Skip to main content
Custody: self vs exchange

Crypto Custody Regulation Landscape

Pomegra Learn

Crypto Custody Regulation Landscape

The regulatory frameworks governing cryptocurrency custody are fragmented, evolving rapidly, and frequently contradictory across jurisdictions. Unlike traditional assets, where custody is governed by a relatively stable set of rules developed over decades, cryptocurrency custody is navigating a landscape where regulators are still determining what rules apply, whether existing frameworks should be adapted, and what new authority they need to enforce them.

This creates a complex reality: if you're holding cryptocurrency for a business, managing client assets, or operating any kind of financial service, understanding which regulations apply to you is as important as understanding how to actually secure the cryptocurrency. This article maps the major regulatory frameworks and explains how they interact.

The Federal Regulatory Patchwork

The United States has no single "crypto custody regulator." Instead, custody is regulated by multiple federal agencies depending on your business type and what you're doing with the cryptocurrency.

The SEC and Securities Custody

The Securities and Exchange Commission regulates custody primarily through Rule 15c3-3 (for broker-dealers) and the Investment Advisers Act of 1940 (for investment advisors).

Rule 15c3-3 requires broker-dealers to maintain customer securities with "a bank, a broker or dealer, or a members' organization," and prohibits them from holding customer securities in their own name. In 2023, the SEC began clarifying that this rule applies to cryptocurrency held by registered broker-dealers. This means if you're operating as a broker-dealer and holding customer cryptocurrencies, you must use a qualified custodian.

The SEC defines a "qualified custodian" narrowly:

  • A bank as defined by the Bank Holding Company Act
  • A broker-dealer registered with the SEC
  • A foreign bank or broker-dealer with specific characteristics
  • As of 2024, certain specially licensed cryptocurrency custodians (a very limited list)

The practical implication: If you want to offer cryptocurrency trading services or products to customers, you likely need to use one of the SEC's approved qualified custodians. The SEC has named Coinbase Custody, Kraken, and a handful of others as meeting this standard, but the list is restrictive compared to the number of custody providers in the market.

Investment Advisers: If you're a registered investment advisor managing client cryptocurrency holdings, you must also use a qualified custodian. The SEC has stated that cryptocurrency qualifies as "securities" or "client funds" depending on context, triggering custody requirements.

The OCC and Bank Custody

The Office of the Comptroller of the Currency (OCC), which regulates national banks, issued guidance in 2020 stating that national banks could provide cryptocurrency custody services. This opened the door for traditional banks to enter the crypto custody space.

However, the OCC's framework is less detailed than the SEC's. Banks providing crypto custody must:

  • Conduct appropriate due diligence on the cryptocurrency they're custodying
  • Have robust cybersecurity practices
  • Maintain appropriate insurance
  • Manage conflicts of interest
  • Provide clear disclosures to customers

The impact: As more banks offer cryptocurrency custody, you now have options like Fidelity Digital Assets and (soon) other traditional custodians. These institutions bring the regulatory confidence of banking regulation, but may impose restrictions on which cryptocurrencies they'll custody.

The FinCEN and Money Transmission Rules

The Financial Crimes Enforcement Network (FinCEN), a bureau of the Treasury Department, regulates money transmitters under the Bank Secrecy Act. This is where the rules get murky for cryptocurrency custody.

FinCEN's regulations define "money transmitter" as anyone who "accepts currency, funds, or other value that substitutes for currency from one person and transmits it to another location or person by any means." Cryptocurrency clearly falls within this definition when it's being transmitted.

The custody question: Does holding cryptocurrency on behalf of a customer make you a money transmitter? FinCEN's position is nuanced:

  • If you're simply holding cryptocurrency that a customer has deposited with you (custodial arrangement), and you're not transmitting it on the customer's behalf, you may not be a money transmitter for custody purposes.
  • But if you're receiving customer cryptocurrency and then moving it (even to a segregated account), that can trigger money transmitter classification.

