The institution’s crypto self-custody planning guide
When crypto markets turn sour, proper self-custody can mean the difference between safety and bankruptcy
Pinkeyes/Shutterstock modified by Blockworks
The need for crypto participants to implement digital asset self-custody was thrust into the spotlight during the 2022 crypto market collapse. This generated a boom in hardware wallet sales and a flurry of conversations discussing custody best practices.
As the crypto industry pushes through the fallout, it remains reliant on institutions to bring in resources that will enable future growth. For any institution, financial security is paramount, and the proven path to safety is enacting self-custody of digital assets. In reading this guide, you’ll learn all the ins and outs of self-custody, including its benefits, how to prepare for disasters, and what to consider when researching self-custody solutions.
- Self-custody offers several advantages over third-party or shared custody, such as enhanced security, control over funds, increased liquidity, increased transparency, and fewer third-party risks and dependencies.
- Institutions must enter self-custody thoughtfully, with well-defined plans and a commitment to execution. There are several critical factors that institutions should carefully consider, such as security, operational expertise, regulatory compliance, disaster recovery and backup, governance and accountability, legal and regulatory considerations, and insurance coverage.
- Institutional self-custody provides the safekeeping, governance, and control over the private keys associated with the institution’s digital assets. The following functional components are required to provide this self-custody service: secure lifecycle key management, key storage, and signature generation; multi-party approval; staking; and key backup and recovery.
- The adoption of institutional digital asset self-custody is on the rise as institutions seek to gain more control over their assets and reduce reliance on third-party custodians.
What is institutional digital asset self-custody?
In simple terms, institutional digital asset self-custody is where institutional investors directly manage and secure their digital assets without relying on custodial services.
Self-custody involves institutions taking responsibility for private key safety and associated digital assets.
Institutional digital asset self-custody offers several advantages over third-party or shared custody, such as:
- Enhanced security
- Control over funds
- Increased liquidity
- Increased transparency
- Fewer third-party risks and dependencies.
The case for institutional digital asset self-custody
While many benefits are associated with institutional self-custody, the dominant two are security and control. In particular, the ability to access and trade digital assets without dependency on a third party.
Events such as the FTX collapse highlight the risks of relying on third parties, especially those without proper transparency, oversight, and auditing. The following chart from a December 2022 Chainalysis report highlights the correlation between significant market events and withdrawals from centralized exchanges (CEX) to private wallets.
Each highlighted major negative market event correlated with a substantial spike in liquidity transfers from CEX wallets to private wallets—functioning the same as a traditional bank run would. The report notes that, of the transfers that the FTX, Celsius, and UST events generated, 68% to 77% were valued greater than $100,000, signaling that institutions were leading the flight to self-custody wallets in pursuit of asset security.
Liquidity is a further benefit of self-custody. In times of turbulence, market movements (positive or negative) can be dramatic. During such times, an institution’s time to liquidity can directly translate to significant gains or losses—even survival or bankruptcy.
The transfer of assets from cold custody storage to an online wallet routinely takes several hours to a full day, potentially longer during weekends and holidays. Self-custody of digital assets with highly secure online wallets can provide immediate liquidity 24 hours a day, 365 days a year.
Self-custody also increases transparency by cutting out the middle man—eliminating the often-present veil of secrecy that third-party custodians maintain. Advanced wallets now support integrated staking, giving institutions dashboard visibility and control over asset positions, including staked assets and associated rewards. Audit logs provide complete visibility and accountability for all transaction requests, approvals, policy modifications, user additions, and more.
This combination of total control, liquidity, and transparency is difficult to achieve by even the best custodial services.
Institutional Self-Custody Considerations
With total control comes total responsibility. Institutions must enter self-custody thoughtfully, with well-defined plans and a commitment to excellent execution. There are several critical factors that institutions should carefully consider; each helps ensure the effective implementation of self-custody practices and mitigates potential risks.
Implementing robust security measures is paramount. Institutions must establish comprehensive security protocols, including secure key generation, storage, use, and backup procedures. They must select reputable wallet solutions, implement multi-party approval schemes, use cryptography techniques, and regularly update security systems to protect against potential threats.
