Qualified Custodian for Crypto: What Institutions Need to Know
July 01, 2026
Key Takeaways
A qualified custodian is a financial institution authorized by the SEC to hold client assets, including banks, broker-dealers, FCMs, and certain state-chartered trust companies
The SEC’s September 2025 no-action letter confirmed that state-chartered trust companies can serve as qualified custodians for crypto assets under specific conditions
RIAs managing client crypto assets must use a qualified custodian or meet strict self-custody requirements under the Custody Rule
Due diligence requirements include SOC 2 Type II reports, audited financial statements, asset segregation agreements, and risk disclosures
For registered investment advisers (RIAs), hedge funds, and institutional investors, the question of custody isn’t optional, it’s a regulatory requirement. When client assets include cryptocurrencies or digital assets, finding a qualified custodian becomes both a compliance imperative and an operational challenge. Understanding blockchain custody fundamentals is essential before navigating these requirements.
This guide explains what makes a custodian “qualified” under SEC rules, how the regulatory landscape has evolved for crypto custody, and what institutions need to verify before selecting a digital asset custodian.
What Is a Qualified Custodian?
A qualified custodian is a financial institution that meets the SEC’s standards for safeguarding client assets under the Investment Advisers Act of 1940. The SEC Custody Rule (Rule 206(4)-2) requires registered investment advisers who have custody of client funds or securities to maintain those assets with a qualified custodian. For a deeper dive into custody frameworks, see our institutional digital asset custody guide.
SEC Definition of Qualified Custodian
Under current SEC regulations, the following entities qualify as qualified custodians:
Banks: Federally regulated banks and savings associations that are subject to capital requirements, regular examinations, and deposit insurance protections.
Registered Broker-Dealers: Securities broker-dealers registered with the SEC and FINRA, subject to net capital rules and customer protection requirements.
Futures Commission Merchants (FCMs): For commodity-related assets, FCMs registered with the CFTC provide qualified custody services.
Foreign Financial Institutions: Certain foreign banks and financial institutions that meet specific criteria for asset segregation and regulatory oversight.
State-Chartered Trust Companies: As clarified in the SEC’s September 2025 no-action letter, state-chartered trust companies can qualify as “banks” for custody purposes when they meet specific conditions.
The key principle underlying this regulatory status is investor protection: assets must be properly segregated from the custodian’s own assets, protected in the event of the custodian’s bankruptcy, and subject to independent verification.
The SEC Custody Rule Explained
The Custody Rule establishes the framework for how investment advisers must handle client assets. Understanding this rule is essential for any institution managing digital assets for clients.
Core Requirements
If an RIA maintains custody over client assets (meaning they can access or control them), the Custody Rule imposes several key requirements:
1. Qualified Custodian Requirement
Client funds and securities must be maintained with a qualified custodian. The custodian must hold assets in accounts that clearly identify the client as the beneficial owner or in the name of the investment adviser as agent or trustee for the clients.
2. Account Statements
The qualified custodian must send account statements directly to clients at least quarterly. These statements must identify the amount of funds, securities, and transactions during the reporting period.
3. Surprise Examination
An independent public accountant must conduct an annual surprise examination to verify client assets. This examination must be unannounced and occur at a time randomly chosen by the accountant.
4. Internal Control Reports
Advisers that maintain custody (or their qualified custodians) must obtain an internal control report from an independent public accountant that describes the controls in place for safeguarding client assets.
What Constitutes “Custody”?
The SEC defines custody broadly. An adviser has custody if it:
Holds client funds or securities directly
Has authority to obtain possession of client assets
Has the ability to deduct fees from client accounts
Acts as general partner of a fund or in a similar capacity
Has signatory authority over client accounts
For crypto assets, custody typically means controlling the private keys that enable transactions on the blockchain. If an RIA controls—or can access—the private keys for client crypto assets, the adviser has custody under SEC rules.
Qualified Custodians for Crypto Assets
The crypto custody landscape has evolved significantly since the SEC first applied the Custody Rule to digital assets. Several developments have clarified how institutions can meet SEC-compliant custody requirements. For an overview of available options, explore our crypto custody solutions guide.
The September 2025 No-Action Letter
A pivotal moment came on September 30, 2025, when the SEC Division of Investment Management issued a no-action letter confirming that state-chartered trust companies can serve as qualified custodians for crypto assets. This letter addressed years of regulatory uncertainty about whether crypto-focused custodians could meet SEC standards.