This distinction is critical because money transmitter status triggers:

  • FinCEN registration requirements
  • State money transmitter licensing (see below)
  • Anti-money laundering (AML) compliance obligations
  • Suspicious activity reporting requirements
  • Customer due diligence (CDD) requirements

Practical guidance from FinCEN: If you're holding cryptocurrency with the intent to restore equivalent value to the customer later, you're likely a money transmitter. If you're holding it in a segregated account and can prove it belongs to the customer, you may have more flexibility, but this is legally gray territory.

The Federal Reserve and Banking Regulation

The Federal Reserve is gradually developing framework guidelines for how banks should approach cryptocurrency custody. In 2022–2023, the Fed issued guidance that banks wanting to offer crypto services must:

  • Have strong risk management procedures
  • Conduct customer due diligence
  • Implement AML and counter-terrorist financing (CFT) measures
  • Maintain adequate capital reserves
  • Be transparent with regulators about their crypto activities

The Fed's approach is supervisory—rather than imposing strict rules, the Fed evaluates whether individual banks have adequate controls. This means if you're working with a bank custodian, that bank has likely satisfied the Fed that its custody practices meet regulatory standards.

State-Level Custody Regulations

Many states have taken the custody question into their own hands, creating an additional layer of regulation.

State Money Transmitter Laws

The primary state-level custody regulation comes through money transmitter licensing laws. Nearly every state classifies cryptocurrency custody as part of money transmission or a related financial activity requiring licensure.

New York's BitLicense is the most famous (and most stringent) example. The BitLicense requires cryptocurrency businesses, including custodians, to:

  • Maintain proof of private keys
  • Segregate customer assets (prove they're not commingled with company assets)
  • Maintain insurance coverage of at least 90% of customer holdings
  • Submit to annual audits
  • Maintain cybersecurity standards
  • Implement AML/CFT procedures
  • Report suspicious activity

Other states have similar but sometimes less stringent requirements:

  • California treats cryptocurrency custodians as money transmitters and requires licensing, but the standards are less detailed than New York
  • Texas requires licensing and compliance but focuses more on anti-fraud measures than specific custody practices
  • Florida, Nevada, and Wyoming have developed crypto-friendly frameworks with lighter custody requirements

The practical reality: If you're operating a custody service, you likely need to be licensed as a money transmitter in any state where you have customers, which is effectively every state (through remote services).

State Insurance Requirements

Many states require cryptocurrency custodians to maintain insurance coverage. The amounts vary:

  • Some states require 100% coverage of customer holdings
  • Others require 90% or a sliding scale based on the size of holdings

This is where the regulatory framework starts to favor institutional custodians with deep resources—obtaining $100+ million in insurance is expensive and difficult for smaller operations.

The Regulatory Timeline: Evolution of Custody Rules

The custody regulatory landscape is moving in a specific direction, though it's not fully settled:

2013–2019: Regulatory Ambiguity The IRS and FinCEN issued initial guidance treating cryptocurrency as property/currency, but custody-specific rules didn't exist. Businesses essentially operated in a compliance gray zone.

2020–2022: Clarification and Prohibition

  • The OCC clarified that banks could custody crypto
  • The SEC began clarifying that crypto custody by broker-dealers needed to use qualified custodians
  • Some states moved toward stricter licensing
  • President Biden's executive order in 2022 directed agencies to develop cryptocurrency regulations

2023–2024: Formalization and Restriction

  • The SEC proposed and finalized rules on cryptocurrency custody by broker-dealers
  • Multiple states tightened money transmitter requirements
  • The Federal Reserve issued guidance on bank participation in crypto
  • The list of SEC-approved qualified custodians remained restricted, favoring established financial institutions

2025 and Beyond: Anticipated Direction

  • Expect more states to adopt custody licensing standards (moving toward convergence)
  • Anticipate a gradual broadening of SEC-approved qualified custodians, but with higher standards
  • International regulatory harmonization may occur (FATF and other global bodies are developing guidelines)
  • Self-custody regulations may emerge, potentially requiring registration or licensing even for individual holders in some jurisdictions

Which Regulations Apply to You?

Use this decision tree to determine your regulatory obligations:

If you're a broker-dealer or investment advisor: You must use an SEC-qualified custodian. This is non-negotiable and heavily enforced.