Institutional self-custody requires expertise in digital asset management, cybersecurity, and compliance. Institutions must assess their internal capabilities and determine if they have the necessary knowledge, resources, and personnel to manage the complexities and risks associated with self-custody. Choosing security platforms with sufficient security and operational controls can help to keep requirements manageable.
Institutions must comply with relevant regulatory frameworks governing digital asset custody. In many regions, institutional self-custody is not subject to KYC (know-your-customer). Unfortunately, regulatory requirements may vary by jurisdiction. To properly comply with applicable KYC and AML (anti-money laundering) laws and regulations, institutions should consult legal experts familiar with their jurisdiction’s regulatory landscape.
Secure Key Storage
Private keys must be stored in a manner that prevents unauthorized access, protecting against key theft or misuse. Institutions typically store private keys electronically, using hardware and/or software wallets designed specifically to secure private keys with institutional control.
Wallets are typically either hot, warm, or cold. Hot wallets are online wallets that typically hold just enough digital assets to support planned near-term transactions. Hot wallets are internet-connected and typically used for outbound transactions. Institutional hot wallets should have at least moderate policy controls and frequently use API approvals for automated processing.
Warm wallets are also online; however, they are always controlled by strict policies and require at least some level of human approval versus API approvals. Warm wallets typically fund internal hot wallets as needed. Warm wallets may hold modest to large values in digital assets, with sufficient values to fund near and mid-term planned transactions.
Cold wallets are not connected to the internet. Cold wallets require approved users to be physically present with the wallet to authenticate and approve the transfer of digital assets to warm wallets. Cold wallets provide the highest level of security but are the most operationally intensive and require approvers to be physically present. As a result, transfers out of cold wallets are done as infrequently as possible, primarily holding assets for long-term storage.
Institutions holding large amounts of digital assets will typically use a combination of hot and cold, or hot, warm, and cold wallets to create layers of security and segment resources, users, and approvers.
Disaster Recovery and Backup
Copies of the private keys must be encrypted and stored for emergency recovery in case of a catastrophic system loss due to natural disasters or other failure event conditions. As an institution creates new keys and replaces existing keys, the institution must also update backup key copies. Therefore careful consideration of backup and recovery systems and processes is essential.
Adequate backup and disaster recovery plans are crucial to mitigate the risk of data loss, system failures, or other unforeseen events. Institutions should have well-defined backup procedures, redundant storage systems, and recovery protocols in place to ensure the continuity of operations and the ability to restore access to digital assets in case of emergencies.
Governance and Accountability
Institutions should establish clearly defined governance policies and accountability mechanisms to ensure proper oversight and control over the self-custody process. These policies and mechanisms should include:
- Defined roles and responsibilities
- Audit procedures
- Regular security assessments
- Adherence to internal and external compliance requirements
Legal and Regulatory Considerations
Institutions should seek legal counsel to assess the legal implications and obligations associated with self-custody. This includes:
- Understanding the legal ownership and fiduciary duties related to digital assets
- Contractual obligations
- Potential liability risks
- Any legal, regulatory, or organizational compliance constraints specific to their jurisdiction and company.
Evaluating insurance options is essential to mitigate potential losses due to theft, loss, or other security breaches. Institutions should assess whether they can obtain suitable insurance coverage to protect their digital assets and ensure that their self-custody systems and practices align with the requirements of the insurance policies.
Institutional Self-Custody Solutions
Self-custody technologies optimized for institutions provide the safekeeping, governance, and control over the private keys associated with the institution’s digital assets. The following functional components are essential for institutions to consider when comparing self-custody solutions.
Blockchains use private keys to digitally sign approved transactions, creating a unique, verifiable signature to authenticate a specific transaction and the approval signature. Institutions can use wallets that require single or multiple approval signatures; typically, institutional governance mandates more than one approver for transactions. Multi-party approval may be implemented in two ways:
- Using multiple signatures (multi-sig)
- Using multi-party computation (MPC)
The use of multiple signatures requires smart contracts or similar on-chain processing, which adds costs and complexity while not being universally supported by all digital asset types.
MPC allows multiple parties to each control a share of a private key to partially sign a transaction. A complete signed transaction is generated when a predefined number of parties have partially signed confirming their approval. This form of multi-party approval appears to the blockchain as a single signature transaction, because a single private key is collectively used (in the form of key shares) to create a single signed transaction. MPC for multi-party approvals works with all protocols and has the lowest cost and complexity.
