By Chanté Eliaszadeh | Updated June 2026
“Not your keys, not your coins” is crypto’s founding principle. It is also poor compliance advice for a regulated company. Federal and California law increasingly decide who may hold the keys, and they do not mean the same thing by it: the GENIUS Act tells stablecoin issuers where reserves must sit, California’s Digital Financial Assets Law tells licensees how to hold customer assets, and the banking regulators decide which institutions may custody crypto at all. Most companies blur these three regimes together, and the phrase “qualified custodian” hides the differences.
This guide separates them. It explains what each regime actually requires as the law stands in 2026, how that shapes the choice between self-custody and a third-party custodian, and how to evaluate a custodian without relying on its marketing. Whether you issue a stablecoin, run an exchange, or manage a DAO treasury, getting custody right is what keeps you clear of an enforcement action and inside a banking relationship.
What Makes a Custodian “Qualified”? Legal Definition
The term “qualified custodian” is not just marketing language—it’s a specific regulatory designation with precise requirements. Different regulatory frameworks define the term differently, but they share common standards.
Federal Standards: GENIUS Act Framework
The GENIUS Act, signed into law on July 18, 2025, establishes the first comprehensive federal framework for payment stablecoin custodians1. Under the Act, only regulated financial institutions may provide custodial services for payment stablecoins, their reserves, or the private keys used for these assets.
Who Qualifies as a Custodian Under GENIUS Act:
- Federal Banking Agencies: National banks regulated by the OCC, state banks supervised by the Federal Reserve or FDIC
- State Banking Regulators: State-chartered trust companies and banks under state banking supervision
- SEC-Regulated Entities: Broker-dealers, registered investment advisers with custody authorization
- CFTC-Regulated Entities: Futures commission merchants with appropriate custody authority
Key Custodial Requirements:
- Segregation: Custodians cannot commingle their own funds with customers’ funds (with limited exceptions)
- Reserve Custody: Payment stablecoin issuers must segregate reserves from operational funds and hold them with qualified custodians
- 1:1 Backing: Reserves must be held in specified high-quality liquid assets (cash, Treasury securities, repo agreements)
Effective Date: January 18, 2027, or 120 days following final implementing regulations, whichever comes first2.
Practical Implication: Stablecoin issuers must use federally or state-regulated financial institutions for reserve custody. Self-custody of stablecoin reserves does not comply with GENIUS Act requirements.
California: the Digital Financial Assets Law
California’s Digital Financial Assets Law (DFAL), codified at Financial Code Division 1.25, prohibits unlicensed digital-financial-asset business activity with California residents on or after July 1, 2026; the DFPI began accepting license applications on March 9, 2026.3
DFAL’s custody rule is not a dollar-threshold test, and the summary you will most often read of it is wrong. Financial Code section 3503 requires a licensee that controls a customer’s digital financial asset to “at all times maintain in its control an amount of each type of digital financial asset sufficient to satisfy the aggregate entitlements” of its customers. That is a continuous, one-to-one segregation duty. It applies to every licensee and every asset type. There is no floor below which it disappears, and no option to post a surety bond in place of holding the assets.
A covered person must also qualify to hold those assets — as a state or federally chartered trust company, a licensee meeting the DFPI’s capital and bonding requirements, or an entity the DFPI otherwise approves — and must meet the security and disclosure standards the DFPI sets by regulation.
DFAL backs the duty with real penalties. The DFPI may assess up to $100,000 per day for unlicensed activity and up to $20,000 per day for a licensee’s violation, each accruing until the violation stops. The department has already enforced the law, starting with a $300,000 penalty against a crypto-kiosk operator in 2025.3
Banking regulators: the OCC and the SAB 121 reversal
For a chartered institution — and for any company whose bank partner holds it to the same standard — the federal banking regulators reopened crypto custody in 2025, and two changes carry the weight.4
First, the accounting barrier fell. In January 2025 the SEC rescinded Staff Accounting Bulletin 121, which had forced custodians to carry customer crypto as a balance-sheet liability, and replaced it with SAB 122. Removing that treatment is what made bank crypto custody practical again, and it underlies the developments that followed.
