In our Series 2 of these updates we analysed the Securities and Exchange Commission's ("SEC") requirements in relation to Digital Assets Offering Platforms (DAOPs). In this series, we will analyse Part C of the Rules which stipulates the rules guiding the registration requirements for Digital Asset Custodians ("DAC") (the "DAC Rules"). Prior to the issuance of the Rules, the SEC only recognised the functions and operations of (and licensed) custodians in relation to custody of equity and debt instruments. The Investment and Securities Act 2007 defines a "custodian" as a person who has custody as a bailee of securities or certificate issued in the investor's name with the investor's name appearing in the issuer's register as the beneficial owner of the securities. With the increase in the use of virtual currencies and non-fungible tokens/assets in Nigeria, and in its desire to protect investors in that space, it became imperative for the SEC to recognise and regulate the operations of DACs within the Nigerian capital market.

Who is a DAC and can be registered in Nigeria?

The DAC Rules define a "Digital Assets Custodian" as a person who provides the services of safekeeping, storing, holding or maintaining custody of virtual assets/digital tokens for the account of another person. To be registered as a DAC in Nigeria, the DAC Rules require that an applicant:

  1. must satisfy the eligibility requirements for registration as a custodian or trustee and any additional requirements which the SEC may prescribe from time to time; and
  2. shall pay the fees as prescribed by the SEC.

As a way of deepening the market, the SEC provides that an existing registered custodian or trustee company may also apply to the SEC for registration to provide DAC services in order to expand its service offerings to cover both physical assets and virtual assets. In addition, the DAC Rules permit foreign DACs to apply to the SEC for registration to operate in Nigeria. To be registered, a foreign DAC must fulfil the requirements set out in the DAC Rules and satisfy the SEC that it is:

  1. authorised to operate or carry out an activity of a similar nature in its jurisdiction; and
  2. from a jurisdiction with which the SEC has regulatory arrangements on enforcement, supervision and sharing of information.

Key registration requirements

The SEC's registration requirements for a trustee or custodian, which also apply to a DAC, include, inter alia:

  1. a set of duly completed designated forms to be filed by a minimum of 3 sponsored individuals;
  2. the constitutional documents of the Company and a form certified by the Corporate Affairs Commission ("CAC") containing the names of the directors;
  3. copy of the audited accounts and management accounts for companies in operation for less than one year at the time of filing with the CAC;
  4. profile of the Company, its promoters and management;
  5. fidelity bond of a value not less than 25% of paid up capital; and
  6. sworn undertaking to keep proper records and render returns and to abide by the provisions of the Investments and Securities Act and the SEC rules in the discharge of its functions as custodian of securities.

What are the Obligations of a DAC?

The DAC Rules prescribe some of the obligations of a DAC in carrying out its duties. Such obligations include: acting in the best interest of its clients and taking all reasonable measures to avoid situations that are likely to involve conflict of interest with its clients; safeguarding the rights and interests of its clients, including ensuring that its clients have access to their virtual assets/digital tokens at all times; preventing unauthorised access to clients' virtual assets/digital tokens; ensuring that all fees and charges payable by clients are fair, reasonable and transparent; disclosing any information or providing any document to the SEC as the SEC may require from time to time; and ensuring compliance with all relevant laws, regulations and guidelines, including but not limited to Anti-Money Laundering/Combating the Financing of Terrorism/Proliferation Financing laws and regulations.

Responsibilities of DACs

DACs have responsibilities in the discharge of their services as set out in the DAC Rules. These responsibilities include establishing a risk management framework, conflict of interest management, undertaking internal audit checks, key generation and management, segregation of client assets, transaction handling, and outsourcing obligations. We have discussed some of these below:

  • Risk Management

    DACs are required to establish a risk management framework that will identify, assess, monitor, control and report all material risks to which the DAC could be exposed. The risk management framework must include strategies developed to identify, assess, monitor and mitigate all material risks; policies and protocols relating to management and controls of all material risks; a methodology to assess all material risks; and a reporting system for all material risks to senior management and the board. A DAC is also required to carry out periodic reviews, audits and testing on systems, operational policies, procedures, and controls relating to risk management and its business continuity plan.
  • Conflict of interest management

    The SEC requires a DAC to give priority to its clients' interest if there is a conflict between its clients' interests and its own interests. In this regard, a DAC shall establish and maintain written policies, processes and procedures that (a) identify, monitor, mitigate and manage situations and potential situations which may give rise to conflict of interest; and (b) require disclosure of any conflict or potential conflict of interest.
  • Internal audit

    The SEC also mandates a DAC to perform internal audit checks on its operations regularly and may establish an internal audit office or outsource this role to accomplish this. Furthermore, a DAC shall also establish an internal audit framework which shall be approved by the board of directors of the DAC.
  • Transaction Handling

