Where Do Client Assets Really Live?
Your client just bought Bitcoin. You ask where they hold it. They say “on Coinbase.” What does that actually mean?
It means Coinbase holds the private keys that control the Bitcoin. Your client does not own a Bitcoin directly. They own a claim against Coinbase that Coinbase will return Bitcoin if asked. This distinction defines everything about custody.
If Coinbase is hacked, your client’s Bitcoin may disappear. If Coinbase is seized by regulators, your client’s Bitcoin may be frozen. If Coinbase becomes insolvent, your client may wait years for partial recovery. Your client is trusting Coinbase completely.
This is custodial holding. The exchange holds custody.
Alternatively, your client could use a hardware wallet and hold the private keys themselves. In this arrangement, only your client can move the Bitcoin. An attacker would need physical access to the device. Coinbase’s security does not matter. Your client faces different risks: losing the device, forgetting the recovery phrase, or having it stolen.
This is self-custody. The client holds custody.
Between these extremes sits a third option: a qualified custodian. Your firm uses a bank or trust company chartered specifically to hold digital assets on behalf of advisory clients. This custodian holds keys in cold storage, undergoes regular audits, maintains insurance, and is subject to regulatory oversight. Your client gets security without managing technical complexity.
Understanding these three fundamental custody models is the foundation of digital asset advisory.
The Technical Reality: Private Keys and Control
Before discussing custody solutions, you need to understand what custody actually means in digital assets.
Cryptocurrency is not held in accounts the way bank balances are. Cryptocurrency exists on a blockchain, a public ledger. When someone owns Bitcoin, what they really own is the ability to move it. This ability comes from a private key, a cryptographic secret that proves ownership and authorizes transactions.
The private key is the Bitcoin. If you have the private key, you have the Bitcoin. If you do not have the private key, you do not control the Bitcoin, regardless of what any company claims you own.
This is fundamentally different from traditional custody. If your client has $100,000 in a brokerage account, they do not hold the securities directly. The broker holds them in street name. But federal law protects the client. If the broker fails, the Securities Investor Protection Corporation (SIPC) covers losses up to $500,000 per account. The client never had physical control of the securities, but the regulatory framework provides protection.
Cryptocurrency has no SIPC equivalent. No federal insurance covers cryptocurrency held at an exchange. If the exchange fails or is hacked, there is no automatic protection. This means custody becomes critically important in ways that traditional investors may not experience.
Most clients using an exchange never think about this. They create an account, buy Bitcoin, and assume Coinbase holds it securely. Most of the time, they are right. Coinbase is a well-capitalized, publicly traded company with strong security practices. But FTX was also considered a leading exchange. Until it was not.
When you recommend custody arrangements to clients, you are making decisions about their exposure to counterparty risk. Understanding the mechanics of private keys and control allows you to evaluate those risks properly.
Hot Storage: Convenience and Vulnerability
Hot storage means private keys are kept on internet-connected devices or services. This includes exchange accounts, software wallets on phones, browser extension wallets, and any arrangement that enables transactions without physically interacting with a separate device.
Advantages of hot storage are straightforward. Transactions are immediate. There is no hardware to purchase or manage. Software wallets are free or low-cost. Someone with minimal technical knowledge can buy Bitcoin and hold it in a hot wallet with no special setup.
This convenience is real. For a client who wants to trade actively or needs liquidity, hot storage enables that activity. Many advisors recommend against frequent trading, but if a client insists, hot storage is necessary.
The problem is vulnerability. Internet-connected devices are exposed to malware, phishing, hacking, and social engineering. When the Mt. Gox exchange was hacked in 2014, attackers were able to steal approximately 650,000 Bitcoin because the exchange held keys on internet-connected systems. When FTX collapsed in 2022, approximately 477 million dollars of cryptocurrency was moved from FTX wallets in what appeared to be unauthorized access, possibly either during the exchange’s failure or immediately after.
These were not small security failures. They were sophisticated attacks or, in FTX’s case, outright misappropriation. Yet they resulted in total losses for customers.
For exchange custody specifically, the risks include exchange insolvency (the exchange goes bankrupt or disappears with customer funds), regulatory seizure (government authorities freeze customer assets), and withdrawal restrictions (the exchange limits how much customers can withdraw, as happened during 2022 market stress).
Some exchanges carry insurance. Coinbase maintains insurance policies covering certain loss scenarios. But coverage is typically limited. It may not cover all loss types, may have high deductibles, and may be inadequate relative to total customer assets held. Insurance should not be relied on as a primary protection mechanism.
Clients who hold Bitcoin on an exchange should understand what they are accepting: convenience in exchange for complete dependence on that exchange’s security, solvency, and regulatory standing.
Cold Storage: Security Through Offline Control
Cold storage means private keys are kept on devices that are never connected to the internet. The most common form is a hardware wallet, a physical device about the size of a car key that generates and stores private keys entirely offline.
How does this work? When you set up a hardware wallet, the device generates a seed phrase, typically a sequence of 12 or 24 randomly generated words. This seed phrase can regenerate all the private keys for all cryptocurrency addresses on that wallet. The seed phrase is what keeps the device from being a single point of failure: if the device is lost, you can restore the wallet on a new device using the seed phrase.
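The recovery property described above can be shown with the public BIP-39 and BIP-32 derivation steps. This is an added example, not code from the article or from any wallet vendor. The function names are hypothetical, the phrase is the public BIP-39 test phrase, and the wordlist and checksum validation a real wallet performs are left out.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 curve; a valid Bitcoin private key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Public BIP-39 test phrase, used as sample input. Never fund a wallet from it.
TEST_PHRASE = "abandon " * 11 + "about"


def entropy_bits(word_count: int) -> int:
    """Each word encodes 11 bits; 1 bit in 33 is checksum, the rest is entropy."""
    if word_count not in (12, 15, 18, 21, 24):
        raise ValueError("BIP-39 phrases have 12, 15, 18, 21 or 24 words")
    return word_count * 11 * 32 // 33


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase."""
    words = mnemonic.split()
    entropy_bits(len(words))  # rejects phrases of the wrong length
    password = unicodedata.normalize("NFKD", " ".join(words)).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 master node: (private key, chain code) from HMAC-SHA512 of the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("seed yields an invalid master key; generate a new phrase")
    return key, chain_code


def restore(mnemonic: str, passphrase: str = "") -> str:
    """What a replacement device does: phrase in, same master private key out."""
    return master_key(mnemonic_to_seed(mnemonic, passphrase))[0].hex()


if __name__ == "__main__":
    original_device = restore(TEST_PHRASE)
    replacement_device = restore(TEST_PHRASE)
    print("12 words carry", entropy_bits(12), "bits of entropy; 24 carry", entropy_bits(24))
    print("replacement device recovers the same key:", original_device == replacement_device)
    # One wrong word or a different passphrase leads to an unrelated wallet,
    # so a mis-transcribed backup fails silently rather than "almost" working.
    one_word_wrong = TEST_PHRASE.replace("about", "abandon")
    print("one wrong word gives same key:", restore(one_word_wrong) == original_device)
    print("other passphrase gives same key:", restore(TEST_PHRASE, "x") == original_device)
```

Because the derivation is deterministic and has no other input, anyone who reads the phrase holds the keys, which is why the backup needs the same protection as the device itself.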
To authorize a transaction with a hardware wallet, the client connects it to a computer, the wallet software shows the transaction details on the hardware wallet display, the client verifies those details are correct, and the client physically confirms the transaction on the device itself. The private key never leaves the device. An attacker would need the device plus knowledge of any PIN or passphrase.
Hardware wallets from reputable manufacturers (Ledger, Trezor, Coldcard) provide strong protection. Prices typically range from under 100 dollars to several hundred dollars. They are appropriate for any holding a client would be upset to lose permanently.
The tradeoff is inconvenience. Every transaction requires physical access to the device. A client cannot authorize a trade on their phone while sitting in a meeting. If they want to sell quickly during market volatility, they need to go find the hardware wallet. This limitation is intentional: the inconvenience is a feature that prevents impulsive decisions and, more importantly, that prevents automated attacks.
For long-term holdings that clients do not plan to actively trade, cold storage is the appropriate solution. For operational funds a client needs frequent access to, hot storage may be necessary, with cold storage holding the bulk of assets.
Multisignature Wallets: Multiple Keys, Distributed Control
Multisignature (multisig) technology adds a layer of security by requiring multiple private keys to authorize a transaction. A typical arrangement might be “2-of-3,” meaning three keys exist but any two must sign a transaction. If one key is lost, stolen, or compromised, the other two can still control the funds.
Multisig eliminates single points of failure. This is valuable for inheritance planning: a spouse and an adult child could each hold one key, with a third key held by a trust company. If one key is lost, the other two can still access funds. If one key holder becomes incapacitated, the other two can continue managing assets.
Multisig also enables institutional governance. A corporate treasury might configure a 2-of-3 or 3-of-5 setup requiring multiple executives to approve large transactions, preventing any single person from unilaterally moving funds.
However, multisig adds complexity. Setup is more technical. Transaction authorization requires coordination. Recovery procedures must be carefully documented.
For individual clients with modest holdings, multisig is unnecessary complexity. A hardware wallet with a properly secured seed phrase backup provides sufficient protection. Multisig becomes relevant for substantial holdings (generally six figures or more) or institutional accounts requiring multiple approvals.
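The 2-of-3 inheritance arrangement described in this section, worked through as an added example that is not from the article or any wallet product. Bitcoin multisig uses ECDSA or Schnorr signatures; Lamport one-time signatures are swapped in here so the code needs only the standard library. The holder names, the `MultisigPolicy` class and the transactions are constructed for illustration.

```python
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(message: bytes) -> list[int]:
    digest = int.from_bytes(_h(message), "big")
    return [(digest >> i) & 1 for i in range(256)]


def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; the public key is their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public


def sign(private, message: bytes) -> list[bytes]:
    """Reveal one secret per digest bit. A Lamport key must sign only one message."""
    return [private[i][bit] for i, bit in enumerate(_bits(message))]


def verify(public, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    return all(_h(signature[i]) == public[i][bit] for i, bit in enumerate(_bits(message)))


class MultisigPolicy:
    """m-of-n: a transaction needs valid signatures from m distinct key holders."""

    def __init__(self, threshold: int, public_keys: dict):
        if not 1 <= threshold <= len(public_keys):
            raise ValueError("threshold must be between 1 and the number of keys")
        self.threshold = threshold
        self.public_keys = public_keys

    def authorizes(self, tx: bytes, signatures) -> bool:
        approved = set()
        for holder, signature in signatures:
            public = self.public_keys.get(holder)
            if public is not None and verify(public, tx, signature):
                approved.add(holder)  # a set, so repeats from one holder count once
        return len(approved) >= self.threshold


def demo() -> dict:
    holders = ("spouse", "adult_child", "trust_company")  # roles from the text
    keys = {name: keygen() for name in holders}
    policy = MultisigPolicy(2, {name: pub for name, (_, pub) in keys.items()})
    tx = b"constructed tx: send 0.5 BTC to address-A"
    altered = b"constructed tx: send 5.0 BTC to address-B"
    sig = {name: (name, sign(priv, tx)) for name, (priv, _) in keys.items()}
    outsider_private, _ = keygen()  # a key that is not part of the wallet
    outsider_sig = sign(outsider_private, tx)
    return {
        "one_key_alone": policy.authorizes(tx, [sig["spouse"]]),
        "same_key_twice": policy.authorizes(tx, [sig["spouse"], sig["spouse"]]),
        "one_key_plus_outsider": policy.authorizes(tx, [sig["spouse"], ("outsider", outsider_sig)]),
        "outsider_claims_holder_name": policy.authorizes(
            tx, [sig["spouse"], ("adult_child", outsider_sig)]),
        "two_holders": policy.authorizes(tx, [sig["spouse"], sig["adult_child"]]),
        "spouse_key_lost": policy.authorizes(tx, [sig["adult_child"], sig["trust_company"]]),
        "signatures_moved_to_altered_tx": policy.authorizes(
            altered, [sig["spouse"], sig["adult_child"]]),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:32} -> {'authorized' if allowed else 'rejected'}")
```

The rejected rows are the security property (one stolen key moves nothing) and the `spouse_key_lost` row is the availability property (one lost key locks nothing).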
Qualified Custodians: Professional Custody with Regulatory Oversight
When a registered investment adviser holds digital assets on behalf of clients, the Investment Advisers Act requires using a qualified custodian. Historically this meant banks or registered broker-dealers, none of which offered digital asset custody.
This created a regulatory gap. The SEC addressed it through two mechanisms. First, in September 2025, the SEC issued a no-action letter confirming that state-chartered trust companies could serve as qualified custodians for digital assets under specific conditions: the trust company maintains assets in accounts designed to protect them from the custodian’s creditors, the trust company is subject to state regulatory oversight, and the trust company has appropriate security measures.
Second, the Office of the Comptroller of the Currency began granting national trust bank charters to digital asset firms. Anchorage Digital Bank received the first charter in 2021. In December 2025, the OCC conditionally approved five additional charters, including BitGo, Fidelity Digital Assets, and Paxos. These charters subject the institutions to federal bank supervision, including capital requirements, cybersecurity standards, and regular examinations.
This expansion of qualified custodians has transformed the landscape for RIAs managing digital assets.
A qualified custodian provides several benefits. The custodian holds private keys in cold storage. The custodian undergoes regular audits and examinations. The custodian maintains insurance coverage. The custodian is subject to regulatory oversight designed to prevent misappropriation and fraud.
From a client perspective, qualified custodian custody is more secure than exchange custody and more practical than self-custody. The client avoids managing keys and seed phrases. The custodian handles security. The arrangement complies with regulatory requirements.
The tradeoff is cost and minimum account sizes. Qualified custodians typically charge annual fees ranging from 0.25% to 1% of assets, and many require minimum account sizes of $25,000 to $100,000.
For many RIAs, an even simpler solution is recommending spot cryptocurrency ETFs. An ETF eliminates custody complexity entirely. The ETF holds cryptocurrency through its own qualified custodian. The client holds ETF shares through their existing brokerage. No special custody infrastructure is required.
Exchange Custody: The Convenience Cost
Exchange custody is the most common arrangement for individual cryptocurrency investors. Clients buy Bitcoin on Coinbase, leave it there, and assume Coinbase holds it securely.
Leading exchanges like Coinbase, Kraken, and Gemini are publicly traded or well-capitalized. They have security teams and carry insurance. For most clients, holding cryptocurrency on a regulated US exchange is safer than self-custody.
But “safer than self-custody” is not the same as “safe.” Exchanges face unique risks that traditional custodians do not.
First, exchange insolvency. FTX was valued at 32 billion dollars in 2022. In November 2022, it collapsed. Customers lost access to their assets for months, and some waited over a year for partial recovery. FTX was not hacked. It was a fraud. Founder Sam Bankman-Fried allegedly used customer funds for risky trading and personal loans. The lesson was clear: even large, apparently credible exchanges can fail catastrophically.
Second, regulatory seizure. If an exchange becomes the subject of regulatory action, authorities may freeze customer assets. This has happened in other countries and could happen in the United States.
Third, withdrawal restrictions. During periods of market stress, some exchanges have restricted customer withdrawals. In 2022, crypto lender Celsius halted withdrawals when it became insolvent. Clients discovered they could not access their assets.
Exchange insurance policies exist but are limited. Coverage may not apply to all loss scenarios. Deductibles may be high. Coverage may be less than total customer assets held.
For clients using exchanges, the appropriate guidance is to limit exchange balances to amounts they are comfortable losing completely. Move long-term holdings to more secure arrangements. Understand that exchange insurance is limited protection, not comprehensive coverage.
Self-Custody: Full Control and Full Responsibility
In self-custody, the client or advisor holds the private keys directly. No third party controls the cryptocurrency. This eliminates counterparty risk entirely.
If a client holds a hardware wallet with their seed phrase secured properly, no exchange failure, no hack, no regulatory action can affect their Bitcoin. They have complete control.
This control comes with complete responsibility. If the client loses the hardware wallet and does not have a backup seed phrase, the cryptocurrency is gone permanently. If an attacker steals the device and knows the PIN, the funds are stolen with no recourse. There is no insurance. There is no customer service. There is only the private key.
Self-custody is appropriate for technically sophisticated clients who understand these responsibilities and are willing to accept them. For most advisory clients, self-custody creates more risk than it eliminates.
That said, some clients have legitimate reasons to prefer self-custody. They may have ideological commitments to decentralization and personal responsibility. They may want privacy that custody through an institution does not provide. For these clients, the advisory role shifts from recommending a custody solution to educating them on security practices and documenting their understanding of risks.
Best practices for self-custody clients include using hardware wallets from reputable manufacturers, securing seed phrase backups on paper stored in fireproof safes or bank safety deposit boxes, never storing seed phrases digitally, using unique strong passwords and hardware two-factor authentication for related accounts, and maintaining operational security by not discussing holdings publicly.
Custody Decision Framework
Matching custody to client circumstances requires systematic evaluation. Use this framework to organize custody recommendations.
Start with asset value. A client with 10,000 dollars of cryptocurrency has different needs than one with 500,000 dollars. Modest holdings might appropriately be in exchange custody or an ETF. Substantial holdings warrant qualified custodian arrangements.
Second, evaluate technical sophistication. Self-custody requires understanding wallets, seed phrases, and security practices. Clients who lack this understanding should not self-custody regardless of their preference.
Third, consider regulatory requirements. If you are a registered investment adviser with custody of digital assets, qualified custodian requirements apply. If clients hold assets independently and you provide advice only, regulatory requirements differ.
Fourth, assess use case. Active traders need liquidity and therefore hot storage. Long-term investors can use less accessible but more secure arrangements.
Fifth, evaluate estate planning implications. Self-custody requires that heirs understand how to recover assets. Custodial solutions may have beneficiary designations.
Using this framework:
A client with modest holdings (under 25,000 dollars) and limited technical knowledge is appropriate for a spot cryptocurrency ETF. No direct custody is required. Assets trade through existing brokerage infrastructure. Cost is low (ETF expense ratios are typically 0.2% to 0.25% annually).
A client with moderate holdings (25,000 to 100,000 dollars) and some technical interest might be appropriate for a regulated exchange with strong security practices. They accept exchange counterparty risk in exchange for the ability to actively trade or rebalance their holdings.
A client with significant holdings (100,000 to 500,000 dollars) and sophisticated technical understanding might use a hardware wallet for bulk holdings with a qualified custodian as a backup for custody under advisory management.
A client with substantial holdings (over 500,000 dollars) who is an institution or ultra-high-net-worth individual is appropriate for a qualified custodian with institutional features, potentially including multisig arrangements.
An RIA-managed account of any size should use qualified custodians (OCC-chartered banks or state trust companies with SEC no-action relief).
Evaluating Custodians: Due Diligence Questions
If a client or your firm is considering a new custodian, thorough due diligence protects against choosing an inadequate provider.
Start with regulatory status. Is the custodian state-chartered, OCC-chartered, or operating under an SEC no-action letter? Do they have the authority to serve as qualified custodians for RIAs? Are there any pending regulatory actions or enforcement orders against them?
Second, evaluate security practices. What percentage of customer assets are held in cold storage? What security certifications do they maintain (SOC 2, ISO 27001)? Do they conduct regular third-party security audits? What is their track record with security incidents?
Third, assess insurance coverage. Do they maintain insurance policies covering customer assets? What types of losses does insurance cover? What are the coverage limits? Is coverage provided by a reputable insurer?
Fourth, review custody and operational practices. How are private keys generated and stored? Are there segregation controls preventing commingling of customer assets? What is their disaster recovery and business continuity process?
Fifth, understand fees. What is the annual custody fee? Are there minimum account sizes? Are there transaction fees for deposits or withdrawals?
Sixth, evaluate the organization itself. How long have they been in operation? Who are their major investors or shareholders? Do they have qualified management with relevant industry experience?
Seventh, request references. Have other RIAs used them? Can they provide multiple references willing to discuss their experience?
This due diligence takes time. It is worth doing thoroughly. A custody mistake can create significant client problems.
The Special Case of Spot Cryptocurrency ETFs
For many RIAs and their clients, spot cryptocurrency ETFs simplify custody entirely.
A spot cryptocurrency ETF is a fund that holds actual cryptocurrency and distributes share ownership. When a client buys shares of the iShares Bitcoin Trust (trading under symbol IBIT), they own a pro-rata share of the Bitcoin held by the trust. The trust holds Bitcoin through its qualified custodian.
From a custody perspective, this is elegant. The client holds ETF shares through their existing brokerage. The brokerage is a traditional qualified custodian and is SIPC-insured. The ETF holds cryptocurrency through its own qualified custodian. The client has three layers of custody protection without needing to manage a single key.
What does the client give up? They cannot use Bitcoin for transactions. They cannot participate in staking or decentralized finance. They pay an expense ratio (iShares Bitcoin Trust charges 0.21% annually). They rely on the ETF’s operational practices.
For clients whose goal is purely investment exposure to Bitcoin or Ethereum, these trade-offs are often more than acceptable. The simplicity, cost, and regulatory clarity may be preferable to direct custody arrangements.
Client Conversations: From Technical to Practical
Translating custody concepts for client conversations requires bridging the gap between technical detail and practical decision-making.
When a client says they hold crypto on Coinbase, you might ask: “That means Coinbase holds the keys that control it. If Coinbase is hacked or fails, your Bitcoin could be at risk. How much do you have there, and how comfortable are you with that risk?”
If they respond that they have 50,000 dollars and are not comfortable, walk through alternatives: A qualified custodian like Fidelity Digital Assets provides bank-level security and regulatory oversight. A hardware wallet gives you direct control, but you are responsible for security. A spot Bitcoin ETF holds Bitcoin through a custodian, but you hold shares through your regular brokerage.
If they ask about getting a hardware wallet, explain: “A hardware wallet is like a safe that holds the key to your Bitcoin. You need to protect that safe and remember the combination. If you lose both, your Bitcoin is gone forever. Before you go that route, let me make sure you understand what you are taking on.”
These conversations require empathy. Clients are often attracted to self-custody for philosophical reasons or because they heard that they should be. Your job is to educate them on trade-offs without dismissing their preferences. Some clients will choose self-custody despite your recommendation. Document that conversation and their understanding of risks.
Custody Compliance and Documentation
Proper documentation protects both you and your clients. For any client with digital asset exposure, document the following.
First, the client’s understanding of custody options and risks. Record the conversation where you explained the differences between exchange custody, qualified custodians, self-custody, and ETFs. This might be meeting notes or a signed acknowledgment.
Second, the custody arrangement chosen. Is it an ETF held through their brokerage? An exchange account they maintain independently? Direct custody at a qualified custodian? Hardware wallet self-custody?
Third, the rationale for the choice. Why is this custody solution appropriate for this client? Base your rationale on their asset value, technical sophistication, use case, and preferences.
Fourth, client acknowledgment of risks. For self-custody or exchange custody, document that the client understands the risks they are accepting. Many firms use a risk disclosure form that clients sign before opening exchange accounts or purchasing hardware wallets.
Keep these records as part of the client file for as long as the custody arrangement exists. If the custody arrangement changes, update the documentation.
The Monday Morning Conversation
When a client asks about custody, use this structure to organize your response.
First, understand their situation. How much cryptocurrency do they have? Where is it currently held? Are they planning to buy more? Are they looking to trade actively or hold long-term? Are they technically sophisticated?
Second, explain the three basic models: exchange (convenient but risky), qualified custodian (professional and regulated), self-custody (full control but full responsibility).
Third, map their situation to a recommendation. “Given your holdings of 75,000 dollars and your interest in active trading, exchange custody at a major regulated exchange like Coinbase or Kraken makes sense because you need liquidity. But understand that if the exchange fails, you could lose your Bitcoin. So keep most of it somewhere less liquid. Or consider a qualified custodian that I can integrate with your advisory account, which provides bank-level security.”
Fourth, answer their specific questions. Do not move forward until they understand the custody model and its trade-offs.
Fifth, document their choice and understanding. If they choose self-custody, document their acknowledgment of risks. If they choose exchange custody, document their understanding of counterparty risk. If you are using a qualified custodian, document your firm’s custody procedures.
This conversation makes custody concrete. You are not discussing abstract blockchain concepts. You are discussing where their money lives and what risks they face.
- Custody means control of private keys. Whoever holds the private keys controls the cryptocurrency. Understanding this fundamental principle clarifies every custody decision.
- Exchange custody offers convenience but creates counterparty risk. FTX proved that exchanges can fail catastrophically. Exchange insurance is limited. Clients using exchanges should understand the risks they are accepting.
- Qualified custodians provide regulatory compliance with security. RIAs managing digital assets must use qualified custodians (OCC-chartered banks or state trust companies). These custodians hold assets in cold storage and undergo regular audits.
- Self-custody transfers responsibility entirely to clients. Clients who self-custody have complete control but also complete responsibility for security. This is appropriate only for technically sophisticated clients who understand the risks.
- Spot cryptocurrency ETFs eliminate custody complexity. For clients whose goal is investment exposure, ETFs provide access through familiar brokerage infrastructure. The trade-off is inability to use cryptocurrency for transactions or staking.
- Custody decisions should match client profiles. A systematic framework considering asset value, technical sophistication, regulatory requirements, and use case leads to appropriate recommendations.
- Documentation protects both advisors and clients. For every custody arrangement, document the client’s understanding, the rationale for the choice, and acknowledgment of risks.
The Advisor’s Edge
Most financial advisors view cryptocurrency custody as a technical problem to solve or avoid. They either steer clients toward spot ETFs (simplest solution) or decline to advise on digital assets altogether (risk avoidance).
Your approach is different. You understand custody trade-offs deeply. You can explain to a client why exchange custody creates different risks than self-custody. You can evaluate qualified custodians and assess whether they are appropriate for your firm’s clients.
You recognize that custody is not separate from advice. A client holding 500,000 dollars of Bitcoin on Coinbase has a significant exposure to exchange counterparty risk. Recommending they move to a qualified custodian is not a technical detail. It is a material change to their risk profile.
You approach custody conversations systematically. You ask about their holdings and where they are held. You explain the options. You help them evaluate their own technical sophistication and risk tolerance honestly. You guide them to an arrangement that matches their situation, not your preference.
You maintain thorough documentation. If a client chooses self-custody despite your recommendation, you have evidence of the conversation and their understanding. If you recommend a qualified custodian and they accept, you have documentation of the custody arrangement and your firm’s procedures.
This approach positions you as someone who understands digital assets beyond the hype. You know custody mechanisms, regulatory requirements, security practices, and trade-offs. You can have conversations with sophisticated clients about their cryptocurrency holdings with the same competence you bring to traditional securities custody.
This is what the Certified Digital Asset Specialist™ (CDAS™) credential represents. Digital asset advisory is not about predicting Bitcoin prices. It is about understanding how these assets work, how to hold them securely, and how to integrate them into comprehensive financial plans. Custody is foundational to that integration.
For a practical guide to the ETF vehicles that simplify custody for most clients, see Bitcoin and Crypto ETFs: A Practical Guide for Financial Advisors.
Sources and Notes: CDAS Module 1, Chapter 3 (Blockchain Technology and Security) and Module 2, Chapter 10 (Custody and Security for Digital Assets), Certified Digital Asset Specialist™ course curriculum, IBF. OCC interpretive letters on digital asset custody. SEC custody rule requirements for RIAs. FTX bankruptcy proceedings as referenced for counterparty risk illustration. This article is refreshed annually.