sweep into more secure cold wallets. Interestingly, none of the onward sweep transfers was for the exact value of my transfer. Remember, the bitcoin blockchain does allow you to tear and divvy up your notes, but applying traditional (and some might say common sense) notions of “following the money” would lead you to conclude that either my BTC were mixed in with a larger transfer, or split across multiple transfers to different addresses.
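The sweep described above can be modelled in a few lines. This is an added example, not part of the original article: the addresses and amounts are constructed, the two attribution conventions (listed order and pro rata) are assumptions chosen for illustration, and the model lets inputs exceed outputs by a miner fee.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Entry:
    """One input or output of a transaction: an address and a value in satoshis."""
    address: str
    value: int


@dataclass(frozen=True)
class Tx:
    inputs: tuple
    outputs: tuple

    def fee(self) -> int:
        # Whatever the inputs carry beyond the outputs goes to the miner as a fee.
        return sum(i.value for i in self.inputs) - sum(o.value for o in self.outputs)


def exact_matches(tx: Tx, address: str) -> list:
    """Output addresses whose value equals the value spent from `address`."""
    spent = sum(i.value for i in tx.inputs if i.address == address)
    return [o.address for o in tx.outputs if o.value == spent]


def trace_in_order(tx: Tx, address: str) -> dict:
    """Assumed convention 1: inputs fill the outputs in the order they are listed."""
    result, in_start = {}, 0
    for i in tx.inputs:
        in_end = in_start + i.value
        if i.address == address:
            out_start = 0
            for o in tx.outputs:
                out_end = out_start + o.value
                # Overlap of this input's slice with this output's slice.
                overlap = min(in_end, out_end) - max(in_start, out_start)
                if overlap > 0:
                    result[o.address] = result.get(o.address, 0) + overlap
                out_start = out_end
        in_start = in_end
    return result


def trace_pro_rata(tx: Tx, address: str) -> dict:
    """Assumed convention 2: every output contains each input in proportion."""
    total_in = sum(i.value for i in tx.inputs)
    spent = sum(i.value for i in tx.inputs if i.address == address)
    share = Fraction(spent, total_in)
    result = {}
    for o in tx.outputs:
        result[o.address] = result.get(o.address, 0) + share * o.value
    return result


# Constructed sweep (not real chain data): four deposit addresses swept
# into three outputs, with "dep_me" standing in for the small deposit.
SWEEP = Tx(
    inputs=(Entry("dep_x", 490_000), Entry("dep_me", 25_000),
            Entry("dep_y", 150_000), Entry("dep_z", 910_000)),
    outputs=(Entry("cold_1", 500_000), Entry("cold_2", 700_000),
             Entry("cold_3", 374_000)),
)

if __name__ == "__main__":
    print("fee:", SWEEP.fee())
    print("exact matches:", exact_matches(SWEEP, "dep_me"))
    print("in order:", trace_in_order(SWEEP, "dep_me"))
    print("pro rata:", {a: float(v) for a, v in trace_pro_rata(SWEEP, "dep_me").items()})
```

The transaction itself records only the two lists, so both attributions are equally consistent with what a blockchain explorer shows.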

I ran the same experiment of transferring a small amount from A to B a little while later. This came from a different address controlled by A, but as with the first transfer came in a 1 BTC block to a large number of different addresses – this time 73 in total. Several hours later, it (along with BTC at 60 other addresses) was swept to 31 addresses. Again, none of the onward transfers was for the exact value of my transfer.

I decided to try a different exchange, and created an account with exchange ‘C’, moving about £17 worth of BTC from A to C. This too came from A in an approximate 5 BTC block, again worth about £90,000, to 77 different output addresses. About an hour later, that too (along with BTC in 99 other addresses, totalling about £4,000) was swept to a different address – albeit this time to a single address rather than the plurality of addresses I saw with B. In theory, that should make following ‘my’ BTC easier, but the entire contents of that address (about 107 BTC) were then swept to a further address several hours later, split into three 30 minutes after that, and so on.

My £17 worth of BTC again comes as part of a £90,000 block from Exchange ‘A’. A short while later, the BTC at my address is swept (along with BTC at 99 other addresses) to a single address (presumably cold storage), but further sweeps combine and then split the swept BTC further.

I then transferred the entire balance of my account with B to my account with C. This is where it gets interesting. Unlike the two transfers from A to B, the transfer from B to C took place from 61 input addresses to 31 output addresses, one of which was ‘mine’. None of the transaction inputs matched the value of the output that went to my account with C, and none of the input addresses matched any of the addresses that my coins that went to B were initially swept into.

My BTC may have come from one address, multiple addresses, or 61 addresses.

I have not done the laborious exercise to determine whether all of my BTC which were initially sent to B, and then swept into one or more of 39+31 cold storage addresses at B, can be followed into any intermediate addresses controlled by B, and then sent to C. There would be a large number of transactions to look through, growing exponentially as coins are swept and swept again. There is however one key reason why I suspect that the BTC sent to my account at C cannot be traced back to the BTC I deposited at B.

As I said, none of the values of the transaction inputs going from B match the value of the output into my account at C. In other words, there was not one identifiable balance at an address controlled by B which can be definitively said to be the source of my BTC that went to C. Exchange B clearly processes large numbers of transactions on behalf of customers all at once. From minute to minute, it does not know and cannot accurately guess which customer might want to move funds where. Once customers’ coins have been swept to other addresses, some or many of which may be held offline and therefore be more difficult to initiate transfers from, the coins may simply have to come from elsewhere in order to comply with customer instructions in a timely fashion. The BTC network may be a relatively quick way of moving assets around the globe, but it is also quite slow – which means that if an exchange had to move a customer’s coins from a cold wallet first before transferring them elsewhere, there would be an unacceptable delay to the customer.

This is the first place that the analogy to a safe deposit box breaks down. Banks cannot treat the contents of customers’ safe deposit boxes as fungible. This is obviously a trite observation in that the contents are highly unlikely to be fungible, but even if they were, banks do not purport to have a right to give you back a different asset to what you deposited. Of course, banks aren’t moving the contents of customer-facing safe deposit boxes into even safer safe deposit boxes, and certainly aren’t mixing their contents. You might say, well, why even draw the analogy? Cryptocurrencies such as BTC are wholly fungible. They can be mixed, and good security hygiene suggests that they should be.

That may be so, but as soon as they are mixed, does it make sense to talk of customers retaining legal title? If a coin remains at all times ‘yours’, both legally and beneficially, it must presumably remain at all times identifiable. If you then try to deal with it, you must actually be dealing with it, rather than an asset that has the same properties. If an exchange gives back a different asset to the one that was deposited, it is difficult to see how that can be consistent with legal title to the deposited crypto asset remaining at all times with the customer. You might say here that, in the view of the authors of the UK Jurisdiction Taskforce Legal Statement, cryptoassets cannot truly be transferred anyway – an asset is spent and destroyed and a wholly new asset is created at the destination address. In that sense, customers will always get back a different asset to the one held by the exchange. It remains to be seen if that outlook is adopted by the courts, but even so, that does not seem to address a scenario where no ‘chain of ownership’ can be drawn between the coins deposited and those transferred.

In case anyone thought it was still useful, the analogy to a safe deposit box breaks down even further. With a safe deposit box, a customer would expect to be the only one to retain a key, albeit the bank will reserve the right to force the box open in certain circumstances – e.g., under a court order. That kind of court order makes sense because the box and its contents are in the possession of the bank.

Most exchanges put the customer at a further stage of remove, however. Although transactions on blockchains can be effected by inputting the private key that corresponds with a given public address, exchange platforms do not usually give customers that level of access. In fact, once coins are swept from a deposit address and the customer wishes to make a withdrawal (which, as we have seen, will likely come from a pooled address) the exchange can’t give customers private keys because the customer would be able to deal with the entire contents of that address. Exchanges therefore interpose themselves to prevent a customer from directly accessing their coins and when a customer initiates a transfer it is instead instructing or requesting the exchange to use the exchange’s own private key.

This same setup was relevant to the New Zealand High Court’s conclusion that pooled customer coins were held on trust for the customers as a class of beneficiaries (my emphasis):

[153] On this, I am satisfied that Cryptopia manifested its intent through its conduct in creating the exchange without allocating to accountholders public and private keys for the digital assets it commenced to hold for them. The SQL database that Cryptopia created showed that the company was a custodian and trustee of the digital assets and effect needs to be given to this.

So, the pooling of customer coins and executing transfers from those pooled addresses may be indicative of a trust, even if the T&Cs say otherwise.

If you’re anything like me, the assumptions I made about being unable to draw a line between the coins sent to B and the coins then sent to C will be nagging at you and you will be thinking – “sure, but you didn’t prove that the coins sent to C can’t be traced back to B. You’re just assuming that and you haven’t actually done the tracing exercise to rule it out.”

You got me.

So, I decided to do a final experiment. I transferred the entire balance of my account at C back to B. It arrived from a single input address in a round 9 BTC block to a manageable 5 different addresses. The transaction took over an hour to be confirmed on the blockchain, but as soon as it was confirmed, and before it could be swept to cold storage, I transferred half of it back to my account at A.

Rather than come from the address where I had just deposited my worldly holdings, my transfer came in a single 92 BTC block from a different address. Bingo. Even when the exact value of my transfer was sitting in a hot wallet, segregated from other customers’ and ready and waiting to be used, B dug into a pool of BTC sitting elsewhere and moved that instead.

On reflection, maybe this should not have been such a huge surprise. With each transfer where my coins were swept to other addresses, the sweeping took place about an hour after the initial transfer. In my recent experience of using the BTC blockchain, it could take anywhere from 30 minutes to well over an hour for the network to confirm a transfer. While I do not know, I would not be surprised if the exchanges executed the sweep very shortly after the coins were received and the delay in seeing it was simply the bitcoin blockchain taking its time to process the transaction. If that’s right, then I never had an opportunity to transfer “my” BTC at all.

I’m still reading: why does this matter?

So, the exchange gave me back a different coin with the same properties and same value. What does it matter?

As I said above, exchange hacks are not uncommon – it was a hack and theft that got Cryptopia. Others are frequently in the news. Depending on which assets were taken and from which addresses, it may be open to customers to argue that the coins taken weren’t theirs if a line cannot be drawn between their deposit address and the stolen coins, and argue instead that their coins are still “custodied” at the exchange. Alert readers will realise that the other side to that ‘coin’ is that, if the stolen coins did not belong to one customer, they must have belonged to another. This approach may therefore pit customers against each other.

The insolvency of exchanges remains an on-going possibility as well, especially in light of recent volatility in crypto markets (which has been extreme even by the sector’s own standards). In the Cryptopia example cited above, customers were found to have beneficial rights in the coins pooled and held by the exchange on their behalf – and those coins were ring-fenced from the exchange’s assets in the liquidation. But that conclusion need not follow in every case. Very importantly, as well, the New Zealand High Court found that there was a trust notwithstanding the terms and conditions and because of what the exchange was doing technically with its platform “behind the scenes”.

Another issue arises in the context of fraud and asset-tracing. Freezing injunctions and disclosure orders against exchanges are now a cottage industry across the common law world. Although the anonymity afforded by public blockchains can frustrate victims in their attempts to follow their stolen assets, the public ledgers themselves do allow customers to trace or follow their stolen property along the blockchain. From the perspective of asset-tracing rules that apply to bank transfers, you might think that you could follow a specific coin into an exchange, track its onward movement into cold storage and freeze it. And you might be right. But you might also find out that the exchange had dissipated other coins on that customer’s behalf from wholly unconnected addresses, immediately after the initial deposit. Looking at the blockchain itself, you would have no way of knowing that, and a victim might conclude that its stolen property is the coins still resting in cold storage – a view the exchange might take issue with.

Any conclusions on this topic are necessarily tentative. Different exchanges have different terms of business, and different technical setups. The differing factual circumstances which may lead to these issues being considered by the courts will mean that the analysis is all case by case. That said, the purpose and function of crypto exchanges is certainly not per se inconsistent with customers retaining legal title to crypto assets sent to an exchange on their behalf. For instance, the ease with which countless new addresses can be created to receive coins means that customer coins could in theory be segregated from other customers’, and dealings in coins on behalf of those customers could be restricted to those coins. There would no doubt be business inefficiencies that come with that approach, and 999 times out of 1,000 the average customer may prefer the more efficient but legally murkier approach. However, the fact that total segregation can in theory be achieved may be an interesting counterpoint to scenarios where exchanges pool customer assets but nevertheless eschew taking legal title.