The Pennsylvania House of Representatives has passed a bill that could impact how digital assets are used within the state.

House Bill 2481, also known as the Bitcoin Rights Bill, was approved with a bipartisan majority of 176 votes to 26, and now heads to the state Senate for further consideration, according to Fox Business.

The bill, introduced by the nonprofit Satoshi Action Fund, establishes legal clarity around cryptocurrency ownership and usage. It allows residents to self-custody their digital assets, meaning they can hold Bitcoin (BTC) and other cryptocurrencies directly without relying on third-party services like exchanges.

Improved Bitcoin use

The bill also permits the use of Bitcoin for payments, which could change the way businesses and individuals conduct transactions using the cryptocurrency.

For those unfamiliar with crypto, self-custody means owning your digital currency directly, giving you full control over your assets. When you use exchanges, you trust them to store and manage your assets, but self-custody puts that responsibility in the hands of the individual.

Bitcoin is a digital currency that operates without a central authority, and this bill would make its use more widely accepted in Pennsylvania.

If passed by the Senate, this legislation could signal a growing acceptance of digital currencies at the state level, while the federal government continues to grapple with crypto regulation.

Pennsylvania’s decision mirrors efforts in other states, such as Oklahoma and Louisiana, which have passed similar laws.

Komainu, a crypto custodian provider backed by Nomura Group, completed their first acquisition by buying Singaporean rival custodian Propine Holdings.

According to an Oct. 22 Bloomberg report, Japanese Nomura-backed crypto custodian firm Komainu’s Propine purchase is still awaiting approval from the Monetary Authority of Singapore.

Propine Holdings has been operating as a digital asset custodian in Singapore since 2018. In November 2019, Propine was granted a conditional license from the Monetary Authority of Singapore after co-creating MAS’ FinTech Regulatory Sandbox.

Komainu co-Chief Executive Officer Paul Frost-Smith said in an interview with Bloomberg that Komainu’s acquisition of Propine will likely be the first of several more to come. Though, he refused to disclose the exact amount paid by Komainu to buy out Propine.

Frost-Smith added that he expects to close a funding round in the next few weeks for Komainu.

Frost-Smith stated that the Propine acquisition marks the first step towards Komainu’s expansion into other parts of the Asian region. He calls it “an absolutely key factor in building” the business, as buying Propine will provide Komainu a Capital Market Services license from Singapore.

In addition, Frost-Smith stated that Komainu will also apply for a Major Payment Institution license in Singapore, enabling the custody provider to operate in Singapore. He views Singapore as an integral part of Komainu’s future business endeavors as demand from private banks in Singapore for advisory services is on the rise. The same can be said about collateral management services for hedge funds and other asset managers.

Komainu plans to branch out its business into Singapore, Hong Kong and other economies that have set up regulations involving digital assets. Though, Frost-Smith added that Japan will remain the primary focus for Komainu operations as it is Nomura’s home market.

Komainu became Nomura’s first dip into the crypto space back in 2020, when it offered Bitcoin (BTC) and crypto custody services for institutional investors. Initially, Komainu offered Bitcoin, Ethereum (ETH), and other cryptocurrencies with significant market capitalization.

Traditional software-as-a-service-based multi-party computation custodians are often seen as the “convenient” solution in the crypto universe, managing a staggering portion of decentralized assets. But the reality is that the convenience quickly wears off, revealing a host of limitations, unexpected risks, and challenges as you dive deeper into the technological aspects of protecting digital currency. 

Regardless of your decentralization versus centralization stance, it is essential to recognize that the appearance of private key control can be skewered by a lack of control in policy governance and infrastructure you do not run yourself.

The rise and risks of SaaS-based MPC wallets 

The emergence of SaaS-based MPC wallets has significantly impacted the crypto landscape, allowing businesses to manage digital assets with convenience and perceived security. These wallets are typically provided by tech companies that are currently positioning themselves more and more as non-custodial service providers. However, despite this label, these solutions still require users to trust a centralized party to coordinate signing and key generation securely, placing them high on the custody spectrum in terms of control over assets. 

This reliance on a centralized service provider creates a situation where control and security are not entirely in the hands of the institution using the service. While these tech providers do not operate as traditional third-party custodians, such as BitGo or Anchorage—highly regulated and offer fully managed custodial services—they still introduce a central point of control and potential vulnerability. As used by both SaaS-based providers and traditional custodians, MPC technology involves splitting cryptographic keys required for transactions into multiple parts distributed among various parties to enhance security. 

