Custody Compliance for Digital Assets
Why Custody Compliance Matters
Custody — the safekeeping of customer assets — is one of the highest-risk activities in crypto. Losses from exchange hacks, insider theft, and operational failures have cost the industry billions of dollars. The collapse of FTX in 2022, where customer funds were commingled with proprietary trading operations, resulted in over $8 billion in customer losses and criminal convictions for executives. Regulators worldwide have responded with increasingly specific custody requirements.
If you hold customer crypto assets, custody compliance is non-negotiable. Every major jurisdiction now imposes asset segregation, key management, and disclosure requirements on custodians. Failure to comply carries civil and criminal liability.
Regulatory Requirements by Jurisdiction
European Union — MiCA
MiCA (Regulation EU 2023/1114) imposes specific obligations on CASPs providing custody and administration of crypto-assets on behalf of clients (Article 75):
| Requirement | Detail |
|---|---|
| Capital | EUR 125,000 minimum permanent capital |
| Segregation | Client assets must be segregated from proprietary assets at all times |
| Liability | CASP is liable for loss of client crypto-assets due to ICT-related incidents, including those caused by third parties, up to the market value of the lost assets |
| Insurance | Must have adequate insurance or equivalent guarantees to cover potential liability |
| Custody policy | Written custody policy describing the custody arrangements, key management procedures, and safeguarding measures |
| Record-keeping | Maintain a register of positions for each client, updated promptly |
| Return of assets | Clear procedures for returning assets to clients upon request |
EBA Regulatory Technical Standards (RTS) provide detailed custody requirements including:
- Specific segregation arrangements (omnibus vs. individual wallets)
- Key management standards
- Reconciliation frequency and procedures
- Business continuity for custody operations
ESMA supervision: ESMA coordinates supervisory approaches across NCAs for custody CASPs, with particular focus on asset segregation and liability.
United States
US custody regulation is fragmented across multiple regulators:
SEC — Investment Adviser Custody Rule (Rule 206(4)-2):
- Investment advisers holding client crypto assets must use a "qualified custodian."
- Qualified custodians include banks, broker-dealers, and certain trust companies.
- Annual surprise examination by independent accountant required.
- SAB 121 (Staff Accounting Bulletin): Required crypto custodians to recognize a liability and corresponding asset on their balance sheet for custodied crypto — creating significant capital implications for banks. Subsequent legislative and regulatory developments have modified this requirement.
OCC (Office of the Comptroller of the Currency):
- Interpretive Letters 1170 and 1171 (2020-2021) confirmed that national banks and federal savings associations may provide crypto custody services.
- Must demonstrate adequate risk management, controls, and compliance.
State Trust Charters:
- Wyoming Special Purpose Depository Institution (SPDI) — Purpose-built for digital asset custody. Requires unencumbered liquid assets equal to 100% of custodied assets (no fractional reserve). Examples: Custodia Bank (formerly Avanti).
- New York Limited Purpose Trust Company — Used by Gemini, Paxos, and others. Regulated by NYDFS with bank-like examination requirements.
- South Dakota Trust Charter — Another option with favorable regulatory environment.
FinCEN: Custodians are classified as Money Services Businesses (MSBs) and must register with FinCEN, implement a full BSA/AML compliance program, and file SARs and CTRs.
Singapore — MAS
MAS requires DPT custodians under the Payment Services Act 2019 to:
- Hold customer assets in statutory trust — customer assets are protected in the event of the VASP's insolvency
- Maintain segregated accounts — customer assets must be separate from the company's own assets
- Implement robust cybersecurity controls per MAS Technology Risk Management (TRM) Guidelines
- Maintain business continuity plans for custody operations
- Annual audit of custody arrangements
Key legislation: Payment Services Act 2019, MAS Notice PSN02, MAS TRM Guidelines.
