Three federal agencies reversed their crypto custody rules in a single 100-day window in 2025, and the European Union switched on a one-license regime covering 27 countries six months earlier. Custody, the question of who holds your crypto and on what legal terms, has moved from a regulatory grey zone to the most contested compliance frontier in digital assets. Crypto custody regulations now diverge sharply across jurisdictions, and the framework you operate under depends on where you bank, where your customers live, and which charter your custodian holds.
Key Takeaways
- The SEC issued SAB 122 on January 23, 2025, rescinding SAB 121 and removing the balance-sheet liability requirement that had blocked publicly traded banks from offering crypto custody since March 31, 2022.
- MiCA Article 75 requires EU crypto-asset service providers to hold client crypto-assets on separate distributed-ledger addresses from their own holdings, the only on-chain segregation rule codified in primary law worldwide.
- Anchorage Digital Bank received the first OCC national trust charter for a crypto firm on January 13, 2021, holding the unique status for over four years before BitGo Bank & Trust received approval in December 2025.
- Coinbase Custody Trust Company has operated as a NY DFS limited-purpose trust since October 23, 2018, safeguarding over $220 billion in client assets under New York Banking Law fiduciary standards.
- MiCA’s CASP capital requirements scale by service: €50,000 for advice and order routing, €125,000 for custody and exchange, and €150,000 for trading platforms, with one license passporting across all 27 EU member states.
Editor’s Choice
- BitGo custodied approximately $90 billion in client assets by July 2025 and received OCC approval for a national trust bank charter in December 2025.
- Fireblocks secured over $10 trillion in cumulative transaction volume across more than 300 million wallets and over 2,400 institutional clients.
- BNY provides fund services for over 80% of US, Canadian, and EMEA digital asset exchange-traded products and over 50% of tokenized fund assets globally.
- The OCC, FDIC, and Federal Reserve withdrew or rescinded restrictive crypto guidance in 92 days from January 23 to April 24, 2025.
- MiCA Title V rules for CASP authorization applied from December 30, 2024, with a transitional regime running until July 1, 2026 for service providers active under prior national law.
What Crypto Custody Regulations Mean
Crypto custody regulation governs how third parties hold cryptocurrencies and digital assets on behalf of clients, with rules that diverged sharply between traditional asset custody and crypto under SEC Staff Accounting Bulletin 121 from March 31, 2022, until its rescission on January 23, 2025. Regulation (EU) 2023/1114 sets a single standard through Article 75, which requires crypto-asset service providers to segregate holdings of crypto-assets on behalf of their clients from own-account holdings and to hold client crypto-assets on separate addresses on the distributed ledger.
The dividing line between regulated and unregulated crypto runs through one question: who holds the private keys? Self-custody wallet statistics put the keys in the holder’s control, with no intermediary. Institutional custody hands the keys to a regulated entity, typically a trust company, national bank, or licensed virtual currency business, that owes fiduciary or contractual duties to the client. Authorities in both jurisdictions treat segregation, the requirement to keep client assets walled off from the custodian’s own balance sheet, as the structural safeguard that anchors every other rule.
Two regulators built the US crypto custody regulations stack from opposite ends from 2020 onward, and Brussels built one rulebook from scratch.
The US Framework: SEC, OCC, FDIC, Federal Reserve
SEC Staff Accounting Bulletin 121, issued on March 31, 2022, and effective for financial periods ending after June 15, 2022, required entities responsible for safeguarding crypto-assets to record both a liability and a corresponding asset on the balance sheet at the fair value of the crypto-assets being safeguarded. The capital impact made bank custody economically prohibitive for nearly three years, and most publicly traded banks declined to offer the service until the rule was reversed.
On January 23, 2025, the SEC issued SAB 122, formally rescinding SAB 121, with full retrospective application required for annual periods beginning after December 15, 2024, and early adoption permitted in any interim or annual filing on or after January 30, 2025. The reversal returned crypto custody to ordinary fiduciary accounting treatment, the same off-balance-sheet model that applies to traditional asset custody at trust banks. SEC and CFTC regulations on cryptocurrencies document the broader federal supervisory shift over the same period.
The OCC built the federal-bank track in parallel. Interpretive Letter 1170, issued July 22, 2020, concluded that national banks and federal savings associations may provide crypto-asset custody services in either a fiduciary or non-fiduciary capacity. Interpretive Letter 1172, issued September 21, 2020, authorized national banks to hold deposits as reserves for stablecoins backed on a 1:1 basis by a single fiat currency and held in hosted wallets. The federal stablecoin layer was reinforced years later through the GENIUS Act stablecoin approval framework.
