Custody solutions for institutional crypto asset managers

The cornerstone of institutional crypto

The rapidly evolving world of digital assets has seen institutional investors increasingly allocating significant portions of their portfolios to cryptocurrencies. As of 2025, global institutional adoption has surged, with surveys indicating that over 60% of hedge funds, pension funds, and asset managers now hold digital assets, a substantial increase from 40% in 2023. This profound shift underscores the critical need for robust custody solutions - specialized services designed to securely store, manage, and protect crypto holdings. Safeguarding institutional assets through robust custody frameworks is essential to ensure trust and security at scale.

Unlike traditional assets, cryptocurrencies are bearer instruments, meaning that possession of private keys equates to ownership. A single security breach can result in irreversible losses, as evidenced by high-profile incidents like the 2024 Ronin Network breach that siphoned $625 million. This makes custody a cornerstone of institutional risk management. For asset managers handling billions in client funds, traditional self-custody options like hardware wallets are often insufficient due to scalability and regulatory demands. As a result, there is a growing emphasis on the need for safe custody solutions that meet institutional standards.

Beyond mere storage, institutional crypto custody encompasses compliance with regulatory frameworks, integration with trading platforms, insurance against theft, and seamless access for portfolio management. It is a strategic, regulatory, and operational necessity, reflecting a market progression from early, unregulated phases to a professionalized "Custody 2.0" era. The increasing clarity in global regulatory frameworks is not just a compliance obligation, but a crucial enabler, reducing perceived risks and fostering greater trust in the digital asset ecosystem. Choosing a third-party crypto custody provider enhances security and simplifies management for institutional investors.

The evolution and current landscape in 2025

The crypto custody sector has matured significantly since its inception in the late 2010s, evolving from rudimentary cold storage solutions. By 2025, the market is projected to exceed $3.28 billion, driven by regulatory clarity and institutional inflows. Key drivers of this growth include the repeal of restrictive frameworks like the U.S. SEC's Special Purpose Broker-Dealer (SPBD) in May 2025, which opened crypto custody to broker-dealers, and the Office of the Comptroller of the Currency (OCC) clarifying bank permissions for crypto custody in May 2025, enabling national banks to hold digital assets without prior approval. Increasingly, regulatory oversight is shaping the custody landscape, ensuring higher standards of compliance, security, and investor protection.

Institutional enthusiasm continues to grow, with EY's 2025 Institutional Investor Digital Assets Survey revealing that investors increased allocations last year and plan further expansions, citing improved custody as a top factor. Globally, Europe's MiCA regulation has standardized custody requirements, and in Asia, South Korea's BDACS launched XRP custody in August 2025.

Today, custody solutions cater to diverse needs, ranging from pure storage to integrated platforms offering staking, lending, and trading capabilities, all while delivering the operational flexibility required to meet the evolving demands of institutional clients. The market is dominated by a mix of traditional banks like BNY Mellon and State Street, crypto-native firms such as XBTO, Coinbase, and BitGo, and hybrids like Fidelity Digital Assets, which blend traditional finance expertise with blockchain innovation.

Understanding core custody models

Institutional crypto custody solutions fall into several categories, each with distinct advantages and trade-offs tailored to an institution's risk tolerance, operational needs, and regulatory obligations.

Key technologies underpinning institutional custody

The secure and efficient management of digital assets relies on a sophisticated interplay of various storage solutions and advanced cryptographic mechanisms.

Storage solutions (as detailed above, blending hot, cold, and warm to balance security and accessibility). Warm wallets, for instance, maintain some online connectivity for automated transaction creation but require human involvement for final signing, often integrating HSMs or MPC for private key protection.


Cryptographic security mechanisms:

1. Multi-signature (Multi-sig) wallets: Operate on the principle that a predefined number of private keys (e.g., an M-of-N scheme) must collectively authorize a transaction. This design eliminates a single point of failure and substantially enhances security by reducing the risk of theft, hacking, or internal misuse. It supports segregation of duties and increases accountability, aligning well with regulatory compliance. However, multi-sig wallets can be technically complex to set up and manage, and transactions require coordination, potentially leading to slower processing times. Not all cryptocurrencies natively support multi-sig, and poor implementations can introduce vulnerabilities. They are commonly used for DAO governance, team-shared funds, and basic shared control.