However, in the case of SaaS-based solutions, the centralization of these services within a few dominant players introduces new risks. One of them is that these providers become attractive targets for hackers due to their significant control over many clients’ assets, creating a vulnerability similar to that of centralized exchanges. Two, the concentration of control in these SaaS-based models not only increases security risks but indirectly limits the autonomy of crypto businesses.

By relying on an external provider to manage critical aspects of digital asset security, institutions may find themselves constrained in managing policies, procedures, and the overall governance of their assets. This centralization stands in contrast to the decentralized ethos of the crypto industry, where individual sovereignty over digital assets is paramount.

The challenges of dependency and trust in MPC custodians 

While MPC wallets often claim to be non-custodial because the institution holds part of the key, the reality is far more complex: the heavy dependency on third-party vendors for day-to-day operations, security, and service availability introduces significant risks. Despite the customer institution holding a key share, all other components affecting the use or potential misuse of key shares remain under the vendor’s control. This setup creates vulnerabilities around key signing integrity but, even more importantly, introduces friction into the customer experience, an operational risk that should be accounted for.  For instance, any policy change can take up to a few weeks if it is not prioritized by the vendor, posing significant delays and operational inefficiencies​.

Analyze this potential impact further. MPC wallets can have longer transaction times, and their reliance on vendors for routine account changes and maintenance can be problematic. If a team member leaves, revoking their access is done at the vendor’s tempo. It can take considerable time, resulting in a period where the security of assets may be compromised. Additionally, service downtimes for maintenance during business hours can disrupt operations. Plus, in disaster scenarios, asset recovery can take up to 48 hours—a period that is far too long for any organization dealing with high-value transactions. These operational dependencies can be highly inconvenient. Ultimately, they pose security risks that contradict what decentralization stands for—namely, running your own wallet infrastructure.

For regulated financial institutions or firms with stringent security requirements, these dependencies are deal-breakers. That’s because the operational risks and costs associated with relying on third-party MPC wallet solutions are often unacceptable to internal risk teams. These teams are unable to get comfortable with the inherent uncertainties and potential for delayed response times that these products entail. Consequently, many MPC wallet solutions fail to pass the rigorous scrutiny of risk assessments, preventing them from being adopted by institutions that require the highest levels of security and operational control​.

A new paradigm for crypto custody

If the incumbent SaaS solutions represent the ‘trust us’ model, the ideal solution should transition towards a ‘trust but verify’ approach and, ultimately, a ‘never trust, always verify’ model. This shift empowers customers to partially or fully host the software, granting them control and ownership of critical IT infrastructure. By eliminating the opaque operations inherent in black box SaaS solutions, institutions not only mitigate operational risks hidden in the friction of operating in a third party’s sandbox but also enable more agile and flexible infrastructure management.

This enhanced control supports better risk management and allows institutions to adapt quickly to market demands, ultimately driving revenue growth and positively impacting the bottom line.

A practical solution integrates critical management and policy controls into a comprehensive platform, allowing institutions to manage their digital assets within a zero-trust security framework. This architecture continuously validates every interaction, eliminating implicit trust and enhancing security. By adopting a service-oriented architecture, institutions can tailor the system to their unique requirements, ensuring scalability, high performance, and robust security. 

Current market offerings, which rely entirely on SaaS-based MPC wallets, place undue trust in vendors who control all components, including cryptographic processes, keys, policies, and transaction data. By moving towards solutions that enable institutions to own and control critical parts of their digital asset infrastructure, the industry can mitigate risks and reduce vulnerabilities while operating more closely to the principles of decentralization. Such a transformation is essential for fostering trust and security in the rapidly evolving crypto landscape​.

Now is the time for institutions to take control of their policies. By adopting models that provide partial or complete control over key management and policy enforcement, institutions can better align with the correct treatment and oversight of service providers or outsourcing arrangements. This paradigm shift is essential for the industry’s future, and it’s something that is poised to safeguard crypto’s core values while paving the way for continued innovation and trust.

Haden Patrick

Haden Patrick is the director of business operations of Cordial Systems, a provider of institutional-grade self-custody software using a zero-trust security model.  Haden has executive experience in team leadership, engineering, and education originating from his 24-year career as a Naval Officer. After co-founding SoloKeys, the first open-source security key company, he managed projects connecting web3 to traditional finance at a cryptocurrency trading firm before joining Cordial Systems.