OCC Bulletin 2025-2, dated March 7, 2025, transmits Interpretive Letter 1183, which reaffirms permissibility of activities under IL 1170, IL 1172, and IL 1174 for national banks and federal savings associations and rescinds Interpretive Letter 1179 from November 18, 2021, eliminating the supervisory non-objection process. The OCC also withdrew from interagency crypto statements dated January 3, 2023, and February 23, 2023, while requiring banks to conduct crypto-asset activities in a safe, sound, and fair manner and in compliance with applicable law.
The FDIC issued Financial Institution Letter FIL-7-2025 on March 28, 2025, rescinding FIL-16-2022 from April 7, 2022 and clarifying that FDIC-supervised institutions may engage in permissible crypto-related activities without receiving prior FDIC approval. On April 24, 2025, the FDIC and the Board of Governors of the Federal Reserve System jointly withdrew the agency statements on crypto-asset risks dated January 3, 2023 and February 23, 2023.
The four federal agencies divide the custody stack along distinct supervisory lanes:
- SEC: sets the accounting treatment for safeguarded crypto-assets at SEC-registered entities, governed by SAB 122 since January 23, 2025.
- OCC: charters and supervises national banks and federal savings associations offering crypto custody, with authority anchored in Interpretive Letters 1170, 1172, and 1183.
- FDIC: supervises insured state-chartered banks engaging in crypto-related activities under FIL-7-2025, without prior-notification gating.
- Federal Reserve: supervises member banks and bank holding companies, having joined the FDIC’s April 24, 2025 withdrawal of the 2023 interagency crypto-risk statements.
Federal authority is only half the picture: state-level rules added a parallel custody track from 2015 onward.
NY DFS BitLicense and the State-Level Custody Layer
Title 23, Chapter I, Part 200 of the New York Codes, Rules and Regulations, the BitLicense framework adopted in 2015, requires licensees to hold virtual currency in a manner that protects customer assets, maintain comprehensive books and records, and disclose the material terms of custody services. The DFS has treated segregation as the default since 2015, with any departure framed as a regulator-approved exception.
The Department emphasizes that equitable and beneficial interest in customer virtual currency must always remain with the customer, and any exception from the general segregation requirement requires the Department’s prior written approval. In practice, BitLicensees implement either per-customer wallets or omnibus accounts with internal-ledger attribution.
On September 30, 2025, an Industry Letter required VCE Custodians to separately account for and segregate customer virtual currency from corporate assets of the VCE Custodian and its affiliated entities, both on-chain and on internal ledger accounts, replacing earlier guidance from January 23, 2023. The 2025 letter classifies establishing new sub-custody relationships as a material business change requiring prior Department approval, and limits sub-custodians to entities that are Department-licensed or regulated under substantially similar standards.
The DFS also pioneered the limited-purpose trust charter as a custody vehicle. On October 23, 2018, the New York State Department of Financial Services authorized Coinbase Global, Inc. to form Coinbase Custody Trust Company LLC as a New York limited purpose trust company, qualifying as a fiduciary under Section 100 of the New York Banking Law and licensed to custody clients’ digital assets in trust on their behalf. Coinbase later expanded its federal custody footprint when it secured conditional OCC approval for a national trust charter in early 2026. Coinbase has reported that its institutional custody business safeguards over $220 billion in customer assets, with the trust company subject to the same capital requirements and audit standards as a traditional financial custodian.
Why it matters: The September 30, 2025 NY DFS letter elevated sub-custody from a standard contractual matter to a regulator-approved structural change. Custodians using third-party sub-custodians must now reapply for permission and obtain “F/B/O” account titling, raising the bar for the institutional segregation chain.
Across the Atlantic, the EU built one set of crypto custody regulations for 27 countries.
MiCA Title V: One License Across 27 EU Member States
Markets in Crypto-Assets Regulation entered into force on June 29, 2023, with Title III provisions for asset-referenced tokens and e-money tokens applying from June 30, 2024, and Title V provisions for the authorisation and ongoing operation of crypto-asset service providers applying from December 30, 2024. Member States may apply transitional measures permitting CASPs that provided their services in accordance with applicable law before December 30, 2024 to continue to do so until July 1, 2026, or until they are granted or refused MiCA authorisation.