Second, the OCC restored and then extended its permissions. Interpretive Letter 1183 (March 2025) confirmed that national banks may custody crypto and rescinded the supervisory non-objection that Letter 1179 had required. Interpretive Letter 1184 (May 2025) went further, confirming that a bank may buy and sell at a custody customer’s direction and may use sub-custodians under appropriate risk management. The OCC expects the ordinary controls — board oversight, key control so that no other party can move assets unilaterally, and sub-custodian diligence — but it has not published a prescriptive crypto-custody rulebook.
The shift is now structural. On December 12, 2025 the OCC conditionally approved national trust-bank charters for a wave of crypto custodians: BitGo, Paxos, and Fidelity’s digital-asset unit converting from state trust companies, and Circle and Ripple chartered de novo. The approvals are conditional — each institution must satisfy operational requirements before commencing full operations — but the direction is clear: custody is moving from a patchwork of state trusts toward federal supervision.4
Reality check: even without your own charter, a partner bank will hold you to OCC-grade expectations to keep the relationship.
Self-Custody vs. Third-Party Custody: Regulatory Compliance Trade-offs
The custody decision isn’t purely technical—it’s a regulatory and operational choice with significant compliance implications.
Self-Custody
Structure: Company controls private keys directly using multi-signature wallets, hardware security modules (HSMs), or MPC (multi-party computation) technology.
Regulatory Considerations:
Advantages:
- Full control over asset access and transaction approval
- Greater privacy—no third-party disclosure of holdings required
- Access to broader range of digital assets (qualified custodians often limited to major tokens)
- Lower ongoing fees (no custody basis points charged)
Challenges:
- Does not satisfy the GENIUS Act’s supervised-custodian requirement for stablecoin reserves
- Requires a SOC 2 Type II audit to demonstrate security controls — a recurring cost
- Demands internal expertise: key management, disaster recovery, incident response
- Raises insurance costs relative to placing assets with a qualified custodian
- Key loss or theft results in permanent, unrecoverable asset loss
- Invites regulatory scrutiny during examinations — you must demonstrate “commercially reasonable security”
When self-custody works:
- Proprietary assets the company holds for itself, not customer assets held under a license
- DAO treasuries where a qualified custodian is not mandated
- A small operational hot wallet for daily needs
Third-Party Qualified Custody
Structure: Transfer custody to federally or state-regulated custodian. Company maintains beneficial ownership but custodian controls private keys.
Regulatory Considerations:
Advantages:
- Satisfies the qualified-custodian requirement under federal and state law
- Custodian maintains SOC 2 Type II certification, absorbing that cost
- Institutional-grade security: HSMs, multi-signature or MPC, cold storage, geographic distribution
- Insurance carried by the custodian (amounts vary by provider; confirm directly)
- Regulatory confidence — examiners view qualified custody favorably
- Banking-relationship protection — partner banks expect qualified custody
- Professional key management and disaster recovery
Challenges:
- Ongoing custody fees, charged in basis points on assets under custody
- Account minimums that may exceed a smaller company’s holdings
- Asset support that varies by custodian — long-tail tokens may not be covered
- Withdrawal delays for cold-storage assets
- Counterparty risk — custodian insolvency or bankruptcy
- Less control — the custodian’s policies govern transaction approvals
When Third-Party Custody Required:
- Stablecoin reserve assets (GENIUS Act mandatory)
- Customer digital assets held by a DFAL licensee (Financial Code § 3503 segregation, at any amount)
- Money transmitter licensees (most state regulations)
- Companies seeking institutional investment or banking relationships
- Cold storage for the majority of customer assets
The hybrid approach most companies use
Most regulated crypto companies run a hybrid custody architecture rather than choosing a single model:
- A small hot wallet — self-custody, for daily operational liquidity.
- The cold-stored majority — a qualified custodian holds the bulk of reserves.
- A warm tier in between — self-custody with enhanced controls, such as a multi-signature policy and time delays, for funds that move occasionally.