Under this guidance, state-chartered trust companies qualify as “banks” for custody purposes when they meet specific conditions:
Authorization: The trust company must be authorized by the relevant State Banking Authority to provide custody services for crypto assets and related cash or cash equivalents.
Written Policies: The custodian must implement written internal policies and procedures reasonably designed to safeguard crypto assets against theft, loss, misuse, and misappropriation.
Audited Financial Statements: The custodian must provide audited financial statements prepared in accordance with GAAP by an independent public accountant.
Internal Control Reports: A Type II SOC report (or equivalent) from an independent public accountant must confirm that controls are suitably designed and operating effectively for custodial services. Learn more about what this certification entails in our SOC 2 Type II certification announcement.
Custody Agreement Protections: Written agreements must ensure that custodial assets are not lent, pledged, hypothecated, or rehypothecated without client consent, and that all assets are segregated from the custodian’s own assets.
Types of Crypto Qualified Custodians
Institutions seeking qualified custody for digital assets have several options:
State-Chartered Trust Companies: Following the 2025 no-action letter, state trust companies with appropriate authorizations can serve as qualified custodians. States like Wyoming, South Dakota, and New York have established regulatory frameworks for digital asset custody. For Bitcoin custody specifically, these frameworks provide clear compliance pathways.
National Banks with OCC Approval: Federally chartered banks that have received OCC approval to provide crypto custody services qualify automatically under the Custody Rule.
Broker-Dealers with Crypto Operations: Some registered broker-dealers have obtained SEC and FINRA approval to custody certain digital assets.
Prime Brokerage Arrangements: Institutions may use prime brokerage structures where a qualified custodian holds assets while the broker-dealer facilitates trading.
Self-Custody Considerations
The SEC’s proposed Safeguarding Rule (2023) contemplated a pathway for RIA self-custody of certain digital assets when qualified custodians are unavailable. This would require:
Written determination that the asset cannot be custodied by a qualified custodian
Reasonable safeguards against loss and adviser insolvency
Independent verification of transfers within one business day
Annual surprise examination or audit verification
Notification to the independent accountant of any discrepancies
However, self-custody remains the exception rather than the rule. The SEC’s preference is clearly for qualified custodian arrangements that provide independent oversight and investor protections.
Due Diligence Checklist for Selecting a Qualified Custodian
Selecting a qualified custodian for crypto assets requires rigorous due diligence. The following framework helps RIAs and fund managers evaluate potential custodians. For a comprehensive evaluation methodology, refer to our guide on evaluating crypto custody firms.
Regulatory Status Verification
1. Confirm Qualified Custodian Status
Verify the custodian’s charter or registration (bank charter, broker-dealer registration, trust company license)
For state trust companies, confirm authorization from the State Banking Authority to provide crypto custody
Request documentation of regulatory examinations and any enforcement actions
2. Review Regulatory History
Check SEC, FINRA, and state regulatory databases for any disciplinary history
Review the custodian’s compliance track record
Assess the regulatory framework in the custodian’s jurisdiction
Financial and Operational Due Diligence
3. Obtain Audited Financial Statements
Request the most recent audited financial statements (GAAP-compliant)
Verify the auditor’s independence and credentials
Assess the custodian’s capital adequacy and financial stability
4. Review Internal Control Reports
Obtain SOC 2 Type II reports covering security, availability, and confidentiality
For custody-specific controls, request SOC 1 reports if available
Review the scope of the examination and any exceptions noted
Verify that controls are operating effectively, not just designed appropriately
5. Evaluate Insurance Coverage
Understand the scope of the custodian’s insurance (crime, cyber, professional liability)
Determine coverage limits and whether they apply to client assets
Note that insurance is a risk mitigation tool, not a substitute for operational security
Technical and Security Assessment
6. Assess Key Management Architecture
Understand how private keys are generated, stored, and managed
Evaluate the use of hardware security modules (HSMs), multi-party computation (MPC), or other cryptographic protections
Review key recovery and disaster recovery procedures
7. Review Security Certifications
ISO 27001 certification for information security management
Penetration testing results and vulnerability assessments
Incident response capabilities and historical security performance
Contractual Protections
8. Negotiate Custody Agreement Terms
Asset segregation requirements: client assets must be held separately from custodian assets
Prohibition on rehypothecation without explicit written consent
Clear ownership rights in the event of custodian bankruptcy
Defined service levels and liability provisions
Audit rights and reporting requirements
9. Document Risk Disclosures
Prepare and deliver risk disclosures to clients as required by the no-action letter
Document the rationale for selecting the custodian as being in clients’ best interest
Maintain records of the due diligence process
Ongoing Monitoring Requirements
Selecting a qualified custodian is not a one-time event. The SEC expects ongoing oversight and annual due diligence reviews.