The single-license design is the strategic break with the US model. One authorization granted by a national competent authority, such as France’s AMF, Germany’s BaFin, or Ireland’s Central Bank, passports across all 27 EU member states. A custodian authorized in one capital can serve clients in every other capital without filing separately, with passporting now live across all 27 EU member states. The full set of MiCA regulations compliance requirements sets the baseline obligations every authorized CASP must meet on an ongoing basis.
Capital requirements under MiCA Title V scale by service: CASPs offering reception and transmission of orders, advice, or portfolio management must hold minimum own funds of €50,000; CASPs providing custody, exchange of crypto-assets, execution of orders, placing of crypto-assets, or transfer services must hold minimum own funds of €125,000; and CASPs operating a trading platform must hold minimum own funds of €150,000. The own-funds requirement is measured against fixed overheads, set at one-quarter of the previous year’s fixed overheads, plus any threshold imposed by the national competent authority.
The capital tiers map directly to risk profile. Custody sits in the middle band because client funds and assets pass through the CASP’s books, but the CASP does not warehouse market risk the way a trading-venue operator does.
One Article inside MiCA goes further than any US rule.
MiCA Article 75: On-Chain Segregation Becomes Law
Article 75 of Regulation (EU) 2023/1114 governs custody and administration of crypto-assets on behalf of clients, requiring that crypto-asset service providers segregate holdings of crypto-assets on behalf of their clients from own-account holdings. On the distributed ledger, clients’ crypto-assets must be held on separate addresses from those on which their own crypto-assets are held, and the means of access to clients’ crypto-assets must be clearly identified as such.
Article 75 breaks new ground globally. US frameworks require book-entry segregation; the custodian’s internal accounting must show client assets ring-fenced from corporate assets, but they do not extend to the chain itself. A US trust company can hold customer Bitcoin and corporate Bitcoin in the same on-chain wallet so long as the internal ledger keeps them apart and audits confirm the split. MiCA closes that gap and requires the chain to reflect the segregation directly.
Article 75 also requires CASPs to maintain a register of positions opened in the name of each client corresponding to the client’s rights to the crypto-assets, to record any operation in the name of each client without undue delay, and to provide clients with a position statement at least once every three months and at the request of the client. The quarterly position statement is the routine confirmation that every other rule depends on, the touchstone document an auditor or insolvency administrator can compare against the on-chain ledger.
Article 75(8) provides that a crypto-asset service provider holding crypto-assets on behalf of clients shall be liable to its clients for any loss of crypto-assets or of the means of access to the crypto-assets resulting from incidents attributable to the provider, with liability not exceeding the market value of the crypto-assets lost at the time the loss occurred. Article 70(3) requires CASPs holding clients’ funds other than e-money tokens to deposit those funds with a credit institution or central bank no later than the end of the business day following the day on which the funds were received, in segregated accounts separate from the CASP’s own funds.
By the numbers: MiCA Article 75 codifies four custody pillars: separate distributed-ledger addresses, individual client position registers, quarterly statements, and statutory liability up to the market value of lost client crypto-assets, per Regulation 2023/1114. No US framework imposes the on-chain address-separation requirement that Article 75 sets as a baseline.
The on-chain segregation rule shifts custody enforcement from a forensic exercise to a real-time, publicly verifiable test. An auditor or insolvency administrator can check separation directly on the ledger, not by reconciling the custodian’s internal books. By contrast, cryptocurrency compliance risks in jurisdictions without on-chain segregation rules continue to depend on internal-ledger reviews and routine attestation cycles.
While Brussels was finalizing crypto custody regulations, Washington was reversing them.
The 2025 US Regulatory Pivot Calendar
The single most consequential change to US crypto custody regulations in years happened over a single quarter. Three federal agencies reversed restrictive guidance in 92 days, faster than any comparable banking pivot in the post-2008 era.
On January 23, 2025, the SEC issued SAB 122 to formally rescind SAB 121, removing the balance-sheet liability requirement that had blocked publicly traded banks from offering crypto custody. On March 7, 2025, the OCC issued Bulletin 2025-2 transmitting Interpretive Letter 1183, which reaffirmed crypto-asset activities under IL 1170, IL 1172, and IL 1174 and rescinded the supervisory non-objection process from IL 1179.
