Safeguarding the future of digital assets: the challenges facing digital asset custodians

Written by Mark Turner and Rowan Milne

February 17, 2025

The principle of custody services for securities and other traditional assets is well established and enshrined in law. Put most simply, custody uses legal mechanisms to separate an asset's holder from its beneficiary. This protects beneficial owners in cases where the holder of their assets becomes insolvent. In the UK, a comparable legal framework has not been defined for crypto assets, despite market demands driving the increasing incorporation of businesses providing ‘crypto custodian’ services under the FCA’s general ‘cryptoasset’ registration regime.

Selection of digital asset custodians

Source: Teamblockchain

The custodian sector is highly fragmented. While some larger providers of digital asset storage solutions remain associated with the larger exchanges, there is a growing new breed of pure custody providers seeking to capitalise on and foster the growing adoption of digital assets by those most familiar and comfortable with traditional finance (or “trad-fi”) and the norms thereof.

Trust is the cornerstone of widespread participation in financial markets. While the popularity of digital assets has grown exponentially in recent years, owners of digital assets remain very few in comparison to those participating in traditional financial markets. While price volatility is a factor, a key barrier to wider adoption is also trust in the operation of the market and its service providers. In the absence of policy from regulators in the UK on digital asset custody, contractual terms between customers and crypto custodians are key to understanding the level of protection that may be afforded.

Significant crypto hacks, thefts, fraud and insolvencies have made asset protection and security a priority for many market participants. A key divergence in custodian practices is around the practice of segregating custody assets. Another norm of trad-fi, segregation establishes clear ownership rights over specific assets ascribed to each custodial client. Unfortunately, a common practice in the crypto market is for client assets to be held in omnibus accounts, in which case, under insolvency proceedings, they could be viewed as the service provider’s assets and available to creditors.

For those who acknowledge the value of a clear custodian regime to holders of crypto assets, there still remain significant challenges and risks facing those providing these services.

Cyber security is a fundamental risk to a market which can’t place physical walls and safe doors around its assets. Custodians are particularly vulnerable. In December 2021, BitMart, a provider of custodial services, suffered a hack in which $150 million worth of crypto assets were stolen from customer hot wallets. The security of private keys is paramount. There are inherent vulnerabilities at many stages in the operational framework, including generation, storage, backup and customer account recovery arrangements. Manual processes within the custody framework are also vulnerable to phishing and social engineering attacks.

The secure management of digital assets also presents challenges beyond cyber security. Operationally, service providers should have governance, systems and controls in place to mitigate customer impact from operational failures. These failures could manifest, for example, as system outages, the failure of third-party providers, or human error. Operational resilience plans are integral to identifying and mitigating these risks, just as we see in trad-fi.

There is currently a degree of regulatory for providers of crypto custody services. At present market norms and client demands largely determine the level of protection afforded to clients and the operational frameworks in place to support that. We anticipate that UK policy in this area will formalise expectations, but the details remain unpredictable - although policy is unlikely to match the level of regulation applied to securities in the near future. If at minimum the custodians of crypto assets are required to disclose how client assets are held, then at least crypto asset owners will be able to make more informed decisions about the degree of protection they would like.

Outside of the UK, international regulatory divergence means that custody practices vary between jurisdictions and customers may not always be aware of what regulatory regime a custodian is under. However, the development of strong market norms through regulation in jurisdictions like the UK, EU and US would encourage a move towards global minimum accepted standards which may be helpful to digital asset owners.

The tokenisation of real-world assets is no longer a concept - it’s a financial paradigm shift. From equities and commodities to real estate and intellectual property, blockchain technology is unlocking trillions in previously illiquid assets, transforming how value moves across the global economy. Investors will need their digitised assets looked after and so the demand for digital custodians is set to expand.

We will unpick these themes through a series of further articles on cyber, operational and regulatory risk as we explore ways to enhance trust in the digital custodian sector.

This article first appeared in Digital Bytes (11th of February, 2025), a weekly newsletter by Jonny Fry of Team Blockchain.