Skip to main content
Custody: self vs exchange

Not Your Keys, Not Your Coins

Pomegra Learn

Not Your Keys, Not Your Coins

"Not your keys, not your coins" is the foundational principle of cryptocurrency ownership. It encapsulates a simple but profound truth: if you do not hold the private keys that control a cryptocurrency address, you do not truly own the cryptocurrency. You are merely a creditor of whoever holds the keys. This phrase, popularized within the cryptocurrency community, captures a distinction that separates cryptocurrency from every previous form of digital asset.

The Meaning of Ownership in Crypto

Traditional financial ownership is a legal concept. When you own a stock, you don't possess the actual document—a depository institution holds the stock certificate, and your ownership is recorded on their ledger and protected by law. If the institution fails, regulators and insurance may recover your assets. The legal system enforces your rights as an owner.

Cryptocurrency ownership is different. Ownership is not a legal claim on a ledger; it's a cryptographic fact encoded in the blockchain. The person who controls the private key that corresponds to a cryptocurrency address is the cryptographic owner of whatever cryptocurrency sits at that address. The blockchain, not the legal system, enforces this ownership. No legal claim, no government, no institution can override the cryptography.

This distinction has profound implications. If you own Bitcoin by holding the private key, you own it in the most literal sense. No court order can freeze it. No institution can refuse to let you access it. No bankruptcy can take it. The cryptography is sovereign.

Conversely, if someone else holds your private key—an exchange, a custodian, or a bank—you are dependent on their willingness to give you access to your coins. You own a claim against them, not the cryptocurrency itself. The coins sit in their address, controlled by their keys.

The Custodian as Intermediary

When you deposit cryptocurrency on an exchange and receive a credit in your account, what happens to your coins? Typically, the exchange takes your cryptocurrency and moves it to a wallet that the exchange controls. The exchange's private key(s) control the address holding your coins. Your account shows a balance, but that balance is a promise from the exchange—a promise to send you that amount of cryptocurrency if you request a withdrawal.

This arrangement is no different from a traditional bank account. Your bank doesn't keep your dollars in a vault with your name on it. Your dollars sit in a commingled pool, and your account is a ledger entry representing a claim against the bank. If the bank fails, the Federal Deposit Insurance Corporation (FDIC) is supposed to pay you back (up to $250,000). This system works well because banks are heavily regulated, FDIC insurance is backed by the government, and banking regulations have been refined over a century.

Cryptocurrency exchanges operate under different rules. Most are not federally insured. Many are not heavily regulated. They operate under different jurisdictions with varying legal protections. When you deposit cryptocurrency on an exchange, you are trusting the exchange to:

  • Securely hold your private keys
  • Not use your cryptocurrency for proprietary trading or loans
  • Maintain adequate reserves to cover all customer balances
  • Survive technical failures and security breaches
  • Remain solvent and not go bankrupt

This is a substantial trust requirement. And history shows that this trust is sometimes misplaced.

The legal status of cryptocurrency you hold on an exchange is murky and jurisdiction-dependent. In most cases, when you deposit cryptocurrency, you no longer own it in the legal sense. You own a claim against the exchange. The exchange owns the cryptocurrency.

This has significant implications if the exchange fails:

If the exchange goes bankrupt, your claim against them is unsecured debt. You get in line behind secured creditors (who pledged collateral), employees (who have wage claims), and government tax liens. If the company's assets are insufficient, you get nothing or only a fraction of your balance.

If the exchange is hacked and funds are stolen, what happens depends on whether the exchange maintains insurance, how the exchange's terms of service define their obligations, and local law. Many exchanges have no explicit obligation to reimburse customers for stolen funds.

If government agents seize the exchange's funds for regulatory violations, you might not have any legal recourse. Your claim against the exchange doesn't protect you from government seizure of the exchange's assets.

In the United States, the Federal Deposit Insurance Corporation (FDIC) insures deposits at banks up to $250,000. However, the FDIC typically does not insure cryptocurrency deposits. The FDIC insures dollars, not Bitcoin. If a traditional bank accepts a deposit of cryptocurrency, holds it, and goes bankrupt, you likely have no FDIC protection.

Some jurisdictions are moving toward regulation of cryptocurrency exchanges and custodians. The New York Department of Financial Services issues BitLicenses to cryptocurrency companies, which come with requirements for capital reserves, consumer protection, and cybersecurity. However, most exchanges globally are not BitLicense holders, and regulatory requirements vary widely.

The Private Key as Cryptographic Proof

The blockchain doesn't care about legal claims or regulatory frameworks. It only cares about cryptography. If you have the private key, you can move the cryptocurrency. If you don't have it, you can't.

This creates a stark reality: the person who holds the private key is the functional owner, regardless of legal claims or promises. If you hold private keys and an exchange claims to own your cryptocurrency, you could move those coins anytime you wanted (assuming the exchange doesn't lock you out). If you hold only a promise from an exchange and the exchange locks you out or disappears, your cryptocurrency is gone.

This is why "not your keys, not your coins" is more than a slogan—it's a statement of cryptographic fact. Ownership in the blockchain is determined by key possession, not by account balances or legal contracts.