    On transactions with clients, a DAC is required to ensure that it has up-to-date transactional records relating to its clients' virtual assets/digital tokens. Such transactional information should include transaction timestamp, details of any transaction including the purpose of a transfer, amount and details of the counterparty, relevant signatories and transaction, and any other information as may be specified by the SEC from time to time. On the currency for recording transactions, the SEC requires that transactions should be denominated in Nigerian Naira.
  • Key Generation and Management

    A DAC shall establish and maintain a sufficiently and verifiably secured storage medium designated to store its clients' virtual assets/digital tokens and have in place effective security mechanisms for the virtual assets/digital tokens. In this regard, a DAC shall adopt measures such as having multifactor authentication requirements before effecting any transaction on behalf of its clients.
  • Segregation of client assets

    The role of a DAC is similar to that of a trustee which holds assets for and on behalf of clients. As a result, the SEC requires a DAC to ensure that all clients' virtual assets/digital tokens are properly segregated from its own assets and safeguarded from conversion or inappropriate use by any person. A DAC shall establish systems and controls for maintaining accurate and up-to-date records of its clients' virtual assets/digital tokens held. In relation to foreign DACs which are registered with the SEC, the SEC requires that such foreign DACs should have a separate account for their custodial services in digital asset offerings with clients in Nigeria.

Outsourcing Requirements

The SEC recognizes that not all services could be provided by a DAC in-house and that some services could be outsourced. In that regard, the SEC permits a DAC to outsource any of its functions such as back-office processes, etc. to external service providers subject to complying with the requirements of the Rules. Functions that involve (i) the decision making or (ii) any contact whatsoever with its clients should not be outsourced. A DAC that intends to outsource any of its functions is required to appoint an appropriate and efficient service provider for its outsourcing arrangement and monitor the outsourcing arrangement on a continuous basis to ensure that it does not lead to business disruption and negative consequences to its clients.

The SEC considers the outsourcing of functions by a DAC to be a material outsourcing arrangement and, consequently, functions can only be outsourced by a DAC to the following service providers: internal audit function to a DAC's auditor or an external auditor, where applicable; compliance function to a DAC's group of companies, where applicable; or risk management function to a DAC's group of companies or an external service provider in the area of risk management. Where the internal audit and risk management functions are outsourced by a DAC, they cannot be further sub-contracted.

Suspension or Cancellation of a DAC's Registration/Licence

The SEC may suspend or cancel the licence of a DAC on the terms prescribed in the SEC Rules and Regulations 2013 (as amended) (the SEC Rules) on cancellation of registration. The terms which could trigger a cancellation include:

  1. Where the DAC is guilty of fraud or has been convicted of an offence involving moral turpitude; or
  2. Where the DAC is guilty of repeated defaults.

Withdrawal of a DAC's Registration/Licence

A DAC may voluntarily seek a withdrawal of its licence. In that regard, a DAC seeking a withdrawal of its licence/registration may send a notice to the SEC requesting that its licence should be withdrawn. Such an application must be supported with reasons as prescribed in the SEC Rules on withdrawal of registration. The prescribed reasons include:

  1. Failure to render statutory returns;
  2. Erosion of capital; or
  3. Where the DAC is affected by policy changes.

Where the SEC approves an application for withdrawal of the DAC's licence, the withdrawal shall not take effect until the SEC is satisfied that adequate arrangements have been made to meet all the liabilities and obligations of the DAC that are outstanding at the time when the notice of the withdrawal was given. In addition, the DAC shall operate so as to (a) avoid or affect any agreement, transaction or arrangement entered into by the DAC, whether the agreement, transaction or arrangement was entered into before or after the withdrawal of the registration; or (b) affect any right, obligation or liability arising under any such agreement, transaction or arrangement.

Cessation of Business

A DAC is prohibited from ceasing its business or operations without prior engagement with the SEC. The SEC may also issue a direction or impose any term or condition for the purposes of ensuring the orderly cessation of the business or operation of a DAC. A DAC which ceases to operate or cannot fulfil its obligation under the custodial agreement is mandated to ensure that its clients continue to have uninterrupted access to their respective virtual assets/digital tokens in its custody. Such cessation of business or operations shall also not take effect until the SEC is satisfied that all the requirements stated in the relevant laws and regulations have been fulfilled.

Conclusion

As you would have seen above, the DAC Rules apply to persons who intend to provide the services of a DAC in Nigeria, whether a Nigerian company or an offshore DAC. It is not yet clear whether registration as a DAC would also be sufficient for an entity to operate as a Virtual Asset Service Provider ("VASP"). This is because Part D of the Rules requires persons whose activities involve safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets to register as VASPs. The Rules are silent on whether one licence would cover the other or whether both licences are required by the same entity to operate as a VASP and DAC. It is also not yet clear how a DAC will open and operate accounts with Nigerian banks. This is because of the CBN prohibition of institutions under its regulatory purview from engaging in, or facilitating payments for, transactions involving cryptocurrencies, considering that DACs will be required to operate bank accounts for their business.
