Custody Frameworks for Digital Securities Under SEC Rules
Analysis of SEC custody requirements for digital securities — qualified custodian definitions, custody rule compliance, special purpose broker-dealer custody, SAB 121 impact, and emerging custody solutions for institutional tokenized assets.
Custody of digital securities — the secure holding and control of private cryptographic keys that confer ownership over security tokens — represents one of the most complex regulatory challenges in the tokenized securities market. Unlike traditional securities, where custody is well-defined (physical possession of certificates or book-entry records at the DTCC), security token custody requires reconciling blockchain-based key management with SEC custody rules that predate distributed ledger technology by decades.
The SEC’s custody framework for digital securities operates through three overlapping regulatory regimes: the Customer Protection Rule (Rule 15c3-3), the Investment Advisers Act custody rule (Rule 206(4)-2), and Staff Accounting Bulletin 121 (SAB 121). Each imposes distinct requirements that security token custodians must navigate.
The Qualified Custodian Requirement
Under the Investment Advisers Act custody rule, investment advisers managing client assets must maintain those assets with a “qualified custodian” — defined as a bank, registered broker-dealer, registered futures commission merchant, or foreign financial institution meeting specific criteria.
For security tokens, the qualified custodian must demonstrate the ability to:
- Maintain exclusive control over the private keys that control the security token wallets, preventing unauthorized transfers.
- Segregate client assets from the custodian’s proprietary assets, ensuring that customer tokens are not commingled with the custodian’s own holdings.
- Provide regular account statements reflecting the client’s security token holdings, valuations, and transaction history.
- Submit to annual surprise examinations by independent public accountants who verify the existence and security of custodied assets.
Custody Models in Practice
Traditional Third-Party Custody
tZERO and INX use third-party qualified custodians for customer security tokens. Under this model, the custodian holds the private keys in cold storage (offline hardware security modules), and the ATS platform accesses tokens only for trade execution through API integrations with the custodian’s signing infrastructure.
Advantages: regulatory clarity, separation of trading and custody functions, established insurance frameworks. Disadvantages: settlement latency (custodian must approve and sign each transaction), higher costs ($20K-$50K annual custody fees), and operational complexity from managing multiple custodial relationships.
Integrated Self-Custody
Securitize obtained a no-action letter from the SEC regarding its digital transfer agent operations, which includes elements of custody through its DS Protocol. Under this model, the compliance-enforcing smart contract controls token transfers, and the transfer agent maintains both the on-chain and off-chain records of ownership.
This integrated approach reduces settlement latency (the transfer agent can authorize transactions immediately) and eliminates the need for separate custodial agreements, but creates concentration risk — a single entity controls issuance, record-keeping, and effective custody of the security tokens.
Special Purpose Broker-Dealer Custody
The SPBD framework, introduced through the SEC’s 2021 Joint Statement, creates a third custody pathway specifically designed for digital asset securities. Prometheum is the first entity to operate under this framework, holding private keys for digital asset securities under enhanced reporting and operational requirements.
SPBD custody is limited to digital asset securities (tokens classified as securities under the Howey test) and imposes additional conditions including: daily reconciliation of on-chain and off-chain records, enhanced cybersecurity requirements, quarterly reporting to the SEC and FINRA, and restrictions on proprietary trading. Prometheum Capital was approved in 2024 as the first SEC-registered SPBD and Qualified Custodian, and has since expanded its structure with Prometheum Coinery LLC (digital transfer agent, registered May 2025) providing end-to-end blockchain securities infrastructure.
SAB 121 and Bank Custody
Staff Accounting Bulletin 121 (SAB 121), issued in March 2022, requires entities that custody crypto-assets to record those assets as both an asset and a corresponding liability on their balance sheets. This accounting treatment has significant implications for bank custody of security tokens:
Capital impact. Banks that custody security tokens under SAB 121 must hold capital against the corresponding balance sheet liability, effectively making crypto custody far more expensive than traditional securities custody. For a bank custodying $1 billion in security tokens, the capital charge could exceed $80 million — a prohibitive cost that has deterred most banks from offering digital asset custody services.
Regulatory response. Congress passed legislation overturning SAB 121 in 2024, but it was vetoed by President Biden. The SEC’s Crypto Task Force — launched January 21, 2025, by Acting Chairman Mark Uyeda and led by Commissioner Hester Peirce — addressed custody directly at its April 25, 2025 “Know Your Custodian” roundtable. In 2025, the Task Force issued guidance clarifying that registered investment companies and advisors may use state trust companies for custodying crypto assets, and that broker-dealers may hold crypto and tokenized assets subject to prescribed requirements. The December 11, 2025 landmark no-action letter allowing the DTC to operate tokenization services on permissionless blockchains — with a pilot planned for H1 2026 and public launch in H2 2026 — further signals that custody infrastructure is being integrated with traditional settlement systems.
Practical impact. SAB 121 has channeled security token custody toward non-bank entities (broker-dealers and specialized custodians) rather than the banking system, creating a structural difference between digital and traditional securities custody. If SAB 121 is modified, bank entry into security token custody could significantly expand the qualified custodian universe.
Key Management and Security
The physical security of private cryptographic keys is the foundation of digital securities custody. Industry-standard key management practices include:
Hardware security modules (HSMs). Institutional custodians store private keys in tamper-resistant HSMs that prevent key extraction, requiring multi-party authorization for any transaction signing. Leading HSM providers include Thales, Utimaco, and Ledger Enterprise.
Multi-signature (multisig) wallets. Security tokens are held in wallets requiring multiple private keys to authorize transactions (e.g., 3-of-5 multisig), distributing control across multiple individuals and physical locations.
Geographic distribution. Key shards or multisig keys are stored in geographically distributed secure facilities, ensuring that no single point of failure (natural disaster, physical breach, or insider threat) can compromise the entire key set.
Insurance. Institutional custodians maintain crime insurance and errors-and-omissions coverage for custodied digital assets. Insurance coverage for security token custody typically ranges from $100 million to $500 million per custodian, though coverage terms vary significantly.
Choosing a Custody Solution
For security token issuers and investors, custody selection should consider:
- Regulatory status. Verify that the custodian is a qualified custodian under the applicable regulatory regime — bank, registered broker-dealer, or SPBD.
- Insurance coverage. Confirm the scope and limits of insurance coverage for digital asset custody.
- Segregation practices. Ensure customer tokens are segregated from the custodian’s proprietary holdings and from other customers’ holdings.
- Key management architecture. Review the custodian’s HSM infrastructure, multisig configuration, and geographic distribution of key storage.
- Settlement integration. Evaluate how the custody solution integrates with the ATS platform’s trade execution and settlement processes.
- Audit and examination history. Review FINRA examination results and annual surprise examination reports for the custodian.
Emerging Custody Technologies
Several emerging technologies are reshaping digital securities custody:
Multi-Party Computation (MPC). MPC custody solutions distribute key material across multiple parties using cryptographic protocols, enabling transaction signing without any single party ever possessing the complete private key. Unlike traditional multisig (which requires multiple independent keys), MPC operates at the cryptographic protocol level, providing similar security guarantees with greater flexibility. Institutional custodians including Fireblocks, Copper, and Curv (acquired by PayPal) have deployed MPC-based custody for digital securities.
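The signing property described above, shown as an added example (not code from any custodian or vendor named on this page): a simplified n-of-n additive-share Schnorr signature in which each party signs with its own share and the complete private key is never assembled. The `Party` class, the function names and the toy group parameters are assumptions made for illustration; production threshold protocols use t-of-n sharing and verified nonce commitments.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration and far too small for real
# use: P = 2*Q + 1 with P and Q prime; G = 4 has order Q modulo P.
P, Q, G = 2039, 1019, 4

def challenge(R, X, msg):
    """Hash the joint nonce, joint public key and message to a scalar mod Q."""
    data = f"{R}|{X}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def combine(points):
    """Multiply group elements: combines public key shares or nonce commitments."""
    out = 1
    for pt in points:
        out = out * pt % P
    return out

class Party:
    """Hypothetical signer: its key share x_i never leaves this object."""
    def __init__(self):
        self._x = secrets.randbelow(Q - 1) + 1
        self._k = None

    def public_share(self):
        return pow(G, self._x, P)

    def commit(self):
        self._k = secrets.randbelow(Q - 1) + 1  # fresh nonce share per signature
        return pow(G, self._k, P)

    def partial_sign(self, e):
        if self._k is None:
            raise RuntimeError("no fresh nonce: reuse would leak the key share")
        s_i, self._k = (self._k + e * self._x) % Q, None
        return s_i

def mpc_sign(parties, X, msg):
    """Only commitments and partial signatures cross party boundaries."""
    R = combine(p.commit() for p in parties)
    e = challenge(R, X, msg)
    return R, sum(p.partial_sign(e) for p in parties) % Q

def verify(X, msg, sig):
    """Ordinary single-key Schnorr check: g^s == R * X^e (mod P)."""
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P
```

The verifier sees one public key and one signature, which is the difference from multisig, where each independent key and its signature are visible to the verifier.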
Institutional DeFi custody. Some security token platforms are exploring institutional DeFi custody models where smart contracts — rather than centralized key holders — control token custody. Under this model, tokens are held in audited smart contracts with governance-controlled withdrawal mechanisms. The regulatory classification of smart contract custody under the qualified custodian requirement remains uncertain, as no smart contract has been registered as a bank, broker-dealer, or other qualified custodian category.
Account abstraction. Ethereum’s ERC-4337 account abstraction standard enables programmable custody accounts with features including multi-party approval, spending limits, and recovery mechanisms. For security token custody, account abstraction could enable compliance-aware custody accounts that automatically enforce Rule 144 holding periods and accredited investor transfer restrictions at the account level.
Custody Insurance and Risk Allocation
The risk allocation framework for digital securities custody differs from traditional securities:
Insurance coverage gaps. FINRA Rule 4360 requires broker-dealers to maintain fidelity bonds (standard financial institution bonds) covering employee dishonesty, forgery, and computer systems fraud. For digital asset custody, coverage specifically for private key theft, smart contract exploitation, and blockchain-level attacks may require supplemental policies. Lloyd’s of London and specialized crypto insurers (Evertas, Breach Insurance) offer digital asset-specific coverage, with premiums typically ranging from 1-3% of covered value annually.
Custodian liability standards. The standard of care for digital securities custodians has not been definitively established by the SEC or courts. Traditional custodians are generally held to a negligence standard for custody losses. Whether this standard applies to losses arising from smart contract vulnerabilities, blockchain network attacks, or sophisticated key compromise remains untested in litigation. The SEC Crypto Task Force has identified custodian liability standards as a discussion topic, with industry participants advocating for a defined standard of care that accounts for the unique risk profile of digital asset custody. For Reg D 506(c) and Reg A+ token offerings, disclosure of custody arrangements and associated risks is a standard requirement in offering documents.
Custody Developments: 2025-2026
The digital securities custody landscape has evolved significantly through recent regulatory and market developments:
Crypto Task Force custody guidance. The SEC’s Crypto Task Force directly addressed custody at its April 25, 2025 “Know Your Custodian” roundtable — the fourth of six roundtables conducted through Q1 2026. The Task Force’s 2025 guidance clarified two critical points: registered investment companies and advisors may use state trust companies for custodying crypto assets, and broker-dealers may hold crypto and tokenized assets subject to prescribed requirements. This guidance expands the universe of qualified custodians for security tokens beyond the prior framework, which effectively limited digital asset custody to specialized firms and SPBDs.
DTC no-action letter. The December 11, 2025 SEC no-action letter allowing the DTC to operate tokenization services on permissionless blockchains represents the most significant custody development since the SPBD framework. If DTC tokenization services become operational — with a pilot planned for H1 2026 and public launch in H2 2026 — tokenized securities could be custodied through the same DTC participant arrangements that custody traditional equities and bonds. This would effectively resolve the custody gap that has constrained institutional adoption by enabling security tokens to be held within existing brokerage and custodial account structures.
Prometheum custody expansion. Prometheum Capital’s approval as the first SEC-registered SPBD and Qualified Custodian in 2024, followed by its expansion to include Prometheum Coinery LLC (digital transfer agent, registered May 2025), demonstrates the viability of vertically integrated custody-and-transfer-agent models. Prometheum’s end-to-end infrastructure — custody, ATS trading, transfer agent services, and capital formation — provides an alternative to the third-party custody model that currently dominates the market.
Institutional custody scale. The growth of institutional tokenized products — BlackRock’s BUIDL fund at $1.87 billion AUM, Securitize at $4 billion+ total tokenized AUM with institutional partners including Apollo, Hamilton Lane, KKR, and Morgan Stanley — has brought institutional-grade custody providers into the digital securities market. The custody infrastructure required for a $1.87 billion tokenized fund differs fundamentally from early-stage security token custody: it demands multi-billion-dollar insurance coverage, integration with institutional portfolio management systems, and interoperability with traditional settlement infrastructure.
GENIUS Act custody implications. The GENIUS Act’s stablecoin framework, if enacted, would affect custody arrangements for platforms that settle security token trades in stablecoins. Custody solutions would need to accommodate both the security token itself and the stablecoin payment leg of DvP settlement, with separate custody requirements for each asset type. Federally regulated stablecoins held by qualified custodians may receive more favorable treatment under Rule 15c3-3 than current platform-specific stablecoin arrangements.
SAB 121 status. While SAB 121 remains technically in effect, the Crypto Task Force’s custody guidance and the broader regulatory shift under Chairman Atkins suggest that its practical impact may diminish. The Task Force’s guidance allowing state trust companies to custody crypto assets and broker-dealers to hold tokenized assets provides alternative pathways that reduce the balance sheet burden that SAB 121 imposed on bank custodians. If SAB 121 is formally modified or withdrawn, bank entry into security token custody would significantly expand the qualified custodian universe and reduce custody costs for institutional participants.
For the ATS platform comparison analyzing custody models across major platforms, see our comparisons section. For the SPBD framework analysis, see our detailed guide. For clearing and settlement processes that interact with custody operations, see our guide. For interoperability standards that affect cross-platform custody, see our analysis. For the SEC’s official custody guidance, see SEC Staff Statement on Digital Asset Securities Custody.