UAE
VARA (Dubai):
- Enhanced custody requirements for regulated firms handling virtual assets
- Client asset segregation and protection standards mandatory
- VARA Custody Activities Rulebook specifies detailed operational requirements
ADGM FSRA (Abu Dhabi):
- ADGM's Virtual Asset Framework includes specific custody rules
- Institutional-grade custody requirements aligned with international standards
- Strengthened governance and disclosure requirements for custody activities
DFSA (DIFC):
- Strengthened governance and disclosure requirements for crypto-related activities effective January 2026
- Client asset segregation standards
United Kingdom
- FCA registration required for crypto custodians under MLR 2017
- No specific custody license regime yet — UK is developing comprehensive crypto regulation under FSMA 2023
- FCA expects custodians to maintain adequate safeguarding arrangements
- Bank of England / PRA may impose prudential standards on systemic custodians
Japan
- Payment Services Act (amended 2020) mandates separate management of customer crypto-assets
- Cold wallet storage for majority of customer assets — legally required, not just best practice
- Annual audit by certified public accountant
- JFSA examines custody arrangements during regulatory inspections
- JVCEA self-regulatory rules add additional custody standards
Germany
- BaFin pioneered dedicated crypto custody licensing (Kryptoverwahrgeschaeft) under the Banking Act (KWG) since January 2020
- Minimum capital: EUR 125,000
- Approximately 40 entities have applied for or hold a crypto custody license
- Now transitioning to MiCA CASP authorization framework
- BaFin examinations focus heavily on key management and asset segregation
Operational Requirements
Asset Segregation
Customer assets must be clearly segregated from the company's own assets at all times. This is a regulatory red line — commingling customer and proprietary funds has led to criminal charges (FTX) and massive enforcement actions.
Segregation approaches:
| Approach | Description | Pros | Cons |
|---|---|---|---|
| Individual wallets | Each customer has dedicated on-chain wallet(s) | Clear ownership, simple reconciliation | Gas costs for many wallets, operational complexity |
| Omnibus with sub-accounting | Single wallet on-chain, individual balances tracked off-chain | Gas efficient, operationally simpler | Reconciliation critical, on-chain audit harder |
| Hybrid | Individual wallets for large clients, omnibus for smaller | Balance of efficiency and clarity | More complex to manage |
Regardless of approach:
- Never use customer wallets for proprietary trading or lending
- Maintain real-time reconciliation between on-chain balances and off-chain records
- Reconciliation discrepancies must trigger immediate investigation
- Separate legal entities for custody vs. trading operations where possible
- Legal opinion confirming that customer assets are protected in insolvency
Key Management
Private key management is the core technical challenge of crypto custody. The security of customer assets depends entirely on the security of private keys.
Multi-signature (multisig) schemes:
- Require M-of-N approvals to authorize transactions (e.g., 3-of-5)
- Distribute signing authority across multiple individuals and/or devices
- Eliminate single points of compromise
- Implement different multisig thresholds for different transaction sizes
Hardware Security Modules (HSMs):
- Tamper-resistant hardware devices for key generation, storage, and signing
- FIPS 140-2 Level 3 or higher certification expected by regulators
- Used for hot wallet operations where speed is needed
- Vendors: Thales Luna, Utimaco, Securosys, Fireblocks
Multi-Party Computation (MPC):
- Distributes key shares across multiple parties — no single party ever holds the complete key
- Signing occurs through a cryptographic protocol without reconstructing the full key
- Growing adoption for institutional custody
- Vendors: Fireblocks, Curv (PayPal), Sepior, Unbound Security
Key ceremony procedures:
- Documented, witnessed process for generating and backing up keys
- Conducted in physically secure environment
- Video recorded with multiple independent witnesses
- Key material split across geographically distributed secure locations
- Ceremony procedures must be auditable and repeatable
Disaster recovery:
- Secure backup of key material in geographically separate locations
- Recovery procedures documented and tested at least annually
- Recovery testing must not expose actual production keys — use test keys
- Clear chain of custody for backup material
Cold and Hot Wallet Strategy
| Wallet Type | Connection | Typical Allocation | Use Case |
|---|---|---|---|
| Cold storage | Completely offline (air-gapped) | 90-95% of assets | Long-term storage, large balances |
| Warm storage | Connected but with additional controls | 3-8% of assets | Pre-staged for anticipated withdrawals |
| Hot wallet | Internet-connected | 2-5% of assets | Immediate withdrawal processing |
Cold storage best practices:
- Air-gapped signing devices (never connected to the internet)
- Hardware wallets or HSMs in physically secure, access-controlled vaults
- Geographic distribution (multiple locations, multiple jurisdictions)
- Multisig with key holders in different locations
- Regular inventory and reconciliation
Hot wallet policy:
- Define maximum hot wallet balance (tied to expected daily withdrawal volume)
- Automated replenishment from warm/cold storage when balance drops below threshold
- Rate limiting on withdrawals (maximum single transaction, maximum daily total)
- Real-time monitoring for unauthorized transactions
- Insurance coverage should prioritize hot wallet exposure (highest risk)
Insurance
Obtain insurance coverage for custodied assets. Crypto insurance is specialized and capacity remains limited, but it is increasingly expected by regulators and institutional clients.