Historical Examples

The principle "not your keys, not your coins" has been tragically validated multiple times:

Mt. Gox: In 2014, Mt. Gox, once the largest Bitcoin exchange, collapsed. Users had deposited Bitcoin expecting the exchange to hold it securely. Instead, the exchange was hacked multiple times, and over 850,000 Bitcoin belonging to customers and the exchange itself were stolen. Customer funds were completely lost. In bankruptcy proceedings that lasted years, users received only a fraction of their Bitcoin, and only after extensive legal battles.

QuadrigaCX: In 2019, the Canadian exchange QuadrigaCX went dark after its sole executive mysteriously died. Users had deposited over $190 million in cryptocurrency. The exchange's private keys were supposedly held by the executive and encrypted with a password that nobody else knew. Users' cryptocurrency became permanently inaccessible. Subsequent investigation suggested funds had actually been misappropriated earlier, but regardless, users who held their cryptocurrency on the exchange lost everything.

FTX: In 2022, FTX, one of the world's largest cryptocurrency exchanges, collapsed in a few days after revelations about mismanagement of customer funds. Customers discovered that instead of holding their cryptocurrency safely, FTX had loaned customer deposits to affiliated companies to support risky bets. When the scheme unraveled, customer funds were gone. Users with cryptocurrency on FTX became creditors in bankruptcy, waiting years for potential partial recovery.

These cases demonstrate that holding cryptocurrency on an exchange is fundamentally different from holding it yourself. The exchange promises to keep your keys safe and return your coins when you withdraw. But promises can be broken, institutions can fail, and executives can be dishonest or incompetent.

The Security-Convenience Tradeoff

The reason people use exchanges despite understanding "not your keys, not your coins" is the tradeoff between security and convenience:

Exchanges offer real convenience. You can trade between cryptocurrencies instantly. You can access your funds with a password from any internet-connected device. You don't need to worry about backing up private keys or securing hardware wallets. This convenience attracts users, especially those who trade frequently or don't hold cryptocurrency long-term.

Self-custody offers security at the cost of convenience. You must secure your private keys, back them up, and manage their safety yourself. If you want to trade, you must withdraw from your self-custody wallet to an exchange, which is slower and has transaction fees.

Rational users often split their holdings: frequently traded amounts on exchanges for convenience, long-term holdings in self-custody for security.

What "Not Your Keys, Not Your Coins" Really Means

The phrase encapsulates several overlapping concepts:

Cryptographic fact: The person with the private key can move the cryptocurrency; the person without it cannot, regardless of any other claims.

Counterparty risk: If an intermediary holds your keys, you are exposed to that intermediary's failure, dishonesty, or incompetence. You must trust them, and trust can be misplaced.

Regulatory ambiguity: If an exchange holds your cryptocurrency, your legal protections depend on jurisdiction, regulation, and the exchange's business practices. In most cases, your protections are weaker than traditional banking.

Personal responsibility: If you hold your own keys, you are responsible for keeping them secure. This is burdensome but ensures that nobody else can take your coins.

No bailouts: If an exchange fails or you lose your keys, there is no government insurance, no customer service, no recovery. The loss is final.

Practical Implications

Understanding "not your keys, not your coins" should inform your custody decisions:

For trading: Use exchanges for the portion of your portfolio you're actively trading. These funds are exposed to counterparty risk, but the convenience of trading justifies the risk for short-term holdings.

For long-term holding: Use self-custody for amounts you plan to hold for extended periods. The security advantage outweighs the reduced convenience for holdings you don't intend to move frequently.

For significant amounts: The larger your holdings, the stronger the case for self-custody. The security advantage of holding your own keys becomes increasingly valuable as the amount at risk increases.

For institutions: Institutions holding customer cryptocurrency should use professional custodians that provide institutional-grade security, insurance, and regulatory compliance—or implement self-custody with multi-signature controls.

For understanding counterparty risk: Before depositing cryptocurrency on an exchange or with a custodian, research:

  • Do they maintain adequate reserves?
  • What security measures do they employ?
  • Are they regulated?
  • Do they carry insurance?
  • What is their track record?

The Evolution of Custody

As cryptocurrency has matured, custody solutions have evolved. Professional custodians offer institutional-grade security and insurance. Some traditional banks are now offering cryptocurrency custody services under banking regulations. Hardware wallets and software wallets are becoming more user-friendly.

However, the fundamental principle remains: the security and ownership of your cryptocurrency is ultimately determined by who holds the private keys. Understanding this principle is essential for making informed custody decisions.

Key Takeaways

  • "Not your keys, not your coins" means cryptocurrency is truly owned only if you control the private keys
  • Holding cryptocurrency on an exchange means you own a claim against the exchange, not the cryptocurrency itself
  • Exchange-held cryptocurrency is exposed to institutional failure, hacks, mismanagement, and fraud
  • The person with the private key can move the cryptocurrency; no legal claim can override this cryptographic fact
  • Most cryptocurrency exchanges do not carry FDIC-style insurance
  • Rational users split holdings between exchanges (for convenience and trading) and self-custody (for security)

Further Reading

To understand how to self-custody properly, see Self-Custody in Crypto Explained. To understand specific risks of leaving cryptocurrency on exchanges, see Exchange Custody Risks and Proof of Reserves Explained. For historical examples of exchange failures, see Mt. Gox Lesson and FTX Bankruptcy.