If you accept customer cryptocurrency for payment processing or exchange: You're likely a money transmitter. You need to:

  • Register with FinCEN (file FinCEN form 107)
  • Obtain money transmitter licenses in each state where you have customers
  • Comply with AML/CFT requirements
  • File suspicious activity reports (SARs) for transactions meeting thresholds
  • Maintain customer due diligence records

If you operate a custody service for businesses: You need to understand your specific state's requirements and likely need to be licensed as a money transmitter. You should also:

  • Maintain insurance covering customer holdings
  • Implement segregation of customer assets
  • Maintain detailed audit trails
  • Have cybersecurity practices that meet regulatory standards

If you're running a business that holds its own cryptocurrency reserves: Specific federal custody rules don't apply to you directly, but you may need to:

  • Meet state reporting requirements if you're managing employee assets (in ERISA plans, for example)
  • Comply with tax reporting obligations
  • Maintain insurance on your holdings
  • Document custody procedures for auditors and accountants

International Regulatory Considerations

If you're operating globally or considering international expansion, be aware that custody regulations are becoming stricter, not looser:

European Union: The MiCA (Markets in Crypto-Assets Regulation) that took effect in 2024 imposes strict custody requirements on all cryptocurrency service providers, including custodians. EU custodians must be licensed and maintain customer asset segregation.

UK: Post-Brexit, the UK developed its own Financial Conduct Authority (FCA) rules for cryptocurrency custody, broadly similar to the EU's approach but with some differences.

Singapore and Hong Kong: Both treat cryptocurrency custodians as financial institutions requiring regulatory approval and maintaining custody standards similar to traditional securities custodians.

Recommendation: If you're considering serving international customers, consult with a compliance attorney in that jurisdiction. Custody regulations are becoming more uniform globally, but important differences remain.

Compliance Gaps and Your Risk

The regulatory landscape has significant gaps:

Self-custody regulation: There are essentially no federal regulations governing self-custody. You can hold cryptocurrency in a personal wallet without any registration, licensing, or compliance obligation—as long as you're not running a business that accepts customer deposits.

Custody insurance: Unlike deposits in FDIC-insured banks, there's no federal insurance requirement for cryptocurrency held by custodians. Insurance is a matter of contractual agreement. Some custodians maintain $100+ million in coverage; others maintain minimal coverage. You need to verify this.

Bankruptcy and custody: If a qualified custodian goes bankrupt, your cryptocurrency should be protected (it's not part of their estate). But this hasn't been tested extensively in court. The risk remains theoretical but real.

Staking and other services: Many custodians offer services beyond pure custody—staking, lending, yield services. These services may have different regulatory treatments and may not be covered under the same protections as pure custody.

Practical Compliance Checklist

If you're operating a custody service or business holding customer cryptocurrency:

  • Determine your regulatory classification (broker-dealer, money transmitter, custodian, etc.)
  • Register with FinCEN if required
  • Obtain state money transmitter licenses where required (typically all states if remote)
  • Implement AML/CFT procedures and document them
  • Conduct customer due diligence and maintain records
  • Segregate customer assets and maintain proof
  • Obtain insurance meeting regulatory requirements (90–100% of holdings)
  • Maintain audit trails and transaction records
  • File suspicious activity reports (SARs) when required
  • Conduct annual audits or regular compliance reviews
  • Update policies as regulations evolve

Key Takeaways

  • Custody regulation is fragmented across federal agencies (SEC, OCC, FinCEN, Fed) and varies significantly by state.
  • The SEC requires broker-dealers and advisors to use qualified custodians from a restricted list.
  • Most state regulations treat cryptocurrency custody as money transmission, triggering licensing and AML requirements.
  • The regulatory trend is toward stricter standards, not looser, especially internationally.
  • Gaps exist: self-custody is largely unregulated; insurance is not federally mandated; bankruptcy protections are untested.
  • Compliance costs are significant: money transmitter licensing, insurance, audits, and legal advice add up, which is why smaller operators often use third-party custodians rather than building their own.

If you're building a business that touches cryptocurrency custody, budget for compliance. It's not optional, it's increasingly expensive, and the penalties for non-compliance can include civil fines, criminal prosecution, and loss of operating licenses.