Custody Compliance for Digital Assets

2026-04-04 · Web3 Compliance AI

Why Custody Compliance Matters

Custody — the safekeeping of customer assets — is one of the highest-risk activities in crypto. Losses from exchange hacks, insider theft, and operational failures have cost billions. Regulators have responded with increasingly specific custody requirements. If you hold customer crypto assets, custody compliance is non-negotiable.

Regulatory Landscape

European Union

MiCA requires CASPs offering custody to segregate client assets from proprietary assets, maintain adequate insurance or equivalent guarantees, implement robust IT security controls, and establish clear procedures for asset returns. The European Banking Authority (EBA) has issued Regulatory Technical Standards (RTS) with detailed custody requirements.

United States

In the US, custody is regulated at both federal and state levels. The SEC's custody rule (Rule 206(4)-2 for investment advisers) requires qualified custodians. The OCC has clarified that national banks may provide crypto custody. State trust charters (like Wyoming's SPDI) offer another path. FinCEN treats custodians as money services businesses (MSBs). The SEC has proposed (and partially finalized) Staff Accounting Bulletin guidance (SAB 121 and its successors) affecting how custodied crypto appears on balance sheets.

Singapore

MAS requires DPT custodians to hold customer assets in trust, maintain segregated accounts, and implement robust cybersecurity controls. The Payment Services Act includes specific custody provisions.

Operational Requirements

Asset Segregation

Customer assets must be clearly segregated from the company's own assets at all times. This means separate wallets, separate accounting, and ideally separate legal entities. Commingling of customer and proprietary funds is a regulatory red line that has led to enforcement actions and criminal charges.

Key Management

Private key management is the core technical challenge. Best practices include: multi-signature schemes requiring multiple approvals for transactions, Hardware Security Modules (HSMs) for key storage, geographic distribution of key material, air-gapped signing for cold storage, clear key ceremony procedures documented and audited, and disaster recovery procedures including secure backup of key material.

Cold and Hot Wallet Strategy

Maintain the minimum necessary balance in hot wallets (internet-connected) for operational liquidity. The majority of customer assets should be in cold storage (offline). Industry standard is 90-95% cold / 5-10% hot, though this varies by business model. Document your hot wallet policy and review it regularly.

Insurance

Obtain insurance coverage for custodied assets. Coverage types include: crime/fidelity insurance (employee theft), specie insurance (direct coverage of crypto assets), professional liability, and cyber insurance. Note that crypto insurance capacity remains limited and expensive — document any gaps and implement compensating controls.

Proof of Reserves

Increasingly, regulators and customers expect proof of reserves — cryptographic or audited verification that customer assets exist and are fully backed. Consider implementing Merkle-tree proof of reserves or engaging an auditor for periodic attestations. Full proof of solvency (proving assets exceed liabilities) provides stronger assurance than proof of reserves alone.
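As an added illustration (not code from the original guide) of the Merkle-tree approach described above: each customer balance is a leaf, every internal node carries the running sum of its subtree, a customer checks their own inclusion against the published root, and the root total is compared with separately attested reserves. The account names and balances are constructed for the example.

```python
import hashlib

PAD = (bytes(32), 0)  # padding node for odd levels: empty hash, zero balance
# Constructed sample balances in integer base units (not real customer data).
CUSTOMERS = [("acct-a1", 500), ("acct-b2", 1250), ("acct-c3", 0), ("acct-d4", 3000), ("acct-e5", 75)]

def leaf_hash(account_id: str, balance: int) -> bytes:
    # Commits to one customer's balance; in practice account_id is a salted
    # hash shared privately with that customer, not a raw identifier.
    return hashlib.sha256(f"{account_id}:{balance}".encode()).digest()

def node_hash(lh: bytes, ls: int, rh: bytes, rs: int) -> bytes:
    # Commits to child sums as well as child hashes, so the total cannot
    # be changed without changing the root hash.
    return hashlib.sha256(lh + ls.to_bytes(16, "big") + rh + rs.to_bytes(16, "big")).digest()

def build_tree(balances):
    """Return the tree as a list of levels, leaves first; each node is (hash, sum)."""
    if any(b < 0 for _, b in balances):
        raise ValueError("negative balances would let liabilities cancel out")
    level = [(leaf_hash(a, b), b) for a, b in balances]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level.append(PAD)  # stored in place, so proofs see the same padding
        level = [(node_hash(*level[i], *level[i + 1]), level[i][1] + level[i + 1][1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Sibling path from leaf `index` to the root: [((hash, sum), sibling_is_right), ...]."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib], sib > index))
        index //= 2
    return path

def verify_inclusion(account_id, balance, path, root):
    """Customer-side check that (account_id, balance) is under the published root."""
    h, s = leaf_hash(account_id, balance), balance
    for (sh, ss), sib_right in path:
        h, s = (node_hash(h, s, sh, ss), s + ss) if sib_right else (node_hash(sh, ss, h, s), ss + s)
    return (h, s) == root

def is_solvent(root, attested_reserves: int) -> bool:
    # Root sum is total liabilities; reserves must be attested separately
    # (e.g. signed messages from the custody wallets), not taken from this tree.
    return attested_reserves >= root[1]
```

The tree only shows that each customer's balance is counted in the published total; the solvency conclusion also rests on the reserve figure being independently attested, which is why the guide prefers full proof of solvency over proof of reserves alone.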

Audit and Reporting

Maintain detailed records of all custody operations: deposits, withdrawals, internal transfers, key ceremonies, and access logs. Engage independent auditors with crypto expertise for annual custody audits. SOC 2 Type II certification is increasingly expected for institutional-grade custody operations.