Crypto Asset Custody: The Compliance Framework Banks Are Building for Institutional Clients

Banks are no longer experimenting with crypto asset custody—they’re building it. What’s changed: regulators have finally moved from uncertainty to specific rules, and institutional investors now have enough conviction to demand institutional-grade safeguards that only banks can provide.

Why Institutional Crypto Custody Became a Regulatory Flashpoint

For years, crypto custody was a problem banks avoided. The asset class was too young, too volatile, and too legally ambiguous. Custody itself—the practice of holding and safeguarding financial assets on behalf of clients—is one of the oldest and most regulated functions in banking. When crypto entered the picture, that regulatory clarity evaporated.

Three pressures changed the calculus. First, institutional investors—pension funds, family offices, endowments—accumulated enough crypto holdings that they couldn’t ignore custody risk. A $500 million Bitcoin position sitting on an exchange, uninsured and held in the exchange’s name, violates every fiduciary principle a pension fund’s board understands. Second, regulatory agencies across the US, EU, and Asia began publishing explicit expectations for what crypto custody should look like. The SEC, FCA, and MAS didn’t wait for a market consensus; they imposed one. Third, banks realized that if they didn’t enter the market, fintech custodians would capture the relationship—and regulatory oversight—of some of the world’s largest institutional investors.

The result is a compliance framework that borrows heavily from traditional asset custody rules but introduces entirely new complexity: cryptographic key management, blockchain settlement verification, and institutional-grade cold storage systems that must meet bank-level audit standards.

The Regulatory Map: Where Different Jurisdictions Stand

United States: SEC and OCC Guidance Without a Crypto-Specific Rule

The SEC has not published a final rule specifically regulating crypto custody. Instead, it has published guidance—which sounds softer than it is. The SEC’s position paper on custody of crypto assets by registered investment advisers (released in 2021) sets expectations that banks now treat as de facto regulatory requirements: qualified custodians must segregate customer assets, maintain insurance, perform periodic verification of holdings, and produce audit reports aligned with SOC 2 Type II standards (or equivalent).

For banks regulated by the Office of the Comptroller of the Currency (OCC), the agency has not prohibited crypto custody activities. But it has issued letters clarifying that banks offering these services must apply the same risk management standards they use for traditional asset custody: capital adequacy, operational resilience, and third-party controls.

No explicit mention of blockchain settlement or smart contract verification appears in these documents. Banks have filled that gap with their own frameworks.

European Union: MiCA Creates a Formal Custody Regime

The Markets in Crypto-Assets Regulation (MiCA), which entered force in 2024, is the most prescriptive regulatory text on crypto custody globally. It requires crypto custody providers to:

– Segregate customer assets in separate bank accounts or wallets, with full transparency on storage location and method
– Hold customer assets at eligible custodians (regulated entities meeting strict capital and insurance requirements)
– Perform monthly attestations of holdings by independent third parties
– Maintain operational and cybersecurity standards aligned with the ECB’s technology risk management framework

The MAS Technology Risk Management Guidelines, which set out the specific controls banks must have in place, provide a useful comparator: while not crypto-specific, they establish the baseline for operational resilience that regulators expect from custody systems handling digital assets.

Singapore and Asia-Pacific: MAS Takes a Phased Approach

The Monetary Authority of Singapore (MAS) has licensed crypto exchanges and custody providers under its Payment Services Act, but it doesn’t yet mandate which custody model an entity must use. However, MAS guidance makes clear that institutional-grade custody must include segregation, insurance, and regular third-party verification—mirroring EU and US expectations.

How Banks Are Structuring Crypto Custody Compliance

Cold Storage and Key Management as the Operational Foundation

Institutional crypto custody always involves cold storage—private keys held offline, away from internet-connected systems that could be compromised. This isn’t optional; it’s the only way to meet insurance requirements and audit standards.

The compliance burden sits here: every withdrawal from cold storage, every key rotation, every signature operation must be logged, approved, and verified. A bank’s compliance team needs to audit the cryptographic proof that a key was moved or used. This requires hiring or contracting specialist staff who understand both blockchain cryptography and audit frameworks.

Most large banks have outsourced this operational layer to specialized custody infrastructure providers (firms like Fidelity Digital Assets, Coinbase Custody, or Kraken Institutional). The bank then acts as the client-facing institutional custodian, maintaining regulatory relationships and SLAs while the infrastructure partner manages the technical cold storage.

This creates a compliance chain: the bank must audit the infrastructure provider quarterly, verify their insurance coverage, and ensure their key management procedures meet the bank’s risk policies—which must themselves meet regulatory expectations.

Segregation and Proof-of-Reserves

In traditional custody, segregation means each customer’s assets sit in separate accounts at a clearing house. For crypto, segregation is more complex because the asset (say, Bitcoin) is held in a blockchain wallet, not a bank account. The wallet is backed by a private key, not a bank balance sheet.

Regulators now expect crypto custody providers to prove segregation through regular, audited verification of holdings. This means:

– Publishing wallet addresses associated with each customer’s holdings
– Conducting monthly or quarterly third-party audits confirming the private keys actually control the published addresses
– Maintaining insurance that covers both operational failures (key loss) and custody failures (theft or misappropriation)

This verification step is legally and operationally distinct from holding the asset itself. A bank can hold a customer’s Bitcoin, but unless it can produce a signed, audited statement from an independent firm confirming those holdings, it cannot claim to meet institutional custody standards.

Insurance and the Custody Premium

Traditional custodians carry errors and omissions (E&O) insurance and fidelity coverage. Crypto custody requires additional insurance: underwriting of key management systems, coverage for smart contract failure, and coverage for infrastructure provider insolvency.

The cost of this insurance has dropped significantly as the market matured, but it remains 15–40 basis points annually on assets under custody. Banks pass this through to clients or absorb it into pricing. Either way, it’s a material cost that non-bank custody providers often don’t fully capture in their pricing—a competitive advantage that institutionalizes bank custody over time.

Settlement and Blockchain Verification

When a customer requests a withdrawal, the bank must transfer the crypto from its custody wallet to the customer’s wallet address. This transaction occurs on a public blockchain, visible to anyone. Regulators expect the bank to:

– Verify the customer has requested the withdrawal through authenticated channels
– Log the transaction on an immutable audit trail (typically a database with cryptographic integrity)
– Monitor the blockchain to confirm settlement
– Reconcile holdings after settlement

This last step is critical and often overlooked in discussions of crypto custody. Traditional settlement takes one to three days and passes through a clearing house that guarantees finality. Blockchain settlement is faster but carries finality risk: a transaction can be rolled back if the chain reorganizes. Banks must model this risk and hold reconciliation buffers until settlement is final.
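The settlement monitoring and reconciliation steps above, as an added example that is not code from the article or from any custody provider: a withdrawal counts as settled only once enough blocks sit on top of the block that included it, a chain reorganization drops it back to pending, and the value that is broadcast but not yet final is the reconciliation buffer the bank must hold. The block/parent-hash chain model, the `CONFIRMATION_DEPTH` of 6 and all identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

CONFIRMATION_DEPTH = 6  # constructed policy value: blocks on top before a tx is final


@dataclass
class Withdrawal:
    txid: str
    amount: float
    block: Optional[str] = None  # hash of the block that included the tx
    status: str = "pending"      # pending -> confirmed; back to pending on reorg


class SettlementMonitor:
    """Tracks the canonical chain, confirmation depth and reorg-driven rollbacks."""

    def __init__(self, depth: int = CONFIRMATION_DEPTH) -> None:
        self.depth = depth
        self.chain: list[tuple[str, str]] = []  # (block_hash, parent_hash), height order
        self.withdrawals: dict[str, Withdrawal] = {}

    def track(self, txid: str, amount: float) -> None:
        self.withdrawals[txid] = Withdrawal(txid, amount)

    def observe_block(self, block_hash: str, parent_hash: str, txids: list[str]) -> None:
        if self.chain and parent_hash != self.chain[-1][0]:
            # Reorg: the new block extends an older ancestor, so later blocks are orphaned
            hashes = [h for h, _ in self.chain]
            if parent_hash not in hashes:
                raise ValueError(f"unknown parent {parent_hash}")
            keep = hashes.index(parent_hash) + 1
            orphaned = set(hashes[keep:])
            self.chain = self.chain[:keep]
            for w in self.withdrawals.values():
                if w.block in orphaned:  # inclusion is no longer on the canonical chain
                    w.block, w.status = None, "pending"
        self.chain.append((block_hash, parent_hash))
        for txid in txids:
            if (w := self.withdrawals.get(txid)) is not None and w.block is None:
                w.block = block_hash
        self._update_confirmations()

    def _update_confirmations(self) -> None:
        heights = {h: i for i, (h, _) in enumerate(self.chain)}
        tip = len(self.chain) - 1
        for w in self.withdrawals.values():
            if w.block is not None:
                w.status = "confirmed" if tip - heights[w.block] + 1 >= self.depth else "pending"

    def unsettled_exposure(self) -> float:
        """Value broadcast but not yet final: the reconciliation buffer the bank must hold."""
        return sum(w.amount for w in self.withdrawals.values() if w.status != "confirmed")
```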

Regulatory Expectations vs. Market Reality: The Gap

Most crypto custody services today operate in a hybrid model: the bank is the regulated custodian on paper, but the actual key management and settlement infrastructure is operated by a fintech provider that is licensed (or not yet licensed) separately.

This creates ambiguity. When regulators say “the custodian must segregate assets,” do they mean the bank or the infrastructure provider? If the infrastructure provider is hacked, is the bank liable? How much liability flows through insurance?

The compliance answer is contractual: the bank must transfer all operational and custody liability to the infrastructure provider through a carefully drafted service agreement. But regulators increasingly expect the bank to take direct responsibility and conduct ongoing audits to verify the infrastructure provider is meeting contractual obligations.

What Institutional Clients Now Require

The gap between regulatory minimum and client expectation has widened. Institutional clients (pension funds, sovereign wealth funds, large asset managers) now demand:

– **Real-time settlement verification**: Confirmation that a withdrawal has reached its destination on the blockchain within seconds, not days
– **Multi-signature approvals**: Transactions must require signatures from multiple parties (bank custody officer, client relationship manager, client authorization)
– **Audit trail immutability**: All transactions and approvals must be recorded in a system that cannot be altered retroactively, ideally using append-only databases or blockchain-based logging
– **Insurance transparency**: Full visibility into coverage limits, exclusions, and claims history

None of these are regulatory requirements yet. All of them are now table-stakes for any bank competing for institutional crypto custody business.
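The append-only audit trail with cryptographic integrity (also mentioned in the settlement section) and the multi-signature approval rule from the list above, as one added example; this is not the article's or any vendor's code. The SHA-256 hash chain, the three role names and the rule that no single principal may supply more than one of the required approvals are constructed assumptions.

```python
import hashlib
import json
from typing import Any

# Constructed policy: roles that must each approve a withdrawal before release
REQUIRED_ROLES = {"custody_officer", "relationship_manager", "client"}


class AuditLog:
    """Append-only log: every entry commits to the hash of the entry before it."""

    def __init__(self) -> None:
        self.entries: list[dict[str, Any]] = []

    @staticmethod
    def _digest(entry: dict[str, Any]) -> str:
        # Canonical JSON so the hash does not depend on key order
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def append(self, event: str, payload: dict[str, Any]) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "event": event, "payload": payload, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> bool:
        """Recompute the chain; any retroactive edit or mid-log deletion breaks a link."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def approve_withdrawal(log: AuditLog, txid: str, approvals: list[tuple[str, str]]) -> bool:
    """Record every approval, then release only if each required role has signed
    off and no single principal supplied more than one of the approvals."""
    for principal, role in approvals:
        log.append("approval", {"txid": txid, "principal": principal, "role": role})
    roles = {role for _, role in approvals}
    distinct = len({principal for principal, _ in approvals}) == len(approvals)
    ok = REQUIRED_ROLES <= roles and distinct
    log.append("release" if ok else "rejected", {"txid": txid, "roles": sorted(roles)})
    return ok
```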

The Technology Integration Challenge

Legacy banking systems were not designed for blockchain verification or cryptographic key management. A compliance officer at a large regional bank trying to build crypto custody must either:

1. **Build in-house**: Hire blockchain engineers and cryptography specialists, integrate crypto monitoring tools with existing compliance systems, and invest 18–36 months and $5–15 million to go live
2. **Partner with a fintech**: Outsource the entire stack to a custody infrastructure provider and accept regulatory opacity
3. **Hybrid approach**: Use a fintech infrastructure provider but invest in integration and audit tooling to maintain regulatory visibility

The largest banks (JPMorgan, Goldman Sachs, HSBC) have chosen option 1 and now control the regulatory conversation. Mid-size banks and regional lenders are migrating toward option 3, recognizing that option 2 leaves them exposed to fintech counterparty risk that regulators increasingly scrutinize.

What Does Crypto Asset Custody Compliance Actually Require?

Crypto asset custody compliance requires: (1) secure offline key management audited by independent third parties; (2) monthly or quarterly proof-of-reserves verifying customer assets are segregated and held at the custody address; (3) insurance covering key loss, custody failure, and infrastructure provider insolvency; (4) audit trails documenting all withdrawals and settlement; (5) SOC 2 Type II or equivalent certification of custody infrastructure; and (6) ongoing client-facing reporting of holdings and custody status.

The Algoy Perspective

Crypto asset custody has become a regulatory legitimacy play. Institutions don’t adopt bank custody for operational efficiency—the blockchain is already operationally efficient. They adopt bank custody because a pension fund board understands bank regulation and bank insurance in ways they don’t understand fintech risk management. Regulators know this. They’ve written rules that make bank custody the only path that institutionalizes trust.

What most articles miss is that the compliance burden—the quarterly audits, the key management systems, the insurance overlay—is not a cost that gets passed through to customers and gradually declines. It’s a structural feature of institutional custody that favors banks with existing compliance infrastructure and existing institutional relationships. A fintech that can offer lower fees but lacks bank-like audit visibility and insurance will never capture institutional assets at scale, regardless of technical sophistication.

For practitioners, the strategic implication is clear: if your bank hasn’t begun building crypto custody capabilities, the window for organic entry is closing. The next entrants will face a regulatory framework that assumes crypto custody is a bank function, not a fintech experiment. Building compliance infrastructure from scratch in that environment will be far more expensive than building it now, when regulators are still accommodating different approaches.

Frequently Asked Questions

Do regulators require banks to use specific custody infrastructure providers?

No. Regulators specify outcomes (segregation, insurance, audit verification) but not vendors. Banks can build in-house or partner with fintechs, provided the infrastructure provider is licensed in its jurisdiction and meets the bank’s audit standards. The bank remains the regulated custodian and takes responsibility for the infrastructure provider’s compliance.

What insurance is required for crypto custody, and how much does it cost?

Institutional crypto custody requires underwriting of key management failures, custody theft, and infrastructure provider insolvency. Insurance costs typically range from 15–40 basis points annually on assets under custody. The exact cost depends on asset size, custody method (cold vs. warm storage), and the reputation of the infrastructure provider.

How often must a bank audit customer crypto holdings in custody?

Regulatory guidance suggests monthly to quarterly audits by independent third parties. The ECB’s DORA framework and MiCA both point toward quarterly as a baseline, though leading institutions are moving to monthly or continuous verification. Audit frequency depends on customer risk profile and total asset value.

Can banks use blockchain-based proof-of-reserves to satisfy audit requirements?

Blockchain-based verification (cryptographic proofs that a private key controls a specific address) can support audit procedures but does not replace independent third-party audits. Regulators expect human-readable, signed attestations from audit firms, not just on-chain cryptographic proofs.

Ashish Agarwal
Ashish is the founder and visionary behind ALGOY, a platform dedicated to bridging the gap between traditional systems and the future of automation. With a unique professional profile that merges a deep technical foundation with 10+ years of experience in the banking industry, he brings a rare "boots-on-the-ground" perspective to the world of FinTech and AI.