Proven Track Record
Historically, cryptographic algorithms, such as threshold key management and signature generation using MPC, are thoughtfully designed, developed, peer-reviewed, third-party audited for vulnerabilities, and then deployed and field tested for several years before general use in commercial applications. Some of today’s MPC wallets use MPC algorithms with nearly a decade of commercial deployment, undergoing years of real-world vulnerability testing in live environments and third-party attestations. Other wallets may use new and relatively unproven MPC algorithms and implementations, with little or no real-world deployments or third-party attestations.
When selecting an MPC-based self-custody solution, institutions are encouraged to conduct due diligence on the core technology, track record of the cryptography team, timeline of deployment in live commercial applications, and the security assessments of respected third parties. After all, minimizing risk is a core objective of institutional self-custody, including solution-sourcing risk.
Institutions widely use staking to receive rewards on held digital assets. Institutional wallets should natively support staking directly from the wallet or through a staking partner integration to enable seamless staking, reporting, and unstaking of digital assets.
Secure Lifecycle Key Management
Cryptographic tools and protocols are used to generate public-private key pairs. Private keys must be securely generated, distributed, stored, used, updated, backed up, and destroyed to protect against unauthorized use or theft before, during, and after use.
Protection of private keys is essential, but not sufficient. It is equally important to establish and enforce policies determining the conditions under which the keys can be used. Otherwise, a bad actor could modify policies, allowing them to transfer assets for fraudulent purposes.
Institutions typically require a variety of policy types such as quorum approvals, checklists, conditional (if, then, else), and operational policies. Self-custody systems must ensure these policies are consistently enforced, and protected from unauthorized modifications.
Self-Hosted For Complete Independence
A primary objective of self-custody is to have total and exclusive control over owned digital assets, with no dependence on third parties. Cloud-hosted Wallet as a Service (WaaS) offers the convenience of letting a third party host wallet infrastructure, typically including the provider hosting one or more MPC key shares. However, this convenience comes with a cost relative to control.
Using a WaaS for self-custody reduces the institution’s responsibility for infrastructure hosting, and creates a co-dependence on the WaaS provider. In most cases, the institution can not execute transactions, change quorum policies, create backups, or recover lost private key materials without the WaaS provider’s participation. Similar to a custodian, if the WaaS provider becomes insolvent and is frozen by regulators, the assets may become lost or stranded. Self-hosted wallets are required for truly independent self-custody.
How to Get Started
Conducting a thoughtful approach to institutional self-custody can be intimidating. Breaking the process into manageable tasks is a great way to get started and ensure due diligence. Conducting these evaluations can lead to critical insights, both positive and negative, empowering institutions to make thoughtful and informed decisions.
Start with a list of criteria to achieve the optimal balance between secure self-custody and practical, frictionless operations. This planning guide provides a framework for reviewing requirements and formulating criteria.
Any security solution is only as strong as its weakest link. Therefore, a thorough review and vetting of technology options, vendor partners, and their track records can help reduce the potential need to change technologies or partners during the evaluation process.
Presentations and demonstrations are great, but nothing will replace the hands-on experience of test-driving the wallet(s) that will be used for institutional self-custody. Many wallets support the option to test drive and evaluate both the wallet user interface in a sandbox environment.
These wallets allow institutions to create policies, add users, assign roles, and conduct test quorum transaction approvals. Some wallets also provide the opportunity to simulate and evaluate the deployment experience of hosting wallet infrastructure.
Blockdaemon Can Help
Blockdaemon has been the industry’s most trusted blockchain infrastructure provider since 2018. In 2022, Blockdaemon acquired Sepior, adding world-renowned cryptographers to Blockdaemon’s team and industry-proven MPC wallet technology to its portfolio.
Today, Blockdaemon works with many of the world’s largest banks, custodians, exchanges, and institutions to support institutional self-custody, qualified custody, and other digital asset services and solutions.
Please contact Blockdaemon via this link to learn more about how the team can help you achieve your self-custody goals and more.
This content is sponsored by Blockdaemon
Don’t miss the next big story – join our free daily newsletter.