Bitcoin Custody Regulatory Landscape: US, EU, and Global

Crypto Custody Regulation Overview

Crypto custody regulation determines who can hold digital assets on behalf of clients, under what conditions, and with what protections. For investment advisers, exchanges, funds, and fintech companies, the regulatory framework governing custody directly affects operational structure, licensing costs, and which jurisdictions are viable for business.

The landscape has shifted rapidly since 2024. The US rescinded SAB 121 (the accounting rule that discouraged banks from offering crypto custody), the OCC removed its pre-clearance requirement for bank-provided crypto custody, and the EU's MiCA regulation established a unified custody framework across 27 member states. The following guide covers the current state of custody regulation in the US, EU, and major global markets, with a focus on practical requirements for institutions and self-custody considerations.

US Federal Custody Framework

US crypto custody regulation operates across multiple federal agencies, each with overlapping authority. The SEC governs custody for investment advisers and funds, the OCC regulates national banks, and state regulators issue trust company charters.

SEC Custody Rule for Investment Advisers

Rule 206(4)-2 under the Investment Advisers Act of 1940 requires registered investment advisers (RIAs) to maintain client funds and securities with a "qualified custodian." Under this rule, RIAs must arrange for surprise examinations by independent public accountants or use a qualified custodian that delivers account statements directly to clients.

In February 2023, the SEC proposed replacing this rule with a broader "Safeguarding Rule" (Rule 223-1) that would have expanded the definition of custody to cover all client "assets," explicitly including crypto. The SEC withdrew this proposal in June 2025 along with 13 other Gensler-era rule proposals. The original Rule 206(4)-2 remains in effect, and in December 2025 the SEC published a "Custody Rule Modernization: A Model Framework" document signaling ongoing work toward updated rules.

SAB 121 Rescission

On January 23, 2025, the SEC rescinded Staff Accounting Bulletin 121, which had required institutions holding crypto for clients to record those holdings as balance sheet liabilities. SAB 121 had been a major barrier to bank participation in crypto custody because it imposed punitive capital requirements. Its replacement, SAB 122, allows institutions to assess crypto custody risks using existing FASB and IAS contingency guidance, removing the blanket balance sheet treatment.

Qualified Custodian Definition

Under the Advisers Act, only four categories of entities qualify as "qualified custodians" authorized to hold client assets:

• Banks (national banks, federal savings associations, Federal Reserve member state banks)
• Registered broker-dealers
• Registered futures commission merchants (FCMs)
• Certain foreign financial institutions meeting specific conditions

State-chartered trust companies historically fell into a gray area. On September 30, 2025, the SEC Division of Investment Management issued a no-action letter confirming that state-chartered trust companies supervised by state banking authorities and permitted to exercise fiduciary powers may be treated as "banks" for purposes of crypto asset custody. This was significant for entities like Coinbase Custody Trust Company (NY charter) and BitGo Trust Company (SD and NY charters), which can now serve as qualified custodians for RIAs holding digital assets.

OCC Guidance for National Banks

The Office of the Comptroller of the Currency has issued a series of interpretive letters defining how national banks can engage with crypto custody:

• Interpretive Letter 1170 (July 2020): confirmed that national banks may provide crypto custody services under existing safekeeping authority, subject to dual controls, segregation of duties, and AML compliance
• Interpretive Letter 1179 (November 2021): reaffirmed crypto custody authority but imposed a requirement for written supervisory non-objection before banks could begin offering these services
• Interpretive Letter 1183 (March 2025): rescinded the non-objection requirement, allowing banks to offer crypto custody without pre-clearance while maintaining safe and sound banking practices

Following this deregulatory shift, the OCC conditionally approved national trust charters for several crypto firms in late 2025 and early 2026: Circle, BitGo, Fidelity, and Paxos received conditional approvals in December 2025, with Coinbase receiving approval in April 2026. Anchorage Digital Bank N.A. had previously been the only crypto firm holding a full OCC national trust bank charter.

GENIUS Act Custody Provisions

The GENIUS Act, signed into law on July 18, 2025, primarily regulates stablecoin issuance but contains specific custody requirements. Entities providing custodial services for stablecoin reserves must be supervised by a federal payment stablecoin regulator, a primary financial regulatory agency, or qualifying state supervisors. The law prohibits commingling of customer assets and stablecoin reserves, and explicitly confirms bank authority to provide custody for payment stablecoins. Final implementing regulations are required by July 2026.

US State-Level Custody Charters

Several US states have created specialized charter types for digital asset custody. These charters allow companies to operate as regulated financial institutions without obtaining a full bank charter.

New York's NYDFS trust charter remains the most common path for institutional crypto custodians. A NY trust charter provides significant interstate operating flexibility and, following the SEC's September 2025 no-action letter, these entities now clearly qualify as custodians for registered investment advisers. For a comparison of custodians and their capabilities, see the custody comparison tool.

