Crypto Custody Accounting and Finance

Q: Why are SOC reports important for crypto custodians?

Institutional clients expect SOC 1 Type II and SOC 2 Type II reports as baseline due diligence requirements. The Type II distinction means controls must be evaluated over a period rather than at a point in time. The reports become competitive assets, with clients comparing SOC reports during custodian selection.

Crypto custody providers safeguard digital assets for institutional clients, RIAs, exchanges, and enterprises. Unlike exchanges that operate trading venues with high-velocity asset movement, custody is built around long-term asset safekeeping under trust-company-style accounting and operations. The combination of regulated entity status, customer-specific segregation, SOC reporting, insurance structures, and capital adequacy creates accounting and finance work distinct from any other crypto vertical. This page covers what makes crypto custody accounting distinct, and the services available to address it.

Executive Summary

Crypto custody providers operate as regulated financial institutions, often under state or federal trust charters that impose capital adequacy, governance, and reporting requirements.
Customer-specific asset segregation, SOC 1 and SOC 2 Type II reporting, and crime insurance structures are baseline expectations from institutional clients.
Custody revenue typically accrues as basis points on assets under custody (AUC), creating a recurring revenue model that is more stable than trading-driven exchange revenue.
MPC, multi-signature, and HSM-based custody architectures each have different operational and accounting implications for how assets are protected and accessed.
Qualified custodian status under the Advisers Act Custody Rule is the gateway to RIA business and a defining strategic position for custodians serving the institutional market.

What Crypto Custody Looks Like as a Business

Crypto custody providers hold digital assets for clients under various structural arrangements. The category includes:

Qualified custodians with trust company charters serving RIAs and institutional investors
Self-directed wallet platforms providing infrastructure for clients managing their own keys
Multi-signature platforms coordinating transaction approvals across distributed key holders
MPC custody networks using multi-party computation to eliminate single points of failure
Enterprise wallet providers serving corporate treasuries and operating businesses
White-label custody platforms providing infrastructure to other businesses (exchanges, neobanks, fintechs)
Specialized custodians focused on staking, NFTs, or specific asset classes

What makes custody distinct from other crypto businesses is the regulated entity model and the asset safekeeping focus. Most custody providers operating at scale hold a trust company charter (NYDFS limited purpose trust company, OCC trust charter, or state-chartered trust). Customer assets are segregated at the customer level rather than commingled in omnibus accounts. The revenue model is recurring (basis points on assets under custody) rather than transactional. Operating priorities focus on security architecture, audit reporting, and capital adequacy rather than trading liquidity or product velocity.

What Makes Crypto Custody Accounting Distinct

Trust company charter accounting and capital adequacy

Custodians operating under trust company charters face capital adequacy requirements set by chartering authorities. NYDFS limited purpose trust companies, OCC-chartered trust banks, and state-chartered trust companies each have specific minimum capital thresholds, allowable investments for capital, and ongoing reporting requirements. The accounting captures regulatory capital separately from operating capital, monitors capital adequacy ratios in real time, and supports the periodic regulatory reporting that chartering authorities require. Capital planning becomes a defining constraint on growth pacing and product expansion.

Customer-specific asset segregation

Custody architecture typically segregates assets at the customer level rather than commingling them. Each customer has dedicated wallets or wallet structures with assets attributed specifically to that customer. The accounting infrastructure tracks balances per customer per asset per chain, with continuous reconciliation between custodian books and on-chain holdings. The segregation model differs fundamentally from exchange omnibus accounts and creates different operational reality for onboarding, withdrawal processing, and reporting. Customer-specific segregation also affects insurance coverage structure and the legal status of customer assets in distress scenarios.

SOC 1 and SOC 2 Type II reporting

Institutional clients expect SOC 1 (financial reporting controls) and SOC 2 Type II (security and operational controls) reports as baseline due diligence requirements. SOC reports require ongoing accounting infrastructure that captures control activities, exceptions, and remediation. The Type II distinction means the controls must be evaluated over a period (typically twelve months) rather than at a point in time, requiring continuous documentation. The reports themselves become competitive assets — clients evaluating custodians compare SOC reports as part of their selection process. See our SOX compliance guide for the related framework that applies to public custodians.