On March 28, 2025, the FDIC issued FIL-7-2025 rescinding the prior-notification requirement of FIL-16-2022. On April 24, 2025, the FDIC and Federal Reserve jointly withdrew the agency statements on crypto-asset risks dated January 3, 2023 and February 23, 2023. That joint withdrawal completed the policy reset.
| Date (2025) | Agency | Action | What changed |
| January 23 | SEC | SAB 122 issued | Balance-sheet liability for safeguarded crypto removed |
| March 7 | OCC | Bulletin 2025-2 / IL 1183 | Supervisory non-objection process rescinded |
| March 28 | FDIC | FIL-7-2025 | Prior-notification rule rescinded |
| April 24 | FDIC + Fed | Joint withdrawal | 2023 interagency crypto statements pulled |
Source: SEC, OCC, FDIC, Federal Reserve press releases
Worth noting: The 92-day window represents a coordinated, agency-level reset rather than a single legislative act. Each reversal sat inside that agency’s existing authority, which is why the pivot moved this quickly and did not need congressional action.
The pivot also broke a four-year solo run, since Anchorage Digital Bank, which received the first OCC national trust charter for a crypto firm on January 13, 2021, was the only crypto company holding that distinction for over four years before BitGo Bank & Trust received approval in December 2025.
Across the same year, CoinLaw’s coverage of 100+ regulatory events shows the crisis-to-license pattern in reverse: clarity, not collapse, drove this round of license activity. These regulatory shifts redrew the competitive map.
Where the Big Custodians Stand: BitGo, Anchorage, Coinbase, BNY, Fireblocks
The institutional custody market splits across federal trust banks, state limited-purpose trust companies, and national bank custody arms. Each charter type carries a distinct supervisory regime and capital model.
Anchorage Digital Bank, conditionally approved by the OCC on January 13, 2021, primarily provides custody services for digital assets and cryptocurrencies to institutional clients and offers crypto custody, staking, settlement, and on-chain governance services under OCC oversight. BitGo Bank & Trust received approval in December 2025 to operate as a national trust bank chartered and regulated by the OCC, and BitGo’s institutional digital asset custody platform reached approximately $90 billion in assets under custody by July 2025. As of December 2024, BitGo safeguarded $81.6 billion in digital assets, with Bitcoin representing 49.2% of holdings, and maintains SOC 2 Type II audited security controls.
BNY provides fund services for over 80% of the digital asset exchange-traded products in the US, Canada, and EMEA, and provides fund administration and custody for over 50% of the tokenized fund assets globally. In November 2025, BNY launched the Dreyfus Stablecoin Reserves Fund (BSRXX), an institutional money market fund supporting stablecoin issuer reserves, and in July 2025 was selected as primary custodian for Ripple USD reserves.
Fireblocks operates institutional MPC-CMP wallet infrastructure that has secured over $10 trillion in cumulative transaction volume across more than 300 million wallets and over 2,400 institutional clients. The Palo Alto-based firm reports approximately $90 billion in assets on its platform, serves over 4,600 entities across 100 countries, supports 1,550+ digital assets on 69 blockchain networks, and carries $250 to $320 million in insurance coverage. Fireblocks launched its Trust Company under a NYDFS limited-purpose trust charter in mid-2025, adding qualified custodian status to its existing MPC-based wallet and policy engine.
| Custodian | Charter / Regulator | AUC (latest disclosed) | Technology |
| Coinbase Custody Trust Co. | NY DFS limited-purpose trust (2018) | Over $220 billion | Hardware-backed cold storage |
| Anchorage Digital Bank | OCC national trust (Jan 2021) | Not publicly disclosed | HSM, sharded keys |
| BitGo Bank & Trust, N.A. | OCC national trust (Dec 2025) | Approximately $90 billion (Jul 2025) | Multi-sig, MPC |
| Fireblocks Trust Company | NY DFS trust charter (2025) | Approximately $90 billion on platform | MPC-CMP, $250 to $320 million insurance |
| BNY | National bank | 50%+ of tokenized fund assets globally | Bank-grade infrastructure |
Source: Coinbase, Anchorage, BitGo, Fireblocks, BNY corporate disclosures
Worth noting: Coinbase Custody, BitGo, and Fireblocks each cluster around the $90 billion to $220 billion AUC band. The market is fragmented across charters, with no single custodian dominant in the way that BNY dominates US fund custody.