EU MiCA Custody Requirements

The Markets in Crypto-Assets Regulation (MiCA, Regulation EU 2023/1114) established the first comprehensive crypto regulatory framework across all EU member states. Stablecoin and e-money token provisions took effect June 30, 2024, with the full CASP (Crypto-Asset Service Provider) licensing regime effective December 30, 2024. A grandfathering period extends up to July 1, 2026 at member state discretion.

MiCA imposes specific obligations on CASPs providing custody:

• Client crypto-assets must be segregated from company assets; CASPs cannot use client assets for their own account
• Client fiat received (other than e-money tokens) must be deposited with an EU credit institution or central bank by the end of the next business day
• CASPs bear civil liability for losses of client assets attributable to the provider
• Wallet governance must cover hot/cold storage policies, key ceremony procedures, and access controls
• Outsourcing of custody functions requires clear disclosure to clients
• Full KYC and AML procedures are mandatory for all custody CASPs

For detailed analysis of MiCA's broader impact on stablecoins and issuance, see our research on MiCA and US stablecoin frameworks.

Global Custody Regulation by Jurisdiction

Beyond the US and EU, major financial centers have adopted varying approaches to crypto custody regulation. The following table summarizes the current state of custody frameworks across key jurisdictions.

United Kingdom

The UK passed the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026 on February 4, 2026, establishing the statutory basis for a comprehensive crypto regulatory regime. The new framework is expected to come into force on October 25, 2027. Crypto firms can begin applying for FCA authorization starting September 30, 2026. The FCA's consultation paper CP25/14 specifically addresses stablecoin issuance and cryptoasset custody standards. Until the new regime takes effect, crypto firms must register with the FCA under the Money Laundering Regulations for AML/CTF purposes.

Singapore

The Monetary Authority of Singapore (MAS) regulates crypto custody under the Payment Services Act 2019 and the Financial Services and Markets Act 2022. Customer assets must be segregated, held on trust, and safeguarded with financial institutions in Singapore. MAS guidelines require maintaining separate blockchain addresses for customer and firm assets, daily reconciliations, and storing approximately 90% of customer assets in offline cold wallets. Since June 30, 2025, foreign digital token service providers serving Singapore clients must hold a Part 9 license under the FSMA.

Japan

Japan's FSA mandates that at least 95% of user funds be stored in offline cold wallets, one of the strictest cold storage ratios globally. User assets must be audited annually. The FSA published final guidelines for crypto asset custody and stablecoin issuance set to take effect July 2026, and is considering shifting crypto regulations into the securities law framework. Exchanges must maintain liability reserves to protect users in the event of loss or breach.

Hong Kong

Hong Kong's VASP licensing regime under the Anti-Money Laundering Ordinance (AMLO) has been active since June 1, 2023. As of early 2025, nine entities held VASP licenses. The SFC requires at least 98% of client assets be stored in cold wallets. In June 2025, the FSTB and SFC published consultation papers to expand the licensing regime to cover VA dealing and VA custodian services as distinct activities. Proposed capital requirements include HK$5 million paid-up share capital (HK$10 million for custodians) and HK$3 million liquid capital. Operating without a license carries penalties of up to 7 years imprisonment and HK$5 million in fines.

Switzerland

FINMA released Guidance 2026/1 on January 12, 2026, addressing risks associated with the custody of crypto-based assets. Swiss banks may hold crypto as segregable custody assets with bankruptcy protection, provided they are held in readiness for customers at all times and either held in individual custody or in collective custody with clearly identifiable customer shares. A broader reform of the Financial Institutions Act (FinIA) is underway, expected to replace the current FinTech license with two new categories: Payment Instrument Institutions and Crypto-Institutions, with entry into force expected from 2027.

FATF Travel Rule and Custody Providers

The FATF's Recommendation 16 (the Travel Rule) requires VASPs to transmit originator and beneficiary information alongside qualifying transfers. In June 2025, the FATF revised Recommendation 16 to expand its scope to include fraud prevention and proliferation financing, and mandated Confirmation of Payee (CoP) verification for cross-border transfers. As of 2025, 73% of responding jurisdictions (85 of 117) had passed Travel Rule legislation.

Thresholds vary by jurisdiction: the US applies its rule above $3,000, the EU and UK apply it to every transaction with no de minimis threshold, and most other jurisdictions follow the FATF recommendation of $1,000. Custody providers that execute transfers must implement Travel Rule compliance systems. KYC/AML compliance is a baseline requirement for custodians in virtually every regulated jurisdiction.

Self-Custody and Regulatory Treatment

Self-custody (where users hold their own private keys) occupies a distinct regulatory position. In the US, the GENIUS Act explicitly exempts entities that provide hardware or software for customer self-custody of stablecoins or private keys from the commingling prohibition that applies to custodial providers. This distinction is significant: self-custody wallet providers are generally not classified as custodians and do not need trust charters or qualified custodian status.