This balances operational efficiency against regulatory compliance and cost.
SOC 2 Type II Requirements for Crypto Custodians
SOC 2 (Service Organization Control 2) is a compliance framework developed by the American Institute of CPAs (AICPA) that evaluates a service provider’s ability to protect sensitive data. For crypto custody providers, SOC 2 Type II certification has become the industry standard for demonstrating security controls.
SOC 2 Type I vs. Type II
Type I: Assesses the design of security controls at a single point in time (snapshot audit)
Type II: Evaluates the operating effectiveness of controls over a period of time, typically 3-12 months (continuous monitoring)
For Custody Providers: Type II is the required standard. Type I alone is insufficient.
Five Trust Service Criteria
SOC 2 audits evaluate custodians across five criteria (not all are required—custodians select which to include):
1. Security (Required for All):
- Access controls to systems and data
- Logical and physical security measures
- System monitoring and intrusion detection
- Change management and version control
- Risk mitigation and incident response
2. Availability:
- System uptime and reliability (typically 99.9% SLA)
- Disaster recovery and business continuity
- Redundant infrastructure and failover systems
3. Processing Integrity:
- Transaction accuracy and completeness
- Authorization of transactions
- Error detection and correction
4. Confidentiality:
- Protection of confidential information
- Data encryption at rest and in transit
- Non-disclosure agreements with personnel
5. Privacy:
- Collection, use, retention, and disposal of personal information
- GDPR/CCPA compliance where applicable
- User consent and disclosure practices
What SOC 2 Type II Audit Covers for Crypto Custody
For crypto custody providers, the audit includes:
Infrastructure Review:
- Exchange application security
- Database encryption and access controls
- Cloud infrastructure configuration (AWS, GCP, Azure)
- Network security architecture
Custody Systems:
- Private key generation, storage, and access
- Multi-signature wallet implementation
- Hardware security module (HSM) configuration
- Cold storage procedures and physical security
- Hot wallet monitoring and transaction limits
Operational Procedures:
- Employee background checks and training
- Segregation of duties
- Change management processes
- Incident response procedures
- Customer onboarding and KYC processes
Monitoring and Logging:
- Transaction monitoring systems
- Anomaly detection algorithms
- Audit trail completeness and integrity
- Log retention policies
Industry Examples: Who Has SOC 2 Type II?
Several major crypto custody providers have completed SOC 2 Type II audits:
- Coinbase Custody: SOC 2 Type II certified
- Kraken: completed a SOC 2 Type 2 examination for its qualified custody offering (2025)5
- Gemini: SOC 2 Type II certified6
- Anchorage Digital: SOC 2 Type II certified
- Custodia Bank: Achieved SOC 2 Type II compliance certification7
- BitGo: SOC 2 Type II certified
Warning: Despite being industry standard, many crypto custodians are still NOT accredited. Always verify current SOC 2 status before selecting a provider.
Requesting SOC 2 Reports
During custodian due diligence, request:
- SOC 2 Type II Report (full report, not just certificate)
- Audit Date Range (ensure audit covered at least 6 months, preferably 12)
- Scope of Audit (which trust service criteria were evaluated)
- Management Assertions (custodian’s description of controls)
- Auditor Opinion (unqualified opinion is best)
- Exceptions or Findings (any control failures or weaknesses noted)
SOC 2 reports are confidential and covered by NDA. Custodians should readily provide them to prospective institutional clients.
Major qualified custodians: regulatory status
The custodian market changed structurally in late 2025, when the OCC began chartering crypto custodians as national trust banks. Confirm any provider’s current status against its own regulator record before you rely on it; the table below reflects status as of mid-2026.
| Custodian | Regulatory status | Supervisor |
|---|---|---|
| Coinbase Custody | State limited-purpose trust company | NYDFS (OCC national-charter application pending) |
| Anchorage Digital | National trust bank | OCC (since 2021) |
| Gemini Custody | State limited-purpose trust company | NYDFS |
| BitGo | National trust bank (converting) | OCC-approved Dec 2025 |
| Paxos | National trust bank (converting) | OCC-approved Dec 2025 |
| Circle, Ripple, Fidelity Digital Assets | National trust bank (new or converting) | OCC-approved Dec 2025 |
| Fireblocks | Not a custodian — self-custody technology | Not a chartered custodian |
A supervised trust company or national trust bank is the kind of institution the GENIUS Act will recognize for stablecoin reserve custody and that California’s DFAL contemplates for licensee custody. But the GENIUS Act’s implementing rules are not yet final, so treat “qualifies under GENIUS” as a forward-looking judgment about a regulated institution, not a settled status.