2. Multi-party computation (MPC): An advanced cryptographic technique that addresses private key management by splitting a private key into multiple "shares" distributed across different devices or parties. Crucially, no single party ever holds the complete private key, nor is the full key ever reconstructed in one place, even during the signing process. MPC effectively eliminates single points of failure and significantly enhances security, providing distributed trust and resilience. Compared to multi-sig, MPC offers greater flexibility and scalability, with authorization thresholds that can be changed dynamically without new wallets. Its off-chain signing processes often result in faster transaction confirmations and lower gas fees, and it is universally compatible with virtually all blockchains. MPC has become a de facto standard for institutional custody, particularly where secure automation and scalability are paramount.

3. Hardware security modules (HSMs): Dedicated, hardened, and tamper-resistant physical computing devices specifically designed to securely generate, store, and manage cryptographic keys within an isolated environment. HSMs are widely considered the "gold standard" for private key protection, undergoing rigorous testing and certification (e.g., FIPS 140-2/3, Common Criteria EAL4+). They ensure private keys never leave the device and cryptographic operations are performed securely within its boundary. While providing formidable security, HSMs have limitations, including their static, hardware-based nature, which can challenge adaptation to rapidly evolving digital environments and new blockchain protocols. Upgrading them can be costly and time-consuming, and they may struggle to support newly introduced ledgers. They are primarily used for secure cold storage, master key protection, and high-value asset vaults.

The progression from basic hot/cold storage to sophisticated cryptographic schemes like Multi-Sig, MPC, and HSMs reflects a maturing understanding of digital asset security, driven by the dual imperative to mitigate both external cyber threats and internal risks. MPC, in particular, emerges as a pivotal technology, bridging the "trilemma" of security, speed, and scalability.

Leading providers and comparisons

The 2025 custody market features a dynamic mix of established financial institutions and crypto-native innovators.

1. XBTO Vault: Purpose-built for digital asset protection. XBTO offers a three-tiered custody architecture for diverse operational needs, emphasizing institutional-grade security with multi-signature cold or warm storage, bank-grade infrastructure, and enterprise controls. It is licensed by the Bermuda Monetary Authority (BMA) and FSRA ADGM, ensuring full auditability, reporting, and governance. XBTO Vault features segregated wallets, a 24-hour timelock on withdrawals, independent proof of reserves (verifiable via a blockchain explorer), Know Your Transaction (KYT), Travel Rule compliance, and is bankruptcy-remote. XBTO, operating across six global financial hubs, has been creating advantages in digital assets since 2015, combining deep digital asset experience with a "TradFi mindset".

XBTO Vault: Digital asset protection with bankruptcy-remote custody | AI generated image by XBTO

Download the primer

2. Fidelity Digital Assets: Leverages Fidelity's traditional finance legacy for integrated custody and trading. It offers 24/7 support, SOC 2 audits, and cold storage with MPC. In 2025, it expanded to real-world assets (RWAs) and staking, providing insurance up to $1 billion. Fees are tiered, starting at 0.25% AUM.
3. Coinbase Custody: Supports over 200 assets with $320 million insurance. It features segregated accounts and API integrations for seamless management, with recent enhancements including DeFi yield farming custody. It is strong in U.S. compliance.
4. BitGo: A pioneer in multi-signature technology, serving exchanges like eToro. It offers $250 million in insurance and supports over 700 tokens. Its 2025 focus includes Web3 and NFT custody.
5. Anchorage Digital: The first OCC-chartered crypto bank, providing custody, staking, and financing. It utilizes MPC and undergoes regular audits, making it ideal for cross-border needs.
6. Traditional banks: Institutions like BNY Mellon and State Street now offer crypto custody services, often bridged with fiat services, emphasizing scalable trust-building.

When selecting a provider, institutional managers should consider factors such as Asset Under Management (AUM) fees (typically 0.1-2%), the scope of insurance, and the ease of integration with existing systems.

Critical considerations for selecting a custody solution

For institutional crypto asset managers, selecting a custody solution is not merely a technical decision; it involves establishing a comprehensive and holistic risk management framework.