Coverage types:
| Type | What It Covers | Typical Limits |
|---|---|---|
| Crime/fidelity | Employee theft, internal fraud | $5M-$100M+ |
| Specie/crypto | Direct loss of crypto assets (hack, theft) | $5M-$500M (limited market) |
| Professional liability (E&O) | Claims arising from custodial errors | $5M-$50M |
| Cyber insurance | Data breach, ransomware, system failures | $5M-$50M |
| Directors and officers (D&O) | Personal liability of directors | $5M-$25M |
Key considerations:
- Total insurance coverage should align with total assets under custody
- Most policies exclude nation-state attacks — document this gap and implement compensating controls
- Hot wallet exposure is highest risk and hardest to insure — minimize hot wallet balances
- Obtain broker guidance from specialty crypto insurance brokers (Aon, Marsh, Lockton)
Proof of Reserves
Increasingly, regulators and customers expect proof of reserves — verifiable evidence that customer assets exist and are fully backed.
Approaches:
Merkle-tree proof of reserves:
- Cryptographic proof that each customer's balance is included in the total reserves
- Customer can independently verify their balance is included without seeing other customers' data
- Does not prove solvency (assets may equal liabilities but not exceed them)
- Pioneered by exchanges post-FTX
Auditor attestation:
- Independent auditor (Big Four or specialist) verifies on-chain balances against customer liability records
- SOC 2 Type II report covering custody operations
- Periodic attestation (monthly or quarterly) provides ongoing assurance
- More comprehensive than Merkle-tree alone
Full proof of solvency:
- Proves that assets exceed liabilities (not just that they equal)
- Requires disclosure of both reserves and liabilities
- Strongest form of assurance but requires more disclosure
- Some jurisdictions moving toward mandatory proof of solvency
Best practice: Implement Merkle-tree proof of reserves for customer self-verification AND engage an independent auditor for periodic attestation. Publish attestation reports.
Audit and Reporting
Record-Keeping
Maintain detailed records of all custody operations:
- Deposits: Transaction hash, amount, asset type, customer identifier, timestamp, source address, confirmation count
- Withdrawals: Transaction hash, amount, asset type, customer identifier, timestamp, destination address, approval chain
- Internal transfers: Movements between cold/warm/hot wallets, authorization records, reconciliation
- Key ceremonies: Full documentation, witness records, video recordings
- Access logs: Who accessed custody systems, when, from where, what actions taken
- Reconciliation records: Daily reconciliation between on-chain and off-chain records, discrepancy investigations
Retain all records for at least five years (longer in some jurisdictions). Records must be retrievable within a reasonable timeframe for regulatory examinations.
Audit Requirements
| Audit Type | Frequency | Scope |
|---|---|---|
| Financial audit | Annual | Financial statements including custodied asset disclosures |
| Custody operations audit | Annual | Asset segregation, key management, reconciliation, access controls |
| SOC 2 Type II | Annual | Security, availability, processing integrity, confidentiality, privacy |
| Penetration testing | At least annual | External and internal network, application, and smart contract testing |
| Key management audit | Annual | Key generation, storage, usage, backup, and destruction procedures |
| Surprise examination (US) | Annual | SEC-required for investment advisers; independent accountant verification |
SOC 2 Type II certification is increasingly expected for institutional-grade custody operations. It provides independent assurance that your custody controls are designed effectively and operating effectively over a defined period.
Common Pitfalls
- Commingling assets — The fastest path to enforcement action and criminal liability. Maintain strict segregation at all times.
- Single point of key compromise — Any key management scheme where one person or one device can unilaterally move all assets is unacceptable. Multisig or MPC is mandatory.
- No disaster recovery testing — Backup procedures that have never been tested may not work when needed. Test recovery annually.
- Insufficient insurance — Custody without insurance is a risk regulators and institutional clients will not accept. Budget for it.
- Hot wallet overexposure — Holding more in hot wallets than needed for daily operations. Minimize hot wallet balances.
- No reconciliation — If you do not reconcile on-chain and off-chain records daily, you will not detect discrepancies until it is too late.
- Informal key ceremonies — Undocumented key generation creates audit gaps and operational risk. Document and witness every ceremony.
- Ignoring smart contract risk — If custodied assets interact with smart contracts (staking, lending), the smart contract risk must be assessed and documented.