Skip to main content

Crypto Custody Providers: How to Evaluate Them

The due diligence checklist treasury and ops teams use to vet crypto custody providers: licensing, insurance fine print, segregation proof, key management questions, SLAs, and exit terms.

Written by Eco
Crypto Custody Providers: How to Evaluate Them


A crypto custody provider is a regulated company that safeguards the private keys controlling a client's digital assets, so the client holds a legal claim on those assets rather than the keys themselves. Choosing one is closer to hiring a bank vault operator than buying software: the contract, the charter, and the insurance certificate matter as much as the technology. The stakes are not abstract. The stablecoin market alone holds $310.6B as of July 2026, per DeFiLlama, and on December 12, 2025 the OCC conditionally approved five national trust bank charters for custody-focused firms in a single day. This article is the evaluation checklist: the specific questions a treasury or operations lead should put to any custodian before wiring the first dollar. For the landscape of provider categories, see PLACEHOLDER-digital-asset-custody, and for how the custody models differ technically, see PLACEHOLDER-digital-asset-custody.

What Does a Crypto Custody Provider Actually Do?

A crypto custody provider generates, stores, and uses private keys on behalf of clients under a safekeeping agreement, typically as a chartered trust company or bank. Unlike an exchange account, custodied assets are supposed to sit in segregated wallets, off the provider's own balance sheet, retrievable by the client even if the provider fails.

The mechanics are straightforward to describe and hard to do well. The custodian holds signing keys in some combination of cold storage, hardware modules, and distributed key shares. When a client instructs a withdrawal, the request passes through identity checks, policy rules, and a quorum of human or cryptographic approvers before a transaction is signed and broadcast onchain. One industry evaluation guide notes that "leading custodians maintain 90-95% of assets in cold storage while keeping only the liquidity necessary for operational needs in more accessible systems," per Cobo's institutional custody guide.

Think of the arrangement like a safe deposit box with one difference that changes everything: the box's contents are bearer instruments. Whoever holds the key holds the asset. That is why every section of this checklist ultimately asks the same question in a different costume. If this company disappeared tomorrow, would your assets come back to you, and how quickly? If you are new to the category, PLACEHOLDER-crypto-custodian covers the fundamentals before the diligence layer.

Which Licenses and Charters Matter?

Licensing determines which regulator examines the custodian, what capital it must hold, and what happens to client assets in an insolvency. The main regimes are OCC national trust charters, state trust charters (including New York's limited purpose trust companies), NYDFS BitLicenses, and EU authorization under MiCA. Each carries different supervision depth and different client protections.

The federal option is newest at scale. Anchorage Digital Bank became the first federally chartered crypto bank when the OCC announced "conditional approval of the conversion of Anchorage Trust Company, a South Dakota chartered trust company, to become Anchorage Digital Bank, National Association" on January 13, 2021. It stayed alone for years. Then on December 12, 2025, the OCC conditionally approved charters for First National Digital Currency Bank (a Circle entity) and Ripple National Trust Bank, plus conversions for BitGo Bank & Trust, Fidelity Digital Assets, and Paxos Trust Company. These charters permit custody and related trust activities. They do not allow deposit-taking and they carry no FDIC insurance, a distinction worth stating plainly to any internal stakeholder who hears "national bank" and assumes otherwise.

State charters remain the workhorse. For registered investment advisers, the SEC staff clarified in a September 30, 2025 no-action letter that advisers and registered funds may "use state trust companies to custody crypto assets and related cash and/or cash equivalents, provided certain conditions are met," including segregation and a bar on lending or rehypothecating client assets without written consent, as summarized by Morgan Lewis. In the EU, custody is a licensed activity under MiCA Article 75, which requires a client-by-client register of positions and quarterly statements. A comparison:

Regime

Regulator

What it signals

What to ask for

National trust charter

OCC (US federal)