Custody architecture: MPC, multi-signature, and HSM

Different custody architectures create different operational realities. Multi-signature setups require coordinated approvals from multiple key holders for transactions. MPC (multi-party computation) generates signatures collaboratively without ever assembling a complete private key, eliminating single points of failure. HSM-based architectures use specialized hardware to protect keys with physical and logical security guarantees. Each architecture has different operational accounting implications: how transactions are authorized, how the audit trail is maintained, and how key rotation events are documented. The choice of architecture also affects insurance pricing and the SOC report scope.

Crime insurance and specie coverage

Custodians carry crime insurance and specie insurance policies covering theft, employee dishonesty, and physical loss of stored assets. Coverage typically comes from Lloyd’s syndicates and specialty insurers familiar with digital asset risks. Premiums are substantial and vary based on storage architecture, controls assessment, and the underlying risk profile. The accounting captures premium expense, the relationship between insurance coverage and assets under custody, and the operational evidence (penetration testing, audit results, control evaluations) that supports insurance underwriting. Some custodians also maintain self-insurance reserves alongside or in lieu of full external coverage.

Custody fee revenue recognition

Custody revenue typically accrues as a percentage of assets under custody (basis points on AUC), often combined with per-transaction fees, deposit/withdrawal fees, or service-tier fees. The basis-point fee model is recurring and relatively stable compared to exchange trading fees, but it creates revenue forecasting challenges because AUC fluctuates with both asset price movements and net client flows. The accounting recognizes fees as earned over the service period, with monthly or quarterly billing cycles tied to AUC measurements. Tiered fee structures, fee waivers for strategic clients, and minimum fees all affect the revenue accounting.

Qualified custodian status and the RIA market

The Advisers Act Custody Rule (Rule 206(4)-2) requires RIAs to hold client assets with qualified custodians. For digital assets, qualified custodian status typically requires a trust company charter or other regulatory recognition that meets the rule’s definition. Custodians serving the RIA market position around qualified custodian status as a market-defining attribute. The accounting and operational standards required to maintain qualified status are demanding, but the market access is significant — RIAs cannot generally use custodians that don’t meet the standard.

Staking-as-a-service revenue

Many custodians offer staking-as-a-service to clients holding proof-of-stake assets. The custodian operates validators or delegates to validators on the client’s behalf, retaining a portion of staking rewards as service revenue. The accounting captures the revenue mechanics (gross staking rewards minus client distributions) and the operational considerations (validator operations, slashing risk treatment, client transparency on rewards earned and distributions made). Staking adds a meaningful revenue line for custodians while introducing operational and counterparty risk that requires explicit policy.

Onboarding investment and customer lifetime economics

Onboarding institutional clients to custody platforms involves substantial upfront investment: KYC verification, legal documentation, technical integration, account setup, and operational training. The cost is typically not directly recovered but is justified by the recurring revenue from the resulting AUC over the client lifetime. The accounting captures these onboarding costs as period expenses while the financial planning models the breakeven on each client cohort and the long-term unit economics. Client retention rates affect both revenue forecasts and the implicit return on onboarding investment.

Services for Crypto Custody Providers

Fractional CFO leadership

Senior finance leadership for crypto custody operations. Capital adequacy planning under trust charter requirements, AUC growth and revenue forecasting, fee structure design, insurance program oversight, qualified custodian positioning strategy, fundraising support, institutional client diligence response, and the strategic finance work that supports custody platforms scaling into institutional markets. For our general fractional CFO services, see the fractional CFO services page.

Accounting and bookkeeping

Day-to-day accounting work for custody operations. Trust company financial reporting, customer-specific asset segregation accounting, AUC measurement and revenue recognition, staking revenue tracking with client distribution accounting, insurance program accounting, and the consolidated reporting that supports both internal management and regulatory filings. See startup accounting services for broader scope.