Fireblocks is not a qualified custodian. It is a technology platform for self-custody — you keep control of the keys — so it sits outside the GENIUS and DFAL custody requirements rather than satisfying them.
What custody costs
Custodians do not publish standard fee schedules, so a precise price comparison is not possible from public sources. Pricing is institutional and negotiated. A custodian typically charges an annual fee measured in basis points on assets under custody, often with a one-time onboarding fee and a minimum account size, and discounts the rate as balances grow. Treat any specific number you see in an online guide — including earlier versions of this one — as a prompt to ask, not a published rate. Request a current fee schedule in writing from each candidate and compare the all-in cost rather than the headline basis points.
Asset coverage
Coverage varies widely, and the published counts move constantly, so confirm current support directly with the custodian for the specific assets you hold. As a general matter, BitGo supports the broadest range — well over a thousand tokens by its own count — while Coinbase and Anchorage cover several hundred each, weighted toward major assets and stablecoins, and Gemini takes a more conservative approach focused on major tokens. Fireblocks supports nearly every chain, but as a self-custody technology provider rather than a qualified custodian. If you need custody for long-tail assets, the field narrows quickly; verify before you commit.
Security and insurance
Every institutional custodian below holds a SOC 2 Type II report, keeps the majority of assets in offline cold storage, and secures keys with hardware security modules and either multi-signature or multi-party-computation controls. No custodian publishes a current, dated cold-storage percentage, so treat any specific figure with caution and confirm the security model in the provider’s own trust documentation. Insurance is the number worth checking directly, because the figures custodians publish differ and move:
| Custodian | Published insurance | Notes |
|---|---|---|
| Coinbase Custody | $320M crime policy | Confirm carrier and scope in Coinbase’s current disclosures |
| BitGo | Up to $250M | For assets held in qualified custody |
| Gemini Custody | $125M | $25M hot and $100M cold, per Gemini’s published figure |
| Anchorage Digital | Not publicly stated | Describes coverage “subject to applicable limits”; discloses no cap |
A note on the terms: multi-signature requires several keys to authorize a transaction; multi-party computation splits one key across parties so no party ever holds it whole; a hardware security module is tamper-resistant key-storage hardware; cold storage is offline, air-gapped storage.
Withdrawal timing
Custodians do not publish withdrawal service levels, so the timing you will actually get is a contract term to negotiate, not a published figure. The general shape is consistent across providers: a small operational hot wallet allows near-immediate transfers, while moving assets out of cold storage requires advance notice — often a day or more, because the security that protects cold storage is the same friction that slows withdrawals. Build that delay into your liquidity planning and confirm the committed timing in your custody agreement.
Matching the custodian to your use case
The right custodian depends on what you are protecting and why. A few patterns hold:
- Stablecoin issuers need a custodian that clearly qualifies under the GENIUS Act for reserve custody — a federally or state-supervised institution with reserve-management experience and the willingness to meet the Act’s segregation and attestation requirements.
- Crypto exchanges holding customer funds should weight broad asset support and proven exchange integrations alongside qualified-custodian status.
- DAO treasuries benefit from governance-friendly controls — native multi-signature or MPC and flexible approval policies — where a qualified custodian is not otherwise mandated.
- Fintech companies typically run a hybrid model: a self-custody technology layer for operational liquidity and a qualified custodian for the cold-stored majority.
- Institutional investors tend to prioritize regulatory familiarity, audited controls, and reporting that fits their own compliance obligations.