Federal examination, capital and liquidity conditions, fiduciary standard

The charter approval letter and any operating agreement conditions

NY limited purpose trust

NYDFS

Part 200 supervision plus trust fiduciary duties

Charter status and most recent examination cycle

Other state trust charter

State banking authority

Varies widely by state; SEC no-action conditions apply for RIA use

GAAP-audited financials and the internal control report

MiCA CASP authorization

EU national competent authority

Custody policy, segregation, statutory liability for lost assets

The authorization scope and the Article 75 custody policy

Which regime you should require depends on who you are. A decision tree for the common cases:

  • If you are an SEC-registered adviser or fund: require a qualified custodian, meaning a bank, an OCC trust bank, or a state trust company meeting the September 2025 no-action conditions.

    • If the custodian is a state trust company: ask for the audited GAAP financials and the independent internal control report the letter requires.

  • If you are a corporate treasury with no adviser obligations: a chartered trust entity is still the floor. An unlicensed technology provider holding your keys is a vendor, not a custodian.

  • If you serve EU clients: require MiCA CASP authorization for the custody entity itself, not just an affiliate.

  • If the provider only sells self-custody software and never controls keys: this checklist mostly does not apply; you are evaluating software, and your own controls become the audit surface.

What Does the Insurance Policy Actually Cover?

Custody insurance is usually a commercial crime policy covering theft of private keys, insider malfeasance, and sometimes key loss, with a fixed aggregate limit shared across all clients. It is not deposit insurance. Evaluating it means reading the coverage triggers, the exclusions, the deductible, and the ratio of the limit to assets under custody.

Providers publish headline numbers, and the details underneath them are where diligence happens. BitGo, for example, discloses a $250 million policy covering "copying and theft of private keys," "insider theft or dishonest acts by BitGo employees or executives," and "loss of keys," applicable to "digital assets where the private keys are held 100% by BitGo Trust Company," per BitGo's own disclosure. Every clause there is doing work. Coverage attaches to assets under a specific legal entity, under specific storage conditions, up to an aggregate cap.

Questions worth asking in writing: Is the limit per incident or aggregate across all clients? A $250 million aggregate limit spread over tens of billions in custodied assets covers a small fraction of a catastrophic loss. Does coverage extend to assets in hot wallets, staking contracts, or sub-custodians, or only cold storage?Who pays the deductible?Can you purchase excess coverage dedicated to your own assets? Several custodians offer client-specific excess policies, which converts insurance from marketing into an instrument you can size. Ask for the certificate of insurance naming the carrier syndicate, not a summary page. In the EU, statute adds a backstop of a different kind: under MiCA, a custodian's liability for lost assets "shall be capped at the market value of the crypto-asset that was lost, at the time the loss occurred," per Article 75. A liability cap is not a payment guarantee, so the insurance questions still apply.

How Do You Verify Segregation and Bankruptcy Remoteness?

Segregation means client assets are held apart from the custodian's own assets, onchain and on the internal ledger, so an insolvency court treats them as client property rather than estate property. Verification runs through the contract language, the wallet architecture, and the custodian's regulatory guidance, not through a salesperson's assurance.

Two 2023 events made this the sharpest question on the checklist. In the Celsius bankruptcy, the court ruled on January 4, 2023 that under the platform's terms of use, "title to and ownership of all Earn Assets unequivocally transferred to the Debtors," making customer crypto property of the bankruptcy estate, as Morrison Foerster's analysis details. The customers had clicked accept on a contract that quietly made them unsecured creditors. Nineteen days later, NYDFS issued guidance telling its regulated custodians to "separately account for and segregate customer virtual currency from the corporate assets of the VCE Custodian and its affiliated entities, both on-chain and on the VCE Custodian's internal ledger accounts," and to take possession "only for the limited purpose of carrying out custody and safekeeping services" without creating a debtor-creditor relationship, per the January 23, 2023 industry letter.