Consulting and advisory

Project-based engagements for specific custody challenges. Trust charter application support and capital adequacy modeling. SOC 1 and SOC 2 Type II readiness preparation. Custody architecture financial analysis comparing MPC, multi-sig, and HSM approaches. Insurance program structuring and underwriting support. Qualified custodian positioning. Audit readiness for custodians pursuing first audit or transitioning auditors. Documentation supporting institutional client diligence, AML compliance reviews, or potential acquisitions. See accounting consulting services for additional detail.

Frequently Asked Questions

What is a qualified custodian for digital assets?

A qualified custodian under the Advisers Act Custody Rule is typically a regulated entity authorized to hold client assets, often a trust company chartered at the state or federal level. For digital assets, qualified custodian status typically requires a trust company charter (such as NYDFS limited purpose trust company or OCC trust charter) or equivalent regulatory recognition. Qualified custodian status is the gateway to serving RIA clients who must use qualified custodians under the Custody Rule.

What capital adequacy requirements apply to crypto custodians?

Trust company charters set minimum capital requirements that vary by chartering authority and jurisdiction. NYDFS limited purpose trust companies face specific capital minimums plus operational capital requirements. OCC-chartered trust banks face federal capital adequacy frameworks. State-chartered trust companies face state-level requirements. The accounting captures regulatory capital separately from operating capital and monitors capital adequacy ratios continuously.

How is custody revenue recognized?

Custody fees are typically recognized as earned over the service period, calculated as a percentage of assets under custody (basis points on AUC) often combined with per-transaction fees and service-tier fees. AUC fluctuates with both asset price movements and net client flows, creating revenue forecasting challenges. Tiered fee structures, fee waivers for strategic clients, and minimum fees all affect the actual revenue recognition.

Why are SOC reports important for crypto custodians?

Institutional clients expect SOC 1 Type II (financial reporting controls) and SOC 2 Type II (security and operational controls) reports as baseline due diligence requirements. The Type II distinction means controls must be evaluated over a period rather than at a point in time. The reports become competitive assets, with clients comparing SOC reports during custodian selection. SOC reports require ongoing accounting infrastructure that captures control activities, exceptions, and remediation.

How do MPC and multi-signature custody architectures differ?

Multi-signature setups require coordinated transaction approvals from multiple distinct key holders, with each holder having a complete signing key. MPC (multi-party computation) generates signatures collaboratively without ever assembling a complete private key, eliminating single points of failure. HSM-based architectures use specialized hardware to protect keys. Each has different operational accounting implications for transaction authorization, audit trail, and key rotation. The choice also affects insurance pricing and SOC report scope.

How is staking-as-a-service revenue accounted for?

Custodians offering staking-as-a-service operate validators or delegate on the client’s behalf, retaining a portion of staking rewards as service revenue. The accounting captures gross staking rewards earned, distributions made to clients, and the net retained as custodian revenue. Operational considerations include validator operations, slashing risk treatment, and client transparency reporting on rewards earned and distributed.

What insurance do crypto custodians typically maintain?

Custodians carry crime insurance and specie insurance covering theft, employee dishonesty, and physical loss of stored assets, typically from Lloyd’s syndicates and specialty insurers familiar with digital asset risks. Premiums are substantial and vary based on storage architecture, controls assessment, and risk profile. Some custodians also maintain self-insurance reserves alongside or in lieu of full external coverage.

Talk to Ridgeway Financial Services

Reviewed by YR, CPA
Senior Financial Advisor

Emergency Financial Advisory Services: CFO and Controller Support When Finance Breaks Down

When finance leadership disappears, when the controller resigns, when the close slips and audit requests

USDC vs USDT vs PYUSD vs RLUSD: A CFO’s Framework for Choosing Settlement Stablecoins in 2026

Choosing a settlement stablecoin is often framed as a liquidity decision, but for finance leaders

Stablecoin Reserve Administrator

Stablecoin issuers face a layered oversight challenge that the standard “monthly reserve attestation” framing doesn’t

Capital Markets Infrastructure Accounting and Finance

Capital markets infrastructure providers build the technology and operational backbone serving institutional securities trading, post-trade