Custody: Digital Assets (SEC Enforcement)
To meet the Custody: Digital Assets (SEC Enforcement) requirement, treat crypto assets that are securities as “funds or securities” under the SEC Custody Rule and hold them only with a qualified custodian, not on an unregistered crypto trading platform. You must document your security-status analysis per asset and maintain evidence that the custodian meets Rule 206(4)-2 standards. (17 CFR 275.206(4)-2)
Key takeaways:
- If a crypto asset is a security, the Custody Rule applies and you need a qualified custodian. (17 CFR 275.206(4)-2)
- Unregistered crypto trading platforms are not qualified custodians under Rule 206(4)-2. (IA-6835)
- Keep examiner-ready files: Howey analysis, custodian qualification proof, contracts, disclosures, and oversight records. (2024-exam-priorities)
SEC exams have made clear that advisers must evaluate whether crypto assets they hold for clients are “funds or securities,” and if so, comply with the Custody Rule. (2024-exam-priorities; 17 CFR 275.206(4)-2) The operational problem is rarely philosophical; it’s procedural: you need a repeatable method to classify each digital asset, select an eligible custody model, and prove to an examiner that your custody decisions were controlled, supervised, and documented.
SEC enforcement has also sharpened the edge of this requirement. In the Galois Capital matter, the SEC charged custody rule violations tied to maintaining crypto assets on FTX, which was not a qualified custodian, and the fund suffered significant losses during the platform’s collapse. (IA-6835) You do not need a complex program to start; you need a disciplined decision path, explicit prohibitions, and evidence that the firm follows them.
This page is written for a CCO or GRC lead who needs to operationalize custody controls for digital assets quickly, with an audit trail that stands up during SEC exams and in the wake of market stress events that expose custody weaknesses. (2024-exam-priorities)
Requirement (plain-English)
If you (as an investment adviser) have custody of client crypto assets that are securities, you must comply with the SEC Custody Rule and maintain those assets with a qualified custodian. Crypto trading platforms that are not registered broker-dealers do not qualify as custodians for this purpose, even if they are widely used or convenient. (17 CFR 275.206(4)-2; IA-6835)
Operationally, the requirement breaks into two controls you can execute:
- Asset classification: Decide, document, and periodically revisit whether each crypto asset you hold is a security for custody-rule purposes. (2024-exam-priorities)
- Custody eligibility: For any asset treated as a security, ensure the custody arrangement meets Rule 206(4)-2 and does not rely on a non-qualified platform. (17 CFR 275.206(4)-2; IA-6835)
Who this applies to
In-scope entities
- Registered Investment Advisers (RIAs) that have custody (directly or indirectly) of client funds or securities, including crypto assets treated as securities. (17 CFR 275.206(4)-2; 2024-exam-priorities)
In-scope operational contexts (practical triggers)
You should treat this requirement as “live” if any of the following are true:
- The firm trades or holds digital assets for client accounts or pooled vehicles and can move, transfer, or withdraw those assets (for example, control of private keys, platform credentials, or withdrawal workflows). (17 CFR 275.206(4)-2)
- A third party (exchange, trading venue, prime broker, wallet provider) holds assets where your instructions can cause movement of client assets. (17 CFR 275.206(4)-2)
- You maintain client crypto assets on a trading platform that is not an SEC-registered broker-dealer and you are treating those assets as securities or cannot substantiate why they are not securities. (IA-6835; 2024-exam-priorities)
Regulatory text
Regulatory excerpt (operator-relevant): “With respect to crypto assets that the SEC believes are funds or securities, advisers must comply with the Custody Rule requirements. Crypto asset trading platforms that are not registered broker-dealers do not qualify as custodians under Rule 206(4)-2.” (17 CFR 275.206(4)-2; 2024-exam-priorities)
What the operator must do with this text:
- Build a documented, reviewable process to determine whether each digital asset you custody is treated as a security for Custody Rule purposes. Examiners expect to see the analysis, not a verbal position. (2024-exam-priorities)
- If the asset is treated as a security, restrict custody to a qualified custodian arrangement under Rule 206(4)-2 and prohibit storage on non-qualified trading platforms. (17 CFR 275.206(4)-2; IA-6835)
- Implement supervisory controls that prevent “temporary” exceptions that become permanent (for example, leaving assets on an exchange after a trade). That pattern is enforcement-relevant in crypto custody. (IA-6835)
Public enforcement cases
In the Matter of Galois Capital Management LLC (IA-6835)
- What happened: The SEC charged Galois Capital with custody rule violations tied to maintaining crypto assets on FTX, which the SEC stated was not a qualified custodian, and the fund later experienced major losses following FTX’s collapse. (IA-6835)
- Why compliance teams should care: The case ties a practical custody decision (“we keep assets on a trading platform”) to a Custody Rule failure and to insolvency risk that the qualified custodian concept is meant to mitigate. (IA-6835)
- Outcome: The SEC announced a civil penalty of a material amount. (IA-6835)
What you actually need to do (step-by-step)
Step 1: Inventory your digital-asset custody footprint
Create a single register that answers:
- Which clients/vehicles hold digital assets?
- Which assets (by token) are held?
- Where are they held (custodian, trading platform, wallet type)?
- Who can initiate transfers/withdrawals (people, systems, third parties)?
- What credentials or keys exist, and who controls them?
