Custody & Asset Safeguarding
Custody is where virtual asset risk stops being theoretical and starts becoming painfully real. If a firm controls client assets, private keys, wallet permissions, transfer logic, or recovery pathways, it assumes a materially higher safeguarding burden. This guidance explains the control expectations that sit behind that burden.
Core safeguarding expectations
Where custody or wallet control exists, these expectations become central to the review. The exact depth varies by model, but the logic stays the same: clearer asset control means clearer safeguarding obligations.
Segregation of client assets
Client assets should be clearly distinguishable from firm assets, both operationally and in internal records. If omnibus structures are used, the mapping and reconciliation controls must still make client attribution defensible.
Key governance
Private keys, signing rights, recovery permissions, and approval logic should be tightly governed. The framework expects role separation, access reviews, and limits on unilateral movement.
Reconciliations
Wallet balances, customer ledgers, treasury movements, and exception items should be reconciled on a disciplined schedule, with clear investigation and sign-off for breaks.
Incident response
Safeguarding is only credible if the firm can handle abnormal events: compromise, unauthorized transfer attempts, key misuse, ledger mismatch, vendor outages, or recovery failure.
A serious custody model explains how hot, warm, and cold wallets are used, who can access them, how transfers are approved, how limits are enforced, and how emergency scenarios are handled. Reviewers usually want logic, ownership, and evidence — not vague “bank-grade security” marketing fluff.
- Define wallet tiers and permitted transaction types per tier.
- Set approval thresholds and escalation rules for transfers.
- Document provider dependencies, integrations, and fallback arrangements.
- Track every administrative action through logs and reviews.
Private key governance should reduce concentration risk, misuse risk, insider threat risk, and operational fragility. The key issue is not whether keys are “encrypted.” The key issue is whether permissions, approvals, monitoring, and recovery processes are genuinely defensible.
- No single point of unchecked control for high-value asset movement.
- Access rights reviewed on a scheduled basis and after role changes.
- Key generation, storage, rotation, and retirement events documented.
- Emergency use procedures tightly limited and independently reviewed.
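The wallet-tier, approval-threshold and "no single point of unchecked control" items in the two lists above can be enforced as a check that runs before any transfer is signed. The following is an added example, not part of the original guidance: the tier names come from the text, while the limits, quorum sizes, role names, transaction types and the `evaluate` function are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy: tier names follow the page (hot/warm/cold); the limits,
# quorum sizes and transaction types are illustrative assumptions.
POLICY = {
    "hot":  {"types": {"client_withdrawal"}, "max_amount": 50_000, "approvals": 1},
    "warm": {"types": {"client_withdrawal", "rebalance"}, "max_amount": 1_000_000, "approvals": 2},
    "cold": {"types": {"rebalance"}, "max_amount": None, "approvals": 3},
}
ESCALATION_THRESHOLD = 250_000  # assumed: above this, an independent "risk" approver is needed


@dataclass
class Transfer:
    tier: str
    tx_type: str
    amount: int
    initiator: str
    approvers: list = field(default_factory=list)  # (user, role) tuples


def evaluate(t: Transfer) -> list:
    """Return the policy violations; an empty list means the transfer may be signed."""
    rule = POLICY.get(t.tier)
    if rule is None:
        return [f"unknown wallet tier {t.tier!r}"]
    problems = []
    if t.tx_type not in rule["types"]:
        problems.append(f"{t.tx_type} not permitted from {t.tier} tier")
    if rule["max_amount"] is not None and t.amount > rule["max_amount"]:
        problems.append(f"amount exceeds {t.tier} tier limit")
    # Role separation: the initiator never counts toward the quorum, and the
    # set collapses duplicates so one person cannot approve twice.
    independent = {user for user, _ in t.approvers if user != t.initiator}
    if len(independent) < rule["approvals"]:
        problems.append(f"{len(independent)} independent approvals, {rule['approvals']} required")
    if t.amount > ESCALATION_THRESHOLD and not any(
        role == "risk" and user != t.initiator for user, role in t.approvers
    ):
        problems.append("escalation required: no independent risk approver")
    return problems


if __name__ == "__main__":
    # Constructed request: the initiator tries to count as one of two approvers.
    demo = Transfer("warm", "rebalance", 400_000, "alice", [("alice", "ops"), ("bob", "ops")])
    for p in evaluate(demo):
        print("DENY:", p)
```

Logging every returned violation alongside the request gives the reviewable record of administrative actions that the first list calls for.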
Reconciliations should identify unmatched balances, stale items, unauthorized movement, failed settlements, and ledger inconsistencies quickly enough that corrective action is still meaningful.
If a third-party custodian, wallet stack, signing provider, or operational vendor is used, governance should cover due diligence, SLAs, incident access, data flows, recovery support, and termination risk.
Client-facing disclosures should explain how assets are held, where third parties are involved, and what operational limitations or recovery constraints may apply.
Most common safeguarding weakness
The biggest problem is usually not “no policy.” It is weak alignment between wallet architecture, internal records, approvals, vendor arrangements, and actual daily operations. That gap is where real losses tend to hide.