Name recognition is not a compliance credential. Verify each candidate’s current charter, audit, and insurance against its own disclosures before you rely on it — the regulatory status of even the largest custodians changed materially in 2025.
Qualified Custodian Selection Criteria
Selecting a qualified custodian is not a purely technical decision—it’s a regulatory, operational, and strategic choice. Use this framework to evaluate providers systematically.
Regulatory and Compliance Criteria
1. Regulatory Status
- ✅ State or federal banking charter (trust company, bank, OCC charter)
- ✅ Active good standing with regulatory agency
- ✅ Regular examinations by banking supervisors
- ✅ Qualified custodian status under GENIUS Act and applicable state laws
- ✅ Money transmitter licenses in required states (if providing transmission services)
2. Audit and Certification
- ✅ SOC 2 Type II certification (within past 12 months)
- ✅ ISO 27001/27017/27018 certifications
- ✅ Annual financial audits (GAAP or IFRS)
- ✅ Proof of reserves attestations
- ✅ Penetration testing and security audits
3. Insurance Coverage
- ✅ Insurance coverage appropriate to the assets held — confirm the amount and scope in writing
- ✅ Crime insurance covering theft, employee fraud, external hacking
- ✅ Coverage for both hot and cold storage
- ✅ Clear deductibles and exclusions disclosed
- ✅ Insurance carrier financial strength (A.M. Best rating A or higher)
Operational and Security Criteria
4. Security Architecture
- ✅ The large majority of assets in offline, air-gapped cold storage
- ✅ Multi-signature or MPC technology for hot wallets
- ✅ HSM (hardware security module) for key storage
- ✅ Geographic distribution of keys across multiple locations
- ✅ Physical security (biometric access, 24/7 monitoring, dual custody)
5. Key Management
- ✅ No single point of failure for key access
- ✅ Secure key generation (on HSM, not on networked device)
- ✅ Key backup and disaster recovery procedures
- ✅ Key rotation policies
- ✅ Cryptographic key never exposed in plaintext
6. Transaction Monitoring
- ✅ Real-time transaction monitoring and anomaly detection
- ✅ Whitelisting/blacklist controls for destination addresses
- ✅ Transaction velocity limits and approval workflows
- ✅ Automated alerts for unusual activity
- ✅ 24/7 security operations center (SOC)
Business and Operational Criteria
7. Asset Support
- ✅ Supports all tokens you need to custody
- ✅ Roadmap for adding new asset support
- ✅ Support for staking, governance, airdrops (if needed)
- ✅ DeFi protocol integration (if needed)
- ✅ Multi-chain support (Ethereum, Bitcoin, Solana, etc.)
8. Integration and API
- ✅ REST API for programmatic access
- ✅ Webhooks for event notifications
- ✅ Comprehensive documentation
- ✅ Sandbox environment for testing
- ✅ Integration support and SLAs
9. Service Level Agreements (SLAs)
- ✅ Uptime guarantee (minimum 99.9%)
- ✅ Withdrawal processing times (hot: instant, cold: 24-48 hours)
- ✅ Customer support responsiveness (response time SLAs)
- ✅ Scheduled maintenance windows disclosed in advance
- ✅ Incident response and communication protocols
10. Pricing and Economics
- ✅ Transparent fee structure (basis points, setup fees, withdrawal fees)
- ✅ Minimum balance requirements feasible for your AUM
- ✅ Volume discount tiers clearly defined
- ✅ No hidden fees (network fees, API calls, statement fees)
- ✅ Cost-effective relative to self-custody (including insurance, audits, personnel)
Legal and Contractual Criteria
11. Custody Agreement Terms
- ✅ Clear ownership rights—you retain beneficial ownership
- ✅ Segregation of assets (no commingling with custodian’s assets)
- ✅ Bankruptcy remoteness—your assets protected in custodian insolvency
- ✅ Liability limitations clearly defined
- ✅ Indemnification provisions reasonable
- ✅ Governing law and jurisdiction acceptable
12. Sub-Custodian Risk
- ✅ Disclosure of any sub-custodian relationships
- ✅ Sub-custodians are also qualified custodians
- ✅ Custodian remains responsible for sub-custodian actions
- ✅ Right to approve or reject sub-custodians
13. Business Continuity and Disaster Recovery
- ✅ Documented disaster recovery plan
- ✅ Regular disaster recovery testing (at least annually)
- ✅ Redundant infrastructure across multiple geographic locations
- ✅ Key recovery procedures in case of key loss
- ✅ Succession plan if custodian ceases operations
Qualified Custodian Due Diligence Checklist
When evaluating prospective custodians, use this comprehensive due diligence checklist. Request all documentation in writing and verify claims independently.
