The Spectacular Fall of FTX: Considerations about Crypto Custody and Insurance
This morning, the FTX crypto exchange (and more than 130 affiliates) filed for bankruptcy in Delaware. FTX was recently valued at $32 billion, and now it appears to be worth $0. The bankruptcy petition listed at least $10 billion in liabilities.
The rapid unwinding of the world’s second largest crypto trading platform this week may have been a solvency crisis, or it may have been a liquidity crisis (or one turned into the other, or both!). And most of its in-house lawyers and compliance staff abruptly quit three days ago. As a crypto exchange which offered futures and other leveraged trades to investors, it rehypothecated assets (tokens) in order to create leverage that its customers wanted. The death spiral of FTX raises a lot of good questions about coin custody and crypto insurance.
When people talk about stocks or cash, we rarely focus on custody. Either the cash is in our pocket or it’s in a bank vault (maybe its locked in a safe at your house or under the mattress). The cash is either somewhere you can readily put your hands on it, or it’s in a physically secure (and highly regulated) financial institution. If it’s in a bank, its insured by the FDIC up to $250,000. And SIPC provides insurance for cash and some securities in trading accounts at regulated brokers. Similarly, your experience buying and selling stocks is usually by calling a regulated broker or trading them through an online broker (also regulated); but rarely handling the physical share certificates. Instead, for nearly fifty years, the tracking of share ownership and the custody of stock certificates has mostly been done by the Depository Trust Company (owned by the Depository Trust and Clearing Company), and Cede & Company is the leading custodial nominee and holder of record for securities. Nearly all corporate, equity, money market securities, and freely tradable public company securities in the U.S. are recorded and settled there.
That’s not the case with cryptocurrency. None of that applies to tokens.
If your home is broken into and cash is stolen, your homeowners insurance policy usually provides some relatively low limits of coverage. Insuring cash – by its very nature – leads to a lot of moral hazard. Similarly, a businessowners property policy might have limited coverage of cash, checks, and securities. It might also have $1,000 of coverage for the good faith acceptance of counterfeit currency. But if a customer walks away with the cash register or a burglar destroys a safe, they might take more than the insurance covers. So lots of businesses buy a separate crime policy to protect against the loss of cash and securities both inside their building, and also when an employee is making a bank run to drop off the cash deposits.
But that’s also not the case with cryptocurrency either. Few people think about insuring their own cryptocurrency assets, perhaps wrongfully assuming that the exchange or custodian they use is providing insurance against hacks.
Because crypto hacks happen. A month ago, it was reported that $570 million worth of Binance’s BNB token were stolen. Binance is the largest crypto exchange, by volume, in the world. Imagine if 2 million shares of stock on the New York Stock Exchange, worth over a half-billion dollars, just evaporated off the exchange’s floor on a random Thursday? Well . . . they wouldn’t. Because the NYSE is just an exchange and is not a custodian. The shares being traded aren’t actually on the floor at the New York Stock Exchange, and the guys shown yelling on the exchange floor on television do not have a stack of physical share certificates with them. The custody of shares and tracking of ownership is mostly at the Depository Trust Company.
Structurally, why is there a difference? There are a few reasons. In no particular order:
Cryptocurrencies and methods of trading them (exchanges, brokers, etc.) are still relatively novel. Their employees have not been going to industry security meetings and conferences since the days of Jesse James, sharing information on how to prevent thieves.
The regulatory environment – which can be synergistic for customer and custodian protection – for cryptocurrencies and exchanges is still a bit like the Wild West.
The nature of many cryptocurrencies is that they share some features with other financial bearer instruments (like lottery tickets, casino chips, physical cash, or gold and silver). Just try buying something with a certificated share of General Electric common stock. It’s much easier to buy something with a Bitcoin or BNB token. (But I doubt anyone is taking FTX’s FTT token today).
Which gets us back to insurance. We have seen time and again that when the origination of risk is separated from the retention of risk, underwriting standards tend to fall. This occurred with Lloyd’s of London’s (commonly misunderstood to be an insurance company, but it’s really an insurance exchange) near collapse in 1991-1992. It occurred with “originate to distribute” excesses with mortgage backed securities and collateralized debt obligations that fueled the global financial crisis in 2007-2010. It’s the reason that reinsurers insist on a right to information or to audits from the cedants.
In the cryptocurrency world, the exchanges have typically also been the custodians of the assets. Coinbase is a good example. But other exchanges are structured to facilitate more expansive trading (with leverage and futures contracts), with the custody of crypto assets held elsewhere. That separation of the origination of risk (taking customers dollars in exchange for tokens) from the retention of risk (where the tokens are stored, and what do you do when the customer comes back and wants to cash in their tokens or coins for dollars) creates a situation where there are incentives for the security of the coins to deteriorate.
Anyone with a substantial amount of cryptocurrency needs to understand who has custody of the coins, and whether the wallet is insured. Some exchanges are also custodians, and some are not. Some are fully insured, some self-insured, and some have no insurance to cover the theft of your coins.
Some of the bigger name platforms (Coinbase, Bitstamp) reportedly have crime policies with limits in excess of a quarter-billion dollars, insured through Lloyd’s and other major insurers. Binance reportedly earmarks a percentage of all trading fees into a self-insurance fund, which it claims is now worth over $1 billion. Question whether it’s bankruptcy remote, though?
FTX US’s website indicates it has a crime policy from Aon with limits of $7.5 million. That seems low for a company that, a few weeks ago, was worth $32 billion. But, the important fact is that is that policy is for tokens in hot or warm wallets. For the majority of assets stored in cold wallets, it relies on BitGo to provide custody and insurance. And BitGo appears to have insurance from a syndicate of major London-market, Lloyd’s, and European insurers. With 9 figure limits.
Not many companies write insurance for crypto traders and investors to buy to protect themselves. One that does is Breach Insurance. It claims its “Crypto Shield” is the first insurance designed for crypto investors, rather than exchanges and other businesses which handle crypto assets. It is not available in every state, and is limited to tokens on certain exchanges. It does not cover tokens held in third-party wallets. So it avoids the risk explained above. And policies range from covering $2,000 to $1 million in coins. Coincover also provides coverage to individual traders and wallets, with a product designed to cover theft by various methods (hacking, security breach at the exchange, employee theft, etc.) and is backed by Lloyd’s.
If you are a trader with $10,000 in Dogecoin held by one major exchange, there is probably an off the shelf insurance policy. If you are an institutional investor, a fund, or a business which accepts tokens as payment, and you have $100,000 or $1 million or more spread across multiple wallets and possibly on multiple platforms, you will likely have different needs. The insurance decisions will vary because of the differing tokens, where they are stored, how they are stored, and who your counterparties are.
The insurance market for tokens continues to evolve. On one hand you have more focus on regulation. On the other there are millions of dollars of losses every single day. Some losses are considered hacking. Others – like the loss of $100 million last month on the Solana-based Mango Markets – can be described as a fair exploitation of the rules (lots of people still call it a “hacking”). It will probably be hard to insure your Mango tokens. And there is always old fashioned mitigation; maintaining tight control of passcodes and privacy keys and spreading tokens across multiple wallets on different platforms to keep all your eggs in different baskets.