• Security protocols and infrastructure: A robust security posture is multi-layered and extensive. This includes multi-signature authorization, strategic use of cold storage for the majority of assets, hot wallets for necessary liquidity, continuous vulnerability testing, and 24/7 monitoring. Advanced measures include Multi-Party Computation (MPC), biometric authentication, Hardware Security Modules (HSMs), robust data encryption, DDoS attack protection, and continuous monitoring. Crucially, custodians should provide "proof of reserves" regularly audited by independent third parties to ensure transparency and verify asset backing. Physical security controls, like secure vaults for offline storage, are essential. Internally, strict segregation of duties and least-privilege access protocols are vital to minimize human error and mitigate insider threats. The widespread emphasis on external audits, such as SOC 1 Type II and SOC 2 Type II reports, is critical for independent verification of the custodian's security architecture.
• Regulatory compliance and fiduciary responsibilities: A qualified custodian must demonstrate strict adherence to all relevant laws and regulations, including comprehensive Know Your Customer (KYC) and Anti-Money Laundering (AML) rules, as well as compliance with international standards like the FATF Travel Rule. The definition of a "qualified custodian" is under continuous scrutiny, with expectations for tighter definitions in forthcoming SEC rulemaking. A cornerstone of institutional custody is rigorous asset segregation, meticulously separating an investor's assets from the custodian's own proprietary holdings to protect clients in the event of bankruptcy. Transparency through frequent auditing and reporting is a key expectation. For institutional clients, a qualified custodian has a legal obligation to act in the best interest of its clients, upholding the highest standards of care. The chosen solution must seamlessly align with the institution's existing internal control frameworks and broader risk management systems.
• Operational efficiency and integration: The ideal custodian offers seamless integration with cryptocurrency exchanges and robust trading capabilities, enabling rapid access to liquidity and minimal price slippage. Application Programming Interface (API) capabilities are crucial for automation and integration with internal systems. Beyond storage and trading, custodians should support value-added services such as staking (to earn rewards on Proof-of-Stake networks) and participation in on-chain governance. Clear, comprehensive, and audit-ready reporting is essential for compliance and tax obligations. Given the 24/7 nature of crypto markets, the custody solution must support continuous operation, ensuring immediate access to assets around the clock. Integration with prime brokerage services, portfolio management systems (PMS), execution management systems (EMS), and audit/compliance tools is also paramount.
• Insurance and asset protection: Many reputable custodians offer comprehensive insurance coverage for digital assets, providing a critical safety net against security breaches, theft, or operational failures. This coverage typically extends to losses from cold storage compromises, criminal acts, key management failures, internal collusion, and administrative errors. It is crucial for institutions to conduct thorough due diligence on any insurance policy offered, understanding its scope, limitations, and the specific risks it covers.
• Cost structures: Custody costs typically include an annual custody fee (a small percentage of AUM, usually less than 1%), a potential one-time setup fee (often waived), and withdrawal fees (often a flat fee per crypto withdrawal). A thorough cost-benefit analysis is essential.
• Provider reputation and track record: Thorough due diligence on a prospective custodian's reputation, client satisfaction, and tenure in the digital asset industry is paramount. This includes researching their history, assessing their stability, and understanding their approach to risk management, as well as meticulously reviewing independent audit reports and detailed insurance policy coverage. Key questions include their regulatory licenses, private key management, incident response protocols, and scalability.

Navigating the global regulatory landscape

The global regulatory landscape for digital asset custody is fragmented but rapidly maturing.