Phase 1: Initial Screening (1-2 Weeks)
Regulatory Verification:
- Confirm regulatory charter (OCC, NYDFS, state banking department)
- Verify licenses via NMLS (if money transmitter) or agency website
- Check for regulatory enforcement actions or consent orders
- Review financial condition (capital ratios, liquidity)
Documentation Request:
- Request SOC 2 Type II report (most recent, within 12 months)
- Request insurance certificates (coverages, limits, carriers)
- Request client references (similar industry, similar AUM)
- Request fee schedule and minimum balance requirements
- Request sample custody agreement for legal review
Initial Questions:
- What percentage of assets are held in cold storage?
- What is your insurance coverage for digital assets?
- How long does it take to withdraw from cold storage?
- Which blockchain assets do you support?
- What are your pricing tiers and volume discounts?
Phase 2: Technical and Security Review (2-4 Weeks)
Security Architecture:
- Request architecture diagrams (logical and physical)
- Review key generation procedures
- Understand multi-signature or MPC implementation
- Assess HSM usage and configuration
- Evaluate geographic distribution of keys
Operational Procedures:
- Request employee background check policies
- Review segregation of duties and dual control procedures
- Understand transaction approval workflows
- Assess monitoring and alerting capabilities
- Review incident response procedures
Proof of Reserves:
- Request latest proof of reserves attestation
- Verify on-chain holdings match reported reserves
- Confirm attestation performed by reputable third party
- Understand frequency of attestations (monthly, quarterly)
Penetration Testing:
- Request most recent penetration test results (sanitized)
- Confirm testing performed by reputable third party (e.g., Trail of Bits)
- Understand remediation of identified vulnerabilities
- Verify testing includes web application, API, infrastructure
Phase 3: Legal and Contractual Review (2-3 Weeks)
Custody Agreement:
- Engage legal counsel to review custody agreement
- Confirm you retain beneficial ownership of assets
- Verify assets segregated and bankruptcy-remote
- Assess liability limitations and indemnification
- Negotiate unacceptable terms (if possible)
Insurance Review:
- Verify insurance policies cover your assets specifically
- Understand deductibles and how losses are shared
- Confirm you are named as loss payee or beneficiary
- Review exclusions (e.g., war, nuclear event, protocol failure)
- Verify carrier financial strength (A.M. Best rating)
Business Continuity:
- Request disaster recovery plan summary
- Understand key recovery procedures
- Confirm redundant infrastructure and failover capabilities
- Assess succession plan if custodian ceases operations
Phase 4: Reference Checks and Final Decision (1-2 Weeks)
Client References:
- Contact 2-3 client references provided by custodian
- Ask about service quality, responsiveness, uptime
- Inquire about any incidents or issues experienced
- Understand onboarding process and timeline
Public Reputation:
- Research custodian online (news, forums, social media)
- Check for security incidents, hacks, or breaches
- Review customer complaints and dispute resolution
- Assess thought leadership and industry participation
Pilot Program:
- Start with small deposit (minimum balance)
- Test deposit and withdrawal procedures
- Evaluate API integration and ease of use
- Assess customer support responsiveness
- Expand custody relationship after successful pilot
Phase 5: Ongoing Monitoring (Continuous)
Annual Reviews:
- Review updated SOC 2 Type II report annually
- Verify insurance renewal and coverage updates
- Confirm regulatory status remains in good standing
- Reassess pricing competitiveness
Quarterly Attestations:
- Review proof of reserves attestations
- Reconcile your account balance with on-chain holdings
- Verify custodian financial statements (if publicly available)
Incident Monitoring:
- Monitor news for security incidents affecting custodian
- Review custodian communications about incidents
- Assess custodian response to industry-wide events
- Maintain contingency plan to migrate to alternative custodian
What custody actually costs
The total cost of custody is more than a basis-point fee, and it scales with the size and complexity of what you hold. Budget for four things: the custodian’s fee, charged in basis points on assets under custody and discounted as balances grow; the operational stack around it, such as transaction monitoring, reconciliation, and reporting tools; compliance overhead, including SOC 2 and other audits plus insurance; and the people to run it.
