Article
Real-World Workflow

The Institutional Digital Asset Operating Model

Sagar Prasad
Portfolio Manager
In This Article
Share
Questions? Speak to our Team

In the first week of July 2026, BNY — the world's largest custody bank at 59 trillion dollars under custody and administration — expanded support for institutional clients to custody, mint, and redeem USDC on its own infrastructure, and Standard Chartered followed within days with direct mint-and-redeem access of its own. Two G-SIBs shipping the same capability in one week, while the OCC's proposed GENIUS custody rules move through comment and Chainalysis projects stablecoin settlement volumes approaching a quadrillion dollars annually by 2030. As one executive put it, the debate has shifted from whether to use these rails to how. Over the past 52 posts I have walked through the pieces one at a time; this one assembles them into the operating model — the six layers a CFO actually runs, and the evidence stack each layer produces.

The Legacy Operating Model

The institution already has an operating model for every other asset class: entities and mandates defined by legal, custody at a qualified custodian, execution through approved brokers under a best-execution policy, collateral and cash managed by treasury, risk parameters set by a committee, and everything reconciled monthly to the general ledger and tested annually by the auditor. Digital assets historically entered sideways — an ETF line in a brokerage account, a wallet someone in innovation opened, a venue relationship with no counterparty review. The operating-model question is not whether to add a crypto desk. It is whether each existing function — legal, custody, treasury, trading, risk, finance — has a defined digital asset workflow with the same discipline it applies everywhere else.

The Operating Model in Six Layers

Layer one, entity and governance: each legal entity mapped to its jurisdiction and license scope, an investment policy statement amended for the digital asset mandate, a signing matrix defining who authorizes what size with what second approval, and a named owner for the regulatory calendar — the function that keeps a MiCA July 1 deadline or an OCC comment period from arriving as a surprise. Layer two, custody and keys: a qualified custodian holding the core in segregated, bankruptcy-remote accounts; an MPC tier for operational balances; and a multi-custodian policy, which regulators from MAS to the HKMA now encourage and custody analysts expect to become standard. Compliance runs inside the custody workflow — transaction screening at the point of movement, not after settlement. Layer three, cash, collateral, and routing: the jurisdiction matrix deciding which compliant stablecoin each entity holds, a hold-versus-convert routing policy applied to every receipt, idle balances swept to a tokenized money market sleeve as a deliberate investment position, and tokenized Treasuries posted as venue collateral where accepted. Layer four, execution and hedging: OTC or prime for size, regulated options venues for downside protection, and cross-chain movement through native burn-and-mint rather than wrapped bridges. Layer five, yield operations: staking through managed non-custodial validators with the withdrawal address at the institution's own custodian — now available directly inside major custody platforms — restaking sized as compensated tail risk, and DeFi strategies only where a realistic-cost backtest survives. Layer six, risk, reporting, and finance: stress parameters from an independent engine, counterparty and depeg monitoring, and monthly on-chain-to-ledger reconciliation feeding the audit.

Where It Breaks

Three cross-cutting failures recur. First, layer mismatch: assets titled to the wrong entity, custody that does not match the books, a venue license that does not cover the activity — each layer correct in isolation, wrong in combination. The control is a single mapping document tying every wallet to an entity, a custodian, a license, and a signer. Second, single-provider concentration: one custodian, one risk engine, one oracle, one banking partner. Each is a quiet single point of failure, and identical risk models across counterparties produce correlated surprises. Third, the calendar: an operating model with no regulatory-change owner runs yesterday's compliance into tomorrow's regime — the pattern behind every enforcement-cliff casualty this year.

Costs, Timing, and the Audit Trail

The assembly now takes one to two quarters for a fund or family office and longer for a bank — but it is assembly, not pioneering: OCC national trust charters at the major custody and issuance firms, reserve custody rulemaking in motion, staking integrated into custody platforms, and attestation APIs as standard features mean every layer can be bought or contracted at production grade. For a CPA, the operating model is the audit trail: the IPS and signing matrix are the authorization evidence; custodian statements and proof-of-reserves attestations the existence evidence; the wallet-to-entity mapping and monthly on-chain reconciliation the completeness evidence; the routing-policy decision log, hedge documentation, tax lots, and fair-value marks the measurement evidence. Each layer produces the record the next one depends on, and the auditor tests the model, not a pile of exceptions. The constructive signal is the week that opened this post: when the world's largest custodian and a second G-SIB ship the same stablecoin capability days apart, the operating model stops being a design exercise and becomes a procurement decision — and the institutions that treated the last two years as assembly time are the ones already running it.

For informational purposes only. Not an offer to buy or sell any security. Available only to accredited investors who meet regulatory requirements.

Recommended blog posts