Custodian Liability and Insurance Standards
Liability standards under crypto custody regulations vary by regulator. New York BitLicensees operate under 23 NYCRR Part 200 with the equitable and beneficial interest of the customer preserved at all times and segregation required by default. Trust companies chartered by NY DFS or the OCC layer fiduciary duty on top of that, with capital, audit, and supervision parallel to traditional custody banks operating under Section 100 of the New York Banking Law.
MiCA Article 75(8) sets statutory liability for CASPs holding crypto-assets, capping the provider’s liability at the market value of the crypto-assets lost at the time the loss occurred and excluding losses resulting from incidents not attributable to the provider, including problems inherent to the operation of the distributed ledger technology that are not under the provider’s control. The codified liability cap closes a gap US frameworks leave to contract: in the US, custodian liability typically tracks whatever the custody agreement says, which means terms vary across providers and across product lines.
Insurance backstops the regulatory framework rather than replacing it. Fireblocks reports $250 to $320 million in insurance coverage as part of its institutional infrastructure stack. FDIC deposit insurance does not extend to crypto holdings even at FDIC-supervised banks, and MiCA does not introduce an EU-level deposit guarantee for crypto. Private specie insurance, typically placed through Lloyd’s syndicates and large commercial brokers, fills the gap.
Frequently Asked Questions (FAQs)
SAB 121 required entities safeguarding crypto-assets to record both a liability and corresponding asset on the balance sheet at fair value, treating crypto custody differently from traditional asset custody. SAB 122, issued January 23, 2025, rescinded SAB 121 and applies retrospectively to annual periods beginning after December 15, 2024, with early adoption permitted from January 30, 2025.
MiCA Article 75 requires CASPs to hold client crypto-assets on separate distributed-ledger addresses from their own-account holdings. The text does not require a unique wallet per client, but client crypto-assets and CASP own-account crypto-assets must sit on different on-chain addresses, with the means of access clearly identified and individual position registers maintained per client.
Yes. OCC Interpretive Letter 1170, issued July 22, 2020, authorized national banks and federal savings associations to provide crypto-asset custody services in either a fiduciary or non-fiduciary capacity. OCC Bulletin 2025-2, dated March 7, 2025, reaffirmed that authority and rescinded the supervisory non-objection process described in Interpretive Letter 1179. Banks must still conduct the activity in a safe, sound, and fair manner under standard supervisory review.
A NY DFS limited-purpose trust company is chartered under Section 100 of the New York Banking Law to act as a fiduciary for a narrow set of activities such as custody of virtual currencies. Coinbase Custody Trust Company, authorized October 23, 2018, is a fiduciary under Section 100 of the New York Banking Law and is held to the same capital requirements and audited in the same manner as a traditional financial custodian.
Member States may apply transitional measures permitting CASPs that provided their services in accordance with applicable law before December 30, 2024 to continue to do so until July 1, 2026, or until they are granted or refused MiCA authorisation, whichever is sooner. Member States may shorten the transitional period, so the practical deadline varies by jurisdiction.
Conclusion
Custody policy moved on two tracks this year. MiCA Title V applied on December 30, 2024. The EU finished its single-rulebook design that day. Article 75 sets a segregation requirement that crypto-asset service providers shall hold clients’ crypto-assets on separate addresses on the distributed ledger from those on which their own crypto-assets are held. The US went the other direction inside a 92-day window, rescinding SAB 121, the OCC supervisory non-objection process, and the FDIC prior-notification rule between January 23 and April 24, 2025.
The practical effect is a wider lane for institutional custody on both sides of the Atlantic, but with structurally different compliance regimes. EU CASPs work under one license, capital tiers from €50,000 to €150,000, and chain-level segregation rules. US custodians work under a stack of federal accounting rules, OCC interpretive letters, FDIC supervisory guidance, and state-level frameworks like NY DFS BitLicense, with book-entry segregation as the floor.
Banks and trust companies stand to benefit most from the US reversal: the federal supervisory path is now open, federal accounting no longer penalizes balance-sheet exposure, and the OCC’s Anchorage and BitGo charters establish a viable pathway. EU custodians benefit from a passporting regime that turns 27 national markets into one. CoinLaw’s coverage across 18 regulatory events suggests these openings tend to attract new entrants within 12 months; where the next custody charters and CASP authorizations land will set the institutional map for the rest of the decade.