So the diligence is textual before it is technical. Pull the custody agreement and search for title language: the agreement should state that title remains with you at all times. Ask whether your assets sit in segregated onchain wallets or in an omnibus wallet, a shared pool tracked on the custodian's books, and if omnibus, how the internal ledger is reconciled and audited. Ask whether the custodian can lend, pledge, or rehypothecate your assets under any circumstance. The failure mode is real: Nevada's regulator found that Prime Trust, a licensed custodian, "was unable to honor customer withdrawals due to a shortfall of customer funds caused by a significant liability on the Respondent's balance sheet owed to customers" in June 2023, per CoinDesk's reporting on the regulatory filing. A charter reduces this risk. It does not eliminate it, which is why the contract and the audit trail carry the weight. Related reading on attestation practices: PLACEHOLDER-proof-of-reserves.

Key Management Architecture: Six Questions for the Security Team

Key management architecture is the system of hardware, cryptography, and human process that controls how private keys are created, stored, and used to sign. The dominant designs are multi-party computation (MPC), multisignature wallets, and hardware security modules (HSMs), usually layered together, with quorum policies deciding who can move what.

You do not need to out-engineer the custodian's security team. You need to ask questions whose answers separate mature programs from decks. Six that work:

First, how are keys generated and where do they live? An HSM, a tamper-resistant hardware device, keeps keys inside dedicated hardware. MPC splits a key into shares held by separate parties or machines, so no complete key ever exists in one place. Multisig requires several independent onchain signatures. Each is defensible; the answer you want is specific, not "bank-grade." Second, what quorum is required to sign, and can any single employee, including the CEO, move assets alone?Third, what happens if a key share, a data center, or the company's headquarters is destroyed? Disaster recovery should include geographically distributed, offline backup material with a rehearsed restoration procedure. Prime Trust's post-mortem is the cautionary tale: the company lost access to a legacy wallet because it "no longer had the physical devices," engraved steel backup plates, "needed even to access the old wallet," per Decrypt's review of the bankruptcy filing.

Fourth, which independent attestations exist? Ask for the SOC 1 Type II and SOC 2 Type II reports, which test controls over a period of months rather than a point in time, and read the exceptions section rather than the cover letter. The CryptoCurrency Security Standard adds a crypto-specific layer: CCSS is "a set of requirements for all information systems that make use of cryptocurrencies," audited across 41 aspect controls at three ascending levels, per C4, the standards body. Fifth, how does the policy engine work? Withdrawal allowlists, velocity limits, and time delays should be enforceable per account, and changes to policy should themselves require quorum. Sixth, has the custodian ever had a security incident, and will they say so in writing? The answer's candor is data. Deeper technical background lives in PLACEHOLDER-mpc-wallet and PLACEHOLDER-cold-storage-explained.

SLAs and Reporting: The Operational Fine Print

Service level agreements define how fast the custodian must execute withdrawals, settle transfers, respond to incidents, and deliver reporting. For treasury operations, the binding constraints are usually cold storage retrieval time, cut-off windows, and reconciliation quality, and these belong in the contract rather than the sales conversation.

Custody marketing emphasizes security; operations teams live with latency. Cold storage is deliberately slow, since retrieving keys from offline systems involves physical process and human quorum. The practical questions: What is the contractual maximum time from withdrawal instruction to onchain broadcast, for hot and for cold storage?Are there daily cut-off times or weekend gaps that would stall a Friday evening redemption until Monday? A payments company sweeping stablecoin float daily has very different tolerance than a fund rebalancing quarterly, so score the SLA against your own cadence, not against an industry ideal.

Reporting deserves equal weight. MiCA sets a useful floor even for non-EU relationships: custodians must keep "a register of positions, opened in the name of each client" and provide a statement of position "at least once every three months and at the request of the client concerned," per Article 75. In practice you should demand more: API access to real-time balances and transaction history, exportable data your finance system can reconcile daily, and named support contacts with an escalation path measured in minutes for suspected security events. If your assets earn staking rewards or participate in governance, ask how rewards are calculated, reported, and taxed in the statements. Teams running stablecoin operations at scale should also map custody SLAs against settlement needs; PLACEHOLDER-stablecoin-treasury-management covers that intersection.