The trade-off shifts with scale. For a smaller company, a qualified custodian is usually cheaper all-in than building self-custody, because the audit, insurance, and staffing a self-custody program demands often exceed the custodian’s fee. As assets grow, a hybrid model — a qualified custodian for the cold-stored majority plus a self-custody layer for operations — tends to optimize cost against control, and custody becomes a material operating expense that warrants board-level attention. None of these figures are publicly standardized, so build your budget from written quotes for your own asset mix rather than from published ranges.
Implementation Roadmap: Onboarding a Qualified Custodian
Onboarding a qualified custodian is not instant—expect 6-12 weeks from initial contact to first deposit. Here’s a realistic implementation timeline.
Weeks 1-2: Selection and Initial Contact
Activities:
- Complete due diligence checklist (see above)
- Narrow to 2-3 finalist custodians
- Schedule calls with sales and technical teams
- Request and review SOC 2 reports and sample agreements
Deliverables:
- Custodian selection decision
- Preliminary pricing and fee negotiation
Weeks 3-4: Legal and Contractual
Activities:
- Engage legal counsel to review custody agreement
- Negotiate terms (liability, indemnification, termination)
- Execute custody agreement and related documents
- Complete corporate governance approvals (board resolution)
Deliverables:
- Signed custody agreement
- Board authorization for custody relationship
Weeks 5-6: KYC and Compliance
Activities:
- Complete custodian’s KYC/AML onboarding
- Provide corporate documents (articles, bylaws, operating agreement)
- Provide beneficial ownership information (FinCEN Form)
- Background checks on key employees (if required)
Deliverables:
- KYC approval from custodian
- Account opened and activated
Weeks 7-8: Technical Integration
Activities:
- API key generation and secure exchange
- Integrate custody API with your systems
- Configure transaction approval workflows
- Set up whitelisting/blacklist rules
- Test deposits and withdrawals in sandbox environment
Deliverables:
- Working API integration
- Successful test transactions
Weeks 9-10: Initial Funding and Testing
Activities:
- Initial deposit (start with minimum balance or pilot amount)
- Test deposit confirmation and reconciliation
- Test withdrawal request and approval process
- Verify transaction monitoring and alerts
- Confirm reporting and statements
Deliverables:
- Successful deposit and withdrawal
- Account reconciliation verified
Weeks 11-12: Full Migration and Cutover
Activities:
- Migrate remaining assets from prior custody solution
- Decommission old wallets (after confirming full migration)
- Establish ongoing reconciliation procedures
- Train treasury team on custodian platform
- Document custody procedures in runbook
Deliverables:
- Full asset migration complete
- Custody operations documented and operational
Ongoing: Monitoring and Compliance
Monthly:
- Reconcile custody account balances
- Review transaction activity and anomalies
- Monitor custodian service availability
Quarterly:
- Review proof of reserves attestations
- Assess custodian performance against SLAs
- Evaluate pricing competitiveness
Annually:
- Review updated SOC 2 Type II report
- Verify insurance coverage renewal
- Reassess custodian relationship and alternatives
Conclusion: Custody as Competitive Advantage
Qualified custodian requirements are not regulatory burdens—they’re competitive advantages. Companies with institutional-grade custody architecture gain regulatory confidence, banking access, customer trust, and acquisition readiness that competitors without proper custody cannot match.
