SCI-COBook a conversation
ServicesInsightsAboutContactBook a conversation →
← InsightsNew Rails

Crypto custody isn't just a vendor decision.

March 20265 min read

In crypto, protecting value means protecting keys. That makes custody a control-model decision before it becomes a sourcing decision.

The first thing to understand is what custody changes

Banks already know how to safeguard value.

They hold cash, control access, separate duties, run vaults, reconcile positions, and move money through established settlement structures.

Crypto changes one thing.

When a bank holds crypto assets, it is also holding the keys that control access to that value on a network.

If those keys are lost, compromised, or misused, the value is at risk.

That is the operational point that is still underappreciated in many banking discussions.

In crypto, protecting value means protecting keys.

It is not just a payment problem.

It is a safeguarding problem.

Why this feels different from normal payments

In rails like FAST, card schemes, or SWIFT, the network mainly coordinates instructions and positions.

It tells banks what to debit, credit, confirm, or net. Final settlement then happens through separate interbank or central-bank settlement arrangements.

The message matters. But the message is not the asset.

Crypto compresses those layers.

The network is not just passing a payment instruction. It is updating control of the asset on the ledger itself.

When crypto is sent, the sender loses control of that value immediately. The receiver does not get handed new keys. The value moves to an address the receiver already controls with its own keys.

That is why custody matters earlier, and more deeply, than it first appears.

Why this is a banking question

Banks already exist to store value safely.

They are trusted to do that at scale. They already know how to combine vaulting, approvals, segregation, reconciliation, surveillance, and auditability around valuable assets.

The form is changing. The responsibility is not.

If a bank is willing to safeguard cash, securities, and reserves, it should think carefully before deciding that digital value belongs somewhere else by default.

Why vendor selection is the wrong starting point

Once that is clear, the conversation often narrows too quickly.

Should we build it ourselves?
Should we use a specialist provider?

Those are fair questions. They are just not the first questions.

Custody is a control choice before it is a sourcing choice.

Who approves movement? Who responds if access is lost? Who proves to the regulator and the customer that the assets were protected properly?

That is why the real decision is not who holds the keys.

It is which control model the bank is willing to defend.

Why in-house is harder than it sounds

That does not mean every bank should build everything itself.

But if a bank wants to run custody in-house, the threshold is high.

Running custody internally means more than implementing a platform. It means sustaining a full operating environment around it:

  • key management and signing governance
  • wallet and address segregation so one compromise does not expose the full position
  • segregation of duties and approval boundaries
  • continuous reconciliation and exception ownership
  • recovery procedures and compromise response
  • 24/7 operating support and escalation
  • evidence strong enough for audit, customers, and regulators

Without that surrounding discipline, in-house custody creates the appearance of control without the proof.

Why third parties are a parallel, not an escape

Banks already use third parties in the physical cash world.

Armored carriers move cash.
Cash-vault operators process it.
ATMs are serviced by specialist firms.

The bank still owns controls, reconciliation, loss management, oversight, and the customer relationship.

Crypto custody should be viewed in a similar way.

Specialist partners can be useful. They may have stronger infrastructure, broader asset support, or a faster route to market.

But they do not remove the bank's accountability.

The bank still has to explain:

  • how customer assets are protected
  • how incidents are escalated and contained
  • how records reconcile across internal and external environments
  • how provider concentration is managed
  • how the model can be exited if the provider weakens, fails, or no longer fits strategy

That is why third-party custody should be treated like outsourced execution inside a bank-owned control framework, not like a handoff of the problem.

Why hybrid is often the practical answer

For many banks, the practical answer today may still be hybrid.

That does not mean vague compromise. It means a hard split between control ownership and specialist execution.

A workable hybrid model usually keeps certain responsibilities firmly in-house:

  • policy and risk appetite
  • accountable ownership
  • books-and-records accountability
  • reconciliation logic and exception governance
  • oversight of provider performance and incidents

Then it uses partners where they are genuinely stronger:

  • safekeeping infrastructure
  • selected connectivity and servicing capabilities
  • operational scale that would not yet be efficient to replicate internally

This is often the most realistic near-term answer.

The bank should not give away the control spine. It also does not need to build every component on day one.

The practical test leadership teams should use

  1. Which responsibilities are truly non-delegable for this bank? If the answer is unclear, the sourcing conversation is premature.

  2. Is custody strategic infrastructure, or a supported capability? That choice affects investment, talent, governance, and the standard of internal build-out required.

  3. What happens during a live incident? The model has to work when access is disrupted, approvals are delayed, records diverge, or a provider is degraded.

  4. Can the bank exit the model cleanly? If not, the bank may have bought speed at the cost of future control.

These are not secondary questions. They are the decision.

The real decision

The wrong opening question is which vendor to use.

The better question is which parts of safeguarding digital value are core banking responsibilities, and which parts can be delegated without weakening control.

Some banks will outsource more in the early years. Some will build more themselves. Many will land somewhere in the middle.

But none of them should treat the issue as peripheral.

Crypto custody goes to the heart of what a bank is trusted to do.

All insights

Next →

Most crypto pilots prove the tech. Very few prepare the bank.

Could your bank defend its custody model under real scrutiny?

The harder question is not who the provider is. It is whether the bank can show that control and resilience would still hold when it matters. If that conversation is becoming real in your bank, let’s talk.

Book a conversation →