Exit and Portability: Can You Leave Cleanly?

Exit terms govern how you retrieve assets and data when the relationship ends, whether by your choice or the custodian's failure. Strong terms specify offboarding timelines, supported withdrawal destinations, data export formats, and fees. Weak or absent terms convert a vendor decision into a hostage negotiation at the worst possible moment.

This is the least-asked section of the checklist and the one bankruptcy dockets keep vindicating. When Prime Trust failed, some customer assets were stranded not by fraud alone but by operational decay, including deposits routed back into wallets the company could no longer open. Exit diligence assumes bad weather. How long does full offboarding take, contractually?Are withdrawal fees fixed in the agreement, or discretionary?Can you withdraw to self-custody addresses you control, and to another custodian directly?What happens to your assets and records if the custodian is acquired, exits your jurisdiction, or enters receivership? The NYDFS updated its custodial guidance on September 30, 2025, and reading how a custodian maps its own practices to that guidance is a fast way to gauge insolvency preparedness.

Then test it. Before moving size, run a full cycle with a small balance: deposit, hold, withdraw to a new destination, and time every step against the SLA. A custodian that performs the drill without friction has told you more than any certification. Keep a standing quarterly withdrawal test in your treasury calendar; portability is a muscle, and it atrophies.

Where This Checklist Falls Short

A checklist verifies structure, not judgment. It cannot price concentration risk across custodians, it lags regulation that is still moving quickly, and it depends on documents that describe controls rather than prove their daily execution. Treat it as the floor for diligence, and pair it with ongoing monitoring rather than a one-time review.

Three limitations deserve honesty. First, paperwork can be current while operations rot; Prime Trust held a state trust license while its wallet backups sat unaccounted for, and no document request would have surfaced engraved plates missing from a drawer. Periodic withdrawal tests and onchain monitoring catch what PDFs cannot. Second, the regulatory ground is moving under this article: the OCC approved five charters in December 2025 and more applications are pending, while the SEC has signaled further custody rule modernization in its December 2025 framework paper. A checklist written today needs re-validation every couple of quarters. Third, this framework evaluates single custodians in isolation. It will not tell you whether to split assets across two providers, how much operational overhead that split costs, or when self-custody with institutional tooling beats third-party custody outright. That comparison is its own analysis; see PLACEHOLDER-digital-asset-custody.

What This Means in Practice

In practice, custodian evaluation reduces to six document requests: the charter or license, the insurance certificate, the custody agreement's title and segregation clauses, the SOC reports, the SLA schedule, and the exit terms. A provider that produces all six quickly, in writing, has passed the meta-test of transparency that predicts everything else.

Sequence matters less than completeness, but a workable order is regulatory status first, since a missing charter ends the conversation; then segregation language, since it decides what an insolvency means for you; then keys, insurance, SLAs, and exit. Write the answers into the contract, not the vendor file. And revisit annually: the Celsius ruling reshaped contract language across the industry within months, as the Arnold & Porter advisory on that decision anticipated, and charter status changed for at least five major providers in a single week of December 2025.

Custody is also only one leg of institutional digital asset operations. Once assets are safeguarded, treasury teams still need to move stablecoins between chains, venues, and counterparties efficiently. Eco builds orchestration infrastructure that gives businesses and their custodians a single integration for stablecoin liquidity across markets, which is the operational layer this series turns to in PLACEHOLDER-stablecoin-orchestration.

Methodology: regulatory facts are drawn from OCC news releases (January 13, 2021 and December 12, 2025), the NYDFS industry letters of January 23, 2023 and September 30, 2025, the SEC staff no-action letter of September 30, 2025 as analyzed by Morgan Lewis, and MiCA Article 75. Insurance figures come from BitGo's published policy disclosure. Market data is from DeFiLlama as of July 7, 2026. Incident details cite court and regulatory filings as reported by CoinDesk, Decrypt, and Morrison Foerster.

Did this answer your question?