Annual Assessment Obligations
Under the 2025 no-action letter, RIAs and registered funds must conduct annual assessments to maintain a reasonable basis for believing that the state-chartered trust company is authorized to provide custodial services. This includes:
Reviewing updated audited financial statements
Obtaining current SOC reports
Assessing any changes in regulatory status or authorization
Evaluating the custodian’s performance and any incidents
Updating risk disclosures as necessary
Recordkeeping Requirements
Maintain comprehensive records of:
Initial and ongoing due diligence documentation
Custody agreements and amendments
Client communications and disclosures
SOC reports and audited financial statements
Any incidents or concerns and their resolution
How Cobo Supports Institutional Custody Needs
For institutions navigating the qualified custodian landscape, Cobo provides enterprise-grade digital asset custody infrastructure designed to meet rigorous compliance requirements.
Cobo’s custody solutions include:
Multi-Model Custody Options: Choose from custodial wallets with bank-grade security, MPC wallets with distributed key management, or smart contract wallets with programmable governance—all through a unified platform.
Regulatory Alignment: SOC 2 Type II certification and ISO 27001 compliance.
Enterprise Security: Hardware security modules (HSMs), Intel SGX trusted execution environments, and MPC custody protocols protect assets across hot, warm, and cold storage tiers.
Comprehensive Reporting: Real-time dashboards, transaction monitoring, and audit-ready reporting support compliance and oversight requirements.
Institutional Track Record: Since 2017, Cobo has secured billions in digital assets with zero security incidents, serving exchanges, funds, fintechs, and institutional investors globally.
Whether you’re an RIA implementing crypto allocation strategies, a fund manager launching a digital asset fund, or an institution building crypto treasury operations, Cobo provides the custody infrastructure to meet your compliance and operational requirements.
Conclusion
The qualified custodian requirement is a cornerstone of investor protection under SEC rules. For crypto assets, this requirement has evolved from regulatory uncertainty to clearer guidance, particularly with the September 2025 no-action letter confirming that state-chartered trust companies can serve as qualified custodians.
Institutions managing client crypto assets must approach custodian selection with the same rigor applied to traditional asset custody—if not more. The due diligence process should verify regulatory status, assess financial stability, evaluate security architecture, and establish robust contractual protections.
As the digital asset custody landscape continues to mature, institutions have more options than ever for meeting regulatory custody standards. The key is selecting a partner that combines regulatory compliance, operational excellence, and the technical capabilities needed to secure digital assets at institutional scale.
FAQ
What makes a custodian “qualified” under SEC rules?
A qualified custodian is a financial institution authorized by the SEC to hold client assets under the Custody Rule (Rule 206(4)-2). This includes banks, registered broker-dealers, futures commission merchants, certain foreign financial institutions, and state-chartered trust companies that meet specific conditions outlined in the September 2025 no-action letter.
Do RIAs need a qualified custodian for crypto assets?
Yes. If an RIA has custody of client crypto assets—meaning the ability to access or control private keys—the Custody Rule requires using a qualified custodian. Limited exceptions exist for self-custody under the proposed Safeguarding Rule, but these require meeting strict conditions including independent verification.
Which crypto custodians are qualified custodians?
Qualified custodians for crypto include: (1) state-chartered trust companies authorized by their State Banking Authority to provide crypto custody and meeting the conditions in the SEC’s 2025 no-action letter; (2) national banks with OCC approval for crypto custody; and (3) registered broker-dealers with SEC/FINRA approval for digital asset custody.
What is the SEC Custody Rule?
The SEC Custody Rule (Rule 206(4)-2 under the Investment Advisers Act) requires registered investment advisers who have custody of client funds or securities to maintain those assets with a qualified custodian. The rule mandates quarterly account statements, annual surprise examinations, and internal control reports to protect client assets.
How do state trust charters work for crypto custody?
State-chartered trust companies operate under state banking laws and supervision. Following the SEC’s September 2025 no-action letter, these entities can serve as qualified custodians for crypto assets if they: are authorized by their State Banking Authority, implement safeguarding policies, provide audited financial statements and SOC reports, and enter into custody agreements that ensure asset segregation and prevent unauthorized rehypothecation.
