
Qualified Crypto Custodians: Regulatory Requirements and Selection Guide

Tags: Crypto Custody, Qualified Custodian, SOC 2, Security, Compliance

By Chanté Eliaszadeh | October 15, 2025

"Not your keys, not your coins" is crypto's foundational principle—but it's also terrible compliance advice for regulated companies. The GENIUS Act, California's DFAL, and state money transmitter licensing regimes all require "qualified custodians" for customer digital assets. Yet the term "qualified custodian" carries specific regulatory meaning that most crypto companies misunderstand.

This guide provides a comprehensive framework for understanding qualified custodian requirements, evaluating providers, and implementing custody solutions that satisfy federal and state regulatory standards. Whether you're a stablecoin issuer, crypto exchange, or DAO treasury manager, understanding these requirements is critical to avoiding regulatory enforcement and maintaining banking relationships.

What Makes a Custodian "Qualified"? Legal Definition

The term "qualified custodian" is not just marketing language—it's a specific regulatory designation with precise requirements. Different regulatory frameworks define the term differently, but they share common standards.

Federal Standards: GENIUS Act Framework

The GENIUS Act, signed into law on July 18, 2025, establishes the first comprehensive federal framework for payment stablecoins, including who may custody them [1]. Under the Act, only supervised financial institutions may provide custodial or safekeeping services for payment stablecoins, their reserves, or the private keys that control them.

Who Qualifies as a Custodian Under GENIUS Act:

  1. Institutions supervised by federal banking agencies: national banks regulated by the OCC; state banks supervised by the Federal Reserve or FDIC
  2. Institutions supervised by state banking regulators: state-chartered trust companies and banks under state banking supervision
  3. SEC-regulated entities: broker-dealers and registered investment advisers with custody authorization
  4. CFTC-regulated entities: futures commission merchants with appropriate custody authority

Key Custodial Requirements:

  • Segregation: Custodians cannot commingle their own funds with customers' funds (with limited exceptions)
  • Reserve Custody: Payment stablecoin issuers must segregate reserves from operational funds and hold them with qualified custodians
  • 1:1 Backing: Reserves must be held at least 1:1 in specified high-quality liquid assets (e.g., cash, insured deposits, short-term Treasury securities, Treasury-backed repurchase agreements)

Effective Date: January 18, 2027, or 120 days following final implementing regulations, whichever comes first [2].

Practical Implication: Stablecoin issuers must use federally or state-regulated financial institutions for reserve custody. Self-custody of stablecoin reserves does not comply with GENIUS Act requirements.

State Standards: California DFAL

California's Digital Financial Assets Law (DFAL), with a compliance deadline now extended to July 1, 2026 [3], imposes qualified custodian requirements on companies holding customer digital assets.

Qualified Custodian Requirement:

If holding more than $150,000 in customer digital assets, companies must either:

  • Use a qualified custodian, OR
  • Obtain an insurance bond covering theft, loss, and unauthorized access

Who Qualifies Under California DFAL:

  1. State or federally chartered trust companies
  2. Licensed money transmitters meeting California capital requirements
  3. Entities specifically approved by the California DFPI

Security Requirements:

  • Commercially reasonable security measures
  • Annual third-party security audits
  • Insurance or surety bonds covering theft and loss
  • Public disclosure of custody arrangements to customers

Enforcement: The California DFPI has examination authority and can impose civil penalties up to $2,500 per violation, per day.

OCC Guidance for Banks

For crypto companies with banking charters or seeking banking services, the OCC has clarified that national banks and federal savings associations may provide cryptocurrency custody services in both fiduciary and non-fiduciary capacities [4].

OCC Interpretive Letter 1184 (May 2025):

  • Banks may provide crypto custody services to customers
  • Banks may outsource custody to third-party sub-custodians, subject to appropriate third-party risk management
  • Banks may buy and sell custodied assets at the customer's direction
  • No prior supervisory non-objection is needed; the non-objection requirement of Interpretive Letter 1179 was rescinded by Interpretive Letter 1183 (March 2025)

Key Standards:

  • Adequate risk management frameworks for custody operations
  • Cybersecurity and operational benchmarks aligned with NIST frameworks
  • Board-level oversight of digital asset activities
  • Control of cryptographic keys (no other entity should have unilateral transfer ability)
  • Sub-custodian due diligence and monitoring

Reality Check: Even if you don't have a bank charter, partner banks will require compliance with OCC guidance to maintain your banking relationship.

Self-Custody vs. Third-Party Custody: Regulatory Compliance Trade-offs

The custody decision isn't purely technical—it's a regulatory and operational choice with significant compliance implications.

Self-Custody

Structure: Company controls private keys directly using multi-signature wallets, hardware security modules (HSMs), or MPC (multi-party computation) technology.

Regulatory Considerations:

Advantages:

  • Full control over asset access and transaction approval
  • Greater privacy—no third-party disclosure of holdings required
  • Access to broader range of digital assets (qualified custodians often limited to major tokens)
  • Lower ongoing fees (no custody basis points charged)

Challenges:

  • Does NOT satisfy "qualified custodian" requirements under the GENIUS Act or California DFAL for customer assets
  • Examiners and counterparties expect a SOC 2 Type II report on your own custody controls (annual cost: $50,000-$150,000)
  • Demands internal expertise: key generation ceremonies, key management, disaster recovery, incident response
  • Increases insurance costs (5-15% of coverage amount vs. 1.5-4% with a qualified custodian)
  • Key loss or theft is permanent and unrecoverable; there is no issuer or bank to reverse a transaction
  • Regulatory scrutiny during examinations: you must demonstrate "commercially reasonable security" yourself

When Self-Custody Works:

  • Company-owned assets (not customer funds)
  • Under $150,000 in customer digital assets (California threshold)
  • DAO treasuries where qualified custodian not mandated
  • Hot wallets for operational needs (5-10% of total assets)

Third-Party Qualified Custody

Structure: Transfer custody to federally or state-regulated custodian. Company maintains beneficial ownership but custodian controls private keys.

Regulatory Considerations:

Advantages:

  • Satisfies "qualified custodian" requirements under federal and state law
  • Custodian maintains its own SOC 2 Type II report (audit cost borne by the custodian)
  • Institutional-grade security: HSMs, multi-sig, cold storage, geographic distribution
  • Insurance coverage included (typically $100M-$320M+)
  • Regulatory confidence—examiners view qualified custody favorably
  • Banking relationship protection—partner banks require qualified custody
  • Professional key management and disaster recovery

Challenges:

  • Higher ongoing costs (10-60 basis points annually on assets under custody)
  • Minimum balance requirements ($500K-$1M typically)
  • Asset support varies widely (from roughly 35 tokens at the most conservative custodians to several hundred at the broadest); long-tail assets are often unsupported
  • Withdrawal delays for cold storage assets (24-48 hours typical)
  • Counterparty risk—custodian insolvency or bankruptcy
  • Less control—custodian policies govern transaction approvals

When Third-Party Custody Required:

  • Stablecoin reserve assets (GENIUS Act mandatory)
  • Customer funds exceeding $150,000 (California DFAL)
  • Money transmitter licensees (most state regulations)
  • Companies seeking institutional investment or banking relationships
  • Cold storage for 70-85% of customer assets

Hybrid Approach (Recommended)

Most regulated crypto companies implement a hybrid custody architecture:

  • Hot Wallets (5-10%): Self-custody via Fireblocks or BitGo for daily operational needs
  • Cold Storage (70-85%): Qualified custodian (Coinbase Custody, Anchorage Digital) for reserves
  • Warm Wallets (10-20%): Self-custody with enhanced controls (3-of-5 multi-sig, time delays)

This approach balances operational efficiency, regulatory compliance, and cost management.

SOC 2 Type II Requirements for Crypto Custodians

SOC 2 (System and Organization Controls 2) is an attestation framework developed by the American Institute of CPAs (AICPA) under which an independent CPA firm reports on a service organization's controls against the AICPA Trust Services Criteria. The output is a report containing an auditor's opinion, not a certification, although vendors loosely say "SOC 2 certified". For crypto custody providers, a SOC 2 Type II report has become the industry standard evidence that security controls exist and operate.

SOC 2 Type I vs. Type II

Type I: Assesses the design of security controls at a single point in time (snapshot audit)

Type II: Evaluates whether controls operated effectively over a review period, typically 3-12 months, with the auditor sampling evidence across that period

For Custody Providers: Type II is the expected standard. A Type I report alone shows only that controls were designed, not that they ran.

Five Trust Services Criteria

SOC 2 audits evaluate custodians against up to five Trust Services Criteria categories (Security is mandatory; the custodian selects which of the others to include, so always check the report's scope):

1. Security (mandatory; the "common criteria"):

  • Access controls to systems and data
  • Logical and physical security measures
  • System monitoring and intrusion detection
  • Change management and version control
  • Risk mitigation and incident response

2. Availability:

  • Availability commitments (e.g., a 99.9% uptime SLA) and the controls that meet them
  • Disaster recovery and business continuity
  • Redundant infrastructure and failover systems

3. Processing Integrity:

  • Transaction accuracy and completeness
  • Authorization of transactions
  • Error detection and correction

4. Confidentiality:

  • Protection of confidential information
  • Data encryption at rest and in transit
  • Non-disclosure agreements with personnel

5. Privacy:

  • Collection, use, retention, and disposal of personal information
  • GDPR/CCPA compliance where applicable
  • User consent and disclosure practices

What SOC 2 Type II Audit Covers for Crypto Custody

For crypto custody providers, the audit includes:

Infrastructure Review:

  • Custody platform and client-facing application security
  • Database encryption and access controls
  • Cloud infrastructure configuration (AWS, GCP, Azure)
  • Network security architecture

Custody Systems:

  • Private key generation, storage, and access
  • Multi-signature wallet implementation
  • Hardware security module (HSM) configuration
  • Cold storage procedures and physical security
  • Hot wallet monitoring and transaction limits

Operational Procedures:

  • Employee background checks and training
  • Segregation of duties
  • Change management processes
  • Incident response procedures
  • Customer onboarding and KYC processes

Monitoring and Logging:

  • Transaction monitoring systems
  • Anomaly detection algorithms
  • Audit trail completeness and integrity
  • Log retention policies

Industry Examples: Who Has SOC 2 Type II?

Several major crypto custody providers have completed SOC 2 Type II audits:

  • Coinbase Custody: SOC 2 Type II report available
  • Kraken: Completed SOC 2 Type 2 for custody and funding services [5]
  • Gemini: Describes itself as the first cryptocurrency exchange and custodian to complete a SOC 2 review [6]
  • Anchorage Digital: SOC 2 Type II report available
  • Custodia Bank: Completed a SOC 2 Type II audit [7]
  • BitGo: SOC 2 Type II report available

Warning: Despite being the industry standard, many crypto custodians still do not have a current SOC 2 Type II report, and the existence of a report says nothing about its scope or findings. Always request and read the current report before selecting a provider.

Requesting SOC 2 Reports

During custodian due diligence, request:

  1. SOC 2 Type II Report (the full report, not a badge, summary letter, or "certificate")
  2. Audit Date Range (the review period should cover at least 6 months, preferably 12, and should have ended within the past 12 months; if it ended more than a few months ago, ask for a bridge letter covering the gap)
  3. Scope of Audit (which Trust Services Criteria and which systems were evaluated; confirm the custody and key-management systems are in scope, not only the corporate IT environment)
  4. Management Assertion (the custodian's description of its system and controls)
  5. Auditor Opinion (an unqualified opinion is what you want; a qualified or adverse opinion is a red flag)
  6. Exceptions or Findings (any control failures noted, and management's response to them)
  7. Complementary User Entity Controls (CUECs: the controls the report assumes you, the client, implement, such as managing your own API keys and approver accounts; the custodian's assurance depends on them)

SOC 2 reports are confidential and provided under NDA. Custodians should readily share them with prospective institutional clients; reluctance to do so is itself a finding.

Major Qualified Custodian Comparison

The qualified custodian market has matured significantly, with clear leaders emerging for institutional custody. Here is a comparison of major providers based on 2024-2025 public disclosures and market data; treat the figures as indicative and confirm current terms in writing during due diligence.

Regulatory Status Comparison

| Custodian | Regulatory Status | Jurisdiction | Qualified Under GENIUS? | Qualified Under CA DFAL? |
|---|---|---|---|---|
| Coinbase Custody | NY trust company (NYDFS) | New York | ✅ Yes | ✅ Yes |
| Anchorage Digital | National trust bank charter (OCC) | Federal | ✅ Yes | ✅ Yes |
| Gemini Custody | NY trust company (NYDFS) | New York | ✅ Yes | ✅ Yes |
| BitGo | SD trust company | South Dakota | ✅ Yes | ✅ Yes |
| Paxos | NY trust company (NYDFS) | New York | ✅ Yes | ✅ Yes |
| Fireblocks | Technology provider (self-custody software) | n/a (not regulated as a custodian) | ❌ No | ❌ No |

The two "Qualified" columns are the author's assessment based on charter type. GENIUS Act implementing regulations are not yet final, so confirm a custodian's status in writing, with a reference to its charter and supervisor, before relying on it.

Critical Distinction: Fireblocks is NOT a qualified custodian—you maintain control of keys. It's a technology platform for self-custody, not third-party custody.

Pricing and Fee Comparison

| Custodian | Annual Fee (bps) | Setup Fee | Minimum Balance | Insurance Coverage |
|---|---|---|---|---|
| Coinbase Custody | 10-50 | $10,000 | $1,000,000 | $320M+ |
| Anchorage Digital | 10-40 | Custom | $500,000 | $300M |
| Gemini Custody | 20-50 | Custom | $1,000,000 | $200M |
| BitGo | 15-60 | $0-$50K | $500,000 | $250M |
| Fireblocks | 5-25* | $0-$25K | $100,000 | Varies (3rd party) |

*Fireblocks charges based on transaction volume or AUM but is NOT a qualified custodian.

Pricing Notes:

  • Basis Points (bps): 10 bps = 0.10% annually. On $10M AUM, 10 bps = $10,000/year; 50 bps = $50,000/year
  • Volume Discounts: Larger AUM receive lower basis point rates
  • Setup Fees: One-time onboarding cost for account setup, KYC, integration
  • Minimums: Most institutional custodians require $500K-$1M minimum balance

Asset Support Comparison

| Custodian | Supported Assets | Asset Types | DeFi Support |
|---|---|---|---|
| Coinbase Custody | 250+ | Bitcoin, Ethereum, ERC-20, stablecoins, select L2s | Limited |
| Anchorage Digital | 70+ | Focus on institutional assets, stablecoins | Moderate |
| Gemini Custody | 35+ | Major tokens only, conservative approach | No |
| BitGo | 600+ | Broadest range, including exotic tokens | Yes (limited) |
| Fireblocks | 1,000+ | Supports nearly all tokens and chains | Yes |

Selection Consideration: If you need custody for long-tail assets, BitGo or Fireblocks (self-custody) may be necessary.

Security Architecture Comparison

| Custodian | Cold Storage % | Multi-Sig | MPC Technology | HSM | Insurance Details |
|---|---|---|---|---|---|
| Coinbase Custody | 95%+ | ✅ Yes | ✅ Yes | ✅ Yes | Lloyd's of London, $320M+ |
| Anchorage Digital | 95%+ | ✅ Yes | ✅ Yes (proprietary) | ✅ Yes | $300M coverage |
| Gemini Custody | 95%+ | ✅ Yes | ❌ No | ✅ Yes | $200M ($25M hot, $100M cold) |
| BitGo | 85%+ | ✅ Yes | ✅ Yes | ✅ Yes | $250M coverage |
| Fireblocks | Varies (client-controlled) | ✅ Yes | ✅ Yes (core tech) | ✅ Optional | Client arranges |

Security Notes:

  • Multi-Signature (Multi-Sig): An on-chain scheme in which a transaction is valid only when signed by a threshold of distinct keys (e.g., 3-of-5 means any 3 of 5 keys must sign). The policy is enforced by the blockchain itself, is visible on-chain, and depends on chain-specific support.
  • MPC (Multi-Party Computation): A threshold signature scheme in which the private key exists only as shares held by separate parties or devices; the parties jointly produce one ordinary signature without ever assembling the full key. The policy is enforced off-chain, the result is a standard single-signer transaction, and it works on any chain whose signature algorithm the scheme supports (typically ECDSA and EdDSA), which is why it dominates hot and warm wallets.
  • HSM (Hardware Security Module): Tamper-resistant hardware that generates and stores keys and performs signing inside its own boundary, so key material is never exported in plaintext.
  • Cold Storage: Offline, air-gapped key storage with no network connectivity; signing requires a manual, physically controlled procedure, which is where the 24-48 hour withdrawal windows come from.
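To make the threshold property behind "3-of-5" concrete, here is an added example (not code from this guide or from any custodian) of Shamir's Secret Sharing configured 3-of-5 over a 256-bit prime field: a secret is split into five shares, any three recover it exactly, and any two yield a value that carries no information about it. Production MPC custody goes further and uses threshold signing so the key is never reconstructed even at signing time; plain Shamir, which does reconstruct it on recovery, is used here only to illustrate the threshold idea. The field prime, the demo secret, and the choice of which shares form the quorum are constructed assumptions.

```python
"""Shamir's Secret Sharing, 3-of-5, as an illustration of threshold custody.

Added example, not the guide's or any custodian's code. Plain Shamir
reconstructs the secret on recovery; threshold-signature MPC used by
custodians never does. Prime and sample values are constructed.
"""
import secrets

# Prime field large enough for a 256-bit secret (2**256 - 189 is prime).
PRIME = 2**256 - 189


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, n_shares):
    """Return n_shares points (x, y) on a random degree-(threshold-1) polynomial
    whose constant term is the secret. Any `threshold` points determine it."""
    if not 0 < threshold <= n_shares < PRIME:
        raise ValueError("need 0 < threshold <= n_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(points):
    """Lagrange-interpolate the polynomial at x = 0 from the given points.
    With fewer than `threshold` points this still returns a value, but one that
    is uniformly random relative to the real secret: a partial quorum learns nothing."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    acc = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        acc = (acc + yi * num * pow(den, -1, PRIME)) % PRIME
    return acc


def threshold_demo(secret, threshold=3, n_shares=5):
    """Split, then attempt recovery with a full quorum and with one share too few.
    Returns (quorum_recovers, short_quorum_recovers)."""
    shares = split_secret(secret, threshold, n_shares)
    quorum = shares[n_shares - threshold:]     # any `threshold` holders, e.g. CFO, security lead, director
    short = shares[:threshold - 1]             # one approver short of the policy
    return recover_secret(quorum) == secret, recover_secret(short) == secret


if __name__ == "__main__":
    demo_key = int.from_bytes(secrets.token_bytes(31), "big")   # constructed 248-bit secret
    print(threshold_demo(demo_key))    # (True, False)
```

Two properties matter for custody policy: recovery is exact with any three shares (so losing two holders is survivable), and two shares give a value indistinguishable from random (so a compromised pair yields nothing). A custodian's disaster-recovery design should be able to state its equivalent of both numbers.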

Withdrawal and Transaction Speed

| Custodian | Hot Wallet (Instant) | Warm Wallet (Same Day) | Cold Storage (1-2 Days) |
|---|---|---|---|
| Coinbase Custody | ✅ Yes (5-10% of assets) | ✅ Yes | ⏱️ 24-48 hours |
| Anchorage Digital | ✅ Yes | ✅ Yes | ⏱️ 24-48 hours |
| Gemini Custody | Limited | ✅ Yes | ⏱️ 24-48 hours |
| BitGo | ✅ Yes | ✅ Yes | ⏱️ 12-24 hours |
| Fireblocks | ✅ Yes (client controls) | ✅ Yes | ⏱️ Client controls |

Planning Consideration: Cold storage withdrawals require 24-48 hour advance notice. Plan liquidity needs accordingly.

Recommended Custodian by Use Case

Stablecoin Issuers (GENIUS Act Compliance):

  • Primary: Coinbase Custody or Anchorage Digital (regulatory clarity, deep reserves experience)
  • Alternative: BNY Mellon (traditional banking comfort)

Crypto Exchanges (Customer Funds):

  • Primary: BitGo (broad asset support, proven exchange integrations)
  • Alternative: Coinbase Custody (brand recognition, institutional trust)

DAO Treasuries:

  • Primary: Anchorage Digital (governance-friendly, multi-sig native)
  • Alternative: Fireblocks (self-custody with MPC)

Fintech Companies (Hybrid Custody):

  • Hot/Warm: Fireblocks (operational efficiency)
  • Cold Storage: Coinbase Custody or Anchorage Digital (qualified custodian requirement)

Institutional Investors:

  • Primary: Coinbase Custody (familiar name, regulatory comfort)
  • Alternative: Anchorage Digital (sophisticated tooling)

Qualified Custodian Selection Criteria

Selecting a qualified custodian is not a purely technical decision—it's a regulatory, operational, and strategic choice. Use this framework to evaluate providers systematically.

Regulatory and Compliance Criteria

1. Regulatory Status

  • ✅ State or federal banking charter (trust company, bank, OCC charter)
  • ✅ Active good standing with regulatory agency
  • ✅ Regular examinations by banking supervisors
  • ✅ Qualified custodian status under GENIUS Act and applicable state laws
  • ✅ Money transmitter licenses in required states (if providing transmission services)

2. Audit and Certification

  • ✅ SOC 2 Type II report (review period ended within the past 12 months)
  • ✅ ISO 27001/27017/27018 certifications
  • ✅ Annual financial audits (GAAP or IFRS)
  • ✅ Proof of reserves attestations
  • ✅ Penetration testing and security audits

3. Insurance Coverage

  • ✅ Minimum $100M coverage for digital assets in custody
  • ✅ Crime insurance covering theft, employee fraud, external hacking
  • ✅ Coverage for both hot and cold storage
  • ✅ Clear deductibles and exclusions disclosed
  • ✅ Insurance carrier financial strength (A.M. Best rating A or higher)

Operational and Security Criteria

4. Security Architecture

  • ✅ 95%+ assets in cold storage (offline, air-gapped)
  • ✅ Multi-signature or MPC technology for hot wallets
  • ✅ HSM (hardware security module) for key storage
  • ✅ Geographic distribution of keys across multiple locations
  • ✅ Physical security (biometric access, 24/7 monitoring, dual custody)

5. Key Management

  • ✅ No single point of failure for key access
  • ✅ Secure key generation (on HSM, not on networked device)
  • ✅ Key backup and disaster recovery procedures
  • ✅ Key rotation policies (for on-chain signing keys, rotation means generating a new key and sweeping funds to its addresses; a signing key cannot be rotated in place)
  • ✅ Key material never exposed in plaintext outside the HSM or MPC boundary

6. Transaction Monitoring

  • ✅ Real-time transaction monitoring and anomaly detection
  • ✅ Whitelisting/blacklist controls for destination addresses
  • ✅ Transaction velocity limits and approval workflows
  • ✅ Automated alerts for unusual activity
  • ✅ 24/7 security operations center (SOC)
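The controls in this list, together with the "3-of-5 multi-sig, time delays" prescribed for warm wallets in the hybrid architecture above, amount to a policy engine that sits in front of the signing keys. The following is an added example, not code from this guide or from any custodian's product: a small Python policy engine that evaluates withdrawal requests against a destination allowlist, a rolling 24-hour velocity limit, a 3-of-5 approver quorum, and a time lock on large amounts, and records alerts for the denials that deserve a human look. The thresholds, addresses, approver names, and request stream are constructed.

```python
"""Withdrawal policy engine: allowlist, 24h velocity limit, approver quorum, time lock.

Added example, not the guide's or any custodian's code. All thresholds,
addresses, approver identities and requests below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Policy:
    allowlist: frozenset      # destinations approved out-of-band (e.g. under dual control)
    daily_limit: int          # max total executed in any rolling 24h window
    quorum: int               # distinct approvals required per request
    approvers: frozenset      # identities whose approvals count
    delay_above: int          # amounts above this are time-locked
    delay: timedelta          # how long a large withdrawal must age before execution


@dataclass
class Request:
    req_id: str
    destination: str
    amount: int
    created: datetime
    approvals: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


class PolicyEngine:
    def __init__(self, policy):
        self.policy = policy
        self.executed = []     # (executed_at, amount): the velocity ledger
        self.alerts = []       # denials that should page someone

    def _spent_last_24h(self, now):
        cutoff = now - timedelta(hours=24)
        return sum(amt for at, amt in self.executed if at > cutoff)

    def evaluate(self, req, now):
        p = self.policy
        # 1. Destination control: an unknown address is a hard stop and an alert.
        if req.destination not in p.allowlist:
            self.alerts.append(f"{req.req_id}: destination {req.destination} not allowlisted")
            return Decision(False, "destination not allowlisted")
        # 2. Velocity control: cap what can leave in any 24h window, even with full approvals.
        if self._spent_last_24h(now) + req.amount > p.daily_limit:
            self.alerts.append(f"{req.req_id}: would exceed 24h velocity limit")
            return Decision(False, "24h velocity limit exceeded")
        # 3. Quorum: only distinct, authorised approvers count; unknown identities are ignored.
        valid = req.approvals & p.approvers
        if len(valid) < p.quorum:
            return Decision(False, f"{len(valid)}/{p.quorum} approvals")
        # 4. Time lock: large amounts age first, leaving a window to cancel if approvers were compromised.
        if req.amount > p.delay_above and now < req.created + p.delay:
            left = int((req.created + p.delay - now).total_seconds())
            return Decision(False, f"time-locked, {left}s remaining")
        self.executed.append((now, req.amount))
        return Decision(True, "approved and executed")


def run_demo():
    """Constructed request stream exercising each control; returns ([(id, allowed, reason)], alerts)."""
    t0 = datetime(2025, 10, 15, 9, 0, tzinfo=timezone.utc)
    policy = Policy(
        allowlist=frozenset({"addr_cold_vault", "addr_exchange_hot"}),
        daily_limit=1000, quorum=3,
        approvers=frozenset({"alice", "bob", "carol", "dave", "erin"}),
        delay_above=500, delay=timedelta(hours=4),
    )
    engine = PolicyEngine(policy)
    three = {"alice", "bob", "carol"}
    large = Request("r4", "addr_cold_vault", 700, t0, set(three))
    steps = [
        (Request("r1", "addr_cold_vault", 200, t0, set(three)), t0),
        (Request("r2", "addr_unknown", 50, t0, set(three)), t0),
        (Request("r3", "addr_exchange_hot", 300, t0, {"alice", "bob", "mallory"}), t0),
        (large, t0 + timedelta(hours=1)),   # still inside the time lock
        (large, t0 + timedelta(hours=4)),   # time lock elapsed
        (Request("r5", "addr_cold_vault", 200, t0, set(three)), t0 + timedelta(hours=5)),
        (Request("r6", "addr_cold_vault", 200, t0, set(three)), t0 + timedelta(hours=25)),
    ]
    results = []
    for req, now in steps:
        d = engine.evaluate(req, now)
        results.append((req.req_id, d.allowed, d.reason))
    return results, engine.alerts


if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

The order of checks is deliberate: destination and velocity are evaluated before the quorum, so a fully approved request to an unknown address is still refused and alerted, and the velocity ledger counts only executed withdrawals, so repeated denied attempts cannot exhaust the daily allowance. When reviewing a custodian's engine, ask which of these controls the custodian enforces on its side and which it expects you to enforce through the API.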

Business and Operational Criteria

7. Asset Support

  • ✅ Supports all tokens you need to custody
  • ✅ Roadmap for adding new asset support
  • ✅ Support for staking, governance, airdrops (if needed)
  • ✅ DeFi protocol integration (if needed)
  • ✅ Multi-chain support (Ethereum, Bitcoin, Solana, etc.)

8. Integration and API

  • ✅ REST API for programmatic access
  • ✅ Webhooks for event notifications
  • ✅ Comprehensive documentation
  • ✅ Sandbox environment for testing
  • ✅ Integration support and SLAs

9. Service Level Agreements (SLAs)

  • ✅ Uptime guarantee (minimum 99.9%)
  • ✅ Withdrawal processing times (hot: instant, cold: 24-48 hours)
  • ✅ Customer support responsiveness (response time SLAs)
  • ✅ Scheduled maintenance windows disclosed in advance
  • ✅ Incident response and communication protocols

10. Pricing and Economics

  • ✅ Transparent fee structure (basis points, setup fees, withdrawal fees)
  • ✅ Minimum balance requirements feasible for your AUM
  • ✅ Volume discount tiers clearly defined
  • ✅ No hidden fees (network fees, API calls, statement fees)
  • ✅ Cost-effective relative to self-custody (including insurance, audits, personnel)

Legal and Contractual Criteria

11. Custody Agreement Terms

  • ✅ Clear ownership rights—you retain beneficial ownership
  • ✅ Segregation of assets (no commingling with custodian's assets)
  • ✅ Bankruptcy remoteness—your assets protected in custodian insolvency
  • ✅ Liability limitations clearly defined
  • ✅ Indemnification provisions reasonable
  • ✅ Governing law and jurisdiction acceptable

12. Sub-Custodian Risk

  • ✅ Disclosure of any sub-custodian relationships
  • ✅ Sub-custodians are also qualified custodians
  • ✅ Custodian remains responsible for sub-custodian actions
  • ✅ Right to approve or reject sub-custodians

13. Business Continuity and Disaster Recovery

  • ✅ Documented disaster recovery plan
  • ✅ Regular disaster recovery testing (at least annually)
  • ✅ Redundant infrastructure across multiple geographic locations
  • ✅ Key recovery procedures in case of key loss
  • ✅ Succession plan if custodian ceases operations

Qualified Custodian Due Diligence Checklist

When evaluating prospective custodians, use this comprehensive due diligence checklist. Request all documentation in writing and verify claims independently.

Phase 1: Initial Screening (1-2 Weeks)

Regulatory Verification:

  • Confirm regulatory charter (OCC, NYDFS, state banking department)
  • Verify licenses via NMLS (if money transmitter) or agency website
  • Check for regulatory enforcement actions or consent orders
  • Review financial condition (capital ratios, liquidity)

Documentation Request:

  • Request SOC 2 Type II report (most recent, within 12 months)
  • Request insurance certificates (coverages, limits, carriers)
  • Request client references (similar industry, similar AUM)
  • Request fee schedule and minimum balance requirements
  • Request sample custody agreement for legal review

Initial Questions:

  • What percentage of assets are held in cold storage?
  • What is your insurance coverage for digital assets?
  • How long does it take to withdraw from cold storage?
  • Which blockchain assets do you support?
  • What are your pricing tiers and volume discounts?

Phase 2: Technical and Security Review (2-4 Weeks)

Security Architecture:

  • Request architecture diagrams (logical and physical)
  • Review key generation procedures
  • Understand multi-signature or MPC implementation
  • Assess HSM usage and configuration
  • Evaluate geographic distribution of keys

Operational Procedures:

  • Request employee background check policies
  • Review segregation of duties and dual control procedures
  • Understand transaction approval workflows
  • Assess monitoring and alerting capabilities
  • Review incident response procedures

Proof of Reserves:

  • Request latest proof of reserves attestation
  • Verify on-chain holdings match reported reserves
  • Confirm attestation performed by reputable third party
  • Understand frequency of attestations (monthly, quarterly)

Penetration Testing:

  • Request most recent penetration test results (sanitized)
  • Confirm testing performed by reputable third party (e.g., Trail of Bits)
  • Understand remediation of identified vulnerabilities
  • Verify testing includes web application, API, infrastructure

Phase 3: Legal and Contractual Review (2-3 Weeks)

Custody Agreement:

  • Engage legal counsel to review custody agreement
  • Confirm you retain beneficial ownership of assets
  • Verify assets segregated and bankruptcy-remote
  • Assess liability limitations and indemnification
  • Negotiate unacceptable terms (if possible)

Insurance Review:

  • Verify insurance policies cover your assets specifically
  • Understand deductibles and how losses are shared
  • Confirm you are named as loss payee or beneficiary
  • Review exclusions (e.g., war, nuclear event, protocol failure)
  • Verify carrier financial strength (A.M. Best rating)

Business Continuity:

  • Request disaster recovery plan summary
  • Understand key recovery procedures
  • Confirm redundant infrastructure and failover capabilities
  • Assess succession plan if custodian ceases operations

Phase 4: Reference Checks and Final Decision (1-2 Weeks)

Client References:

  • Contact 2-3 client references provided by custodian
  • Ask about service quality, responsiveness, uptime
  • Inquire about any incidents or issues experienced
  • Understand onboarding process and timeline

Public Reputation:

  • Research custodian online (news, forums, social media)
  • Check for security incidents, hacks, or breaches
  • Review customer complaints and dispute resolution
  • Assess thought leadership and industry participation

Pilot Program:

  • Start with small deposit (minimum balance)
  • Test deposit and withdrawal procedures
  • Evaluate API integration and ease of use
  • Assess customer support responsiveness
  • Expand custody relationship after successful pilot

Phase 5: Ongoing Monitoring (Continuous)

Annual Reviews:

  • Review updated SOC 2 Type II report annually
  • Verify insurance renewal and coverage updates
  • Confirm regulatory status remains in good standing
  • Reassess pricing competitiveness

Quarterly Attestations:

  • Review proof of reserves attestations
  • Reconcile your account balance with on-chain holdings
  • Verify custodian financial statements (if publicly available)
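The reconciliation in this list is something you can verify yourself rather than take on trust. The following is an added example (not the guide's code and not any custodian's actual proof-of-reserves format): a minimal Merkle-sum tree in which each leaf commits to a salted client ID and balance and each internal node to its two children plus their combined balance, so the published root commits to total client liabilities. A client verifies its own leaf against the root and attested total using the sibling path the custodian hands it, and separately reconciles the attested total against observed reserve-address balances. The tree layout, salt derivation, client balances, and on-chain figures are constructed; real schemes vary by custodian, and the verifier below rejects one known weakness (negative balances that would let liabilities cancel out).

```python
"""Client-side verification of a Merkle-sum proof-of-reserves leaf, plus reconciliation.

Added example, not the guide's code and not any custodian's real PoR format.
Tree layout, salts, balances and on-chain figures are constructed.
"""
import hashlib

ZERO_LEAF = (b"\x00" * 32, 0)    # padding for odd node counts (zero balance, so totals stay honest)


def _h(data):
    return hashlib.sha256(data).digest()


def _salt(client_id):
    # Constructed: a real custodian gives each client its own random salt out-of-band.
    return _h(b"salt:" + client_id.encode())


def leaf_hash(client_id, salt, balance):
    """Leaf commits to a salted client id and its balance; the salt keeps ids private."""
    return _h(salt + client_id.encode() + balance.to_bytes(16, "big"))


def node_hash(left, left_bal, right, right_bal):
    """Internal node commits to both children and their summed balance."""
    return _h(left + right + (left_bal + right_bal).to_bytes(16, "big"))


def build_tree(leaves):
    """leaves: list of (hash, balance). Returns all levels, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(ZERO_LEAF)          # pad, never duplicate (duplicating would double-count)
        levels.append([(node_hash(cur[i][0], cur[i][1], cur[i + 1][0], cur[i + 1][1]),
                        cur[i][1] + cur[i + 1][1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_proof(levels, index):
    """Sibling path for the leaf at `index`: list of (sibling_hash, sibling_balance, sibling_is_left)."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib][0], level[sib][1], sib < index))
        index //= 2
    return path


def verify_inclusion(leaf, path, root, attested_total):
    """Recompute the root from our leaf and the path; both the root and the total must match."""
    h, bal = leaf
    for sib_hash, sib_bal, sib_left in path:
        if sib_bal < 0:
            return False                   # negative balances would let liabilities be hidden
        if sib_left:
            h, bal = node_hash(sib_hash, sib_bal, h, bal), sib_bal + bal
        else:
            h, bal = node_hash(h, bal, sib_hash, sib_bal), bal + sib_bal
    return h == root and bal == attested_total


def build_attestation(balances):
    """Custodian side (constructed): returns (sorted ids, leaves, levels, root, total)."""
    ids = sorted(balances)
    leaves = [(leaf_hash(cid, _salt(cid), balances[cid]), balances[cid]) for cid in ids]
    levels = build_tree(leaves)
    root, total = levels[-1][0]
    return ids, leaves, levels, root, total


def reconcile(attested_total, onchain_balances, tolerance=0):
    """Compare attested liabilities with observed reserve-address balances."""
    observed = sum(onchain_balances.values())
    diff = observed - attested_total
    return {"attested": attested_total, "observed": observed, "diff": diff,
            "ok": diff >= -tolerance}      # reserves must at least cover liabilities


BALANCES = {"c1": 100, "c2": 250, "c3": 75, "c4": 1200, "c5": 30}   # constructed client balances
ONCHAIN = {"reserve_addr_1": 1000, "reserve_addr_2": 655}             # constructed on-chain balances
```

As a client you never see the other leaves, only your own salt, your balance, the sibling path, the root, and the attested total; a proof that passes shows your balance is counted in the total the auditor attested to. What it does not show is that the custodian actually controls the reserve addresses, which is why the attestation should also include a signed message or a pre-agreed movement from those addresses.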

Incident Monitoring:

  • Monitor news for security incidents affecting custodian
  • Review custodian communications about incidents
  • Assess custodian response to industry-wide events
  • Maintain contingency plan to migrate to alternative custodian

Cost Analysis: Custody Fees by Tier

Understanding the total cost of custody—not just basis points—is critical to budgeting and custodian selection. Here's a realistic breakdown by company size.

Small Companies: $1M-$10M AUM

Qualified Custodian Fees:

  • Annual Custody Fee: 20-60 bps ($2,000-$60,000/year)
  • Setup Fee: $0-$50,000 (one-time)
  • Minimum Balance Fee: May apply if below $500K-$1M
  • Transaction Fees: $0-$50 per withdrawal

Alternative: Enhanced Self-Custody

  • Platform: Fireblocks or BitGo self-custody ($10,000-$30,000/year)
  • Hardware Wallets: Ledger Enterprise ($3,000-$10,000 one-time)
  • SOC 2 Audit: $50,000-$75,000 annually
  • Insurance: $50,000-$150,000 annually (5-15% of coverage)
  • Personnel: 0.5-1 FTE ($50,000-$100,000 allocated)

Total Annual Cost:

  • Qualified Custodian: $50,000-$110,000/year (all-in)
  • Self-Custody: $150,000-$350,000/year (higher due to audit + insurance + personnel)

Recommendation: For $1M-$10M AUM, qualified custodian is typically MORE cost-effective than self-custody when total costs are considered.

Medium Companies: $10M-$100M AUM

Qualified Custodian Fees:

  • Annual Custody Fee: 10-40 bps ($100,000-$400,000/year)
  • Setup Fee: $10,000-$50,000 (one-time)
  • Negotiated Minimums: Often waived at this tier
  • Transaction Fees: Often waived with volume commitments

Hybrid Approach (Recommended):

  • Cold Storage (80%): Qualified custodian at 10-20 bps ($80,000-$160,000/year on $80M)
  • Hot/Warm (20%): Fireblocks self-custody ($30,000-$100,000/year)
  • Monitoring: Chainalysis or TRM Labs ($30,000-$100,000/year)
  • Reconciliation: Cryptio or Bitwave ($20,000-$75,000/year)
  • SOC 2 Audit: $75,000-$150,000/year
  • Insurance (Incremental): $50,000-$200,000/year (qualified custodian reduces premium)
  • Personnel: 1-2 FTE treasury/custody specialists ($200,000-$400,000)

Total Annual Cost: $500,000-$1,200,000/year

Recommendation: Hybrid approach optimizes cost, control, and compliance at this scale.

Large Companies: $100M+ AUM

Qualified Custodian Fees:

  • Annual Custody Fee: 5-20 bps ($500,000-$2,000,000/year on $1B)
  • Setup Fee: $25,000-$100,000 (often negotiated)
  • Volume Discounts: Significant negotiating leverage
  • Dedicated Account Management: Included

Enterprise Infrastructure:

  • Primary Custodian: Coinbase or Anchorage ($500,000-$2,000,000/year)
  • Backup Custodian: BitGo or Gemini ($100,000-$500,000/year) for redundancy
  • Hot Wallet Platform: Fireblocks ($100,000-$300,000/year)
  • Monitoring Suite: Chainalysis + TRM ($100,000-$300,000/year)
  • Reconciliation: Enterprise systems ($50,000-$150,000/year)
  • Multiple Audits: SOC 2, SOC 1, penetration tests ($200,000-$500,000/year)
  • Layered Insurance: $50M-$200M coverage ($1M-$3M premium)
  • Treasury Team: 3-5 FTE ($500,000-$1,500,000)

Total Annual Cost: $2,000,000-$8,000,000/year

Recommendation: At this scale, custody is a material operating expense requiring board-level oversight and dedicated treasury function.

Implementation Roadmap: Onboarding a Qualified Custodian

Onboarding a qualified custodian is not instant—expect 6-12 weeks from initial contact to first deposit. Here's a realistic implementation timeline.

Weeks 1-2: Selection and Initial Contact

Activities:

  • Complete due diligence checklist (see above)
  • Narrow to 2-3 finalist custodians
  • Schedule calls with sales and technical teams
  • Request and review SOC 2 reports and sample agreements

Deliverables:

  • Custodian selection decision
  • Preliminary pricing and fee negotiation

Weeks 3-4: Legal and Contractual

Activities:

  • Engage legal counsel to review custody agreement
  • Negotiate terms (liability, indemnification, termination)
  • Execute custody agreement and related documents
  • Complete corporate governance approvals (board resolution)

Deliverables:

  • Signed custody agreement
  • Board authorization for custody relationship

Weeks 5-6: KYC and Compliance

Activities:

  • Complete custodian's KYC/AML onboarding
  • Provide corporate documents (articles, bylaws, operating agreement)
  • Provide beneficial ownership certification (the FinCEN Customer Due Diligence rule requires the custodian to collect it from legal-entity customers)
  • Background checks on key employees (if required)

Deliverables:

  • KYC approval from custodian
  • Account opened and activated

Weeks 7-8: Technical Integration

Activities:

  • API key generation and secure exchange
  • Integrate custody API with your systems
  • Configure transaction approval workflows
  • Set up whitelisting/blacklist rules
  • Test deposits and withdrawals in sandbox environment
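Event webhooks are the channel through which the custodian tells your systems that a deposit landed or a withdrawal settled, so an attacker who can forge or replay them can drive your ledger. The following is an added example, not code from this guide or from any custodian's SDK, showing the checks a receiving endpoint should run before trusting an event: a timestamp freshness window, an HMAC-SHA256 over the timestamp and raw body compared in constant time, and a replay cache keyed by event ID. The header names, the signing-string layout, the shared secret, and the sample event are constructed assumptions; use whatever scheme your custodian actually documents.

```python
"""Authenticating custodian webhook deliveries: HMAC, freshness window, replay cache.

Added example, not the guide's code and not any custodian's SDK. Header
names, signing layout, secret and sample event are constructed assumptions.
"""
import hashlib
import hmac
import json

SIG_HEADER = "X-Custody-Signature"     # assumed header names
TS_HEADER = "X-Custody-Timestamp"


def compute_signature(secret, timestamp, raw_body):
    """HMAC-SHA256 over '<timestamp>.<raw body>' (assumed layout), hex-encoded."""
    msg = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret, max_skew_seconds=300):
        self.secret = secret
        self.max_skew = max_skew_seconds
        self._seen = {}          # event_id -> time after which it may be forgotten

    def verify(self, headers, raw_body, now):
        """Return (ok, reason, event). The body is parsed only after it authenticates."""
        ts_raw = headers.get(TS_HEADER, "")
        if not ts_raw.isdigit():
            return False, "missing or malformed timestamp", None
        ts = int(ts_raw)
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside freshness window", None
        expected = compute_signature(self.secret, ts, raw_body)
        # Constant-time comparison so an attacker cannot guess the MAC byte by byte.
        if not hmac.compare_digest(expected, headers.get(SIG_HEADER, "")):
            return False, "signature mismatch", None
        try:
            event = json.loads(raw_body)
            event_id = event["event_id"]
        except (ValueError, KeyError, TypeError):
            return False, "authenticated but unparseable event", None
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}   # evict expired ids
        if event_id in self._seen:
            return False, "replayed event", None
        # Remember the id for longer than the freshness window so a replay cannot slip in later.
        self._seen[event_id] = now + 2 * self.max_skew
        return True, "ok", event


def demo_exchange():
    """Constructed genuine delivery followed by three attacks; returns the four verdict reasons."""
    secret = b"constructed-shared-secret"
    ts = 1_760_000_000
    body = json.dumps({"event_id": "evt_001", "type": "withdrawal.settled",
                       "amount": "250.00", "asset": "USDC"}).encode()
    headers = {TS_HEADER: str(ts), SIG_HEADER: compute_signature(secret, ts, body)}
    v = WebhookVerifier(secret)
    genuine = v.verify(headers, body, now=ts + 10)[1]
    replay = v.verify(headers, body, now=ts + 20)[1]
    tampered = v.verify(headers, body.replace(b"250.00", b"250000.00"), now=ts + 10)[1]
    stale = v.verify(headers, body, now=ts + 3600)[1]
    return genuine, replay, tampered, stale
```

Sign the raw bytes as received, not a re-serialised JSON object, since any whitespace or key-order change breaks the MAC; and treat an authenticated "settled" event as a trigger to query the custodian's API for the transaction rather than as the final word, so a stolen webhook secret alone cannot credit your ledger.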

Deliverables:

  • Working API integration
  • Successful test transactions

Weeks 9-10: Initial Funding and Testing

Activities:

  • Initial deposit (start with minimum balance or pilot amount)
  • Test deposit confirmation and reconciliation
  • Test withdrawal request and approval process
  • Verify transaction monitoring and alerts
  • Confirm reporting and statements

Deliverables:

  • Successful deposit and withdrawal
  • Account reconciliation verified

Weeks 11-12: Full Migration and Cutover

Activities:

  • Migrate remaining assets from prior custody solution
  • Decommission old wallets only after confirming on-chain that balances are zero and no inbound transfers are pending; keep the old keys retrievable under the same controls for a retention period, since late deposits to retired addresses are common
  • Establish ongoing reconciliation procedures
  • Train treasury team on custodian platform
  • Document custody procedures in runbook

Deliverables:

  • Full asset migration complete
  • Custody operations documented and operational

Ongoing: Monitoring and Compliance

Monthly:

  • Reconcile custody account balances
  • Review transaction activity and anomalies
  • Monitor custodian service availability

Quarterly:

  • Review proof of reserves attestations
  • Assess custodian performance against SLAs
  • Evaluate pricing competitiveness

Annually:

  • Review updated SOC 2 Type II report
  • Verify insurance coverage renewal
  • Reassess custodian relationship and alternatives

Conclusion: Custody as Competitive Advantage

Qualified custodian requirements are not regulatory burdens—they're competitive advantages. Companies with institutional-grade custody architecture gain regulatory confidence, banking access, customer trust, and acquisition readiness that competitors without proper custody cannot match.

The choice between self-custody and qualified custody is not binary. Most regulated crypto companies implement hybrid architectures: qualified custodians for cold storage and customer reserves, enhanced self-custody for operational hot wallets. This approach balances regulatory compliance, operational efficiency, and cost management.

Start your custodian evaluation early. Onboarding takes 6-12 weeks, and regulatory deadlines (GENIUS Act: January 2027, California DFAL: July 2026) are approaching. Companies that establish qualified custody relationships now will avoid the rush—and potential service degradation—as deadlines near.

Custody is infrastructure. Like banking relationships and legal counsel, it's not optional for regulated crypto companies. Choose wisely, implement thoroughly, and monitor continuously.

Need Custody Architecture Guidance?

Astraea Counsel helps crypto companies design compliant custody architectures, select qualified custodians, and implement state and federal custody requirements. We advise stablecoin issuers, exchanges, and DAOs on custody strategy, vendor selection, and regulatory compliance.

Schedule a consultation to discuss your custody requirements.


Chanté Eliaszadeh

Principal Attorney, Astraea Counsel APC

Chanté advises crypto companies on custody architecture, qualified custodian selection, and regulatory compliance. She helps clients implement institutional-grade custody solutions that meet state and federal requirements.


Legal Disclaimer: This article provides general information for educational purposes only and does not constitute legal advice. The law changes frequently, and the information provided may not reflect the most current legal developments. No attorney-client relationship is created by reading this content. For advice about your specific situation, please consult with a qualified attorney.
