The rise of tokenized assets is reshaping the financial landscape, introducing new opportunities—and challenges—for registered investment advisors (RIAs) and institutional investors. As digital assets gain traction, so does the need for robust, flexible, and secure custody frameworks. In response to the evolving regulatory environment and operational complexities, a principles-based approach to crypto asset custody has emerged as a pragmatic path forward.
This framework, originally developed in response to the U.S. Securities and Exchange Commission’s (SEC) request for information on crypto custody, outlines five core principles designed to uphold investor protection while enabling RIAs to fully exercise economic and governance rights over tokenized assets.
Why Crypto Assets Are Different
Traditional financial assets operate under well-defined custody models where control equates to exclusion—only one party can possess or transfer an asset at a time. Crypto assets, however, function differently. Multiple parties may have access to the same private keys, and transfers can occur without centralized oversight.
Moreover, many crypto assets carry intrinsic economic and governance rights—such as staking rewards, yield farming opportunities, or voting power in decentralized protocols—that are embedded within the asset itself. Unlike traditional securities that generate passive income (e.g., dividends), these rights often require active participation from the holder.
This introduces a critical challenge: if third-party custodians do not support on-chain interactions, RIAs may be forced to temporarily withdraw assets from custody to exercise these rights—potentially violating existing regulatory expectations around asset safekeeping.
The Five Principles of Crypto Asset Custody
These principles aim to preserve the core objectives of the SEC’s Custody Rule—security, transparency, and independent verification—while adapting them to the unique nature of digital assets.
Principle 1: Legal Status Should Not Define Custodial Eligibility
Under current regulations, only certain entities—such as banks or broker-dealers—are recognized as "qualified custodians." However, this narrow definition overlooks capable institutions like state-chartered trust companies or emerging regulated crypto-native firms.
Rather than relying solely on legal designation, custody eligibility should be based on substantive protection capabilities. A custodian should qualify if it meets rigorous standards, regardless of its formal classification. This includes:
- State-chartered trust companies regulated by state or federal authorities
- Entities registered under proposed federal crypto market structure legislation
- Any organization—registered or not—that demonstrates adherence to high client protection benchmarks
This shift ensures that innovation isn’t stifled by outdated structural assumptions.
Principle 2: Robust Protection Mechanisms Are Non-Negotiable
Effective custody requires more than compliance checkboxes—it demands technical rigor and operational resilience. All custodians should implement the following safeguards:
- Segregation of duties: No unilateral movement of assets; multi-party authorization required for transactions
- Asset isolation: Client holdings must be kept separate from other clients’ funds or the custodian’s balance sheet
- Secure hardware sourcing: Avoid compromised or vulnerable devices in key management infrastructure
- Independent audits:
  - SOC 1 and SOC 2 reports
  - PCAOB-registered auditors for financial controls
  - On-chain asset verification and disclosure
- Technical audits:
  - ISO 27001 certification
  - Regular penetration testing
  - Disaster recovery and business continuity planning
- Insurance coverage: Comprehensive insurance (including umbrella policies), or equivalent reserves if insurance is unavailable
- Risk disclosures: Annual reporting of key risks and mitigation strategies, with quarterly updates as needed
- Jurisdictional safeguards: Assets must not be held in jurisdictions where they could become part of bankruptcy proceedings
Additionally, custodians should enforce protections across all stages:
- Preparation: Evaluate wallet software, key generation processes, and tool provenance
- Key generation: Use multi-layered cryptographic schemes with both horizontal (peer-level) and vertical (tiered) access controls; require quorum verification with physical presence monitoring
- Key storage: Never store keys in plaintext; use geographically distributed, air-gapped systems; employ FIPS-compliant HSMs with dual redundancy
- Key usage: Enforce strict identity verification; use open-source cryptographic libraries; follow least-privilege access models
Principle 3: Custody Rules Must Allow Exercise of Economic & Governance Rights
RIAs should be able to stake tokens, vote on governance proposals, or participate in yield-generating protocols without losing regulatory standing. If a third-party custodian cannot support these functions, transferring assets temporarily to a self-hosted wallet to exercise rights should not automatically constitute a "custody withdrawal."
However, such transfers must be justified in writing—demonstrating that the action cannot be performed within the custodial environment. Custodians should also be permitted to delegate signing authority to RIA-controlled wallets when appropriate.
This principle empowers advisors to unlock the full value of tokenized assets while maintaining fiduciary responsibility.
Principle 4: Flexibility for Best Execution Is Essential
RIAs have a duty to achieve best execution on trades. To fulfill this obligation, they must be allowed to move assets to secure trading venues—even if those platforms aren’t traditional custodians—as long as due diligence confirms their reliability and security.
Such transfers should not be deemed custody violations if:
- The platform is deemed suitable for best execution
- The transfer is temporary and purpose-specific
- Assets are returned promptly post-execution
Future regulation under proposed crypto market frameworks would further legitimize these pathways.
Principle 5: Self-Custody Is Permissible Under Strict Conditions
While third-party custody remains the preferred option, self-custody should be permitted when:
- No qualified third-party custodian offers adequate protection
- The RIA’s internal controls meet or exceed industry standards
- Self-custody is necessary to exercise economic or governance rights
In such cases, RIAs must:
- Annually revalidate the justification for self-custody
- Disclose the arrangement to clients
- Ensure audit compliance under the Custody Rule, including proof of asset segregation and security protocols
Frequently Asked Questions
Q: Why can’t traditional custodians handle crypto assets effectively?
A: Most legacy custodians lack support for on-chain interactions like staking or voting. They also often restrict access to private keys, making it impossible to activate embedded asset rights without full withdrawal.
Q: Does self-custody increase risk for investors?
A: Not necessarily—if proper safeguards are in place. The key is ensuring that internal systems match or exceed third-party security standards through audits, insurance, redundancy, and access controls.
Q: How do these principles align with current SEC rules?
A: They extend the intent of the Custody Rule—protecting client assets—into the digital realm. Rather than demanding rigid compliance, they focus on outcome-based protections tailored to crypto’s unique characteristics.
Q: Can non-security tokens follow these guidelines?
A: Yes. While the framework applies primarily to securities, RIAs are encouraged to apply similar standards across all digital asset types for consistency and fiduciary accountability.
Q: What happens if a custodian fails despite following these principles?
A: No system is immune to failure. However, adherence to these standards strengthens legal and regulatory defenses by demonstrating reasonable care and due diligence.
Toward a More Adaptive Custody Framework
A principles-based model offers the flexibility needed to navigate the rapidly evolving world of tokenized assets. By prioritizing substantive protection over legal form, enabling active asset participation, and allowing responsible self-custody, this approach empowers RIAs to serve clients effectively in a digital-first economy.
As regulation matures, these principles can serve as a foundation for clearer rules that balance innovation with investor safety—ensuring that the promise of tokenization is realized without compromising trust.