Digital Asset Custody Regulation: Global Standards and Requirements
Custody regulation is where the abstract principles of digital asset compliance meet the hard reality of key management, balance reconciliation, and client asset protection. The regulatory requirements differ across jurisdictions — but the compliance failures, when they happen, are universal in their consequences.
The collapse of FTX, Celsius, BlockFi, and Voyager between 2022 and 2023 destroyed tens of billions of dollars in client assets that had been commingled with platform assets, lent without adequate disclosure, or placed at risk through undisclosed operational practices. These failures were not primarily technology failures — they were custody failures, arising from the absence of the asset segregation, reconciliation, and safeguarding obligations that have governed traditional securities custody for decades. Global regulators have responded by extending those obligations to digital asset custodians, with approaches that share common principles but differ in scope, detail, and enforcement philosophy.
The Core Custody Problem in Digital Assets
Digital asset custody presents technical challenges that have no precise equivalent in traditional securities:
Private key control: Whoever controls the private key controls the asset. Unlike a securities account, where ownership is recorded in a ledger maintained by a custodian or CSD, a digital asset can be moved by anyone possessing the relevant private key. Custody security is therefore fundamentally a key management problem.
Immutability of unauthorized transfers: A blockchain transaction, once confirmed, generally cannot be reversed. An unauthorized transfer of digital assets — whether by a rogue employee, an external hacker, or an operational error — results in permanent loss in the absence of recovery mechanisms.
Self-custody vs. institutional custody: Digital assets can be held directly by their owner without any institutional intermediary. Institutional custody necessarily involves trust delegation — clients delegate key control to a custodian. This trust delegation requires rigorous regulatory discipline to ensure the custodian does not abuse its control.
Omnibus vs. segregated wallets: Most institutional custodians pool client assets in omnibus wallets for operational efficiency, maintaining individual client balances as internal ledger entries. The distinction between the on-chain pool and the off-chain ledger creates reconciliation and insolvency risk that must be managed through rigorous controls.
MiCA: EU Custody Framework
MiCA Articles 70-76 establish the most detailed statutory custody framework currently in force for digital assets. The core requirements — segregation, reconciliation, prohibition on rehypothecation, and client asset protection in insolvency — are analyzed in depth in the MiCA custody requirements article.
Key features of the MiCA framework relevant to cross-jurisdictional analysis:
- Client assets must be segregated from CASP proprietary assets in all circumstances
- Daily reconciliation between internal records and on-chain positions is mandatory
- Sub-custody to authorized third parties is permitted but CASPs remain responsible
- Client assets do not form part of the CASP’s insolvency estate
United States: The Qualified Custodian Framework
In the US, digital asset custody regulation operates through two primary channels: the SEC’s investment adviser framework and the OCC’s bank custody rules.
Investment Advisers Act — Qualified Custodian Rule: SEC Rule 206(4)-2 under the Investment Advisers Act requires registered investment advisers (RIAs) to maintain client funds and securities with a “qualified custodian.” The SEC has proposed (but not yet finalized) specific guidance on whether digital asset custodians qualify as qualified custodians — the matter remains unsettled for assets that do not qualify as securities held by a bank or broker-dealer with SIPC coverage.
The SEC’s proposed safeguarding rule (2023) would have extended the qualified custodian requirement to all client assets held by RIAs, including crypto-assets — regardless of whether they are securities. This would effectively require all institutional crypto asset holders managed by RIAs to use SEC/CFTC-regulated custodians. The proposal faced significant industry opposition and had not been finalized as of early 2026.
OCC Interpretive Letters: The Office of the Comptroller of the Currency issued guidance in 2020 clarifying that federally chartered national banks may hold digital assets on behalf of customers as custodians. This opened a pathway for major bank trust departments to offer digital asset custody, with the full complement of bank regulatory supervision, FDIC insurance (for cash components), and fiduciary obligations.
State trust company licenses: Several states — South Dakota, Wyoming, Nevada, and New York — have established state-chartered trust company frameworks specifically for digital asset custody. Wyoming’s Special Purpose Depository Institution (SPDI) charter, and South Dakota’s digital asset trust framework, have been used by early-mover digital asset custodians including Anchorage Digital and Avanti (Custodia).
The SEC’s digital asset enforcement actions and guidance are published at sec.gov.
Dubai (VARA): Custody Standards
VARA’s Virtual Asset Custody Services rules, published as part of its broader virtual asset regulatory framework at vara.ae, establish comprehensive custody obligations for licensed Virtual Asset Custodians (VACs) in Dubai.
VARA’s custody requirements include:
- Minimum capital of AED 2 million for VACs
- Mandatory segregation of client assets from firm assets at both wallet and record level
- Cold storage requirement: a minimum percentage of client assets must be held in cold storage (VARA specifies a minimum of 90% for most asset types)
- Daily reconciliation with tolerance limits specified by VARA
- Mandatory insurance or equivalent financial safeguards for client assets
- Independent annual audit of custody operations
- Board-level responsibility for custody risk management
VARA has licensed more than 80 platforms across virtual asset service categories, including several dedicated digital asset custodians. Its custody framework is among the most detailed currently operative outside of MiCA.
Singapore: MAS Custody Requirements
Under Singapore’s Payment Services Act and Securities and Futures Act, digital asset custodians must satisfy requirements that vary depending on whether the assets custodied are payment tokens or capital markets products.
For capital markets product custodians (holding tokenized securities), MAS custody requirements align closely with the SFC’s approach in Hong Kong and the MiFID II custody regime in the EU — segregation, reconciliation, and client property protection in insolvency are mandatory.
For digital payment token custodians, MAS’s Technology Risk Management Guidelines and the Payment Services Act impose operational security requirements, including key management standards, incident reporting, and business continuity obligations.
MAS has indicated through Project Guardian that it expects institutional custodians to implement cold/hot wallet protocols, multi-party computation (MPC) key management, and real-time monitoring capabilities for institutional-scale digital asset custody. Framework details are at mas.gov.sg.
Switzerland: FINMA and the Banking Act
FINMA’s approach to digital asset custody is anchored in the revised Swiss banking law (effective February 2021), which introduced specific rules for the segregation and bankruptcy-remote treatment of crypto-assets held by custodians.
Under Article 242a of the Swiss Debt Enforcement and Bankruptcy Act, crypto-assets held in custody for clients by a custodian are bankruptcy-remote — they are treated as client property, not as assets of the insolvent estate, provided they are identifiable as belonging to specific clients. This legal clarity has made Switzerland an attractive jurisdiction for digital asset custody structures. FINMA’s supervision framework is detailed at finma.ch.
Hong Kong: SFC Custody Rules
The SFC’s revised licensing framework for virtual asset trading platforms (VATPs) requires platforms to implement custody arrangements that maintain at least 98% of client assets in cold storage at all times, with only up to 2% held in hot wallets. This is among the strictest cold storage mandates of any major jurisdiction. The SFC’s framework is published at sfc.hk.
Exhibit: Custody Requirements by Jurisdiction
| Jurisdiction | Regulator | Cold Storage Requirement | Segregation | Reconciliation | Insolvency Protection |
|---|---|---|---|---|---|
| EU (MiCA) | NCA / ESMA | Yes (standards-based) | Mandatory; omnibus permitted | Daily | Statutory — not part of estate |
| United States | SEC / OCC / State | Not mandated (practices-based) | Required for bank custodians | Yes | Varies by structure |
| Dubai (VARA) | VARA | Min. 90% cold storage | Mandatory | Daily with tolerance | VARA rules provide protection |
| Singapore | MAS | Yes (TRM guidelines) | Mandatory | Ongoing | SFA client money rules |
| Switzerland | FINMA | Yes (recommended) | Mandatory | Ongoing | Bankruptcy Act Art. 242a |
| Hong Kong | SFC | Min. 98% cold storage | Mandatory | Continuous | SFO client money protection |
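The omnibus-wallet reconciliation and cold-storage minimums discussed above can be checked mechanically. The following is an added example, not code from any regulator or custodian: it compares an off-chain client ledger against on-chain wallet balances and tests the 90% (VARA) and 98% (SFC) cold-storage figures quoted on this page. The function name, wallet labels, sample balances and the tolerance value are all assumptions, and the cold-storage ratio is measured against total client claims.

```python
from dataclasses import dataclass

# Cold-storage minimums quoted on this page, as percent of client assets.
COLD_MIN_PCT = {"VARA": 90, "SFC": 98}

@dataclass
class ReconResult:
    ledger_total: int       # sum of off-chain client balances (liabilities)
    onchain_total: int      # sum of balances observed on-chain
    shortfall: int          # client claims not backed on-chain
    surplus: int            # on-chain assets not allocated to any client
    within_tolerance: bool
    cold_pct_ok: bool

def reconcile(ledger, wallets, regime, tolerance_units=0):
    """ledger: {client_id: balance}; wallets: [(label, tier, balance)].

    Balances are integers in the asset's smallest unit, so no float rounding.
    tolerance_units is an assumed parameter; the page gives no figure.
    """
    if any(b < 0 for b in ledger.values()):
        raise ValueError("negative client balance in ledger")
    totals = {"cold": 0, "hot": 0}
    for label, tier, balance in wallets:
        if tier not in totals:
            raise ValueError(f"unknown tier for wallet {label}: {tier}")
        totals[tier] += balance
    ledger_total = sum(ledger.values())
    onchain_total = totals["cold"] + totals["hot"]
    diff = onchain_total - ledger_total
    # Integer form of cold / client_assets >= minimum / 100.
    cold_ok = totals["cold"] * 100 >= COLD_MIN_PCT[regime] * ledger_total
    return ReconResult(ledger_total, onchain_total, max(-diff, 0), max(diff, 0),
                       abs(diff) <= tolerance_units, cold_ok)

# Constructed sample data (not from any real custodian), in satoshi-like units.
LEDGER = {"client-a": 500_000_000, "client-b": 300_000_000, "client-c": 200_000_000}
WALLETS = [("cold-1", "cold", 700_000_000), ("cold-2", "cold", 250_000_000),
           ("hot-1", "hot", 49_999_000)]

if __name__ == "__main__":
    for regime in COLD_MIN_PCT:
        print(regime, reconcile(LEDGER, WALLETS, regime, tolerance_units=5_000))
```

A surplus beyond tolerance is flagged as a break just like a shortfall, since unallocated assets in a client wallet can indicate commingling with firm funds.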
For MiCA-specific custody analysis, see MiCA custody requirements. For AML obligations related to custody operations, see AML/KYC for tokenization platforms.