
A Washington Monthly investigation published this week reported that over $40 million in digital assets were allegedly stolen from government-controlled wallets in 2025, part of a federal stockpile now valued at roughly $23 billion. The episode is a case study in what happens when custody infrastructure does not match the value it secures. For institutional allocators subject to SEC oversight, "qualified custody" is not optional -- it is the regulatory prerequisite that determines whether digital asset exposure is even permissible.
Under the Investment Advisers Act, registered investment advisers must hold client assets with a "qualified custodian" -- defined as a national bank, state-chartered trust company, registered broker-dealer, or futures commission merchant. The custodian's job is conceptually simple: segregate client assets from the firm's own balance sheet and maintain controls that prevent unauthorized movement. In traditional markets, this is well-understood plumbing. For digital assets, it becomes an architecture problem.
Digital asset custody means securing private keys -- the cryptographic strings that authorize on-chain transactions. Unlike a stock held in a central depository, a private key is both the credential and the vulnerability. If the key is compromised, the assets move irreversibly. There is no clearinghouse to reverse the transaction. The custodian must build around a single constraint: the private key can never be exposed to an unauthorized party, yet it must remain available when a legitimate transaction is required.
From a failure analysis perspective, the operational risks concentrate in three areas.
Key compromise is the most visible failure mode. Keys stored in internet-connected ("hot") environments are exposed to remote attack. The industry standard for institutional custody is cold storage -- keys held on hardware security modules (HSMs) or air-gapped devices that never connect to a network. But cold storage introduces latency: moving assets from cold to hot wallets creates a window during which keys are momentarily exposed. Multi-party computation (MPC) has emerged as a mitigation, splitting key material across multiple servers so no single device ever holds the complete key. Coinbase Custody, BitGo, and Fireblocks each use variations of this approach.
Governance and access control failures are harder to detect externally. The question is not just how the key is stored but who can authorize its use. Institutional custodians implement multi-signature or threshold approval workflows -- requiring, say, three of five authorized signers to approve a withdrawal above a certain threshold. The failure mode is social, not cryptographic: insider collusion, compromised credentials, or stale access lists after personnel changes. The Washington Monthly report linked the government wallet thefts to a contractor with access to key material -- precisely the governance gap that institutional frameworks are designed to close.
Bankruptcy remoteness is the third concern. If a custodian becomes insolvent, are client assets legally segregated from the custodian's estate? The FTX collapse demonstrated that commingled funds could be trapped in proceedings for years. Qualified custodians operating as state-chartered trust companies are generally required to segregate client assets, and the SEC's September 2025 no-action letter reinforced this by conditioning relief on written agreements prohibiting rehypothecation without explicit client consent.
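The threshold-approval check described under governance and access control above, as an added example that is not from the article or from any custodian's code: it counts only distinct approvals from signers who are on the roster and still active staff, so a stale roster entry cannot help reach quorum. The signer names, the USD threshold, the request IDs and the rule that a requester cannot approve their own request are assumptions.

```python
from dataclasses import dataclass

# All names, amounts and IDs below are constructed for illustration.
QUORUM = 3                     # "three of five" from the text
LARGE_WITHDRAWAL = 1_000_000   # hypothetical threshold in USD

@dataclass(frozen=True)
class Approval:
    signer: str
    request_id: str

def stale_signers(roster, active_staff):
    """Roster entries that no longer map to active personnel."""
    return sorted(set(roster) - set(active_staff))

def evaluate_withdrawal(request_id, requester, amount, approvals, roster, active_staff):
    """Return (allowed, valid_signers, rejected) for one withdrawal request."""
    required = QUORUM if amount > LARGE_WITHDRAWAL else 1
    valid, rejected = [], []
    for a in approvals:
        if a.request_id != request_id:
            rejected.append((a.signer, "approval bound to another request"))
        elif a.signer not in roster:
            rejected.append((a.signer, "not an authorized signer"))
        elif a.signer not in active_staff:
            rejected.append((a.signer, "stale roster entry"))
        elif a.signer == requester:
            rejected.append((a.signer, "requester cannot self-approve"))
        elif a.signer in valid:
            rejected.append((a.signer, "duplicate approval"))
        else:
            valid.append(a.signer)
    return len(valid) >= required, valid, rejected

ROSTER = ["alice", "bob", "carol", "dave", "erin"]          # five configured signers
ACTIVE_STAFF = {"alice", "bob", "carol", "erin", "frank"}   # dave has left; frank was never added

def demo():
    # Five raw approvals arrive, but only two survive the checks.
    approvals = [Approval("alice", "W-1"), Approval("dave", "W-1"),
                 Approval("bob", "W-1"), Approval("bob", "W-1"),
                 Approval("frank", "W-1")]
    return evaluate_withdrawal("W-1", "carol", 5_000_000, approvals, ROSTER, ACTIVE_STAFF)

if __name__ == "__main__":
    print("stale roster entries:", stale_signers(ROSTER, ACTIVE_STAFF))
    allowed, valid, rejected = demo()
    print("allowed:", allowed, "valid:", valid)
    for signer, reason in rejected:
        print("rejected:", signer, "-", reason)
```

A naive count of the five submitted approvals would clear the three-signer quorum; the roster and duplicate checks reduce it to two and the withdrawal is denied.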
Three regulatory developments in 2025 reshaped what compliance teams evaluate when selecting a custodian.
First, the SEC's Division of Investment Management issued a no-action letter on September 30, 2025, confirming that RIAs and registered funds may treat state-chartered trust companies as qualified custodians for digital assets, provided they meet due diligence and oversight conditions. This resolved years of ambiguity about whether entities like Coinbase Custody Trust Company, BitGo Trust Company, and Anchorage Digital Bank qualify as "banks" under the Advisers Act.
Second, the OCC's Interpretive Letter 1184, issued May 7, 2025, reaffirmed that national banks may provide custody for digital assets in both fiduciary and non-fiduciary capacities, including the use of sub-custodians. This opened the path for traditional banks to enter the space directly.
Third, SAB 121 -- which had required firms to record custodied digital assets as liabilities on their own balance sheets -- was replaced by SAB 122, granting more flexibility in accounting treatment. This removed what many banks described as the primary economic barrier to offering custody services. Citigroup subsequently announced plans to launch digital asset custody in 2026, with $2.57 trillion in existing assets under custody.
The convergence of traditional banking infrastructure with digital-native custody providers is narrowing the gap between what institutions require and what the market offers. The SEC no-action letter gives compliance teams a concrete diligence framework rather than an ambiguous void. Citi's planned entry -- alongside Anchorage, the only federally chartered digital asset bank -- signals that qualified custody is shifting from niche specialty to standard banking service. And the NYDFS updated its custody guidance in September 2025 to address sub-custodian oversight and on-chain wallet architecture, the kind of operational specificity that auditors need to build defensible processes.
[Figure: Custody plumbing map -- where risk sits at each layer.]
Caption: Institutional custody risk does not concentrate in any single layer -- it distributes across cryptographic, operational, legal, and regulatory boundaries. The custodian selection process must evaluate all five.
The infrastructure question for digital asset custody is no longer whether qualified solutions exist -- it is whether the institution's diligence process is rigorous enough to distinguish between custodians that meet the standard and those that merely claim to.