Crypto Reset: How to Choose a Custodian Using a Practical Checklist

February 26, 2026


The institutional cryptocurrency landscape has reached an inflection point. As digital assets mature from speculative instruments into legitimate components of corporate treasuries and investment portfolios, the question is no longer whether to engage with crypto, but how to do so safely. For SaaS executives navigating this terrain—whether managing company Bitcoin holdings, exploring blockchain integration, or evaluating Web3 business models—the custody decision stands as perhaps the most critical junction point.

The stakes are substantial. According to Chainalysis, cryptocurrency-related crime resulted in $24.2 billion in illicit transaction volume in 2023 alone, with exchange hacks and custody failures representing a significant portion of those losses. Meanwhile, institutional adoption continues to accelerate: Fidelity Digital Assets reported in their 2023 Institutional Investor Study that 74% of institutional investors find digital assets appealing, with security and custody infrastructure cited as primary enablers of this confidence.

For executives accustomed to the regulated, insured world of traditional banking, the crypto custody ecosystem presents both familiar concepts and entirely new risk vectors. This guide provides a systematic framework for evaluating custody providers—a practical checklist grounded in both technological realities and regulatory requirements that can inform your decision-making process.

Why Custody Decisions Deserve Executive Attention

Unlike traditional financial assets where custody is relatively standardized, cryptocurrency custody exists on a spectrum ranging from complete self-custody to fully managed institutional solutions. This flexibility is simultaneously a feature and a vulnerability. The irreversible nature of blockchain transactions means that custody failures—whether through technical compromise, operational error, or fraud—typically result in permanent, unrecoverable losses.

The Mt. Gox collapse of 2014, which resulted in the loss of 850,000 Bitcoin (valued at approximately $450 million at the time), established custody security as the cryptocurrency industry's defining challenge. More recently, the 2022 collapse of FTX highlighted how even large, seemingly reputable platforms can fail catastrophically when proper custody segregation and controls are absent. FTX's commingling of customer assets with proprietary trading operations led to an estimated $8 billion shortfall—a cautionary tale about the importance of custody architecture.

For SaaS companies, these risks intersect with unique operational considerations: regulatory compliance across multiple jurisdictions, integration with existing financial systems, and the need for real-time access that doesn't compromise security. The custody decision directly impacts your company's risk profile, operational efficiency, and regulatory standing.

Understanding the Custody Spectrum

Before diving into the evaluation checklist, it's essential to understand the fundamental custody models available:

Self-Custody (Cold Storage): Your organization maintains complete control over private keys, typically using hardware security modules (HSMs) or air-gapped devices. This provides maximum control but requires substantial internal expertise and infrastructure.

Qualified Custodian: Regulated financial institutions that hold crypto assets on behalf of clients, similar to traditional securities custody. These entities typically operate under banking charters or trust company licenses and offer institutional-grade insurance and compliance frameworks.

Exchange-Integrated Custody: Cryptocurrency exchanges that offer custody services alongside trading functionality. Convenient but historically the source of significant security breaches and regulatory scrutiny.

Multi-Signature Solutions: Technology-based approaches requiring multiple parties to authorize transactions, distributing key management across several entities or individuals.

Each model involves distinct trade-offs between security, convenience, regulatory compliance, and operational complexity. Most institutional-grade solutions employ hybrid approaches, combining elements of multiple models.

The Practical Evaluation Checklist

Security Architecture and Key Management

The foundation of any custody evaluation begins with understanding how private keys—the cryptographic credentials that control asset access—are generated, stored, and used.

Key generation methodology: Assess whether keys are generated in secure, audited environments using industry-standard cryptographic libraries. According to the Blockchain Security Report 2023 by CER, 67% of custody-related breaches stemmed from compromised key generation or storage processes. Providers should demonstrate their key generation occurs in hardware security modules (HSMs) certified to FIPS 140-2 Level 3 or higher standards.

Storage infrastructure: Evaluate the physical and logical separation between hot wallets (connected to the internet for operational transactions) and cold storage (offline key storage). Reputable custodians typically maintain 95% or more of client assets in cold storage, with multi-layer security protocols governing any transfer to hot wallets.

Multi-signature and multi-party computation: Modern institutional custody increasingly employs multi-signature schemes or multi-party computation (MPC) technology, which mathematically distributes key control across multiple parties or systems. A transaction then requires a threshold of those parties to cooperate, so no single compromised key or operator can move funds. Ask potential custodians to detail their signature threshold requirements and how they distribute authorization authority.

Access controls and authentication: Beyond cryptographic security, examine the operational security layer. Does the provider employ comprehensive identity and access management? What authentication factors are required for different transaction types? Coinbase Institutional, for example, requires multiple employee authentications for any withdrawal from cold storage, with enforced separation of duties.

Disaster recovery and business continuity: Key loss represents existential risk in cryptocurrency custody. Providers should demonstrate robust key backup procedures, geographically distributed redundancy, and tested recovery protocols. Request documentation of their disaster recovery testing schedule and results.

Regulatory Compliance and Legal Framework

The cryptocurrency regulatory landscape remains fragmented and evolving, but compliance fundamentals increasingly mirror traditional financial services.

Licensing and regulatory status: Prioritize custodians operating under explicit regulatory frameworks. In the United States, this typically means state trust company charters (like those held by Anchorage Digital, BitGo, or Gemini Trust), federal banking charters, or broker-dealer registrations. The European Union's Markets in Crypto-Assets (MiCA) regulation, which took full effect in 2024, establishes a comprehensive licensing regime for crypto service providers operating in EU markets.

Segregation of assets: A fundamental principle borrowed from traditional finance—client assets must be held separately from the custodian's proprietary assets. This segregation should be both legal (clear ownership designation) and operational (separate wallet infrastructure). The absence of proper segregation was central to the FTX collapse. Request clear documentation of how your assets would be treated in the event of the custodian's bankruptcy or insolvency.

Insurance coverage: While insurance doesn't replace robust security, it provides an additional risk mitigation layer. Evaluate both the scope and limits of coverage. Some custodians offer insurance for hot wallet holdings only, while comprehensive policies cover both hot and cold storage. According to a 2024 report by Marsh McLennan, institutional custody insurance policies typically range from $100 million to over $1 billion in coverage limits. Understand deductibles, exclusions, and claims processes.

Audit and compliance certifications: Look for SOC 2 Type II certifications covering security, availability, and confidentiality controls. ISO 27001 certification demonstrates comprehensive information security management. Additionally, annual proof-of-reserves audits—where independent auditors verify that the custodian holds sufficient assets to meet all client liabilities—have become industry standard following high-profile failures.

Anti-money laundering (AML) and know-your-customer (KYC) procedures: Custodians must maintain robust AML/KYC programs comparable to traditional financial institutions. This includes transaction monitoring, sanctions screening, and suspicious activity reporting. While these requirements may feel burdensome during onboarding, they're essential for regulatory compliance and indicate operational maturity.

Operational Capabilities and Integration

Technical security and regulatory compliance establish necessary conditions, but operational factors determine day-to-day usability and efficiency.

Asset coverage: Not all custodians support all cryptocurrencies. Bitcoin and Ethereum are universally supported, but if your strategy involves other assets—stablecoins, DeFi tokens, or specific blockchain ecosystems—verify explicit support. Consider both current needs and potential future requirements. According to data from Coinbase, institutional clients typically interact with 8-12 different digital assets on average.

Transaction capabilities and latency: Understand transaction processing times, particularly for withdrawals from cold storage. Some custodians process cold storage withdrawals within hours; others may require 24-48 hours. For SaaS companies with operational needs—such as processing customer payments in crypto or managing liquidity—these timing parameters directly impact business operations.

API and system integration: Modern custody should integrate seamlessly with your existing financial infrastructure. Evaluate API documentation, webhooks for real-time notifications, and compatibility with accounting systems. Does the custody platform provide transaction-level data suitable for automated reconciliation? Can it integrate with treasury management systems you already use?

Staking and yield generation: If your custody strategy includes generating yield on holdings, assess the provider's staking capabilities, supported networks, and fee structures. Institutional staking has grown significantly—according to Staked's 2023 Institutional Staking Report, 48% of institutions now stake at least a portion of their eligible holdings. Understand how staking rewards are calculated, distributed, and reported for tax purposes.

User experience and controls: The custody interface should provide clear visibility into holdings, transaction history, and pending operations. Look for granular permission systems that support your internal controls—different employees may need different authorization levels. Can you configure multi-user approval workflows for high-value transactions?

Customer support and service level agreements (SLAs): When issues arise—whether technical problems, transaction questions, or emergency situations—responsive support becomes critical. Evaluate the provider's support model: dedicated account management versus general support queues, response time commitments, and escalation procedures. Request references from existing institutional clients regarding their support experiences.

Financial Considerations and Fee Structures

Custody pricing models vary significantly and can materially impact total cost of ownership, particularly as asset values fluctuate.

Fee models: Common approaches include:

  • Assets under custody (AUC) fees: Typically 0.05% to 0.50% annually based on total value held
  • Transaction fees: Per-transaction charges for deposits, withdrawals, or trading activity
  • Platform or subscription fees: Fixed monthly or annual charges regardless of asset value
  • Hybrid models: Combinations of the above

According to BitGo's 2024 Institutional Custody Report, the average all-in cost for institutional custody ranges from 10 to 50 basis points annually, depending on asset volume and service complexity. Understand how fees scale with growth and whether volume discounts apply.

Minimum commitments: Some institutional custodians require minimum asset commitments—often $1 million to $10 million—or minimum monthly fees. Ensure these align with your current holdings and growth trajectory.

Hidden costs: Beyond headline fees, consider:

  • Network transaction fees (gas costs on Ethereum, for example)
  • Wire transfer fees for fiat currency movements
  • Premium services (expedited withdrawals, dedicated support)
  • Integration and onboarding costs

Risk Management and Insurance Deep Dive

Given the irreversible nature of blockchain transactions, understanding the provider's comprehensive risk management framework deserves detailed examination.

Insurance structure: Not all custody insurance is created equal. Distinguish between:

  • Crime insurance: Covers theft by employees or third parties
  • Specie insurance: Covers loss from various causes, often including cybersecurity events
  • Errors and omissions: Covers losses from operational mistakes

Lloyd's of London has emerged as a leading underwriter for crypto custody insurance, but policies vary dramatically in coverage scope. Request specific policy documentation, understand co-insurance requirements, and verify that coverage limits are sufficient for your anticipated holdings plus growth.

Proof of reserves: This practice, where custodians publicly prove they hold sufficient assets to meet all client obligations, has become increasingly important post-FTX. Kraken pioneered this approach, and it's now considered best practice. Look for custodians that conduct proof-of-reserve audits at least quarterly, preferably by recognized accounting firms using Merkle tree verification or similar cryptographic proof methods.
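The Merkle-tree verification mentioned above, as an added example that is not part of the original article or of any custodian's published code: the custodian commits to a Merkle sum tree of client balances and publishes the root hash together with total liabilities, each client checks that their own balance is included and that the root sum equals the published total, and an auditor compares that total with on-chain holdings. Client ids and balances are constructed sample data.

```python
import hashlib

# Constructed sample ledger (hypothetical client ids, satoshi balances); not any custodian's real records.
CLIENT_BALANCES = {
    "client-a": 12_500_000,
    "client-b": 3_000_000,
    "client-c": 750_000,
    "client-d": 98_250_000,
    "client-e": 1_000,
}

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(client_id: str, balance: int):
    """Leaf = (hash, balance). The 0x00 prefix keeps leaves distinct from internal nodes."""
    if balance < 0:
        raise ValueError("negative balance would let liabilities be cancelled out")
    return (_h(b"\x00" + client_id.encode() + b"|" + str(balance).encode()), balance)

def combine(left, right):
    """Internal node commits to both children's hashes and sums, so the root sum cannot be understated."""
    lh, ls = left
    rh, rs = right
    data = b"\x01" + lh + ls.to_bytes(16, "big") + rh + rs.to_bytes(16, "big")
    return (_h(data), ls + rs)

EMPTY = (_h(b"\x02"), 0)  # padding node for odd-sized levels; adds nothing to the sum

def build_levels(balances: dict):
    """All levels of the tree, leaves first (sorted by client id), root last."""
    cur = [leaf(cid, bal) for cid, bal in sorted(balances.items())]
    levels = []
    while True:
        if len(cur) > 1 and len(cur) % 2:
            cur = cur + [EMPTY]
        levels.append(cur)
        if len(cur) == 1:
            return levels
        cur = [combine(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)]

def root_commitment(balances: dict):
    """What the custodian publishes: (root hash, total client liabilities)."""
    return build_levels(balances)[-1][0]

def inclusion_proof(balances: dict, client_id: str):
    """Proof handed to one client: sibling nodes from leaf to root, with the side each sits on."""
    levels = build_levels(balances)
    index = sorted(balances).index(client_id)
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))  # (node, sibling is on the right)
        index //= 2
    return proof

def verify_inclusion(client_id, balance, proof, root_hash, published_total) -> bool:
    """Client-side check: my balance is in the tree and the root sum matches what was published."""
    node = leaf(client_id, balance)
    for sibling, sibling_is_right in proof:
        node = combine(node, sibling) if sibling_is_right else combine(sibling, node)
    return node[0] == root_hash and node[1] == published_total
```

The auditor's remaining step is to confirm that the balance attested on chain is at least the published total; a client whose balance was omitted or altered sees `verify_inclusion` return False.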

Cybersecurity practices: Beyond key security, evaluate the provider's broader cybersecurity posture:

  • Penetration testing frequency and scope
  • Bug bounty programs
  • Incident response procedures and history
  • DDoS mitigation capabilities
  • Vulnerability management processes

Third-party dependencies: Modern custody infrastructure often relies on various third parties—cloud providers, HSM vendors, blockchain infrastructure providers. Understanding these dependencies helps assess concentration risk. Following the 2021 AWS outage that temporarily impacted several crypto platforms, many custodians implemented multi-cloud strategies to reduce single points of failure.

Red Flags and Disqualifying Factors

Certain characteristics should immediately raise concerns or disqualify providers from consideration:

Lack of regulatory clarity: Providers operating without clear regulatory authorization or those promising to help you "avoid" regulatory oversight represent unacceptable risk in the current environment.

Commingled assets: Any indication that client assets are not strictly segregated from the custodian's own holdings should be disqualifying. This includes rehypothecation (lending out client assets) without explicit, separate agreement.

Opacity around security practices: While custodians rightfully maintain operational security by not disclosing all details publicly, they should be willing to demonstrate their security architecture to prospective clients under NDA. Refusal to provide this visibility suggests inadequate practices.

Unaudited or unproven technology: Custody is not the place for experimental technology. Proven, audited solutions should be strongly preferred over novel approaches, regardless of claimed advantages.

Poor incident response history: Research the provider's history with security incidents. Not all incidents are disqualifying—the question is how they were handled. Prompt disclosure, clear communication, and demonstrable improvements post-incident indicate maturity. Cover-ups or repeated similar incidents suggest systemic problems.

Unrealistic promises: Guarantees of "zero risk," claims of "unhackable" systems, or promises of returns significantly above market rates should trigger skepticism. The most reputable providers acknowledge inherent risks while demonstrating how they mitigate them.

The Decision Framework: Putting It All Together

After completing your evaluation using this checklist, synthesize your findings through a weighted scoring matrix aligned with your organization's priorities. For most SaaS executives, the weighting might look like:

  • Security architecture: 30%
  • Regulatory compliance: 25%
  • Operational capabilities: 20%
  • Financial terms: 15%
  • Risk management: 10%

Your specific situation may justify different weightings. A company holding crypto as long-term treasury assets might weight security and compliance more heavily, while one conducting frequent transactions might emphasize operational capabilities.

Implementation and Ongoing Management

Selecting a custodian is not a "set and forget" decision. Establish clear governance practices:

Quarterly reviews: Assess the custodian's performance against SLAs, review security updates, and verify continuing compliance with your criteria. The cryptocurrency industry evolves rapidly—providers that meet your standards today may change practices or face new challenges.

Diversification strategy: For substantial holdings, consider splitting assets across multiple custodians to reduce concentration risk. While this adds operational complexity, it provides resilience against provider-specific failures.

Internal controls: Even with an institutional custodian, maintain robust internal authorization procedures. Define clear signing authority, implement multi-person approval for significant transactions, and maintain detailed records of all custody-related decisions.
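One way to encode the multi-person approval and separation-of-duties controls described here and under Access controls above, as an added example rather than any custodian's actual policy engine; the tiers, names and amounts are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample policy: hypothetical names, tiers and amounts, not any real custodian's configuration.
# Ascending tiers of (USD ceiling, approvals required in addition to the initiator).
APPROVAL_TIERS = [(10_000, 1), (250_000, 2), (float("inf"), 3)]

# Roster of people granted signing authority; anyone else can neither initiate nor approve.
SIGNING_AUTHORITY = {"alice", "bob", "carol", "dave", "erin"}

@dataclass(frozen=True)
class WithdrawalRequest:
    request_id: str
    initiator: str
    amount_usd: float
    approvals: tuple  # approver names in the order they were recorded

def required_approvals(amount_usd: float) -> int:
    """Number of approvers the policy demands for a transfer of this size."""
    for ceiling, count in APPROVAL_TIERS:
        if amount_usd <= ceiling:
            return count
    raise ValueError("no tier covers this amount")

def evaluate(req: WithdrawalRequest) -> dict:
    """Apply the policy and return a decision record for the custody decision log.
    The request is rejected if anyone involved lacks signing authority, if the
    initiator approves their own request (separation of duties), if the same
    person approves twice, or if fewer valid approvals exist than the tier needs."""
    reasons = []
    if req.initiator not in SIGNING_AUTHORITY:
        reasons.append(f"initiator {req.initiator!r} lacks signing authority")
    unauthorized = sorted(set(req.approvals) - SIGNING_AUTHORITY)
    if unauthorized:
        reasons.append(f"approvers without signing authority: {unauthorized}")
    if req.initiator in req.approvals:
        reasons.append("initiator may not approve their own request")
    if len(set(req.approvals)) != len(req.approvals):
        reasons.append("the same person approved more than once")
    valid = (set(req.approvals) - {req.initiator}) & SIGNING_AUTHORITY
    needed = required_approvals(req.amount_usd)
    if len(valid) < needed:
        reasons.append(f"{len(valid)} valid approval(s), {needed} required")
    return {
        "request_id": req.request_id,
        "initiator": req.initiator,
        "amount_usd": req.amount_usd,
        "required_approvals": needed,
        "valid_approvers": sorted(valid),
        "approved": not reasons,
        "reasons": reasons,
    }
```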

Regulatory monitoring: Stay informed about evolving regulations affecting both your organization and your custodian. The SEC's expanding scrutiny of crypto platforms, including custody arrangements, means requirements are likely to increase rather than decrease.

Testing and validation: Periodically test critical processes—withdrawal procedures, disaster recovery contacts, and insurance claim protocols—to ensure they function as documented when needed.

Conclusion: Security as Strategy

Cryptocurrency custody represents a convergence of technology, finance, and risk management that requires careful, systematic evaluation. The checklist provided here offers a structured approach to what can otherwise feel like an overwhelming decision.

The most sophisticated security architecture, comprehensive insurance, and regulatory compliance frameworks are worthless if they don't align with your organization's specific needs, risk tolerance, and operational requirements. The right custodian for a high-frequency trading operation differs fundamentally from the right solution for a SaaS company holding Bitcoin as a treasury reserve.

As digital assets become increasingly integrated into mainstream finance and technology infrastructure, custody decisions today establish the foundation for tomorrow's operations. According to a recent PwC survey, 83% of traditional hedge funds expect to invest in digital assets by 2026, with secure custody cited as the primary prerequisite. For SaaS executives, the question isn't whether to engage seriously with custody selection, but how quickly you can establish the secure infrastructure necessary for confident participation in the digital asset ecosystem.

The cryptocurrency industry's maturation has produced sophisticated custody solutions that, when properly evaluated and implemented, can meet institutional standards for security and compliance. By systematically working through this checklist—prioritizing security architecture, demanding regulatory clarity, ensuring operational fit, and maintaining ongoing governance—you can make informed custody decisions that protect your assets while enabling your strategic objectives.

The reset isn't just about choosing a custodian; it's about establishing a custody practice that evolves with your organization and the broader digital asset ecosystem. Start with the fundamentals outlined here, but recognize that excellence in custody, like excellence in any critical business function, requires continuous attention, refinement, and adaptation.
