What is a qualified custodian for crypto?

A qualified custodian is a regulated entity authorized to hold client assets. For crypto, this typically includes state-chartered trust companies (Anchorage, BitGo), federally chartered banks with crypto custody programs, and certain broker-dealers.

Is self-custody appropriate for institutions?

Self-custody can work for institutions with sophisticated operational capabilities, but most prefer qualified custodians for regulatory compliance, insurance coverage, and operational simplicity. Hybrid MPC solutions offer a middle ground.

How much insurance should a crypto custodian have?

Insurance coverage varies widely. Top custodians offer $200M-500M+ in coverage, but understand that policies may have exclusions for certain loss scenarios. Coverage should be proportional to assets under custody.

What happens if a crypto custodian goes bankrupt?

This depends on the custodial arrangement. Assets held in segregated accounts under trust structures should be protected from creditors. Review custody agreements to understand asset ownership and bankruptcy protections.

Institutional Crypto Custody Guide 2026 | Security & Compliance

Institutional Crypto Custody: Complete Guide

Custody is the foundation of institutional crypto investment. Unlike traditional securities where custody is straightforward, digital assets require specialized solutions that address unique challenges: cryptographic key management, blockchain-specific requirements, and evolving regulatory frameworks.

This guide covers the custody landscape, security considerations, and selection criteria for institutional investors.

Understanding Crypto Custody

The Custody Challenge

Crypto custody fundamentally differs from traditional custody:

Self-Custody Risk: "Not your keys, not your coins"—whoever controls the private keys controls the assets. Unlike stocks held in street name, there's no central authority to restore lost crypto. Irreversibility: Blockchain transactions cannot be reversed. A single mistake or hack results in permanent loss. Operational Complexity: Different blockchains require different custody approaches. Managing Ethereum, Solana, and Bitcoin requires distinct technical infrastructure.

Custody Models

Self-Custody

Organizations hold their own private keys, typically using:

Multi-signature (multisig) wallets requiring multiple approvers
Hardware security modules (HSMs)
Air-gapped signing devices

Pros: Full control, no counterparty risk Cons: Operational complexity, insurance challenges Third-Party Custody

Qualified custodians hold assets on behalf of clients:

Regulated trust companies (Anchorage, BitGo, Coinbase)
Prime brokers with custody services
Specialized crypto custodians

Pros: Regulatory compliance, insurance coverage, operational simplicity Cons: Counterparty risk, fees, potential access limitations Hybrid Models

Multi-party computation (MPC) and distributed key arrangements that split control:

No single party has full key access
Quorum required for transactions
Combines self-custody security with third-party operational support

Security Architecture

Key Management

Multi-Signature Setups

Require M-of-N approvals for transactions:

2-of-3 for smaller operations
3-of-5 or 4-of-7 for large treasuries
Geographically distributed signers

Multi-Party Computation (MPC)

Cryptographic technique where key shares are distributed:

No complete key ever exists in one location
Threshold signatures enable distributed approval
More flexible than traditional multisig

Hardware Security Modules (HSMs)

Dedicated cryptographic hardware that:

Stores keys in tamper-resistant devices
Signs transactions without exposing keys
Provides audit trails and access controls

Operational Security

Access Controls

Role-based permissions with principle of least privilege
Time-locked operations for large transactions
Separation of duties between initiators and approvers

Process Security

Transaction verification procedures
Address whitelisting
Velocity limits (maximum daily/weekly transfers)

Physical Security

Secure facilities for hardware wallets/HSMs
Backup key storage in geographically distributed locations
Disaster recovery procedures

Regulatory Landscape

U.S. Framework

SEC Custody Rule

Investment advisers must hold client assets with "qualified custodians." The SEC has proposed rules specifically addressing crypto custody requirements.

State Trust Charters

Several states (NY, Wyoming, South Dakota) grant trust company charters to crypto custodians, providing regulatory clarity.

Bank Custody

OCC has clarified that national banks can provide crypto custody services, though few have implemented comprehensive offerings.

Compliance Requirements

SOC 2 Certification

Service Organization Control reports demonstrating security controls and operational processes.

Insurance Coverage

Crime/theft insurance
Errors and omissions
Cyber liability

Coverage limits vary significantly; understand policy exclusions.

Audit Rights

Ensure contractual right to audit custodian's controls and verify asset holdings.

Evaluating Custodians

Selection Criteria

Security Track Record

Years of operation without security incidents
Public disclosure of security architecture
Third-party security audits

Regulatory Status

Chartered/licensed entity
SOC 2 Type II certified
Subject to regulatory examination

Insurance Coverage

Crime and cyber coverage amounts
Policy terms and exclusions
Claims history

Operational Capabilities

Supported assets and chains
Integration capabilities (APIs, reporting)
Transaction support (staking, DeFi)

Financial Stability

Capitalization and reserves
Parent company backing
Bankruptcy protections

Due Diligence Process

Information Security Review: Audit their security architecture and incident response
Operational Review: Understand transaction flows and approval processes
Legal Review: Examine custody agreements and liability terms
Reference Checks: Speak with existing institutional clients
On-site Visit: Inspect physical facilities and meet the team

Best Practices

Diversification

Don't concentrate all assets with a single custodian:

Distribute across 2-3 qualified custodians
Consider self-custody for a portion
Ensure operational continuity if one custodian has issues

Regular Verification

Proof of reserves attestations
On-chain verification of addresses
Regular reconciliation with internal records

Disaster Recovery

Document recovery procedures
Test backup and restoration processes
Maintain updated beneficiary and succession plans

Fensory integrates with leading institutional custody providers, allowing allocators to track holdings across custodians and monitor on-chain positions from a unified dashboard.

Institutional Crypto Custody: Complete Guide

Institutional Crypto Custody: Complete Guide

Understanding Crypto Custody

The Custody Challenge

Custody Models

Security Architecture

Key Management

Operational Security

Regulatory Landscape

U.S. Framework

Compliance Requirements

Evaluating Custodians

Selection Criteria

Due Diligence Process

Best Practices

Diversification

Regular Verification

Disaster Recovery

Frequently Asked Questions