The choice between self-custody and qualified custody is not binary. Most regulated crypto companies implement hybrid architectures: qualified custodians for cold storage and customer reserves, enhanced self-custody for operational hot wallets. This approach balances regulatory compliance, operational efficiency, and cost management.
Start your custodian evaluation early. Onboarding an institutional custodian takes weeks, not days, and the deadlines are close: California’s DFAL licensing requirement takes effect July 1, 2026, and the GENIUS Act’s custody rules apply as early as January 2027. Companies that establish qualified-custody relationships now will avoid the crowd as those dates near.
Custody is infrastructure. Like banking relationships and legal counsel, it’s not optional for regulated crypto companies. Choose wisely, implement thoroughly, and monitor continuously.
Need Custody Architecture Guidance?
Astraea Counsel helps crypto companies design compliant custody architectures, select qualified custodians, and implement state and federal custody requirements. We advise stablecoin issuers, exchanges, and DAOs on custody strategy, vendor selection, and regulatory compliance.
Schedule a consultation to discuss your custody requirements.
Related Resources
- Treasury Management for Crypto Companies - Complete framework for custody architecture, multi-sig, and compliance
- The GENIUS Act: Stablecoin Compliance Roadmap - Reserve and custody requirements for stablecoin issuers
- Money Transmitter Licensing Guide - State-by-state custody requirements for MTLs
- Regulatory Compliance Services - Navigate federal and state custody regulations
Footnotes
-
GENIUS Act, Pub. L. No. 119-27, S. 1582, 119th Cong. (2025), available at https://www.congress.gov/bill/119th-congress/senate-bill/1582/text ↩
-
WilmerHale, “What the GENIUS Act Means for Payment Stablecoin Issuers, Banks, and Custodians” (July 18, 2025), available at https://www.wilmerhale.com/en/insights/client-alerts/20250718-what-the-genius-act-means-for-payment-stablecoin-issuers-banks-and-custodians ↩
-
California Digital Financial Assets Law, Cal. Fin. Code Div. 1.25 (Assemb. Bill 39 (2023), as amended by Assemb. Bill 1934); § 3503 (licensee custody of customer digital financial assets); § 3906 (civil penalties — up to $100,000 per day for unlicensed activity and $20,000 per day for a licensee violation). On the enforcement example and effective dates, see In re Coinme, Inc. (DFPI consent order, 2025) and California Department of Financial Protection and Innovation, “Digital Financial Assets Law” (license applications opened March 9, 2026; licensing requirement effective July 1, 2026), available at https://dfpi.ca.gov/regulated-industries/digital-financial-assets/digital-financial-assets-law-frequently-asked-questions/ ↩ ↩2
-
OCC Interpretive Letter #1183 (Mar. 7, 2025) (rescinding the supervisory non-objection required by Interpretive Letter #1179); OCC Interpretive Letter #1184 (May 7, 2025), available at https://www.occ.gov/news-issuances/news-releases/2025/nr-occ-2025-42.html. On the accounting change that reopened bank custody, see SEC Staff Accounting Bulletin No. 122 (Jan. 23, 2025) (rescinding SAB 121). On the December 12, 2025 national trust-bank charters (BitGo, Paxos, and Fidelity Digital Assets converting from state trusts; Circle and Ripple chartered de novo), see OCC News Release nr-occ-2025-125 (Dec. 12, 2025). ↩ ↩2
-
Kraken Blog, “Kraken completes SOC 2 Type 2 compliance report, underscoring commitment to institutional security” (2025), available at https://blog.kraken.com/product/security/soc-2-type-2 ↩
-
Gemini, “Institutional Custody” (describing SOC 2 Type 2 and ISO 27001 certification), available at https://www.gemini.com/institutions/custody ↩
-
Crypto News, “Crypto-friendly Custodia Bank achieves SOC 2 Type II compliance certification” (2025), available at https://crypto.news/crypto-friendly-custodia-bank-achieves-soc-2-type-ii-compliance-certification/ ↩