Crypto Custody for Small Businesses
Small businesses operating in or accepting cryptocurrency face a fundamentally different custody landscape than individual holders. Whether you're a coffee shop accepting Bitcoin payments, a software company holding reserves in stablecoins, or a startup managing employee tokens, the custody decisions you make directly impact your operational risk, tax obligations, and regulatory exposure. Unlike individuals who can choose between self-custody and a personal exchange account, businesses must navigate institutional custody requirements, compliance frameworks, and operational resilience standards that don't have simple answers.
Why Business Custody Is Different
When an individual holds cryptocurrency in a hardware wallet or on an exchange, they're managing personal risk. When a business holds cryptocurrency, the stakes expand considerably. You're now responsible to employees who depend on the company's solvency, customers who trust your platform, and regulators who expect institutional-level controls even from small operations.
The fundamental difference: Business custody must address fiduciary duty. If you're the owner of a business holding cryptocurrency, you have a legal obligation to safeguard those assets responsibly. This isn't abstract—it shapes everything from insurance requirements to backup procedures to audit trails.
Consider a freelance developer who starts accepting Bitcoin for services. Initially, they might use a simple hardware wallet or exchange account. But the moment they hire employees and those employees' salaries depend on the company's financial stability, custody becomes a governance issue. The developer now faces questions: What happens if I lose the seed phrase? Who has access if I'm incapacitated? How do we ensure the cryptocurrency is protected from theft or accidental loss? These questions transform custody from a personal security problem into a business continuity problem.
The Four Custody Models for Businesses
1. Self-Custody with Operational Controls
Small businesses sometimes attempt to use self-custody solutions with strengthened operational procedures. This typically involves a hardware wallet paired with documented access protocols.
Advantages:
- Direct ownership and control
- No exchange counterparty risk
- Lower ongoing fees compared to institutional custody
- Full autonomy over asset movement
Disadvantages:
- Loss of seed phrase remains catastrophic and unrecoverable
- Single-person knowledge creates operational risk—illness or departure leaves no access path
- Limited audit trails for accounting and tax purposes
- Regulatory authorities may not recognize this as institutional-grade custody for compliance purposes
When it makes sense: Cryptocurrency holdings under $50,000, businesses with strong technical expertise, companies where the owner plans to remain actively involved long-term.
Critical requirements:
- Multi-person approval for any transaction above a threshold (a two-of-three multisig, for example)
- Seed phrase backup stored in geographically separated locations
- Documented procedures for emergency access (what happens if the primary operator dies or becomes unavailable)
- Regular backups and recovery drills
- Clear accounting records of all transactions
2. Qualified Custodians (Institutional Custody)
This is the gold standard that regulators recognize and increasingly expect. A qualified custodian is a regulated financial institution (a bank, broker-dealer, or crypto custodian with regulatory approval) that holds cryptocurrency on your behalf under strict fiduciary standards.
Common qualified custodians in the crypto space include Coinbase Custody, Kraken Custody, Fidelity Digital Assets, and Bitcoin Suisse. These institutions maintain segregated accounts, comprehensive insurance, and institutional-grade security infrastructure.
Advantages:
- Full regulatory recognition—often required if you manage client funds or operate as a regulated entity
- Institutional-grade insurance coverage (typically $100+ million per account)
- Audit trails and reporting that satisfy tax authorities and auditors
- Professional staff ensure business continuity—you're not dependent on one person
- Protection against most theft scenarios through multi-signature controls and offline storage
Disadvantages:
- Custody fees typically range from 0.5% to 2% annually
- Slower transaction times (sometimes 24–48 hours for withdrawal approval)
- Limited flexibility in how assets are held (you must accept the custodian's infrastructure)
- Regulatory restrictions may prevent certain activities (some custodians won't support certain tokens)
When it makes sense: Businesses managing $500,000+, regulated financial services companies, any business accepting or managing client cryptocurrency, companies operating in jurisdictions with specific custody requirements.
Regulatory note: If your business is registered with the SEC as a broker-dealer, investment advisor, or fund manager, you may be required by regulation to use a qualified custodian. Many state financial regulators also impose qualified custodian requirements on money transmitters and other financial service businesses.
3. Hybrid Custody (Hot and Cold)
Many businesses use a hybrid approach: a small amount in a hot wallet (online, fast, accessible) for regular operations, with the majority in cold storage or institutional custody for security.
A typical structure:
- Hot wallet: 5–10% of holdings, used for daily operations and customer payouts
- Cold storage or institutional custody: 90–95% of holdings, accessed only for planned movements
This mirrors traditional banking, where companies keep small operating cash in checking accounts and larger reserves in savings or investments.
Advantages:
- Balances operational convenience with security
- Reduces the impact if the hot wallet is compromised—the bulk of assets remain protected
- Allows fast payment processing without sacrificing security
- Flexible and scalable as the business grows
Disadvantages:
- More complex to manage operationally—requires clear policies about what stays hot versus cold
- Increased administrative overhead compared to single-location custody
- Multiple access points create more opportunities for human error
- Requires careful transaction reconciliation
Implementation example: A cryptocurrency payment processor might maintain a hot wallet that automatically sweeps to cold storage whenever it exceeds a threshold (e.g., if the hot wallet exceeds $10,000, the excess is transferred to cold storage daily).
4. Third-Party Payment Processors
Some businesses avoid holding cryptocurrency altogether by using third-party payment processors that immediately convert cryptocurrency to fiat currency.
Examples include BitPay, Coinbase Commerce, and BTCPay Server (open-source, self-hosted). When a customer pays with Bitcoin, the processor converts it to USD and deposits the equivalent to your bank account.
Advantages:
- You never actually hold cryptocurrency—no custody risk
- Accounting is simpler (all records are in fiat)
- No seed phrases or private keys to manage
- Instant settlement (in many cases)
Disadvantages:
- You don't benefit from cryptocurrency appreciation
- Processing fees (typically 1–3%)
- You're dependent on the processor's continued operation
- No ability to hold reserves for future use
When it makes sense: Businesses that view cryptocurrency as purely a payment method, not a store of value; companies with tight cash flow that need immediate fiat conversion.
Regulatory Considerations for Business Custody
Different jurisdictions impose specific requirements on how businesses can hold cryptocurrency. The regulatory landscape is evolving rapidly, but several principles are becoming standard:
SEC Requirements: If your business is regulated by the SEC (as a broker-dealer, investment advisor, or fund manager), you must use a "qualified custodian" under SEC Rule 15c3-3 or the Advisers Act. The SEC explicitly recognizes certain cryptocurrency custodians as qualified, but the list is limited and continues to expand.
State Money Transmitter Laws: Many states classify cryptocurrency custody as part of a money transmission business. If you hold customer cryptocurrency, you may need a money transmitter license in each state where you operate. These licenses typically require you to meet custody and insurance standards. See the regulatory custody landscape for detailed requirements.
Tax Reporting: The IRS requires businesses to report cryptocurrency holdings and transactions with precision. Your custody solution should provide exportable transaction history and supporting documentation. Qualified custodians typically provide this automatically; self-custody requires you to maintain meticulous records.
Insurance and AML Requirements: Depending on your business model, you may need to conduct anti-money laundering (AML) checks on who can access your cryptocurrency holdings and maintain insurance coverage against theft or loss.
Operational Best Practices
Custody Policy Documentation
Create a written custody policy that documents:
- Which custody model you use and why
- Who has access to what assets
- How emergency access is handled
- Backup and recovery procedures
- What triggers moving between hot and cold storage
- How transactions are approved
- How you verify balances
This isn't just good practice—it's often required by auditors, regulators, and insurance providers.
Segregation of Duties
Ensure no single person can unilaterally move significant cryptocurrency. A typical setup:
- Person A initiates a transaction
- Person B approves it
- Person C verifies it on the blockchain
For self-custody, use multisig wallets that require multiple signatures.
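The initiate/approve/verify split above can be enforced in software so that the record of who did what doubles as an audit trail. This is an added sketch, not part of the original article: the `Transfer` class, the role table and the names in it are hypothetical, and it models the procedural workflow only, not a multisig wallet.

```python
from dataclasses import dataclass, field

class PolicyViolation(Exception):
    """Raised when a step would break segregation of duties."""

# Constructed role assignments; real ones come from the written custody policy.
ROLES = {
    "alice": {"initiator"},
    "bob": {"approver", "verifier"},
    "carol": {"verifier"},
}
STEPS = ("initiator", "approver", "verifier")  # required order

@dataclass
class Transfer:
    amount_usd: int
    destination: str
    actors: dict = field(default_factory=dict)  # step -> person who performed it
    audit_log: list = field(default_factory=list)  # append-only trail for auditors

    def record(self, step, person, note=""):
        """Record one step, refusing anything that lets one person act twice."""
        if step not in STEPS:
            raise PolicyViolation(f"unknown step {step!r}")
        if STEPS.index(step) != len(self.actors):
            raise PolicyViolation(f"{step} is out of order")
        if step not in ROLES.get(person, set()):
            raise PolicyViolation(f"{person} does not hold the {step} role")
        # Holding several roles is allowed; acting twice on one transfer is not.
        if person in self.actors.values():
            raise PolicyViolation(f"{person} already acted on this transfer")
        self.actors[step] = person
        self.audit_log.append((step, person, note))

    @property
    def complete(self):
        """True only after three different people have each done their step."""
        return len(self.actors) == len(STEPS)

if __name__ == "__main__":
    t = Transfer(25_000, "DESTINATION-ADDRESS-PLACEHOLDER")
    t.record("initiator", "alice", "vendor payment")
    t.record("approver", "bob")
    try:
        t.record("verifier", "bob", "seen on chain")  # holds the role, already approved
    except PolicyViolation as err:
        print("blocked:", err)
    t.record("verifier", "carol", "confirmed on chain")
    print(t.complete, t.audit_log)
```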
Regular Reconciliation
Reconcile your cryptocurrency holdings against your accounting records at least monthly. For businesses using qualified custodians, this is often automated in their reporting dashboards. For self-custody, you should:
- Verify all wallet addresses contain the expected amounts
- Cross-check transaction records against blockchain records
- Reconcile against your financial statements
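For self-custody, the first two checks can be scripted so that an on-chain movement missing from the books stands out immediately. The following is an added example, not from the original article: the record layout, wallet labels and transaction ids are constructed, and amounts are integer satoshis to avoid rounding drift.

```python
from collections import defaultdict

# Constructed sample data. In practice the ledger is exported from the accounting
# system and the chain records from your own node or a block explorer export.
LEDGER = [
    {"txid": "tx-001", "address": "hot-wallet", "sats": 500_000},
    {"txid": "tx-002", "address": "hot-wallet", "sats": -120_000},
    {"txid": "tx-003", "address": "cold-wallet", "sats": 2_000_000},
    {"txid": "tx-005", "address": "hot-wallet", "sats": 40_000},
]
CHAIN = [
    {"txid": "tx-001", "address": "hot-wallet", "sats": 500_000},
    {"txid": "tx-002", "address": "hot-wallet", "sats": -125_000},
    {"txid": "tx-003", "address": "cold-wallet", "sats": 2_000_000},
    {"txid": "tx-004", "address": "hot-wallet", "sats": -300_000},
]

def reconcile(ledger, chain):
    """Return findings as (kind, txid_or_address, detail_in_sats) tuples."""
    findings = []
    # Key on (txid, address) so a transfer between two of your own wallets,
    # which shares one txid, is tracked as two separate entries.
    booked = {(r["txid"], r["address"]): r["sats"] for r in ledger}
    seen = {(r["txid"], r["address"]): r["sats"] for r in chain}

    # On chain but never booked: the candidate for an unauthorized transaction.
    for key in sorted(seen.keys() - booked.keys()):
        findings.append(("unrecorded_on_chain", key[0], seen[key]))
    # Booked but absent on chain: unconfirmed payment or a bookkeeping error.
    for key in sorted(booked.keys() - seen.keys()):
        findings.append(("not_on_chain", key[0], booked[key]))
    # Present in both with different amounts (for example an unbooked fee).
    for key in sorted(booked.keys() & seen.keys()):
        if booked[key] != seen[key]:
            findings.append(("amount_mismatch", key[0], seen[key] - booked[key]))

    # Per-address balance: does each wallet hold what the books expect?
    totals = defaultdict(lambda: [0, 0])  # address -> [book, actual]
    for r in ledger:
        totals[r["address"]][0] += r["sats"]
    for r in chain:
        totals[r["address"]][1] += r["sats"]
    for address, (book, actual) in sorted(totals.items()):
        if book != actual:
            findings.append(("balance_mismatch", address, actual - book))
    return findings

if __name__ == "__main__":
    for finding in reconcile(LEDGER, CHAIN):
        print(finding)
```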
Incident Response Planning
Develop a plan for what you'll do if:
- The primary custodian becomes unavailable (the person managing the wallet is incapacitated)
- Cryptocurrency is stolen or lost
- You discover an unauthorized transaction
- Your custody provider goes out of business
This plan should include contact information for backup personnel, procedures for emergency access, and communication protocols.
Scaling Your Custody as the Business Grows
Your custody solution should evolve as your business grows:
| Growth Stage | Typical Custody Model | Holdings Range |
|---|---|---|
| Pre-launch (testing) | Personal wallet or exchange account | $1K–$10K |
| Early operations | Self-custody with backups + hot wallet | $10K–$100K |
| Established | Hybrid (hot + cold self-custody or qualified custodian) | $100K–$1M |
| Venture-backed or regulated | Qualified custodian mandatory | $1M+ |
At $1M+ in holdings, the cost of qualified custody (0.5–2% annually) is typically justified by the reduced operational and regulatory risk.
Making the Decision: A Practical Framework
Ask yourself:
- How much cryptocurrency will I hold? Under $50K, self-custody with strong backups may be acceptable. Over $500K, qualified custody becomes increasingly necessary.
- Do I manage client funds? If yes, you almost certainly need a qualified custodian and possibly regulatory licensing.
- How technical is my team? Self-custody requires genuine expertise; don't overestimate your capabilities.
- What does my regulatory environment require? Check your state's money transmitter laws and your industry's regulatory standards.
- How mission-critical is this cryptocurrency? If losing it would threaten employee payroll or customer refunds, use a qualified custodian.
- Can I handle a custody emergency? What's your plan if the person managing the wallet becomes unavailable?
Key Takeaways
- Business custody is fundamentally different from personal custody because of fiduciary duties and regulatory requirements.
- Qualified custodians are the regulatory standard for businesses managing significant cryptocurrency or client assets.
- Hybrid custody balances operational convenience with security.
- Self-custody is possible for small businesses with strong technical expertise and documented procedures, but creates operational risk around key management and business continuity.
- Your custody choice should scale with your business size and regulatory obligations.
The most expensive custody mistake you can make isn't a high fee to an institutional custodian—it's losing control of assets because your self-custody procedures weren't robust enough. Choose a custody model that matches your size, expertise, and regulatory environment, then implement it with rigor and documentation.
Related Articles
- Self-Custody Basics — Foundation for managing your own keys
- Institutional Custody Solutions — Overview of regulated custody providers
- Qualified Custodians and Regulation — Regulatory requirements and verification
- Regulatory Custody Landscape — Detailed regulatory framework by jurisdiction