Why Institutions Are Rethinking Custody: The Checklist That Separates Safe from Risky
Choosing a crypto custody provider has become a technical and legal minefield for institutions, and a new framework from the Bitcoin Foundation shows why brand reputation alone is not enough to protect digital assets. The review, updated in June 2026, compares custody models, security controls, regulatory status, and exchange workflows across major institutional providers, revealing that the best choice depends entirely on an organization's specific risk profile, regulatory environment, and operational needs.
What Makes a Custody Provider Actually Safe?
Institutions often assume that a well-known name or the phrase "bank-grade security" means their assets are protected. The reality is far more granular. A custody provider's security posture depends on how private keys are generated, stored, approved, and recovered, along with whether those processes are independently audited. The Bitcoin Foundation's framework emphasizes that vague marketing language should be ignored unless concrete evidence backs it up.
The most credible security signals include the following technical and audit measures:
- Multi-signature and MPC controls: Private keys are split across multiple parties or cryptographic shares, so no single person or system can move funds without approval from others.
- Cold storage separation: The majority of assets are kept offline, away from internet-connected systems that could be hacked.
- Third-party audit reports: SOC 2 Type 2, ISO 27001, or penetration-testing summaries provide independent verification of security practices.
- Address whitelisting and withdrawal policies: Transfers can only go to pre-approved addresses, and high-value moves require additional approvals or time delays.
- Role-based permissions: Different team members have different levels of access, preventing any single employee from unilaterally moving large amounts.
The absence of public audit evidence is itself a red flag. If a provider cannot or will not share SOC 2 reports, penetration-test summaries, or insurance schedules, that opacity should trigger deeper due diligence before signing a contract.
Why Regulatory Status Is Not Magic Armor
Institutions often assume that a "qualified custodian" or "bank-chartered" provider automatically meets their compliance needs. The Bitcoin Foundation's review challenges this assumption by distinguishing between different types of regulatory status and what they actually mean. A trust company, national trust bank, registered crypto firm, and technology provider may all use the word "custody" while carrying different legal obligations and protections.
The key questions institutions should ask include which legal entity actually signs the custody contract, which entity holds the assets, which regulator oversees it, and which customer types are eligible. For example, Coinbase Prime operates through Coinbase Custody Trust Company, a New York fiduciary and qualified custodian, making it a strong fit for US institutions, funds, and corporate treasuries. Anchorage Digital Bank, by contrast, holds an OCC (Office of the Comptroller of the Currency) charter as a crypto-native national trust bank, offering federal oversight but potentially less flexibility for smaller clients.
Qualified custody status is especially important for investment advisers, funds, and institutions with strict control requirements. However, the exact regulatory fit depends on client type, state law, product terms, and legal review. A provider that is perfectly compliant for a hedge fund may not meet the requirements of a corporate treasury or a fintech platform.
How to Evaluate a Custody Provider for Your Institution
The Bitcoin Foundation's methodology provides a practical framework for comparing custody options. Rather than relying on marketing claims, institutions should conduct structured due diligence across several dimensions:
- Regulation and legal structure: Verify the provider's qualified custodian status, trust company status, bank charter, or local registration, and confirm which legal entity holds your assets and which regulator oversees them.
- Security architecture: Request detailed documentation on how private keys are generated, stored, and approved; ask for SOC 2, ISO 27001, or penetration-test reports; and verify that withdrawal policies include multi-approval thresholds and address whitelisting.
- Operational fit: For exchanges and trading platforms, test the provider's API limits, sandbox environment, webhook reliability, and settlement tools; confirm that the provider supports hot, warm, and cold wallet separation; and verify that reporting integrates with your finance, compliance, and audit workflows.
- Asset coverage and pricing: Confirm which cryptocurrencies and tokens the provider supports, understand the fee structure (custody fees, withdrawal fees, setup costs), and verify that minimums and contract terms align with your organization's size and needs.
- Incident procedures and insurance: Ask how the provider handles security breaches, whether they carry insurance, and what the claims process looks like if assets are lost or stolen.
The Bitcoin Foundation emphasizes that a demo is not proof of production capacity. Exchanges and high-volume traders should demand production-grade API documentation, clear service-level agreements (SLAs), and sandbox testing that matches real-world behavior before committing to a provider.
Why One Provider Cannot Be "Best" for Everyone
The June 2026 review compares ten major institutional custody options, including Coinbase Prime, Kraken Custody, Anchorage Digital Bank, Fireblocks, Fidelity Digital Assets, Gemini Custody, Copper, Zodia Custody, Hex Trust, and Komainu. Each has different strengths and limitations depending on the buyer's use case.
For example, Fireblocks is described as having very strong exchange and fintech fit due to its APIs, wallet infrastructure, and settlement workflows, but it functions primarily as a technology provider rather than the legal custodian itself. This means an institution using Fireblocks must still select a separate qualified custodian to hold assets, adding complexity but also flexibility. Fidelity Digital Assets appeals to institutions seeking a traditional finance brand and integrated trading platform, but its asset scope may be narrower than some competitors. Hex Trust and Komainu excel in Asia-Pacific markets but may require extra due diligence for US-focused institutions.
The Bitcoin Foundation's methodology weights public audit signals, qualified custody status, key-management architecture, governance controls, asset coverage, exchange integration, support maturity, and pricing transparency. However, the framework explicitly states that the best provider for one company may be wrong for another because funds, exchanges, treasuries, and fintech apps have different risk policies and operational requirements.
What Should Institutions Do Next?
The review concludes that choosing a custody provider should never be a shortcut decision. Institutions should conduct an internal request for proposal (RFP), involve legal counsel, and directly contact multiple providers to understand their specific capabilities. A ranking or review is a starting point, not a replacement for due diligence.
The custody landscape has matured significantly, with multiple qualified options available for different institutional needs. However, this maturity also means that institutions must be more rigorous in their evaluation. Vague security claims, missing audit evidence, unclear regulatory status, and poor API documentation are all reasons to keep looking. The cost of choosing the wrong provider is not just financial; it is reputational and operational, affecting an institution's ability to serve clients, comply with regulations, and recover from incidents.