Crypto Custody License Requirements for Institutional Providers in 2026

Institutional crypto custody illustration showing secure key management and client asset segregation concepts

Regulators now treat crypto custody as a standalone activity requiring specific authorization. The technical and operational requirements go far beyond what exchange licenses demand, and the gap between what's written in regulation and what supervisors actually expect is significant.


Why custody licensing is different

Holding someone else's crypto assets creates a specific set of risks that regulators have started addressing separately from trading or exchange activities. When an exchange goes down, clients lose access to trading. When a custodian fails, clients lose their assets. That distinction drives different regulatory requirements.

Under the EU's MiCA regulation, custody and administration of crypto-assets on behalf of clients is one of several crypto-asset services requiring CASP (Crypto-Asset Service Provider) authorization. But MiCA's custody provisions, found primarily in Article 75, impose obligations that go beyond the general CASP framework. Custodians must establish a custody policy, maintain adequate insurance or own funds, and segregate client assets both legally and operationally.

The UK, Switzerland, and Singapore have taken different but converging approaches. Each jurisdiction treats custody as an activity that demands specific operational capabilities, not just a financial services license bolted onto existing infrastructure.

MiCA's custody requirements: the detail regulators focus on

MiCA's Article 75 requires crypto-asset custodians to "ensure that the crypto-assets of their clients, or the means of access to such crypto-assets, are safeguarded." That language, while simple, has generated extensive regulatory guidance from ESMA and national competent authorities on what safeguarding actually means in practice.

The areas where applications face the most scrutiny:

Key management architecture. Regulators want to understand the entire lifecycle of private keys: generation, storage, use, backup, and destruction. Hardware security modules (HSMs) are expected, not optional. Multi-party computation (MPC) key management is increasingly accepted but requires detailed documentation of the mathematical properties and failure modes. Applicants using basic multisig arrangements without HSM backing may find their applications questioned.

The specific question regulators ask is: what happens if your key management infrastructure is compromised? Not whether it could be, but what you do when it is. Incident response plans that assume breaches won't happen are rejected. Plans that detail key rotation procedures, client notification timelines, and asset recovery mechanisms are what supervisors want to see.

Cold storage ratios. Most institutional custodians hold 90% to 98% of client assets in cold storage (offline, air-gapped systems). Regulators don't prescribe specific ratios, but they expect applicants to justify their approach. A custodian holding 60% in hot wallets will need to explain why, and the explanation needs to be more convincing than "our clients need liquidity." Insurance requirements and capital buffers increase proportionally with hot wallet exposure.

Client asset segregation. MiCA requires legal and operational segregation of client assets from the custodian's own assets. In practical terms, this means omnibus wallet structures (pooling multiple clients' assets in shared addresses) require robust internal accounting systems that can attribute assets to individual clients at any point in time. Some regulators prefer individually segregated wallets per client, though this creates operational challenges for custodians handling thousands of institutional accounts across multiple blockchain networks.

UK FCA: the registration that's harder than it sounds

The UK requires crypto custody providers to register with the FCA under the Money Laundering Regulations. This is technically an AML registration, not a full authorization, but the FCA has used its MLR powers to conduct detailed assessments of custody providers' operational capabilities.

The FCA's crypto registration process has become notoriously difficult. Between 2020 and 2025, the FCA rejected or saw withdrawal of over 85% of crypto firm applications. Many of these were exchange applications, but custody-specific applications have faced similar rejection rates.

Common reasons for rejection of custody applications:

  • Inadequate demonstration of how client assets would be protected in the event of the custodian's insolvency (the FCA wants legal opinions confirming that client assets held in trust or under custodial arrangements would not form part of the custodian's estate in bankruptcy)
  • Insufficient technical documentation of key management systems (the FCA's crypto team includes technical staff who can, and do, evaluate the security architecture)
  • MLRO candidates lacking specific crypto AML experience (general financial services AML experience is not sufficient)
  • Failure to address the risks of blockchain forks, airdrops, and staking for custodied assets (the FCA expects policies covering these scenarios)

The UK is expected to introduce a more formal crypto custody licensing regime as part of its broader crypto regulatory framework, potentially by late 2026 or 2027. Firms currently operating under MLR registration should prepare for more intensive requirements when the new regime arrives.

Switzerland FINMA: the gold standard for institutional custody

FINMA has developed arguably the most detailed regulatory expectations for crypto custody providers. Swiss-licensed crypto custodians operate under banking or securities dealer licenses (depending on the scope of activities), with FINMA applying specific conditions related to crypto asset handling.

FINMA's guidance requires custodians to:

  • Maintain at minimum CHF 300,000 in capital specifically allocated to custody operations
  • Undergo annual external audits by FINMA-approved auditors with specific review of key management and cold storage procedures
  • Implement transaction signing processes that require multiple authorized individuals (no single point of failure for large transactions)
  • Maintain insurance coverage for crypto-specific risks, including private key theft, employee fraud, and operational errors leading to asset loss

The insurance requirement is where many applicants encounter reality. Crypto-specific insurance coverage is expensive and the market for it is thin. Annual premiums for institutional custody insurance range from 0.5% to 2% of assets under custody, with significant variation based on the custodian's security architecture, cold storage ratio, and claims history. Some global insurers have entered this market (Lloyd's syndicates are the most active), but coverage terms are restrictive, with high deductibles and extensive exclusion clauses for social engineering attacks and insider theft.

Singapore MAS: operational requirements in detail

The Monetary Authority of Singapore requires crypto custody providers to hold a Capital Markets Services (CMS) license or a Major Payment Institution (MPI) license under the Payment Services Act, depending on the scope of services. MAS has published specific guidance for custodians covering technology risk management.

MAS's technology risk management guidelines, while not crypto-specific, apply with additional expectations when applied to digital asset custody:

  • Penetration testing of key management infrastructure at least annually by independent security firms
  • Disaster recovery testing with documented evidence of asset recoverability within specific time windows (typically 4 to 24 hours)
  • Staff background checks including criminal records, credit checks, and prior employer verification for all personnel with access to key management systems
  • Physical security requirements for cold storage locations, including access controls, surveillance, and environmental protections

What actually trips up institutional custody applicants

Across all four jurisdictions, certain issues recur in failed or delayed applications:

Outsourced key management. Custodians that outsource their core key management to third-party technology providers face intense questioning about operational resilience. Regulators want to understand what happens if the technology provider fails, is breached, or terminates the relationship. "We'll switch providers" is not an adequate answer without a documented migration plan and testing evidence.

Proof-of-reserves without substance. Following the collapse of several crypto firms in 2022 and 2023, regulators scrutinize proof-of-reserves claims. Merkle-tree attestations from auditors are expected. Self-certified reserves, blockchain screenshots, or reports from non-audit firms carry minimal weight with regulators.
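A minimal Merkle-tree proof-of-liabilities of the kind auditors produce for such attestations, added here as an example and not taken from the article or any named custodian or auditor: each leaf commits to a salted (client id, balance) pair and every interior node carries the summed balance, so the published root's balance is the total owed to clients, the auditor compares it to the on-chain reserve, and each client can check that its own balance was counted. Client ids, balances, salts and the reserve figure are constructed sample data.

```python
import hashlib
# A node is (hash, summed balance); the root's balance is the total client liability.

def leaf(client_id, balance, salt):
    # Per-client salt (given to that client privately) stops others from brute-forcing pairs.
    h = hashlib.sha256(b"\x00" + salt + client_id.encode() + balance.to_bytes(16, "big")).digest()
    return (h, balance)

def parent(left, right):
    # Interior nodes commit to both children's hashes AND balances, so an inclusion
    # proof also shows the client's balance was counted in the published total.
    h = hashlib.sha256(b"\x01" + left[0] + left[1].to_bytes(16, "big")
                       + right[0] + right[1].to_bytes(16, "big")).digest()
    return (h, left[1] + right[1])

def build_levels(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append((cur[-1][0], 0))  # pad odd levels with a zero-balance node
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, index):
    # Sibling path from leaf to root as (sibling node, sibling_is_left) pairs.
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib], sib < index))
        index //= 2
    return path

def verify_inclusion(leaf_node, path, root):
    # Client side: recompute the root from its own leaf and the sibling path.
    node = leaf_node
    for sib, sib_is_left in path:
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node == root

# Constructed sample ledger (client id, balance, salt) and omnibus on-chain balance.
SAMPLE_LEDGER = [("a1", 500_000, b"s1"), ("a2", 1_250_000, b"s2"), ("a3", 75_000, b"s3")]
SAMPLE_RESERVES = 2_000_000

def attest(ledger=SAMPLE_LEDGER, reserves=SAMPLE_RESERVES, client_index=1):
    # Auditor side: publish the root, compare liabilities to reserves, issue one client's proof.
    leaves = [leaf(c, b, s) for c, b, s in ledger]
    levels = build_levels(leaves)
    root = levels[-1][0]
    return {"total_liabilities": root[1], "reserves_cover_liabilities": reserves >= root[1],
            "client_included": verify_inclusion(leaves[client_index], inclusion_proof(levels, client_index), root)}
```

A real attestation also needs the auditor to prove control of the reserve addresses and to publish the root at a fixed block height; this block covers only the liabilities side.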

Multi-chain complexity. Custody providers that support multiple blockchain networks need policies for each network's specific risks: different consensus mechanisms, different fork handling procedures, different staking dynamics. A custody policy written for Bitcoin doesn't apply to Ethereum, and certainly doesn't cover Solana or newer L2 networks. Regulators expect chain-specific operational documentation.

Governance around new asset onboarding. When a custodian decides to support a new crypto asset, what process governs that decision? Regulators expect a formal asset listing policy covering security review, smart contract audit (for token-based assets), liquidity assessment, and legal analysis of the asset's classification. Custodians that "support everything" without a structured review process raise supervisory concerns about operational risk management.

The crypto custody licensing landscape is converging across major jurisdictions toward a set of common expectations: institutional-grade key management, meaningful insurance, genuine asset segregation, and detailed operational documentation. Firms building custody operations should design their infrastructure around these requirements from the start, not retrofit compliance after the technology is built. Regulators can tell the difference.
