Custody is the secure control of the cryptographic keys that move digital assets. In practice, it is a stack:
Your teams will use custody for three jobs:
Two market shifts make this urgent. First, stablecoin capitalization hit an all‑time high in mid‑2025, signaling broad institutional use. Second, tokenized U.S. Treasuries crossed seven billion dollars on public chains, turning tokenization from a pilot into production infrastructure.
Source: https://ww.pwchk.com/en/risk-assurance/digital-asset-custody-report-jul2023.pdf
When individuals or businesses hold digital assets like Bitcoin or Ethereum, they control unique cryptographic keys that grant access and enable transactions. Losing these keys means losing assets forever - there’s no “forgot password” option. As institutional investors - from hedge funds to pension funds - enter the market, the stakes for secure, compliant custody have become too high for self-managed solutions.
These complex requirements spurred the rise of professional custody services, driving a surge in assets held by custodians. What began as a niche offering for early adopters has become critical financial infrastructure, safeguarding trillions in digital wealth.
The cryptocurrency industry has witnessed numerous cases where individuals and businesses lost millions of dollars due to lost private keys, security breaches, or inadequate storage practices. Professional custody services eliminate these risks by implementing institutional-grade security measures that would be impossible for most individuals or businesses to achieve independently.
Attackers target keys, change recipient addresses, or exploit approvals. Enterprise custody reduces these risks with segregated environments, multi‑party approvals, tamper‑evident hardware, transaction policy engines, and geographic redundancy.
Rules have sharpened. In the EU, MiCA applies in two phases. Stablecoin provisions apply from 30 June 2024. Broader rules for crypto‑asset service providers apply from 30 December 2024. In the U.S., new accounting rules require many entities to carry qualifying crypto assets at fair value with changes in net income starting fiscal years that begin after 15 December 2024. New York’s regulator emphasizes segregation of customer assets and clear disclosures for sub‑custody. Across jurisdictions, the Travel Rule now applies to crypto transfers, with EU guidelines effective December 2024 and FATF urging stronger enforcement.
EU DORA applies from 17 January 2025 and raises the bar for ICT risk management, incident reporting, and third‑party oversight for financial entities and their critical ICT providers. If you serve EU firms, your custody operations must align.
FASB: “measure certain crypto assets at fair value, with changes in fair value recorded in net income.”
FATF: “less than one third have issued findings or directives” on Travel Rule enforcement, highlighting the need for stronger controls.
You keep key‑control and run the system within your perimeter. Use cases: banks, market infrastructure, large fintech. You gain autonomy and reduce counterparty risk. You also accept responsibility for governance, controls, and audits.
For businesses that prefer direct control, Scalable provides turnkey key management tools and expert guidance. You retain full ownership of your cryptographic keys while leveraging our secure hardware and software frameworks. Our team assists with setup, backup strategies, and policy recommendations - ensuring you avoid the single-point-failure risks of unmanaged key storage. This approach suits organizations with internal technical capability that want autonomy without taking on excessive security or compliance burdens alone.
A regulated custodian safekeeps assets, while you integrate by API and policy. Use cases: funds, brokers, corporate treasury. You benefit from the custodian’s licensing, controls, and insurance. You trade off some control and custom policy design.
In this model, Scalable Solutions acts as a reliable technology provider and sets you up through a partner network of custodians. The partner custodian holds and protects your digital assets in industry-leading, fully reserved vaults. You benefit from our proven security infrastructure, regulatory compliance, and professional liability coverage without needing to hold a custodian license yourself.
Outsourcing custody to Scalable’s partner ecosystem eliminates the need to build or maintain in-house key management, allowing your business to focus on monitoring performance and adhering to oversight best practices.
You co‑manage key shares with a technology partner or custodian. Transactions require a threshold of approvals across parties. This reduces counterparty risk while keeping operational control and rapid recovery.
Scalable co-manages key shares alongside your team using a multi-signature framework. Your business holds the majority of key approval power, while Scalable safeguards the remaining key shares. This arrangement balances operational control with third-party oversight and insurance, reducing counterparty risk without sacrificing self-custody benefits. It is ideal for enterprises requiring both high security and active involvement in transaction approvals.
Source: https://river.com/learn/how-should-a-business-store-bitcoin/
Faster to launch. Vendor manages infrastructure and security baselines. Your team manages policies and approvals.
You host the stack in an isolated VPC. Strong for compliance alignment and integration with your SIEM, KMS, and IAM.
Highest control, longest lead time. For entities with strict data residency or air‑gapped vaults.
Regulatory posture. Do you need a qualified custodian, or can you self‑custody with controls and audits?
Operating model. Do you prefer hosted service, dedicated VPC, or on‑prem?
Risk tolerance. What loss scenarios are acceptable? What quorum model limits that risk?
Performance. What are your peak TPS, approval latency targets, and SLA needs?
Integration. How will it connect to core banking, ERP, markets, and analytics?
Multisig is enforced at the blockchain layer and depends on chain support. MPC creates one signature from multiple fragments and works across more chains. MPC improves key recovery and rotation.
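The "one signature from multiple fragments" property can be seen in a simplified n-of-n additive Schnorr co-signing sketch. This is an added example, not the vendor's protocol and not a threshold scheme such as FROST; the toy group parameters and the `Party`, `cosign` and `verify` names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration and far too small for real use:
# P = 2Q + 1 with P and Q prime, and G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(R, X, msg):
    """Fiat-Shamir challenge binding the joint nonce, joint key and message."""
    data = f"{R}|{X}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Party:
    """One signer. Its key share and nonce stay inside this object."""
    def __init__(self, share=None):
        # A fixed share is accepted only to make demonstrations reproducible.
        self._x = share if share is not None else secrets.randbelow(Q - 1) + 1
        self.public_share = pow(G, self._x, P)
        self._k = None

    def commit(self):
        # Round 1: pick a fresh nonce and publish only G^k.
        self._k = secrets.randbelow(Q - 1) + 1
        return pow(G, self._k, P)

    def respond(self, c):
        # Round 2: publish a partial signature; the nonce is single-use.
        if self._k is None:
            raise RuntimeError("commit() must run before respond()")
        s, self._k = (self._k + c * self._x) % Q, None
        return s

def joint_public_key(parties):
    X = 1
    for p in parties:
        X = X * p.public_share % P
    return X

def cosign(parties, msg):
    """Combine partial signatures; the full private key is never assembled."""
    X = joint_public_key(parties)
    R = 1
    for p in parties:
        R = R * p.commit() % P
    c = challenge(R, X, msg)
    s = sum(p.respond(c) for p in parties) % Q
    return R, s

def verify(X, msg, sig):
    """Ordinary single-key Schnorr check: the verifier cannot tell it was co-signed."""
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P
```

Production protocols add steps this sketch omits, such as committing to nonces before revealing them and supporting a t-of-n threshold rather than requiring every party.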
If your regulator or mandate requires it, yes. Otherwise, many institutions operate compliant self‑custody with SOC 2 evidence and strong policy. Check MiCA and local rules.
You must exchange originator and beneficiary information with counterparties and handle exceptions when data is missing or counterparties are non‑compliant. Build workflows to block, hold, or remediate.
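A minimal sketch of how the block/hold workflow above can sit in the same policy check as the destination allowlist and the cross-party approval threshold described earlier. This is an added example, not the vendor's policy engine; the field names, party labels and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    allowlist: frozenset          # approved destination addresses
    threshold: int                # total approvals required
    required_parties: frozenset   # every listed party must approve at least once
    # Hypothetical field names for originator and beneficiary information.
    travel_rule_fields: tuple = ("originator_name", "beneficiary_name", "beneficiary_vasp")

@dataclass
class Transfer:
    destination: str
    to_service_provider: bool                       # Travel Rule applies between providers
    travel_rule: dict = field(default_factory=dict)
    approvals: dict = field(default_factory=dict)   # approver id -> party

def evaluate(policy, tx):
    """Return (decision, reason), where decision is BLOCK, HOLD or ALLOW."""
    # A swapped recipient address fails here regardless of who approved it.
    if tx.destination not in policy.allowlist:
        return "BLOCK", "destination not on allowlist"
    # Missing counterparty data parks the transfer for remediation.
    if tx.to_service_provider:
        missing = [f for f in policy.travel_rule_fields if not tx.travel_rule.get(f)]
        if missing:
            return "HOLD", "travel rule data missing: " + ", ".join(missing)
    # Quorum: enough approvals in total, and none of the parties bypassed.
    if len(tx.approvals) < policy.threshold:
        return "HOLD", f"{len(tx.approvals)}/{policy.threshold} approvals"
    absent = policy.required_parties - set(tx.approvals.values())
    if absent:
        return "HOLD", "approval missing from: " + ", ".join(sorted(absent))
    return "ALLOW", "policy satisfied"

# Constructed sample policy: 3 approvals, with both the client and the custodian involved.
POLICY = Policy(
    allowlist=frozenset({"addr-treasury-1"}),
    threshold=3,
    required_parties=frozenset({"client", "custodian"}),
)
```

The allowlist check runs first so that a changed recipient address is rejected outright instead of waiting in a hold queue for more approvals.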
For qualifying assets, measure at fair value with changes in net income for fiscal years beginning after 15 December 2024. Disclose holdings and changes.
Inventory crypto, prioritize systems by exposure, and test NIST PQC algorithms in non‑prod. Maintain agility to rotate algorithms.
SOC 2 Type II, ISO 27001, and evidence of DORA‑aligned resilience for EU‑facing services.
Multi‑party computation splits key control across devices or teams so no one can sign alone.
A signature is produced by a threshold of participants. FROST is a modern design.
Hardware Security Module that protects keys in tamper‑resistant hardware. Often validated under FIPS 140.
A rule that requires originator and beneficiary information to travel with crypto transfers between service providers.
EU regulation for digital operational resilience that applies from 17 January 2025.
EU framework for crypto assets with stablecoin rules from June 2024 and CASP rules from December 2024.
Treat custody as a control system, not a wallet. Define your risk model, choose the right operating and deployment model, demand audit evidence, and test recovery. If you build with these principles, you protect assets, speed settlement, and stay ready for audits.
If you want to review an architecture or run a pilot, our team will map controls to your risks and regulatory scope, then deliver a deployment plan that you can take to your board and auditors.