Cryptocurrency Custody for Regulated Firms

08.05.2025

As institutional interest in digital assets grows, regulated financial firms must navigate the complexities of cryptocurrency custody. We examine the technical and regulatory considerations.

The Custody Challenge

Cryptocurrency custody differs fundamentally from traditional asset custody. There's no central counterparty or custodian of last resort. Lose access to private keys and assets are gone forever. Get compromised and there's no reversing fraudulent transactions.

For FCA-regulated firms, these characteristics create unique challenges in meeting prudential requirements while building custody capabilities.

Regulatory Landscape

In the UK, a firm that safeguards cryptoassets for clients must register with the FCA under the Money Laundering Regulations 2017 (MLRs) before carrying on the business. The MLRs are an AML regime rather than a full prudential one, and the government has set out plans to bring cryptoasset custody into the FSMA regulated-activities framework, so firms should expect obligations to grow. In practice firms must:

  • Register with the FCA under the MLRs
  • Implement AML/KYC controls, including customer due diligence at onboarding
  • Conduct ongoing transaction monitoring
  • Maintain segregation of client assets from the firm's own holdings, reconciled against on-chain balances

Beyond the UK, operating internationally means navigating MiCA in Europe, varying state requirements in the US, and emerging frameworks globally.

Custody Architecture Models

Hot Wallet (Online)

Keys held on internet-connected systems, typically a signing service reachable over an API. Convenient for frequent transactions, but a compromise of the host is a compromise of the keys, so this tier carries the highest risk and should hold the least value.

  • Use case: Operating liquidity for immediate withdrawals
  • Best practice: Minimise hot wallet balances; automate replenishment from cold storage

Warm Wallet (Semi-online)

Keys in secure enclaves with network access controlled by policy. Balances convenience and security.

  • Use case: Larger operational balances with controlled access
  • Best practice: Hardware Security Modules (HSMs) for key protection; multi-approval workflows

Cold Storage (Offline)

Keys are generated and held on devices that never connect to a network. Transactions are signed offline and carried across the air gap (QR code or removable media), so the transfer mechanism and the offline signing device need the same scrutiny as the keys themselves. Highest security for long-term storage of significant value.

  • Use case: Treasury reserves, long-term holdings
  • Best practice: Geographic distribution; multi-signature schemes; tested recovery procedures

Multi-Signature Implementation

Multi-signature (multisig) schemes require a quorum of M out of N keys to authorise a transaction, so that no single key holder, host or HSM can move funds on its own:

// Example multisig configuration. The on-chain script enforces the 2-of-3
// quorum on every spend; the amount tiers are an additional, off-chain
// approval policy layered on top, so no tier can require fewer than two
// signers (a "1 approval" tier would still be rejected by the script).
{
    "scheme": "2-of-3",
    "signers": [
        {"id": "ops_team", "key_location": "hsm_primary"},
        {"id": "compliance", "key_location": "hsm_secondary"},
        {"id": "executive", "key_location": "cold_storage"}
    ],
    "approval_policy": {
        "small_withdrawal": {"max_amount": 10000, "required": 2},
        "standard": {"max_amount": 100000, "required": 2},
        "large": {"max_amount": null, "required": 3}
    }
}

Key design considerations:

  • Balance operational efficiency with security (2-of-3 is common)
  • Distribute keys across different security domains
  • Plan for key rotation and compromise scenarios
  • Document and test recovery procedures
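The off-chain policy layer that sits in front of such a 2-of-3 script, as an added example that is not code from the original article: it applies the amount tiers, refuses to go below the on-chain quorum, enforces a time-lock on large withdrawals, and shows the compromise scenario the design considerations warn about (once a key is revoked, a tier that needs all three signers becomes unreachable until keys are rotated). Signer ids, key locations, tier amounts and the 24-hour time-lock are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Quorum enforced by the on-chain multisig script itself (2-of-3).
ONCHAIN_QUORUM = 2

# Signer id -> security domain holding that key (hypothetical names).
SIGNERS = {
    "ops_team": "hsm_primary",
    "compliance": "hsm_secondary",
    "executive": "cold_storage",
}
KNOWN = frozenset(SIGNERS)

# Off-chain approval tiers, ascending: (name, upper amount bound or None,
# approvals needed, time-lock before the transaction may be broadcast).
TIERS = [
    ("small_withdrawal", 10_000, 2, timedelta(0)),
    ("standard", 100_000, 2, timedelta(0)),
    ("large", None, 3, timedelta(hours=24)),
]

# Constructed reference time for the sample run below.
T0 = datetime(2025, 5, 8, 9, 0, tzinfo=timezone.utc)


def at(hours):
    """T0 shifted by a number of hours (helper for constructed timestamps)."""
    return T0 + timedelta(hours=hours)


@dataclass
class Withdrawal:
    amount: int                   # base units (constructed values below)
    requested_at: datetime
    approvals: set = field(default_factory=set)   # signer ids that signed off


def tier_for(amount):
    """Return (name, approvals_required, time_lock) for an amount."""
    for name, limit, required, delay in TIERS:
        if limit is None or amount <= limit:
            return name, required, delay
    raise AssertionError("unreachable: last tier is unbounded")


def evaluate(w, now, revoked=frozenset()):
    """Decide whether a withdrawal may be signed and broadcast.

    Returns (ok, reasons). Every failed check adds a reason so an operator
    sees all blockers at once rather than one per retry.
    """
    reasons = []
    name, required, delay = tier_for(w.amount)
    # Policy can only add to the on-chain quorum, never go below it.
    required = max(required, ONCHAIN_QUORUM)

    unknown = w.approvals - KNOWN
    if unknown:
        reasons.append(f"unknown signer(s): {sorted(unknown)}")
    compromised = w.approvals & revoked
    if compromised:
        reasons.append(f"approval from revoked signer(s): {sorted(compromised)}")

    valid = (w.approvals & KNOWN) - revoked
    if len(valid) < required:
        reasons.append(f"{name}: {len(valid)}/{required} valid approvals")

    # Compromise scenario: if revocations leave fewer live keys than the tier
    # needs, waiting cannot help; the key set must be rotated first.
    live = KNOWN - revoked
    if len(live) < required:
        reasons.append(f"{name}: quorum unreachable with {len(live)} live keys; rotate")

    releases_at = w.requested_at + delay
    if now < releases_at:
        reasons.append(f"time-locked until {releases_at.isoformat()}")
    return (not reasons, reasons)


if __name__ == "__main__":
    w = Withdrawal(250_000, at(0), {"ops_team", "compliance", "executive"})
    print(evaluate(w, at(0)))    # blocked by the 24h time-lock
    print(evaluate(w, at(25)))   # (True, [])
```

The time-lock is what gives monitoring a chance to act: a large withdrawal that passes the quorum still sits for a day, during which an unexpected destination or an off-hours approval can be investigated and the transaction cancelled before broadcast.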

Security Architecture

Robust custody security includes:

Key Generation

Keys must be generated in secure environments with verified entropy sources. Use audited key generation ceremonies for significant wallets.

Access Controls

Implement defense in depth:

  • Physical security for cold storage
  • Network segmentation for warm wallets
  • Role-based access with audit trails
  • Time-locks on large transactions

Monitoring and Alerting

24/7 monitoring of:

  • Wallet balances and movements
  • Blockchain mempool and confirmed blocks for any spend from custody addresses, reconciled against the transactions the firm's own workflow initiated (an unexpected spend is a key-compromise signal)
  • Anomalous access patterns
  • Key usage against expected patterns (which signer, at what time of day, for which tier)
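The detection logic behind those four bullets, as an added example that is not code from the original article: a detector replayed over a constructed event stream mixing the firm's own initiated withdrawals with what a chain watcher reports from the mempool. It flags destinations outside an allowlist, outbound velocity over a rolling hour, a signer used outside its expected hours, and a spend from a custody address that no workflow initiated. Addresses, limits, signer schedules and the events themselves are all constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Hypothetical allowlisted destinations; anything else is a new counterparty.
ALLOWLIST = {"bc1q-client-a", "bc1q-exchange-x"}
# Rolling-window outbound cap (constructed figure, base units per hour).
VELOCITY_LIMIT = 150_000
VELOCITY_WINDOW = timedelta(hours=1)
# Signer id -> [start, end) UTC hours in which use of that key is expected.
EXPECTED_HOURS = {"ops_team": (8, 18), "compliance": (8, 18), "executive": (8, 18)}


def ts(h, m=0):
    """Constructed timestamp on a fixed day (UTC)."""
    return datetime(2025, 5, 8, h, m, tzinfo=timezone.utc)


# Constructed sample stream: "initiated" = our signing workflow recorded a
# transaction; "mempool" = the chain watcher saw a spend from our address.
EVENTS = [
    {"kind": "initiated", "ts": ts(9, 0), "txid": "tx1", "to": "bc1q-client-a", "amount": 50_000, "signer": "ops_team"},
    {"kind": "mempool", "ts": ts(9, 1), "txid": "tx1"},
    {"kind": "initiated", "ts": ts(9, 30), "txid": "tx2", "to": "bc1q-unknown", "amount": 20_000, "signer": "ops_team"},
    {"kind": "initiated", "ts": ts(9, 45), "txid": "tx3", "to": "bc1q-exchange-x", "amount": 90_000, "signer": "compliance"},
    {"kind": "initiated", "ts": ts(23, 0), "txid": "tx4", "to": "bc1q-client-a", "amount": 5_000, "signer": "executive"},
    {"kind": "mempool", "ts": ts(23, 10), "txid": "tx9"},
]


def detect(events):
    """Replay an event stream in time order; return [(txid, reason), ...]."""
    alerts = []
    initiated = set()
    window = deque()   # (ts, amount) of outbound transactions within the last hour
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "initiated":
            initiated.add(e["txid"])
            if e["to"] not in ALLOWLIST:
                alerts.append((e["txid"], f"destination {e['to']} not allowlisted"))
            lo, hi = EXPECTED_HOURS[e["signer"]]
            if not lo <= e["ts"].hour < hi:
                alerts.append((e["txid"], f"signer {e['signer']} used at {e['ts'].hour:02d}:00 UTC"))
            window.append((e["ts"], e["amount"]))
            # Drop entries older than the window; the newest entry (age 0) always stays.
            while e["ts"] - window[0][0] > VELOCITY_WINDOW:
                window.popleft()
            total = sum(a for _, a in window)
            if total > VELOCITY_LIMIT:
                alerts.append((e["txid"], f"outbound velocity {total} exceeds {VELOCITY_LIMIT} per hour"))
        elif e["kind"] == "mempool" and e["txid"] not in initiated:
            # A spend nobody initiated cannot be reversed, only contained:
            # freeze remaining balances and start key rotation.
            alerts.append((e["txid"], "unexpected outbound transaction; possible key compromise"))
    return alerts


if __name__ == "__main__":
    for txid, reason in detect(EVENTS):
        print(f"ALERT {txid}: {reason}")
```

Reconciling mempool observations against the initiated set is the check that catches a stolen key directly; the other three are early warnings that a legitimate workflow is being abused. In production the initiated set and the chain watcher would be fed from separate systems so that an attacker who compromises the signing service cannot also suppress the alert.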

Third-Party Custody Options

For firms not building custody in-house, institutional custodians offer regulated alternatives:

  • Qualified custodians: trust companies or similar entities holding a custody-specific licence (a US regulatory term; e.g., BitGo Trust, Coinbase Custody)
  • Bank custody: Traditional banks entering crypto custody (e.g., BNY Mellon)
  • Insurance-backed: Custodians with crime/specie insurance coverage

Evaluate custodians on security architecture, insurance coverage, regulatory status, and operational track record.

Conclusion

Cryptocurrency custody for regulated firms requires a fundamentally different approach than traditional asset custody. The immutability of blockchain transactions means security failures are unforgiving. Whether building in-house capability or selecting third-party custodians, rigorous attention to key management, access controls, and operational procedures is essential for protecting client assets.