Crypto Custody: Definition, Models and Regulatory Framework
Crypto asset custody refers to the holding, safeguarding, and management of private keys that control access to digital assets on behalf of clients. In the context of digital assets, custody is fundamentally a key management problem: the entity that controls a private key controls the assets associated with the corresponding public address on a blockchain. Custody, therefore, means having authorised, controlled possession of the private key — not merely recording a client’s holdings in an internal ledger.
This distinguishes crypto custody from the casual usage of the term on retail exchange platforms, where “holding” crypto in an exchange account does not constitute custody in the regulatory or technical sense. Exchange account balances are credit claims against the exchange; custody means that the keys to the on-chain assets are held under a governance framework that protects the client’s beneficial ownership.
The Foundational Principle: Keys Are Ownership
The phrase “not your keys, not your coins” captures the essential principle of crypto custody concisely, if colloquially. On a blockchain such as Bitcoin or Ethereum, asset ownership is determined entirely by control of the private key. There is no registry of beneficial owners, no securities depository, no clearinghouse that can correct a mistaken transfer. If a private key is lost, the associated assets are permanently inaccessible. If a private key is stolen, the assets it controls can be transferred irreversibly by the attacker. The security and governance of private keys are therefore the entire substance of crypto custody.
This architecture differs fundamentally from traditional securities custody. In conventional finance, securities are held in electronic form in a central securities depository — Euroclear, SIX SIS, or similar — with the CSD maintaining the authoritative ownership record. A custodian’s failure does not destroy client securities because the CSD record is independent. In crypto, the blockchain is the record, and control of the private key is the mechanism of ownership. There is no external record to fall back on.
Self-Custody
Self-custody refers to the model in which the asset owner directly holds and manages their own private keys, without delegating key management to any third party. Self-custody is the native model of decentralised blockchain systems: Bitcoin and Ethereum were designed for self-custody as the default.
In practice, self-custody takes two principal forms. Software wallets — applications such as MetaMask, Trust Wallet, or the Bitcoin Core client — generate and store private keys on the user’s own device (smartphone or computer). The user has full control but also full responsibility: if the device is lost or stolen and no key backup is available, the assets cannot be recovered.
Hardware wallets — physical devices such as Ledger or Trezor — store private keys in a dedicated secure element chip that never exposes the key to the connected computer. Transaction signing occurs within the hardware wallet; the computer sees only the signed transaction, not the private key. Hardware wallets represent the security standard for sophisticated retail self-custody.
Self-custody is not appropriate for institutional asset management. The governance requirements of an institutional portfolio — multiple authorised signatories, audit trails, operational redundancy, regulatory reporting — cannot be adequately met by a single-party key management arrangement.
Third-Party Custody
Third-party custody is the model in which a regulated custodian holds private keys on behalf of clients, subject to a custody agreement that defines the governance, liability, and operational arrangements. This maps onto the traditional securities custody model: clients transfer assets to the custodian’s addresses, the custodian maintains internal records of client holdings, and the custody agreement establishes that the assets belong beneficially to the client.
In Switzerland, third-party crypto custody by a regulated institution provides the statutory insolvency protection of the DLT Act: client crypto assets segregated in custody accounts are treated as client property, not as assets of the custodian’s estate, and are returned to clients in the event of the custodian’s insolvency. This is a critical legal protection that distinguishes regulated Swiss custody from exchange-based asset holding.
Key institutional third-party custodians operating in or accessible from Switzerland include SEBA Bank, Sygnum Bank, Taurus (a Swiss custody technology provider), BitGo (US-based, with European operations), and Coinbase Custody International (operating from Ireland under EU regulatory authorisation).
Multi-Party Computation Custody
Multi-Party Computation (MPC) custody is an advanced cryptographic model that addresses a fundamental weakness of both self-custody and traditional third-party custody: the existence of a complete private key at some point in its lifecycle.
In a traditional custody arrangement, even if a private key is generated within an HSM and never leaves it in plaintext, the complete key still exists as a single cryptographic object. MPC eliminates this by distributing the key generation and signing process across multiple independent parties, such that no single party ever possesses or computes the complete private key.
Under an MPC protocol, key “shares” are distributed — for example, one share to the client, one share to the custodian, and one share to a third-party key agent. Transaction signing requires a threshold of shares (for example, two of three) to participate in the computation. The computation produces a valid signature without any party ever assembling the complete key. Even if one party is compromised, the attacker cannot access the underlying assets without the remaining shares.
MPC custody offers several operational advantages over multi-signature governance: it avoids the on-chain complexity of multi-signature scripts (which differ by blockchain and may expose governance information), it is compatible with blockchains that do not natively support multi-signature, and it provides a more flexible governance framework for institutional key management policies.
Leading MPC custody implementations in Switzerland include those deployed by Taurus Group, whose infrastructure powers the custody operations of multiple Swiss banks, and SEBA Bank’s internal MPC framework.
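As an added illustration of the share-based signing described above (example code written for this article, not code from Taurus, SEBA Bank or any other custodian named here), a toy 2-of-3 threshold Schnorr scheme in Python: shares come from distributed key generation, two of the three holders each contribute a partial signature computed only from their own share, and the combined signature verifies under the public key although no function ever computes the full secret. The group parameters (p = 1019, q = 509, g = 4), the party indices and the message are constructed toy values; production MPC custody uses threshold ECDSA/EdDSA protocols with commitment rounds and full-size curves.

```python
"""Toy 2-of-3 threshold Schnorr signing (added example, not the page's code).
Toy parameters (assumption): safe prime p = 1019, q = 509, g = 4 generates the
order-q subgroup. Far too small for real use; only the arithmetic matters."""
import hashlib
import secrets

P, Q, G = 1019, 509, 4

def dkg(n=3, t=2):
    """Distributed key generation: each party deals a random polynomial of
    degree t-1 and sends f_i(j) to party j. Party j's share is the sum of
    what it received, so the full secret F(0) is never computed anywhere."""
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    def f(poly, x):
        return sum(c * pow(x, k, Q) for k, c in enumerate(poly)) % Q
    shares = {j: sum(f(poly, j) for poly in polys) % Q for j in range(1, n + 1)}
    pubkey = 1
    for poly in polys:  # g^(sum of constant terms) == g^F(0); F(0) itself is never formed
        pubkey = pubkey * pow(G, poly[0], P) % P
    return shares, pubkey

def lagrange(i, signers):
    """Lagrange coefficient at x=0 for index i over the signing set (mod Q)."""
    num = den = 1
    for j in signers:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, Q - 2, Q) % Q

def challenge(R, pubkey, msg):
    digest = hashlib.sha256(f"{R}|{pubkey}|".encode() + msg).digest()
    return int.from_bytes(digest, "big") % Q

def threshold_sign(shares, pubkey, signers, msg):
    """Each signer contributes a fresh nonce and a partial signature built
    only from its own share; the sum is a valid Schnorr signature (R, s)."""
    nonces = {i: 1 + secrets.randbelow(Q - 1) for i in signers}
    R = 1
    for i in signers:
        R = R * pow(G, nonces[i], P) % P
    e = challenge(R, pubkey, msg)
    partials = {i: (nonces[i] + e * lagrange(i, signers) * shares[i]) % Q
                for i in signers}
    return R, sum(partials.values()) % Q

def verify(pubkey, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(pubkey, challenge(R, pubkey, msg), P) % P
```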
FINMA’s Regulatory Framework for Custody
FINMA’s approach to regulating crypto custody is grounded in existing financial institution law rather than bespoke crypto legislation, adapted through regulatory guidance to address the specific characteristics of digital assets.
The key regulatory instruments are the Banking Act (for bank-licensed custodians), the Financial Institutions Act (for portfolio managers and other regulated entities that may hold client crypto assets), and the Anti-Money Laundering Act (which applies to all VASPs including custodians). FINMA’s circular 2019/02 provides specific guidance on the accounting and segregation treatment of crypto assets held in custody, establishing that properly segregated client crypto assets do not form part of a custodian’s balance sheet.
The requirement for “qualified intermediary” status for regulated crypto custody means that only banks, securities dealers, and certain licensed financial intermediaries may provide third-party custody of client crypto assets as a regulated service. This limits the universe of regulated Swiss crypto custodians to institutions subject to FINMA oversight, capital requirements, and regular audit.
Custodian Selection Criteria
Institutional investors selecting a crypto custodian typically evaluate candidates against a set of criteria that broadly mirrors the selection criteria applied to traditional securities custodians, adapted for the technical specificities of digital assets.
Regulatory standing is the first filter: is the custodian licensed or registered with an appropriate regulator? For Swiss institutional investors, a FINMA-supervised entity is strongly preferred, with particular weight given to full banking authorisation.
Technical security architecture — the custody model employed, the HSM and MPC infrastructure, the cold storage proportion, and the key governance procedures — is evaluated through technical due diligence. Institutional investors increasingly request third-party audits (Proof of Reserves, SOC 2 Type II) as evidence of operational quality.
Insolvency protection — the legal enforceability of the custodian’s client asset segregation — is evaluated through legal opinion. Under Swiss law, the DLT Act’s segregation provision provides strong client protection, and this is a competitive advantage that Swiss-regulated custodians emphasise.
Operational integration — compatibility with the client’s trading and reporting infrastructure, API access, support for required assets and networks — is increasingly important as institutional crypto operations become more sophisticated.
The Evolution of Institutional Custody Infrastructure
Crypto custody has evolved from a retail afterthought — exchange wallets and hardware devices — to a sophisticated institutional discipline with dedicated technology providers, regulatory frameworks, and governance standards. The direction of development is toward deeper integration with traditional finance: custodians that can hold both crypto assets and tokenised traditional securities within a unified custody framework, with seamless connectivity to trading venues, fund administrators, and audit providers.
Switzerland’s regulatory environment — with the DLT Act’s insolvency protection, FINMA’s supervised custody providers, and the depth of institutional expertise concentrated in Zug and Zurich — positions Swiss custody infrastructure as one of the most credible in the world for institutional digital asset management.
Donovan Vanderbilt is a contributing editor at ZUG TRADING, a publication of The Vanderbilt Portfolio AG, Zurich. The information presented is for educational purposes and does not constitute investment advice.