Protocols like Spark enable self-custodial Bitcoin and stablecoin management, allowing users to maintain control of their private keys while accessing fast, low-cost transfers. This model sidesteps many custody regulatory requirements because the user, not a service provider, retains control of the assets. For a deeper comparison of custody models, see our research on self-custodial vs custodial wallets.

Choosing a Custody Jurisdiction

The right jurisdiction depends on your business model, target clients, and risk tolerance. Key factors to evaluate:

• US trust charters (NY or federal) provide the broadest market access for serving US investment advisers and funds, especially after the September 2025 no-action letter
• MiCA CASP licensing provides a single-passport framework across all 27 EU member states, reducing the cost of multi-country operations
• Singapore and Hong Kong offer access to Asian institutional markets with strict but clear custody standards
• Switzerland provides bankruptcy-protected custody with a well-established financial infrastructure
• Dubai (VARA) has emerged as a hub for crypto companies seeking a clear regulatory framework outside traditional Western jurisdictions

Institutions serving global clients typically need licenses in multiple jurisdictions. The trend across all major markets is toward explicit segregation requirements, civil liability for custodian-attributable losses, and mandatory KYC/ AML compliance. Companies that build their custody infrastructure to the highest common denominator (typically Japan's 95% cold storage or Hong Kong's 98%) can more easily satisfy requirements across jurisdictions.

Frequently Asked Questions

What is a qualified custodian for crypto assets?

Under the US Investment Advisers Act, a qualified custodian is a bank, registered broker-dealer, registered futures commission merchant, or certain foreign financial institutions authorized to hold client assets. For crypto specifically, the SEC's September 2025 no-action letter confirmed that state-chartered trust companies supervised by state banking authorities (such as those chartered in New York, Wyoming, or South Dakota) qualify as "banks" for custody of digital assets. This allows RIAs to use entities like Coinbase Custody or BitGo Trust as qualified custodians.

Do banks need permission to offer Bitcoin custody?

Not anymore. The OCC's Interpretive Letter 1183, issued in March 2025, rescinded the earlier requirement that national banks obtain written supervisory non-objection before offering crypto custody. Banks may now offer these services under their existing safekeeping authority, provided they conduct the activity in a safe and sound manner. Separately, the rescission of SAB 121 in January 2025 removed the accounting barrier that had made crypto custody economically impractical for most banks.

What does MiCA require for crypto custody providers?

MiCA requires Crypto-Asset Service Providers offering custody to segregate client assets from company assets, deposit client fiat with an EU credit institution by the next business day, implement robust wallet governance (hot/cold storage policies, key ceremony procedures), and bear civil liability for losses attributable to the provider. CASPs must also implement full KYC/AML procedures and disclose any outsourcing of custody functions. The CASP licensing regime has been active since December 30, 2024.

Which country has the strictest crypto custody rules?

Japan and Hong Kong impose the most prescriptive custody requirements. Japan mandates that 95% of customer assets be held in offline cold wallets with annual audits. Hong Kong requires 98% cold storage under its SFC-administered VASP regime. By comparison, the US and EU specify governance and segregation requirements but do not mandate specific cold-to-hot storage ratios, giving custodians more operational flexibility.

How does the GENIUS Act affect crypto custody?

The GENIUS Act, signed into law on July 18, 2025, primarily regulates stablecoin issuance but includes custody provisions. It requires entities providing custody of stablecoin reserves to be supervised by a federal or qualifying state regulator, prohibits commingling of customer assets and reserves, and confirms that banks have authority to provide stablecoin custody services. It also explicitly exempts self-custody wallet providers from the commingling prohibition.

Is self-custody regulated?

Self-custody itself is generally not regulated as a custody service, because no third party holds the user's assets. Providers of self-custody wallets (hardware or software that enables users to hold their own keys) are typically not classified as custodians under US, EU, or most other regulatory frameworks. The GENIUS Act explicitly carved out this exemption. However, if a self-custody wallet provider adds features that give it control over user funds (such as social recovery with provider-held keys), it may cross into custodial territory and trigger licensing requirements.

What is the FATF Travel Rule threshold for custody providers?

The FATF recommends that VASPs share originator and beneficiary information for transfers above $1,000. However, thresholds vary by jurisdiction: the US sets its threshold at $3,000, while the EU and UK apply the rule to all transactions with no minimum. Custody providers that execute transfers must implement Travel Rule compliance systems. Pure custodians that do not execute transfers have fewer Travel Rule obligations but must still support information sharing when receiving assets.

This guide is for informational purposes only and does not constitute legal or financial advice. Regulatory frameworks for crypto custody are evolving rapidly. Dates, requirements, and licensing statuses referenced here are based on publicly available information as of mid-2026. Always consult qualified legal counsel and verify current regulations with the relevant authority before making compliance decisions.