1. United States: Financial institutions providing digital asset custody are increasingly expected to meet cybersecurity and operational benchmarks aligned with NIST frameworks. The definition of a "qualified custodian" is undergoing significant scrutiny by the SEC, aiming for tighter and expanded definitions. The OCC's Interpretive Letter 1184 reaffirms national banks' authority to provide crypto asset custody. There is a strong call for the SEC and CFTC to provide clearer guidance on registration, custody, trading, and recordkeeping. Regulators also signal support for integrated models, allowing broker-dealers and futures commission merchants (FCMs) to custody client assets. Proactive stances on AML/CFT and clarity on Bank Secrecy Act (BSA) obligations are crucial.
2. European Union: The Markets in Crypto-Assets Regulation (MiCA) has instituted a uniform EU market rulebook for crypto-assets not covered by existing financial services legislation, addressing transparency, disclosure, authorization, and supervision. MiCA mandates that custodians must be authorized, comply with capital requirements, operational risk standards, and audit obligations. The DLT Pilot Regime, effective since March 2023, provides a legal framework for trading and settlement of crypto-assets that qualify as financial instruments under MiFID II, facilitating new DLT market infrastructures.
3. United Kingdom: Adopting an approach that expands its existing financial services framework, the Financial Services and Markets Act (FSMA) makes the safeguarding of "qualifying cryptoassets" a regulated activity requiring FCA authorization. Proposed rules mandate that client cryptoassets must be segregated from the firm's own assets, ideally held via a non-statutory trust, to protect client interests in insolvency. Custodians must maintain accurate records, perform daily reconciliations, and implement robust private key management. A tailored prudential framework mandates permanent minimum capital requirements (e.g., £150,000 for custodians) and a 'K-factor' capital requirement (0.04% of client cryptoassets safeguarded).
4. Singapore: The Monetary Authority of Singapore (MAS) is implementing new rules for Digital Payment Token Service Providers (DPTSPs), effective October 2023, with a strong focus on safeguarding customer assets. Key requirements include depositing customer assets into a custody account held on trust, rigorously segregated from the DPTSP's own assets, and ensuring at least 90% of customer Digital Payment Tokens (DPTs) are stored in cold wallets. Notably, MAS has explicitly prohibited DPTSPs from facilitating the lending and staking of digital payment tokens for retail customers.
5. Switzerland: Has adopted a principle-based approach, applying existing financial market laws to crypto activities via FINMA. Licensing requirements vary, with a banking license generally required for accepting deposits or collective custody. Key exemptions exist for segregated storage in individual blockchain addresses for each client, where assets are always available and cannot be used by the custodian. Regardless of licensing, crypto custodians qualify as financial intermediaries under the Swiss Anti-Money Laundering Act, mandating KYC obligations, reporting suspicious activities, and adherence to the FATF Travel Rule.

Institutions should select custodians with multi-jurisdictional licensing to ensure global compliance.

Future trends

Looking ahead, the role of custody will evolve from a static safekeeping function to an active enabler of capital efficiency. Key trends include:

1. DeFi custody: Integration with decentralized finance protocols for yield optimization.
2. Tokenization of assets: Expanding custody scope to include digital representations of real-world assets (RWAs), with tokenized assets projected to reach $16 trillion by 2030.
3. Quantum-resistant encryption and AI security: Emergence of advanced cryptographic and security technologies.
4. Real-time collateralization: Using held assets as collateral for trading, lending, or derivatives without removing them from custody.
5. Programmable compliance: Automating KYC/AML and jurisdictional restrictions at the smart-contract level.
6. Interoperability with DeFi: Secure, regulated access to decentralized liquidity pools.
7. 24/7 settlement networks: Continuous settlement across multiple asset classes.

Institutional surveys predict doubled allocations by 2027, driven by scalable solutions. By 2030, the most competitive custodians will likely be full-stack financial infrastructure providers, integrating custody, settlement, liquidity, compliance, and risk analytics on a single platform. Innovations like Binance's off-exchange custody with BBVA signal growing global partnerships.

Custody as a strategic differentiator

Custody solutions are the bedrock of institutional crypto management in 2025, offering security, compliance, and efficiency. For institutional crypto asset managers, custody is no longer simply a box to tick, but a strategic enabler of performance, compliance, and investor confidence. The right custody solution must balance robust security with operational agility, strict regulatory adherence with technological innovation, and asset protection with capital efficiency.

The role of institutional crypto custodians is rapidly evolving beyond passive asset safekeeping to encompass a broader suite of value-added services, including active participation opportunities like staking, on-chain governance, and integrated trading capabilities. This transformation signifies that custodians are becoming integral partners in an institution's active digital asset management strategy, enabling them to unlock new growth opportunities within the Web3 ecosystem and dynamically adapt to market shifts.

In a rapidly maturing digital asset market, those who invest in the right custody infrastructure today will be best positioned to manage risk, attract institutional capital, and seize opportunities in the tokenized economy of tomorrow. The sector's evolution demands meticulous attention to specific jurisdictional requirements, underscoring the complexity and criticality of informed decision-making in this rapidly evolving financial frontier.