US Self-Custody Regulations: Rules and Compliance Guide

This introduction frames how recent SEC staff FAQs reshape custody and capital rules for digital assets. The updates from May 15, 2025 and December 17, 2025 clarify how broker-dealers meet possession or control tests under Rule 15c3-3 and how capital haircuts apply to bitcoin and ether. The 2019 joint staff statement is withdrawn, narrowing guidance to the FAQ framework.

This Ultimate Guide explains who must meet these rules and why examiners now test continuous control evidence. You will read practical notes on custody, segregation, wallet designs, and how institutions show control when securities exist on-chain.

Expect clear, actionable concepts. We cover how HSM, multisig, and bank sub-custody models support compliance and reduce operational risk. The guide also previews capital treatment that can affect market-making economics and how firms should align controls to examiner expectations.

What “self-custody regulations” mean in the US crypto context

Understanding how direct key control maps to legal custody is essential for firms handling on-chain assets.

Defining direct key control versus third-party custody

Direct key control means an entity holds the private keys and signs transactions itself. Third-party custody means another firm holds keys or access on your behalf and accepts responsibility for protection.

For US law, control is both legal and operational. For crypto asset securities, the SEC’s FAQs tie control to demonstrable signing or directive authority on the blockchain.

Security versus compliance trade-offs

Holding keys improves operational control but raises security and governance needs. Firms must document key ceremonies, recovery plans, and approvals to avoid single points of failure.

  • Decide wallet types (hot, warm, cold) and map them to controls.
  • Choose HSMs, bank sub-custody with directive rights, or properly governed multisig to evidence control.
  • Weigh who bears loss and how trust is contracted when keys are held on behalf of customers.

Model | Who holds keys | Regulatory fit
Broker HSM | Broker-dealer HSM | Can evidence control for on-chain securities
Bank sub-custody | Bank with directive rights | Strong examiner comfort when contracts align
Multisig | Distributed signers with governance | Permits demonstrable authority if properly governed

User intent and who this guide is for

Compliance officers, operations leads, general counsel, and tech teams will use this guide to convert SEC staff FAQs into actionable policies. It focuses on practical tasks, not academic theory.

Institutions and firms that run broker‑dealer desks, bank sub‑custody, or market-making support for ETF in‑kind flows will find targeted advice. Risk and security teams get checklists for incident playbooks and segregation.

Trading desks and authorized participants need clarity on how custody choices affect capital and trading readiness. Finance and audit will get steps to reconcile on‑chain activity with books and records.

  • Operations: design signing flows and approval gates.
  • Legal: draft contracts for directive rights and asset movement.
  • Technology: integrate wallets into trading systems securely.

Audience | Main focus | Expected outcome
Compliance | Documentation & examiner readiness | Clear policies that meet audit tests
Risk & Security | Segregation & incident response | Reduced operational and cyber risk
Trading & Ops | Custody integration for flows | Operational readiness for trading and in-kind activity

For a practical comparison of custody services, see our custody services comparison to evaluate providers and models.

Regulatory landscape at a glance: SEC, FINRA, CFTC, Fed, OCC, FinCEN, IRS, OFAC

Key U.S. agencies set distinct expectations for custody, customer protection, and transaction monitoring of digital assets.

The SEC leads on matters that touch securities and the Customer Protection Rule. It tests how broker-dealers show possession or control for crypto asset securities.

FINRA focuses on broker-dealer conduct and exams. Expect evolving checklists for on-chain control evidence and books-and-records systems.

Which agencies matter for digital assets and why

  • SEC — Oversees securities and enforces the possession-or-control standard for tokenized securities.
  • FINRA — Examines broker practices and may standardize on-chain testing methods.
  • CFTC — Covers commodities and derivatives; it shapes how firms hedge and treat commodity tokens.
  • Federal Reserve & OCC — Set bank supervisory expectations; Fed withdrawal of letters in April 2025 affects sub-custody routes.
  • FinCEN — Enforces AML/CFT requirements and requires risk-based transaction monitoring and onboarding controls.
  • IRS & OFAC — Tax reporting and sanctions screening that institutions must embed in operations.

Agency | Primary focus | Practical impact for firms
SEC | Securities & customer protection | Must demonstrate possession or control for on-chain securities
FINRA | Broker-dealer exams | Standardized checklists for control evidence and recordkeeping
CFTC | Commodities & derivatives | Impacts hedging, margin, and commodity haircut treatment
Fed / OCC | Bank supervision | Shapes bank sub-custody programs and supervisory expectations
FinCEN / IRS / OFAC | AML/CFT, tax, sanctions | Requires AML controls, reporting systems, and screening for custodians and exchanges

SEC Customer Protection Rule mechanics: possession or control for crypto asset securities

When tokens qualify as securities, firms must show how possession or control attaches to blockchain keys.

Rule 15c3-3(b) governs how broker-dealers safeguard customer positions, but it does not apply to non-security crypto held by a broker-dealer. That makes correct legal classification essential before applying customer protection processes.

What 15c3-3(b) covers — and what it excludes

15c3-3(b) targets safeguarding customer securities and cash. Non-security crypto falls outside the rule, so firms need separate guardrails for those holdings.

Establishing control under 15c3-3(c) for on-chain securities

To meet 15c3-3(c), a broker-dealer must show demonstrable authority to protect and direct movements of on-chain securities. That requires documented controls, signing evidence, and audit trails examiners can test.

Control locations: broker-dealer, bank sub-custody, multisig arrangements

Qualifying control locations include BD-held private keys in an HSM, a bank with documented directive rights, or multisig where the broker-dealer’s signing role is provable.

  • Contracts and playbooks must encode directive rights and contingency steps.
  • Asset custody processes should align with books-and-records and reconciliation requirements.

Control location | Evidence required | Practical strength
Broker HSM | Key custody logs, signing records, HSM attestations | High: direct cryptographic authority
Bank sub-custody | Contractual directive rights, audit trail, access controls | Strong: examiner comfort if contracts align
Multisig | Governance docs, signature thresholds, movement logs | Good: effective when governance proves signing authority

For legal context and exam guidance, see the SEC FAQs memo and a practical compliance overview on how firms meet asset custody requirements.

How recent SEC FAQs reshape broker-dealer crypto custody

Broker-dealers now face clearer tests for showing control over crypto assets, driven by the FAQ framework.

The 2019 joint staff statement has been withdrawn, and the FAQ framework is the reference point examiners use to assess custody for securities on-chain.

From SPBD reliance to practical control locations

Firms can no longer lean on SPBD status as a primary safe harbor. The staff accepts multiple control-location models.

That expands options: HSM-held keys, bank sub-custody with documented directive rights, or governed multisig arrangements.

Documentation and key management expectations

Examiners expect clear documentation of key lifecycles, approval gates, and exception handling.

Key management must show role separation, rotation policies, and incident playbooks tied to operational risk controls.

Audit trails and system evidence

Systems should log signing actions, directive requests, reconciliations, and on‑chain movements.

Durable audit trails are the decisive evidence that control is real and persistent over time.

Area | Expectation | Practical example
Control location | Demonstrable signing authority | HSM logs or bank directive contracts
Key governance | Role separation & rotation | Approval thresholds and rotation schedule
Audit trail | Persistent, reconciled records | Signed transactions, reconciliation reports

Net capital and trading implications: “readily marketable” BTC/ETH and inventory haircuts

Broker-dealers may treat proprietary bitcoin and ether as “readily marketable” for net capital if they meet the staff’s posture. That allows application of Rule 15c3-1 Appendix B’s 20% commodity haircut to BTC/ETH positions.

Capital impact is straightforward: a 20% haircut reduces net capital by a portion of inventory value. For example, a $50 million average intraday BTC/ETH inventory implies roughly a $10 million deduction. That deduction affects trading capacity and intraday risk limits.

Practical effects for trading desks and APs

  • The 20% haircut changes whether teams prefer cash or in-kind workflows based on spread and balance-sheet cost.
  • Net capital deductions scale with inventory, so market makers must size positions with capital efficiency in mind.
  • Inventory policies should tie into finance reporting so haircut treatment is documented and auditable.

Operational alignment and custody needs

Custody and settlement setups must match trading requirements to avoid delays in creation/redemption cycles. Faster movement and clear control evidence reduce settlement friction.

Operational readiness includes secure asset movement for in‑kind baskets plus reconciled records showing availability of positions for ETP activity. Coordination between trading, custody, and compliance teams is critical.

Area | Impact | Action
Inventory size | Higher haircut increases capital charge | Right-size positions; prefer lower inventory or hedges
Workflow choice | Cash vs in-kind economics change | Model spreads, capital cost, and settlement risk
Custody alignment | Settlement speed and control evidence matter | Ensure custody supports quick, auditable transfers
Reporting | Regulatory and finance reconciliation required | Document haircut application and intraday exposures

Bank partnerships and control-location strategy after supervisory withdrawals

After the Federal Reserve withdrew earlier supervisory letters on April 24, 2025, many broker-dealers found faster, clearer paths to bank partnerships for custody needs.

Using bank sub-custody with directive rights to meet 15c3-3(c)

Bank sub-custody can qualify as a control location when contracts give explicit directive rights and the bank documents execution of instructions. Firms should insist that agreements spell out who may instruct movements and under what conditions.

Contract language, incident playbooks, and examiner comfort

Contracts must include segregation, reconciliation rules, SLAs for execution, and how keys are handled in the bank environment. Incident playbooks should describe manual directives, escalation steps, and evidence capture so auditors can recreate events.

  • Capture logs of directive requests and confirmations tied to on‑chain outcomes.
  • Align bank services with internal compliance and 15c3-3(c) requirements.
  • Maintain governance around keys and access to support audit readiness.

Area | Expectation | Practical proof
Directive rights | Clear contractual authority | Signed agreements and playbooks
Execution | Timely, auditable moves | Logs, confirmations, on-chain links
Operational controls | Segregation & reconciliation | SLA reports and reconciled records

For practical custody contracting tips, see this custody services guidance that institutions may also use when drafting terms.

Self-custody regulations

Institutions that take direct responsibility for on‑chain private keys must meet clear operational and disclosure expectations.

Meeting examiners’ expectations means mapping technical processes into durable policy and audit evidence. Firms should show who can sign, how signing happens, and how movements tie to books and records.

Key requirements when an institution controls private keys

  • Implement strict access controls and segregation that map roles which may initiate versus approve movements.
  • Document how private keys are generated, stored, rotated, and retired. Require dual authorizations and approval limits for high‑risk actions.
  • Run hardened environments with role separation and continuous monitoring to provide an evidence trail for examiners.
  • Keep system logs that tie signing events to specific on‑chain transactions so auditors can reconcile custody and ledger records.

Disclosures for retail-facing flows when assets are non-securities

When a broker‑dealer holds non‑security crypto for customers, it must disclose which protections apply and which do not. Make clear that Rule 15c3-3(b) customer protections do not cover these holdings.

Withdrawal procedures should ensure only authorized personnel trigger transfers, with logs linking approvals, keys used, and the on‑chain outcome.

Area | Expectation | Practical proof
Controls | Role separation & dual approvals | Approval logs, access lists
Disclosure | Clear retail notices on protections | Customer notices, onboarding prompts
Withdrawal | Authorized triggers & reconciliation | Signed directives, on-chain links

Qualified custody vs. self-custody: compliance, security, and operational trade-offs

Institutional teams weigh control, insurance, and auditability when picking a custody model for digital assets. The choice affects who holds signing authority, who bears recovery responsibility, and how fast withdrawals occur.

Direct control, withdrawal ability, and key-management responsibilities

Direct control gives institutions immediate withdrawal ability and full operational flexibility.

That freedom concentrates responsibility for private keys, backups, and error prevention on internal teams. Mistakes can cause irreversible loss, so tight procedures and recovery plans are essential.

Insurance, audits, and policy controls with qualified custodians

Qualified custodians deliver insured cold storage, SOC audits, and policy‑based access controls. They shift many operational tasks to a regulated custodian and simplify compliance reporting.

Approach | Strength | Evidence
In-house control | Fast withdrawal; full control | Key ceremonies, incident playbooks
Qualified custodian | Insurance, audits, SLA-backed services | SOC reports, insurance certificates
Hybrid model | Liquidity with layered protections | Segregation rules, reconciled holdings

When hybrid models make sense for balance and risk

Many institutions keep liquid trading balances in-house and place long-term holdings with a custodian. This balances security, trust, and operational cost.

Decisions should map to liquidity needs, business continuity plans, and examiner expectations for evidence and control.

Technology choices that align with regulatory “control” expectations

Choose architectures that create verifiable signing authority and persistent audit trails. Examiners look for technical evidence that links approvals to on‑chain outcomes. That means selecting tech that shows who approved a move, when it happened, and how signatures were generated.

HSM-based key control and signed directive authority

Hardware Security Modules (HSMs) centralize key material in a tamper-resistant appliance. They produce signed directives and immutable logs that map signing events to business approvals.

HSMs support policy-enforced signing and provide cryptographic proof examiners can test against books and records.

Multisignature setups: 2-of-3 and governance design

Two-of-three multisig spreads authority across parties and reduces single‑point failures. It also documents quorum rules and signer identities.

Well-written governance binds threshold settings to approval workflows and recovery steps. That combination helps show sustained control of digital assets.

MPC wallets for enterprise use at scale

Multi‑party computation (MPC) splits private keys into shares so no full key is ever reconstructed. MPC enables role-based policies, comprehensive logs, and scalable operations without central key exposure.

When paired with systems that link directive requests to blockchain transactions, MPC wallets offer an auditable path to demonstrate control and operational ability.

Approach | Strength | Evidence
HSM | Strong isolation | Signed directives, HSM attestations
2-of-3 multisig | Resilience & governance | Quorum logs, signer IDs
MPC wallets | No single key, scalable | Share logs, policy-enforced approvals

  • Link directive workflows to on‑chain outcomes so examiners can trace moves.
  • Expose approval steps, threshold settings, and recovery procedures in policy and systems.
  • Match the chosen technology to business needs for latency, throughput, and custody posture.

Books and records, examiner testing, and evidence of control over time

Practical audit evidence must link signing events to on‑chain movements and the people who approved them. Examiners look for an unbroken trail that converts technical events into legal proof.

Proving directive authority, movement logs, and chain-of-custody

Document who requested a transfer, who authorized it, and which cryptographic key produced the signature. Retain signed directives, HSM or wallet logs, and on‑chain transaction IDs together in one records system.

Aligning internal controls to standardized examiner checklists

Map authorization thresholds, exception handling, and reconciliations to expected checklist items. Run periodic tests so the system keeps producing consistent evidence over time.

  • Connect directive authority to specific movement logs and on‑chain results.
  • Reconcile wallet balances to general ledger daily and record overrides.
  • Keep key ceremony notes, rotations, and access revocations as auditable artifacts.

Evidence type | What to retain | Examiner use
Directive records | Signed emails, change tickets, approval IDs | Shows who authorized movements
Movement logs | HSM/wallet logs, signer IDs, TX hashes | Links approval to on-chain outcome
Reconciliations | Daily reports, GL ties, exception notes | Demonstrates ongoing accuracy over time
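The evidence chain in the table above, as an added example that is not from this guide: a Go routine that reconciles directive records, HSM or wallet movement logs, observed on-chain transactions and the ledger's daily positions. It flags any on-chain movement that cannot be traced through a signing log to an approved directive, any directive executed with fewer approvers than policy requires, any signed directive that never appeared on-chain, and any ledger close that disagrees with the chain-derived balance. The record shapes, IDs, hashes, key names and balances are constructed sample data; amounts are in satoshis so the comparisons are exact.

```go
package main

import "fmt"

// DirectiveRecord is the approved instruction: wallet, amount, who approved
// and the change ticket behind it. Amounts are in satoshis to avoid float drift.
type DirectiveRecord struct {
	ID        string
	Wallet    string
	AmountSat int64
	Approvers []string
	TicketID  string
}

// MovementLog is one signing event exported from the HSM or wallet: the
// directive it executed, the key that signed, and the resulting TX hash.
type MovementLog struct {
	DirectiveID string
	SignerKeyID string
	TxHash      string
}

// ChainTx is an outbound transaction observed on-chain from a monitored wallet.
type ChainTx struct {
	Hash      string
	Wallet    string
	AmountSat int64
}

// LedgerPosition is the general ledger's opening and closing balance for a wallet.
type LedgerPosition struct {
	Wallet     string
	OpeningSat int64
	ClosingSat int64
}

// Finding is one break in the evidence chain, with a severity for triage.
type Finding struct {
	Severity string
	Detail   string
}

// Reconcile walks the record sets in both directions and ties the ledger to
// chain-derived balances, returning every break it finds in input order.
func Reconcile(dirs []DirectiveRecord, logs []MovementLog, txs []ChainTx, ledger []LedgerPosition, minApprovers int) []Finding {
	var out []Finding
	byDir := map[string]DirectiveRecord{}
	for _, d := range dirs {
		byDir[d.ID] = d
	}
	logByTx := map[string]MovementLog{}
	for _, l := range logs {
		logByTx[l.TxHash] = l
	}
	txByHash := map[string]ChainTx{}
	for _, t := range txs {
		txByHash[t.Hash] = t
	}
	// 1. Every on-chain movement must trace back through a signing log to an
	//    approved directive with enough approvers and matching wallet/amount.
	for _, t := range txs {
		l, ok := logByTx[t.Hash]
		if !ok {
			out = append(out, Finding{"critical", fmt.Sprintf("tx %s from %s has no signing log: unapproved movement", t.Hash, t.Wallet)})
			continue
		}
		d, ok := byDir[l.DirectiveID]
		if !ok {
			out = append(out, Finding{"critical", fmt.Sprintf("tx %s signed for unknown directive %s", t.Hash, l.DirectiveID)})
			continue
		}
		if len(d.Approvers) < minApprovers {
			out = append(out, Finding{"critical", fmt.Sprintf("directive %s executed with %d approvals, policy requires %d", d.ID, len(d.Approvers), minApprovers)})
		}
		if d.Wallet != t.Wallet || d.AmountSat != t.AmountSat {
			out = append(out, Finding{"high", fmt.Sprintf("tx %s (%s, %d sat) does not match directive %s (%s, %d sat)", t.Hash, t.Wallet, t.AmountSat, d.ID, d.Wallet, d.AmountSat)})
		}
	}
	// 2. Every signing event must have produced an observed on-chain result.
	for _, l := range logs {
		if _, ok := txByHash[l.TxHash]; !ok {
			out = append(out, Finding{"medium", fmt.Sprintf("signing event for %s by %s (tx %s) not seen on-chain", l.DirectiveID, l.SignerKeyID, l.TxHash)})
		}
	}
	// 3. Daily GL tie: opening minus observed outflows must equal the ledger close.
	outflow := map[string]int64{}
	for _, t := range txs {
		outflow[t.Wallet] += t.AmountSat
	}
	for _, p := range ledger {
		if want := p.OpeningSat - outflow[p.Wallet]; want != p.ClosingSat {
			out = append(out, Finding{"high", fmt.Sprintf("wallet %s ledger close %d sat differs from chain-derived %d sat", p.Wallet, p.ClosingSat, want)})
		}
	}
	return out
}

// CountBySeverity summarises findings for a dashboard or examiner report.
func CountBySeverity(f []Finding) map[string]int {
	c := map[string]int{}
	for _, x := range f {
		c[x.Severity]++
	}
	return c
}

// DemoData is a constructed day: three approved directives, three signing
// events, a fourth on-chain transaction nobody signed for, and a warm-wallet
// ledger close that omits that rogue transaction.
func DemoData() ([]DirectiveRecord, []MovementLog, []ChainTx, []LedgerPosition) {
	dirs := []DirectiveRecord{
		{"D-101", "warm", 150_000_000, []string{"ops-a", "ops-b"}, "CHG-41"},
		{"D-102", "warm", 20_000_000, []string{"ops-a"}, "CHG-42"}, // only one approver
		{"D-103", "cold", 300_000_000, []string{"ops-a", "ops-b", "ops-c"}, "CHG-43"},
	}
	logs := []MovementLog{{"D-101", "hsm-key-01", "aa01"}, {"D-102", "hsm-key-01", "aa02"}, {"D-103", "hsm-key-02", "aa03"}}
	txs := []ChainTx{{"aa01", "warm", 150_000_000}, {"aa02", "warm", 20_000_000}, {"aa03", "cold", 300_000_000}, {"ff09", "warm", 5_000_000}}
	ledger := []LedgerPosition{{"warm", 500_000_000, 330_000_000}, {"cold", 10_000_000_000, 9_700_000_000}}
	return dirs, logs, txs, ledger
}

func main() {
	dirs, logs, txs, ledger := DemoData()
	for _, f := range Reconcile(dirs, logs, txs, ledger, 2) {
		fmt.Printf("[%s] %s\n", f.Severity, f.Detail)
	}
}
```

Run daily, as the checklist above recommends, each finding becomes an exception note that must be cleared or escalated; the unapproved-movement case is the one that should page the incident team rather than wait for the next reconciliation cycle. The severities and the two-approver policy are illustrative, not a regulatory requirement.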

Risk management for self-custody: cyber, operational, and theft scenarios

Effective risk programs assume compromises will happen and focus on limiting harm. Recent exchange failures highlight that moving control in‑house reduces counterparty risk but increases demands on security and operations.

Segregation matters. Split holdings across hot, warm, and cold environments to shrink the blast radius. Keep operational balances minimal and map each environment to clear approval rules.

Segregation, access controls, and incident response design

Access controls must enforce least privilege and multi-person approvals for high-risk operations. Monitor signing events and alert on anomalous flows to reduce theft risk.

Incident response playbooks should include steps for key compromise, operational failure, and suspected fraud. Predefine containment, communication, and recovery actions so teams act quickly under pressure.

  • Harden key management with HSMs or secure enclaves and strict network segmentation.
  • Run tabletop and live-fire exercises to validate runbooks and timelines.
  • Design risk assessments for irreversible transfers and payload-manipulation phishing.

Area | Control | Practical proof
Segregation of holdings | Hot/warm/cold split with written thresholds | Inventory reports, vault manifests, SLAs
Access & approvals | Least privilege, dual-sign, MFA, logging | Approval logs, audit trails, signer IDs
Incident response | Compromise playbook; communications plan | Runbook, incident reports, post-mortem
Testing | Tabletop & simulated attacks | Exercise logs, remediation timelines

Inventory policy should define what stays online for operations versus cold storage. That balance guides availability and exposure decisions and supports examiner and auditor review.

Implementation playbooks: models institutions are deploying

Institutions deploy four practical models to convert custody theory into repeatable operations.

Broker-dealer control with HSM or multisig

Direct key control via HSMs or governed multisig gives fast operational ability and clear signing logs. This model produces strong evidence of control but requires mature governance, monitoring, and audit capabilities.

Bank sub-custody using directive rights

Placing assets with a bank that accepts directive rights makes the bank the control location while the broker-dealer keeps operational direction. Contracts, SLAs, and incident playbooks are essential to prove who instructed movements.

Crypto custodian tech under bank or trust wrappers

Specialist custodians wrapped by a bank or trust combine tooling and supervisory oversight. This solution reduces internal burden while still allowing firms to show reconciled custody and verified flows.

Smart-contract escrow with transfer-agent co-sign

On-chain escrow tied to a transfer agent uses blockchain logic to enforce corporate actions and settlement steps for securities. It can automate flows while keeping verifiable records for examiners.

  • Select a model based on scale, product mix, and expected examiner comfort.
  • Map keys and directive paths to verifiable records across custody solutions.
  • Balance implementation speed, integration complexity, and operational risk.

Approach | Strength | Evidence
Broker HSM / Multisig | Direct control; fast moves | Signing logs, key ceremonies
Bank sub-custody | Examiner comfort; contractual backup | Directive records, SLAs
Custodian tech (bank/trust) | Specialist tooling; oversight | SOC reports, reconciliations
Smart-contract escrow | Automated settlement; audit trail | On-chain TXs, transfer-agent co-sign

Vendor and partner selection: custodians, wallets, and integrated trading

Prioritize partners who can prove custody controls, fast execution, and documented recovery plans.

Start by verifying audit posture. Look for SOC 1 or SOC 2 Type II reports and clear attestations of the range of services offered. Confirm insurance limits and insured cold storage coverage that match your asset mix.

Evaluate wallet architecture for policy-enforced withdrawals and layered access that reduce theft risk. Ask how private keys or key shares are stored, rotated, and recovered.

Security certifications, audits, and insurance considerations

Require evidence of independent audits, multi-signature controls, and insurance schedules. Contracts should state SLAs, audit access, and reporting cadence.

Latency, hot/cold architecture, and policy-enforced withdrawals

Measure latency for trading workflows and API reliability across hot, warm, and cold paths. Integrated trading options can speed flows but must preserve segregation and approval gates for high-value withdrawal events.

Criteria | What to check | Why it matters
Audit & insurance | SOC reports, coverage limits | Examiner comfort; loss protection
Wallet design | Policy withdrawals, role access | Limits theft; enforces approvals
Trading integration | Latency, APIs, failover | Operational speed and resilience

Conclusion

Today, US examiners expect designs that combine governance, on‑chain evidence, and clear contracts. Institutions must choose where operational control sits — with in‑house systems, bank sub‑custody, or qualified custodians — and map that choice to durable audit trails. This approach helps firms show control for securities and supports net capital treatment for commodity tokens like BTC and ETH.

Over time, firms, custodians, and exchanges that align tech, legal language, and incident playbooks will reduce the risk of catastrophic failure. Test procedures regularly, refine solutions, and keep records that let examiners and internal teams trust the asset custody story.

FAQ

What does "self-custody regulations" mean in the US crypto context?

It refers to the rules and supervisory expectations that apply when an institution or individual holds and controls private keys or otherwise has direct authority to move digital assets. Agencies such as the SEC, CFTC, FinCEN, OCC and IRS focus on custody, customer protection, anti-money-laundering, tax reporting and safety-of-assets. The term covers custody models, evidence of control, disclosure, and operational controls that reduce theft, loss, or misuse of holdings.

How is "control" over digital assets defined for broker-dealers under SEC rules?

For broker-dealers, control means the firm has the ability to possess or direct disposition of customer property. Under Rule 15c3-3 and related guidance, firms must show they can effect transfers, demonstrate where keys or custodial arrangements are held, and retain documentation and audit trails proving directive authority for on-chain securities and other covered assets.

What key risks should institutions address when they hold private keys?

Institutions must manage cyber risk, operational failures, insider threats, and theft. That means strong access controls, hardware security modules (HSMs) or multisignature designs, thorough incident playbooks, segregation of duties, continuous monitoring, and insured, audited custody practices to protect customer holdings and meet examiner expectations.

How do SEC FAQs and the withdrawal of the 2019 joint statement change custody compliance?

Recent SEC FAQs clarified pathways to demonstrate control and reduced reliance on a single institutional checklist. Firms can now rely more on documented directive authority, bank sub-custody contracts, multisig configurations, and technical evidence — provided they maintain strong governance, audit trails, and disclosure. Examiners expect robust documentation and proof of practical control.

When are crypto assets treated as securities for custody purposes?

Treatment depends on the asset’s characteristics under federal securities law. If an asset qualifies as a security, broker-dealers must follow Rule 15c3-3 customer protection mechanics, including possession or control protocols. Non-security crypto may fall under different supervisory frameworks like commodity or AML rules, so firms need legal analysis and compliance alignment for each asset.

What operational evidence do examiners expect to prove control over time?

Examiners look for directive authority records, key-management logs, movement histories, chain-of-custody documentation, change-control records, and third-party audit reports. Firms should keep immutable logs showing who approved transactions, where keys reside, and how custody workflows operated during the reporting period.

Can banks act as sub-custodians to meet broker-dealer control requirements?

Yes. Bank sub-custody with clearly drafted directive rights and contractual protections can serve as a control location. Contracts should provide verifiable authority for the broker-dealer to direct transfers, incident response coordination, and examiner access. Examiners evaluate language, operational integration, and history of cooperation.

What technology choices satisfy regulatory expectations for control?

HSM-backed key stores, enterprise multisignature setups (for example, 2-of-3 with clear governance), and MPC (multi-party computation) wallets are common. The chosen tech must support auditability, segregation of duties, signed directives, and secure key lifecycle management to meet both security and compliance requirements.

How do net capital rules affect firms holding Bitcoin or Ether as inventory?

Appendix B to Rule 15c3-1 includes haircuts for readily marketable commodities. Firms must apply appropriate inventory haircuts and capital treatments when holding BTC or ETH, which affects market-making and authorized participant activity. Operational practices for ETF in-kind flows and settlement must also align with capital and custody controls.

What are the main differences between qualified custody and holding private keys in-house?

Qualified custodians offer institutional-grade controls, insurance, audits, and regulatory familiarity, reducing operational burden. In-house key control gives direct withdrawal ability and potential cost savings but increases responsibility for security, compliance, and examiner scrutiny. Many firms adopt hybrid models to balance control and risk.

What disclosures are required for retail-facing flows when assets are non-securities?

Broker-dealers and financial firms must clearly disclose custody arrangements, withdrawal rights, custody risk, and whether assets are held with a custodian or the firm. Even for non-securities, transparency on access, insurance, and liability for loss is important to meet customer protection and consumer-finance expectations.

How should firms design incident playbooks and contractual language with custodians?

Playbooks must define roles, escalation paths, notification timelines, recovery steps, and proof-of-control procedures. Contracts should assign directive authority, specify audit rights, clarify liability, and include examiner cooperation clauses. Clear, tested procedures increase examiner comfort and reduce response time in theft or outage events.

When is a multisig architecture preferable to MPC or HSM-based custody?

Multisig is favorable when you need straightforward on-chain signature separation and transparent governance across participants. It suits smaller setups or consortium models. MPC and HSMs offer scalable enterprise features, lower single-point-of-failure risk, and easier integration with off-chain policy enforcement. Choice depends on governance needs, examiner expectations, and operational complexity.

What audit and insurance considerations should firms check when selecting a custodian?

Verify SOC 1/SOC 2 reports, penetration test results, proof of reserves where relevant, policy controls, and the scope of insurance coverage. Check whether insurance covers insider theft, cryptographic compromise, or third-party failures. Confirm how quickly the custodian can produce evidence for an examiner or during an incident.
