The Handbook
Standard 8: Safekeeping of Assets
The Standard

Firms must implement institutional-grade custody. This includes a custody framework with appropriate controls commensurate with assets under management; segregation of client assets from proprietary assets with clear documentation and reconciliation; and multi-layer security architecture including physical security and cybersecurity controls. Firms must maintain comprehensive insurance coverage appropriate to assets under management and custody model, and conduct regular security assessments and maintain incident response procedures.

Introduction

Digital asset custody is quite different from traditional securities custody. Digital assets are controlled by private keys, which act as bearer instruments. Once a transaction is completed, it cannot be reversed. Unlike traditional assets, there is no central authority or clearinghouse to recover lost or stolen assets. If a private key is lost, the asset is permanently gone, even if legal ownership documents exist. Successful hacking incidents can also lead to irreversible losses. Custody failures in digital assets are final; for example, incidents like Mt. Gox and QuadrigaCX resulted in total customer asset losses with limited options for recovery.

Investment managers should use secure and reliable custody solutions for digital assets. The choice of custody depends on the firm's ability to operate and its risk level. It is essential to carefully evaluate third-party custodians, paying attention to their security features and financial health. Adding multiple security layers, such as hardware security modules and multi-signature systems, can improve safety, especially when managing assets in-house. Clear procedures for approving transactions help prevent unauthorized transfers.

Good custody practices are based on engineering principles—such as systematic controls, backup safeguards, and ongoing monitoring—rather than just vigilance, ensuring the safety and integrity of digital assets. Firms can develop a disciplined approach
to custody security by treating it as an engineering process. This includes ensuring proper segregation of duties so no single person can authorize transfers alone, keeping detailed logs of all custody activities and access, regularly testing security through penetration tests and audits, and understanding that institutional custody may reduce operational flexibility compared to less secure options.

8.1 Custody Models

Digital asset custody operates through three primary models, each presenting distinct advantages, risks, and operational requirements. Model selection depends on firm strategy, risk tolerance, operational capabilities, regulatory requirements, and asset liquidity needs. No single model proves universally optimal—firms often combine multiple approaches creating hybrid architectures matching specific requirements.

Table 1: Digital Asset Custody Model

Takeaway message: Custody governance fails when individuals who make investment decisions also control asset movement without independent verification. Effective custody requires segregation between trading authority and custody authorization—no single individual should be able to complete an asset transfer unilaterally, regardless of their seniority or role. Best practice is implementing multi-party authorization for all material asset movements, with authorization requirements documented in custody procedures and enforced through technical controls where possible. The governance framework should clearly specify who can initiate transfers, who must approve, what documentation is required, and what controls prevent circumvention.

8.2 Third-Party Custodian Due Diligence

Investment managers using third-party custodians need to
carefully check that these custodians have strong security measures, good operational skills, financial stability, and follow regulations. The quality of custodians can vary a lot—some have top-level security and full insurance, while others may not have enough capital or proper controls. It is important to do a thorough review before choosing a custodian and to keep checking their performance regularly during the relationship.

8.2.1 Key Due Diligence Areas

A comprehensive custodian assessment should cover the following mission-critical operational domains:

Regulatory status and compliance: Managers must verify if a custodian is a "qualified custodian" under the Investment Advisers Act or a state/nationally chartered trust company. In the U.S., look for institutions compliant with the 2026 Digital Asset Banking Act and the CLARITY Act, which mandate 1:1 asset reserves and quarterly independent audits.

Technology and security architecture: Assess the private key storage technology, favoring hardware security modules (HSMs), multi-party computation (MPC), and geographically distributed multi-signature arrangements. Review the provider’s cold vs. hot wallet allocation policies and verify cybersecurity certifications like SOC 2 Type II or ISO 27001.

Insurance coverage: Verify policy limits for crime (theft/fraud), cyber (hacking), and specie (physical loss). Adequate insurance should cover a significant portion of the total assets under custody. Investigate the financial ratings of insurance carriers and clarify policy exclusions—such as losses due to protocol-level forks or certain DeFi interactions.

Financial condition and stability: Review audited financial statements to ensure capitalization is adequate relative to the AUM. In 2026, regulators often expect Tier 1 capital ranges between $6M and $25M for digital asset trust banks. Assess the sustainability of their business model and the stability of their ownership structure.

Governance and internal controls: Evaluate the management
team’s technical expertise and the independence of the board. Confirm strict segregation of duties—ensuring no single custodian employee can authorize a transfer—and review transaction approval hierarchies.

Operational capabilities: Confirm support for required blockchains, tokens, and activities like staking or governance voting. Assess the quality of API integrations, reporting frequency, and the responsiveness of technical support during periods of high market volatility.

8.2.2 Ongoing Monitoring

Due diligence is a continuous process. Ongoing monitoring identifies deteriorating conditions before they result in asset loss.

Quarterly reviews: Verify updated financial statements, 1:1 reserve attestations, insurance renewals, and operational metrics (e.g., system uptime and error rates).

Annual re-assessment: Conduct a comprehensive refresh including on-site visits (where practical), reviews of business continuity test results, and deep dives into new security audit findings.

Event-driven reviews: Trigger immediate re-evaluations following security "near misses," regulatory enforcement actions, or significant changes in the custodian's management or ownership.

Concentration monitoring: Maintain custodian concentration limits to prevent over-reliance on a single provider. Fiduciaries should have contingency plans—and ideally pre-onboarded secondary custodians—to facilitate rapid asset migration if a primary provider fails.

Takeaway message: Assuming all qualified custodians offer equivalent protection is a common mistake. Insurance coverage, security architecture, financial stability, and regulatory status vary significantly across providers. Marketing claims about “institutional-grade security” require verification through independent due diligence. Best practice is conducting documented custodian due diligence that includes SOC 2 Type II reports (or equivalent), insurance certificates with coverage details, financial statements or evidence of financial stability, security architecture
review, and regulatory status verification. This diligence should be refreshed periodically—custodian circumstances change, and the assessment from two years ago may not reflect current conditions.

8.3 Self-Custody Security Framework

Firms electing for self-custody must implement a comprehensive security framework based on defense-in-depth principles. This ensures that no single failure—whether technical, physical, or human—can result in asset loss. Self-custody security integrates specialized technology with rigorous physical controls and procedural safeguards to create redundant protection against both external hackers and internal collusion.

8.3.1 Key Management Architecture

The architecture design determines the "threshold of failure." A robust setup ensures that multiple independent breaches must occur simultaneously to compromise a private key.

Hardware security modules (HSMs): Fiduciaries should use HSMs for secure key generation and storage. These devices are tamper-resistant and perform all cryptographic operations internally, meaning the private key never touches a network-connected computer.
Standard: Units should be FIPS 140-2 Level 3 (or the newer 140-3) certified, which requires identity-based authentication and physical tamper-response mechanisms that "zeroize" (erase) keys if the device is opened.
Deployment: Best practices include geographic distribution of HSMs and using diverse hardware vendors to mitigate supply chain vulnerabilities.

Multi-signature (multi-sig) configurations: Multi-sig removes "single key risk" by requiring M-of-N signatures to authorize a move.
Operational wallets (2-of-3): Provides redundancy while maintaining speed for daily activities.
Treasury wallets (3-of-5): Increases security by requiring a broader consensus.
Cold storage (4-of-7): The gold standard for large holdings, maximizing security through geographic and organizational distribution.

Shamir’s Secret Sharing (SSS): SSS is a cryptographic method that "shards" a private key into
multiple pieces. Unlike MPC, where the key is never fully formed, SSS temporarily reconstructs the key to perform a signature.
Use case: Primarily used for secure off-chain backups and disaster recovery.
Control: Reassembled keys must be destroyed immediately after use to prevent "residual" key fragments from remaining in memory.

8.3.2 Physical and Procedural Controls

Technology alone cannot ensure security. It is important to also have physical security measures and clear procedures in place. These help prevent unauthorized access and reduce errors during operations. For digital asset managers, combining technology with physical safeguards and well-defined processes is essential for effective security management.

Physical security: HSMs and backup shards should be stored in high-security facilities like bank vaults or professional safety deposit boxes. Access must be restricted via biometrics and logged with 24/7 video surveillance.

Procedural controls: Written protocols must cover the entire key lifecycle: generation, storage, rotation, and destruction. Procedures should be granular enough for trained personnel to follow without improvisation.

Segregation of duties: Fiduciaries must separate the roles of key custodian, transaction initiator, and final approver. This ensures that unauthorized transfers require a high level of collusion.

Background checks: Comprehensive background checks (criminal, credit, and employment) are mandatory for any staff with custody access, with immediate revocation of privileges upon termination.

Key generation ceremonies

The most critical moment for any self-custody system is the key generation ceremony. This formal procedure ensures the key is secure from the moment of inception.

Entropy verification: Use multiple independent, "true" random number generators to ensure the key isn't predictable.
Witnessing: Use multiple participants and independent observers to document every step.
No-visibility rule: No single individual should ever see the complete seed phrase
or private key during the process.
Immediate backup: Generated keys must be moved into their final secure storage (e.g., SSS shards in bank vaults) immediately following the ceremony.

Takeaway message: Self-custody fails when key management architecture includes single points of failure. A hardware wallet in one location, a seed phrase in one safe, or signing authority concentrated with one person—each creates a vector that must be eliminated for institutional-grade security. Best practice is implementing defense in depth: multi-signature or MPC arrangements requiring multiple parties, geographic distribution of key components, and operational procedures ensuring no single person can complete high-value transactions. The architecture should be designed so that multiple independent failures—technical, physical, and human—must occur simultaneously before assets are compromised.

8.4 Custody Tier Framework and Governance

Effective custody requires organizing assets into distinct security levels based on their operational utility. This tiered framework balances the need for maximum security with the requirement for immediate liquidity. Strategic holdings are kept in highly restricted environments, while assets for daily operations are managed in more accessible tiers. This approach ensures that protection levels are commensurate with the risk profile and trading frequency of the underlying assets.

8.4.1 Custody Tier Structure

Firms should allocate assets across four distinct levels, each with specific access controls and security architectures.

Tier 1: Cold storage (60–80% of assets)
This tier provides the highest security for long-term strategic holdings.
Architecture: Air-gapped HSMs or qualified custodians using high-threshold multi-signature (e.g., 3-of-5 or 4-of-7).
Controls: Geographic distribution of key holders, storage in bank-grade physical vaults, and a mandatory 24–48 hour delay for withdrawals.
Usage: Strategic reserves and core long-term positions not required for active
operations.

Tier 2: Warm storage (15–30% of assets)
Warm storage balances institutional security with moderate operational flexibility.
Architecture: MPC or 2-of-3 multi-signature institutional custody.
Controls: Segregated storage with dual-approval requirements and withdrawal whitelisting. Access is typically measured in hours (2–6 hours).
Usage: Operational reserves, funding for active rebalancing, and approved DeFi protocol interactions.

Tier 3: Hot wallets (5–10% of assets)
Hot wallets provide maximum flexibility but carry elevated risk due to persistent internet connectivity.
Architecture: Exchange-based accounts or dedicated hot wallet servers with single-signature authority for speed.
Controls: Real-time transaction monitoring, automated reconciliation, and strict programmatic transaction limits.
Usage: Active trading, immediate liquidity needs, and market-making operations.

Tier 4: Protocol positions (variable)
This tier encompasses assets deployed directly into smart contracts for yield or utility.
Architecture: Smart contract-controlled assets with protocol-dependent access (e.g., staking or liquidity pools).
Controls: Position-specific risk monitoring and documented "emergency exit" procedures for protocol failures or de-pegging events.
Usage: Staking, lending, and yield optimization strategies.

8.4.2 Rebalancing Governance

To maintain the integrity of the tier framework, fiduciaries must implement a disciplined rebalancing process.

Threshold monitoring: Automated alerts should trigger when the allocation in any tier deviates significantly from policy targets (e.g., a "hot" wallet exceeding 10% of AUM).
Sweep procedures: Excess funds in Tier 3 should be "swept" to Tier 1 or 2 daily to minimize the potential impact of a hack.
Approval hierarchies: Moving assets from cold to hot tiers must require higher-level executive approval than moving from hot to cold, reflecting the increased risk profile.
Audit trails: Every movement between tiers must be logged with a clear business rationale and
verified against the firm's internal ledger.

8.5 Settlement Infrastructure & Collateral Management

Institutional digital asset management requires robust settlement systems that minimize counterparty risk and maximize capital efficiency. In the 2026 landscape, the industry has shifted away from keeping assets on centralized exchanges. Instead, fiduciaries utilize off-exchange settlement (OES) and tri-party frameworks that allow for seamless execution while keeping assets under the protection of a regulated custodian.

8.5.1 Off-Exchange Settlement Framework

Off-exchange settlement minimizes the need to move assets between custody and exchanges, reducing "hot wallet" exposure and simplifying the trade lifecycle.

Bilateral settlement structures: Trades occur directly between counterparties, supported by credit relationships rather than pre-funding. Settlement occurs on a T+0 to T+2 basis, with netting agreements significantly reducing transaction volume.

Settlement workflow: The process moves from trade execution (credit limit verification) to a confirmation phase (blockchain address matching), and finally to the settlement phase where net positions are moved on-chain with cryptographic finality.

8.5.2 Tri-Party Collateral Management

Tri-party structures solve the "trust" dilemma in institutional trading by using a neutral third party to manage collateral according to programmatic rules.

Tri-party custody model: A qualified custodian holds assets for both parties. Trading permissions are granted without moving the assets, allowing for instant, book-entry settlement with maximum regulatory clarity.

Network settlement model: Specialized platforms connect counterparties. Assets remain in segregated wallets, and atomic swaps ensure "delivery versus payment" (DvP), meaning both sides of the trade occur simultaneously or not at all.

Smart contract escrow: Collateral is locked in a transparent on-chain contract. This eliminates counterparty credit risk and enables 24/7 automated release logic,
though it requires rigorous smart contract auditing.

Netting arrangements: Bilateral netting aggregates 50+ individual trades into a single net payment. This typically results in an 85%+ reduction in blockchain transactions, providing massive savings on gas fees and reducing operational overhead.

8.5.3 Banking Infrastructure

Traditional banking remains the critical link for cash management and on-ramp/off-ramp activity. Current standards require a multi-bank strategy to ensure redundancy.

Redundancy requirements: Maintain at least three active banking relationships across different regions.
Activity testing: Each relationship must process transactions monthly to ensure the rails remain open. Emergency transfer procedures (moving capital between banks) must be tested quarterly.

8.5.4 Digital Collateral Management

The "collateral evolution" has moved basic crypto toward sophisticated, yield-bearing instruments that combine blockchain efficiency with traditional stability.

Stablecoin framework

Stablecoins (primarily USDC and USDT) are now the primary 24/7 settlement rail for institutional finance.
Regulatory compliance: Under the 2026 GENIUS Act, fiduciaries should only use stablecoins with 1:1 liquid reserves (cash/T-bills) and monthly independent attestations.
Collateral utility: Programmable stablecoins allow for real-time margin adjustments and automated yield-bearing collateral through integration with tokenized money market funds.

Table 2: Stablecoin Framework

Tokenized securities as collateral

Tokenized Treasuries and
money market funds (MMFs) represent a transformative shift in digital asset management. These instruments combine the high credit quality and legal stability of traditional government-backed securities with the 24/7 programmable efficiency of blockchain technology. This allows managers to utilize yield-bearing instruments as collateral, optimizing capital efficiency while maintaining a conservative risk profile.

Key features: Products are typically SEC-registered with daily net asset value (NAV) calculations and are 1:1 backed by government securities or repurchase agreements.
Primary benefits: Tokenized securities provide institutional-grade regulatory clarity and established oversight. They generate yield while simultaneously serving as collateral for trading and are available for atomic settlement 24/7, bypassing traditional banking hours.
Implementation considerations: Managers should prioritize SEC-registered products with proven track records. It is essential to maintain diversification across multiple issuers and platforms to prevent concentration risk. Managers must also verify that their selected execution venues or prime brokers accept these specific tokenized instruments for margin purposes.

8.5.5 Account Control Agreements

Account control agreements (ACAs) are essential legal instruments in digital asset lending and prime brokerage. They allow a secured party (lender) to "perfect" their security interest in digital assets held by a third-party custodian without requiring the physical transfer of those assets to the lender’s own wallet. This "tri-party" framework provides a secure and efficient way to manage collateralized loans and margin trading.

ACA framework requirements

Real-time enforcement: The custodian must possess the technical capability to enforce control instructions within minutes. The system must be able to block transfers or freeze accounts instantly without further borrower approval once a "notice of exclusive control" is triggered.
Legal perfection:
Managers must obtain legal opinions confirming the perfection of the security interest under relevant laws, such as UCC Article 12 (governing controllable electronic records), which gained widespread adoption by 2026.
Technical integration: The custodian’s API must integrate directly with the lender’s risk management systems to support automated margin calls and liquidation procedures.

Critical capabilities

Response speed: Maximum response time for control instructions must be documented in a service level agreement (SLA), typically requiring action within 15 minutes.
Granular controls: The infrastructure should support partial restrictions or "springing" controls rather than simple all-or-nothing account blocks, allowing for more nuanced risk management.

8.6 Insurance and Risk Transfer

Comprehensive insurance provides a critical layer of protection against custody-related losses and enables the transfer of risk to traditional carriers with robust capital reserves. Today, the digital asset insurance market has matured, but remains complex due to varying exclusions and specific "security warranties" that can void a policy if not strictly followed.

8.6.1 Custodian Insurance Evaluation

Most institutional custodians include insurance as a core component of their service offering. However, the quality and breadth of protection differ significantly between providers. Investment managers must conduct a granular analysis of these programs to ensure that coverage aligns with the fund’s risk profile and asset allocation.

Coverage structure assessment

The most critical distinction in an insurance program is between dedicated and shared coverage.
Dedicated coverage: Provides specific policy limits for a single client, ensuring clear claim priority and preventing the "first come, first served" exhaustion of funds.
Shared coverage: Pools limits across the custodian's entire client base. In the event of a platform-wide breach, allocation formulas may leave individual funds with inadequate recovery.
Verification requirements: Managers should obtain insurance certificates, policy declarations specifying the structure (dedicated vs. shared), and financial strength ratings (e.g., A.M. Best or S&P) for the underlying carriers.

Coverage scope analysis

Actual protection is often dictated by the specific "wallet tier" where assets reside.
Cold storage: Typically receives the most comprehensive coverage with the lowest deductibles due to its offline nature.
Hot & warm storage: Coverage is often severely limited or excluded entirely for internet-connected wallets, despite these tiers carrying the highest operational risk.
DeFi & staking: Standard custody policies frequently exclude assets deployed in smart contracts or staking protocols.
Verification requirements: Review the complete policy wording, including asset coverage lists (specifying supported blockchains/tokens) and exclusion schedules to identify protection gaps.

Exclusions and warranties

Policy "fine print" can render insurance void if specific conditions are not met.
Common exclusions: Many policies do not cover social engineering (even if MFA was bypassed), losses from "authorized but fraudulent" transactions, or vulnerabilities in third-party smart contracts.
Security warranties: These are contractual requirements the manager or custodian must follow to maintain coverage. Common warranties include mandatory use of FIPS-certified HSMs, specific multi-signature thresholds, and strict incident notification timeframes.
Verification requirements: Documentation must show that current operational procedures (e.g., 3-of-5 multi-sig) match the warranties specified in the insurance contract.

Claims process requirements

A policy is only valuable if it pays out efficiently during a crisis. Managers should evaluate the following:
Notification windows: Procedures often require formal notice within 24–72 hours of a suspected incident.
Submission standards: Requirements for forensic analysis, security logs, and transaction records needed to
substantiate a claim.
Track record: Research the carrier's historical claims experience and average settlement timeframes within the digital asset sector.

8.6.2 Custodian Insurance Landscape

The digital asset insurance market is segmented by provider type, each offering different levels of protection and operational trade-offs. Institutional managers must match their specific strategy—whether long-term holding or active DeFi participation—to the appropriate insurance profile.

Qualified custodians: These providers typically offer dedicated "crime and specie" policies with clear limits and bankruptcy protection. They provide client-specific certificates and align with the 2026 CLARITY Act standards. However, they often exclude hot wallets and offer minimal protection for assets deployed in staking or DeFi protocols.

Technology platforms: These entities utilize shared coverage pools that include technology errors and omissions (E&O) components. This provides better coverage for API-driven transactions and broader asset support. It should be noted that shared limits across the entire client base can lead to "limit exhaustion" during systemic events, and claims procedures are often technically complex.

Exchange custodians: Often feature exchange-wide policies with massive aggregate limits, providing a seamless experience for high-frequency traders. However, assets are frequently commingled, and coverage may be tied to the exchange's overall solvency rather than specific client accounts, creating significant bankruptcy risk.

Bank custodians: Banks leverage traditional, multi-billion dollar financial institution policies with extensive E&O coverage and balance sheet protection. However, they are often restricted to "blue chip" assets (BTC, ETH) and require highly restrictive security models that can hinder operational speed.

Takeaway message: Insurance evaluation helps managers distinguish between those with a deep understanding of coverage and those who see it as just a basic service. When
reviewing insurance programs, evaluators should ask for clear and complete documentation. This includes insurance certificates from custodians showing coverage limits and insurance providers, detailed policy wording with any exclusions clearly marked, and proof of additional coverage policies. It is also important to perform a gap analysis to identify uncovered risks and understand how they are managed. Additionally, a claims process framework should be reviewed to ensure proper handling of claims. During due diligence, key questions should be addressed: What happens if a custodian experiences a security breach? Can you walk through the claims process step by step? What are the notice requirements for filing claims? Who is responsible for submitting claims? What portion of assets is covered by dedicated insurance versus shared coverage? Where are the coverage gaps, and what measures are in place to address them? Vague statements about having "comprehensive insurance" without supporting documentation often indicate a lack of understanding of insurance coverage. Clear, detailed documentation and a thorough review process are essential for effective risk management in digital asset investments.

8.7 Multi-Custodian Architecture and Selection

Concentration risk in digital asset custody represents an existential threat to fund operations. Unlike traditional finance, where sub-custody is an invisible operational layer, the "bearer instrument" nature of digital assets means that a single provider failure can lead to total, irreversible loss. Today, institutional policies increasingly mandate a multi-custodian architecture. This approach moves beyond simple safekeeping, treating custody as a strategic resilience layer that prevents single points of failure, mitigates jurisdictional risk, and ensures 24/7 market access.

8.7.1 Custodian Selection Framework

Selecting the right mix of custodians involves matching specific operational needs—such as trading frequency and asset
diversity—with the appropriate regulatory and security profile.

Primary decision factors

Regulatory requirements: Qualified custodian status mandatory for regulated fund vehicles; more flexibility for separately managed accounts; institutional allocators typically expect qualified custody. Consider jurisdiction-specific rules and investor requirements.

Trading activity level: High-frequency trading requires custody with exchange connectivity and APIs; daily/weekly rebalancing needs warm wallet capabilities; monthly-plus rebalancing emphasizes cold storage with scheduled access.

Asset diversity: Bitcoin/Ethereum only provides widest custodian options; mid-cap assets require verification of specific token support; DeFi participation needs MPC with protocol connectivity; staking requirements need specialized support.

Risk tolerance: Conservative approach emphasizes qualified custodians with bankruptcy-remote structures; balanced approach combines qualified custody with technology platforms; progressive approach accepts more self-custody with sophisticated controls.

Table 3: Custodian Provider Comparison

8.7.2 Due Diligence Framework

A thorough evaluation of custodians involves a systematic review of various aspects to ensure reliability and efficiency. This process helps investment managers, especially those handling digital assets, to select the most suitable custodians for their needs. Key areas of assessment
include security measures, compliance with regulations, operational capabilities, technological infrastructure, and customer support. By carefully analyzing these factors, digital asset managers can make informed decisions, reducing risks and enhancing the safety of their investments. This standardized approach ensures consistency and thoroughness in evaluating custodians, which is essential for maintaining trust and integrity in digital asset management.

Regulatory Assessment

- Qualified custodian status under Investment Advisers Act or equivalent
- Licenses in all operating jurisdictions with capital adequacy
- Regulatory examination history and outstanding actions
- Legal opinions confirming bankruptcy-remote structure
- AML/KYC procedures and sanctions screening capabilities

Operational Evaluation

- Uptime history targeting 99.9%+ availability with downtime documentation
- Asset coverage breadth across blockchains and token types
- Integration capabilities through APIs and technical documentation
- Transaction processing capacity and scaling plans
- Reporting quality, frequency, and customization options
- Customer support responsiveness and technical expertise

Financial Analysis

- Balance sheet strength with capital adequacy relative to custody assets
- Audited financial statements showing profitability trends
- Funding sources and runway adequacy (minimum 18 months)
- Credit ratings if available from recognized agencies
- Ownership structure stability and shareholder quality
- Business model sustainability and revenue concentration analysis

Technical Architecture

- Security architecture including HSMs, multi-signature, MPC implementation
- Key management procedures and geographic distribution
- Cold versus hot storage allocation policies
- Third-party security audits and penetration testing results
- Incident history including breaches, near misses, and responses
- Cybersecurity certifications (SOC 2 Type II, ISO 27001)
- Business continuity and disaster recovery with tested procedures

Governance and Controls
- Board composition with independent directors and relevant expertise
- Management team experience in both traditional finance and digital assets
- Internal control framework with SOC 2 Type II attestation
- Segregation of duties in custody operations
- Transaction authorization procedures preventing single-person control
- Audit committee oversight with external audit reports

Red flags: Lack of a 1:1 reserve attestation, pending regulatory enforcement, vague security descriptions, or "shared" insurance limits that could be exhausted by other clients.

8.7.3 Multi-Custodian Allocation

Using different types of custodians helps lower risk by avoiding over-reliance on a single provider. It also improves the overall management of digital assets. Diversification is no longer optional; it is a baseline requirement for institutional resilience.

- Allocation review: Conduct quarterly re-assessments of each custodian’s risk profile. If a provider’s financial health or regulatory status changes, an immediate rebalancing evaluation is required.
- Contingency planning: Maintain "warm" backup relationships with secondary custodians. This includes having legal agreements and API integrations pre-configured.
- Migration testing: Periodically rehearse asset migration procedures (e.g., a "paper exercise" or small-scale transfer) to estimate the time required for an emergency exit—typically targeting a 1–2 week window for full migration in a crisis.

Allocator Due Diligence Considerations

Institutional allocators assess custody by examining the security measures, settlement processes, insurance coverage, and how custodians are chosen. If a firm cannot show strong security controls, provide complete insurance documents, or clearly explain settlement procedures, it indicates weaknesses in custody practices.

Custody Model and Architecture

- What is your custody model and why did you choose it?
- Describe your custody architecture including key management and security layers.
- If you use third-party custodians, provide your due diligence report evaluating their capabilities, financial condition, insurance coverage, and security controls.
- If you self-custody, walk through your key management architecture including multi-signature arrangements, hardware security modules, and access controls.
- Show your custody tier framework with allocation targets and actual allocations. When did you last rebalance?

Settlement Infrastructure

- How do you handle off-exchange settlement? What bilateral and tri-party arrangements exist?
- Walk through a complete settlement workflow from execution through post-settlement reconciliation.
- What netting arrangements exist with counterparties? Show settlement documentation.
- Describe your banking infrastructure. How many banking relationships do you maintain and why?
- How do you utilize stablecoins and tokenized securities as collateral?
- Do you have account control agreements in place? How do they function operationally?

Security Controls and Authorization

- Walk through your transaction authorization process. Who can initiate, approve, and execute asset movements?
- What security audits have been completed? Provide results of most recent penetration test and SOC 2 audit.
- How do you protect private keys and prevent unauthorized access? Show key management procedures.
- Have you had any security incidents in the past two years? If so, how did you respond?
- Can the CEO override transaction approvals? Walk through the override process if it exists.

Insurance and Risk Transfer

- What insurance coverage do you maintain? Provide complete insurance certificates showing limits and carriers.
- Is custodian insurance dedicated or shared? What is the claims process?
- What supplemental insurance do you carry directly?
- Show gap analysis identifying uncovered risks.
- Provide your insurance coordination document showing how multiple policies respond.
- Walk through a hypothetical custody loss scenario. Which insurance responds and what is the recovery process?

Multi-Custodian Architecture

- How many custodians do you use and what is the allocation across them?
- Walk through your custodian selection process. Show due diligence reports on current custodians.
- What concentration limits exist preventing over-reliance on single custodian?
- How quickly could you migrate to backup custodian if primary relationship failed?
- Show recent custodian review documentation with quarterly monitoring.

Operational Controls

- How do you authorize large transfers? Walk through a $10M withdrawal from cold storage.
- What are your reconciliation procedures and frequency? Provide sample daily reconciliation report.
- Show your wallet inventory with all addresses and purposes.
- What counterparty concentration limits exist for settlement?
- How do you manage collateral optimization across venues and counterparties?
Documentary Evidence Requirements

- Custody policy with security controls, tier framework, and authorization procedures
- Third-party custodian due diligence reports with annual updates
- Self-custody key management architecture diagrams (if applicable)
- SOC 2 Type II reports from all custodians
- Recent penetration test and security audit results
- Settlement agreements and bilateral credit arrangements
- Credit Support Annex (CSA) documentation with collateral schedules
- Account control agreements for prime brokerage (if applicable)
- Insurance policies and certificates showing coverage (custodian and direct)
- Insurance coordination document and gap analysis
- Custodian selection documentation including RFP and evaluation
- Multi-custodian allocation policy with concentration limits
- Daily custody reconciliation reports with break resolution documentation
- Incident response logs and resolution documentation
- Key generation ceremony documentation (if applicable)
- Wallet inventory with addresses, purposes, and authorization levels
- Transaction authorization logs showing approval workflows
- Board minutes approving custody arrangements

Common Pitfalls & Remediation

Custodian selected without rigorous due diligence
Custodian chosen based on reputation or convenience without assessing financial strength, security architecture, insurance coverage, regulatory status, or operational controls. Marketing claims accepted without verification.
Remediation: Implement comprehensive due diligence covering SOC 2 Type II reports, insurance certificates with coverage details, financial statements, security architecture review, and regulatory standing. Document findings and reassess annually—custodian circumstances change.

Multi-signature is nominal, not real
Multi-sig wallet exists but one person controls multiple keys, or keys are stored together, or approval can be bypassed through management override. The control exists on paper only.
Remediation: Ensure genuine key independence: different individuals, different
locations, different organizational reporting lines. Test periodically by confirming no single person or location compromise could authorize transactions. Document key holder roles and geographic distribution.

Hot wallet balances exceed operational needs
Convenience drives holding large balances in internet-connected wallets, creating unnecessary exposure to compromise. A single security failure can result in material loss.
Remediation: Limit hot wallet holdings to operational minimums—typically under 5% of assets. Implement automated sweeps to cold storage when balances exceed thresholds. Monitor hot wallet activity daily with alerts for unusual patterns.

Senior executives can override custody controls
CEO or CIO can bypass approval requirements citing urgency or authority. Override capability negates the control structure entirely—if one person can move assets unilaterally, multi-sig provides no protection.
Remediation: Eliminate override authority completely, regardless of seniority or circumstances. Every transaction follows standard approval workflow. Document this explicitly in custody policy and test that technical controls enforce it.

Security assessments infrequent or absent
Penetration testing and security audits performed once at launch or never. Vulnerabilities accumulate undetected as systems evolve and threat landscape changes.
Remediation: Conduct penetration testing at least annually and after significant infrastructure changes. Require SOC 2 Type II audits for any custody operations. Track findings to remediation with defined timelines.

Incident response undocumented or untested
No defined procedures for security breach, or procedures exist but have never been exercised. During actual incident, confusion about roles and communication delays worsen outcomes.
Remediation: Document incident response covering detection and classification, escalation matrix, communication protocols, containment procedures, and recovery steps. Conduct tabletop exercises at least annually. Update
procedures based on exercise findings.

Physical security neglected
Focus on cybersecurity while physical protection of key material, hardware wallets, and seed phrase backups receives inadequate attention. Physical compromise can bypass all technical controls.
Remediation: Implement physical security for all key material: restricted access, surveillance, tamper-evident storage, and environmental controls. Distribute backups geographically. Include physical security in periodic security assessments.

Key recovery procedures untested
Recovery process documented but never executed. Assumptions about access, timing, and coordination unvalidated until actual emergency—when discovering problems is too late.
Remediation: Test key recovery procedures at least annually under realistic conditions. Simulate various scenarios: key holder unavailable, hardware failure, facility inaccessible. Document test results and remediate gaps immediately.

Third-party custodian oversight lapses after onboarding
Initial due diligence performed but ongoing monitoring neglected. Custodian control environment may deteriorate without detection.
Remediation: Require annual SOC report review and attestation updates from custodians. Monitor for regulatory actions, security incidents, or material changes. Maintain escalation procedures for identified deficiencies—and willingness to transition if issues aren't resolved.

Insurance coverage assumed adequate without analysis
Reliance on custodian's insurance without understanding coverage limits, exclusions, deductibles, or claim procedures. Gaps discovered only when filing a claim.
Remediation: Obtain and review custodian insurance policies—not just certificates. Conduct gap analysis against actual risk exposures. Consider supplemental direct coverage for gaps. Document coverage coordination and test claims process understanding.

Assets concentrated with single custodian
Majority of holdings with one provider regardless of quality—creating single point of failure if custodian
experiences security breach, insolvency, or operational failure.
Remediation: Implement multi-custodian architecture with concentration limits (30–40% maximum per custodian). Maintain backup custodian relationships with tested onboarding. Document migration procedures for rapid transition if needed.

Key Controls & Documentation
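The periodic key-independence test called for in the "multi-signature is nominal, not real" remediation can be run against the wallet inventory. The following Python is an added example, not part of the handbook; the KeyShare fields, function names and the two sample 2-of-3 inventories are assumptions constructed for illustration. It reports every person, location or reporting line that alone holds enough keys to meet the quorum, and how many independent compromises are needed per dimension.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyShare:
    key_id: str
    person: str          # individual able to sign with this key
    location: str        # site where the key material is stored
    reporting_line: str  # executive the holder ultimately reports to


DIMENSIONS = ("person", "location", "reporting_line")


def min_compromises(shares, threshold, dimension):
    """Fewest distinct people/sites/lines whose keys together reach the quorum."""
    sizes = sorted(Counter(getattr(s, dimension) for s in shares).values(),
                   reverse=True)
    held = 0
    for count, size in enumerate(sizes, start=1):
        held += size
        if held >= threshold:
            return count
    return None  # fewer keys exist than the threshold requires


def audit_quorum(shares, threshold):
    """List (dimension, value, keys_held) wherever one compromise meets the quorum."""
    findings = []
    for dim in DIMENSIONS:
        groups = Counter(getattr(s, dim) for s in shares)
        findings += [(dim, value, n) for value, n in sorted(groups.items())
                     if n >= threshold]
    return findings


# Constructed sample inventories for a 2-of-3 wallet (not real data).
NOMINAL = [
    KeyShare("k1", "alice", "hq-safe", "ceo"),
    KeyShare("k2", "alice", "hq-safe", "ceo"),
    KeyShare("k3", "bob", "hq-safe", "ceo"),
]
INDEPENDENT = [
    KeyShare("k1", "alice", "zurich-vault", "coo"),
    KeyShare("k2", "bob", "singapore-vault", "cfo"),
    KeyShare("k3", "carol", "new-york-vault", "cro"),
]

if __name__ == "__main__":
    for name, wallet in (("nominal", NOMINAL), ("independent", INDEPENDENT)):
        print(name, audit_quorum(wallet, 2),
              {d: min_compromises(wallet, 2, d) for d in DIMENSIONS})
```

Any finding, or a min_compromises value of 1 in any dimension, means the multi-signature control exists on paper only.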