This inventory becomes the backbone for both compliance and incident response if a platform freezes withdrawals or enters bankruptcy proceedings. (IA-6835)
Step 2: Perform and document a “security status” analysis per asset
Examiners will ask how you determined whether the Custody Rule applies to crypto assets you hold. The SEC has signaled this explicitly in exam priorities. (2024-exam-priorities)
Minimum viable artifact:
- A memo per asset (or asset class) documenting your Howey-style analysis and conclusion (security vs not), with sign-off by Compliance and Legal.
Control design notes:
- Require review when you add a new token, change strategy, or change custody venue.
- Version the memo and keep prior conclusions. “We changed our mind” is acceptable; “we can’t find the analysis” is the problem. (2024-exam-priorities)
Step 3: Define your approved qualified custodian criteria and verify it
For any crypto asset you treat as a security, verify your custody provider meets qualified custodian requirements under Rule 206(4)-2. (17 CFR 275.206(4)-2)
For crypto, enforcement has made one point operationally crisp:
- If the “custodian” is a crypto trading platform that is not a registered broker-dealer, treat it as not a qualified custodian for securities custody under Rule 206(4)-2. (IA-6835)
Minimum verification package (keep it on file):
- Evidence of the custodian’s registration/regulated status as relevant to qualified custodian categories.
- Contract excerpts showing custody relationship terms, account structure, and reporting/statement delivery expectations. (17 CFR 275.206(4)-2)
Step 4: Implement a hard prohibition on non-qualified platform custody (with exceptions handled as incidents)
Write a policy that makes these rules enforceable:
- Prohibit holding crypto asset securities on non-qualified trading platforms.
- If assets must pass through a venue for execution, require immediate post-trade sweep to the qualified custodian (or another controlled arrangement consistent with your custody position).
Make exceptions operationally painful:
- Exception requires CCO approval, documented rationale, compensating controls, and a defined exit path.
- Treat an exception as an incident with enhanced monitoring until resolved, because platform insolvency risk is a real custody driver. (IA-6835)
Step 5: Align disclosures and client communications to your actual custody reality
Your disclosures must match:
- Where the assets are held,
- Whether the venue is a qualified custodian for securities custody, and
- What insolvency, withdrawal, and platform risk exists when assets sit on a trading venue. (IA-6835)
Examiners commonly test for “paper compliance,” where policies say one thing and operations do another. Your disclosure review should be tied to the custody inventory from Step 1. (2024-exam-priorities)
Step 6: Put oversight into your third-party risk management (TPRM) workflow
Treat the custodian and any crypto trading venue as third parties that require ongoing oversight:
- Due diligence at onboarding (regulatory status, controls, financial condition, service model).
- Ongoing monitoring (material changes, service interruptions, public stress events).
- Offboarding plan (how you move assets if the platform becomes distressed).
SEC exam priorities call out safeguarding client assets and third-party oversight themes that intersect here. (2024-exam-priorities)
Where Daydream fits: Daydream is useful as your system of record for mapping each digital asset to its security-status memo, linking each custody relationship to qualified custodian verification evidence, and generating an examiner-ready document package aligned to SEC exam priorities. (2024-exam-priorities)
Required evidence and artifacts to retain
Use this as an exam-ready checklist:
- Digital Asset Custody Inventory (accounts/vehicles, assets, locations, access/control map)
- Per-asset security-status memo (Howey analysis), with approvals and version history (2024-exam-priorities)
- Qualified custodian verification file for each custody provider (status evidence + rationale) (17 CFR 275.206(4)-2)
- Prohibited platform list (and the rule that unregistered trading platforms are not qualified custodians for securities custody) (IA-6835)
- Custody agreements and account documentation showing custody structure and statements (17 CFR 275.206(4)-2)
- Exception log (approvals, compensating controls, exit plan)
- Third-party due diligence and ongoing monitoring records for custodians and trading venues (2024-exam-priorities)
- Disclosure support file mapping disclosures to the actual custody footprint (IA-6835)
Common exam/audit questions and hangups
Expect variations of:
- “Which crypto assets do you treat as securities, and where is the analysis?” (2024-exam-priorities)
- “Show me evidence that your custodian is a qualified custodian under Rule 206(4)-2.” (17 CFR 275.206(4)-2)
- “Do you hold any crypto assets on exchanges? Are those exchanges qualified custodians?” (IA-6835)
- “Walk me through your transfer controls. Who can move client assets and what approvals exist?” (17 CFR 275.206(4)-2)
- “How do you monitor custody third parties for distress or material changes?” (2024-exam-priorities)
Typical hangup: teams can describe the custody model verbally but cannot produce a clean document trail tying asset classification to custody decisions. That gap is avoidable with a structured evidence pack.
Frequent implementation mistakes (and how to avoid them)
- Assuming “exchange custody” counts because the platform is reputable. Fix: require documented qualified custodian verification and bar non-registered trading platforms for securities custody. (IA-6835; 17 CFR 275.206(4)-2)
- Doing one global Howey memo and applying it to every token. Fix: write memos per token or per clearly defined token category and document why grouping is reasonable. Examiners want to see a decision method, not a slogan. (2024-exam-priorities)
- Letting operational convenience override custody rules post-trade. Fix: enforce sweeping/off-platform rules and monitor any balances left on trading venues as exceptions. (IA-6835)
- Policies that ban non-qualified custody but have no technical or operational enforcement. Fix: add preventive controls (approved wallet list, access restrictions, reconciliation, exception workflow) and test them.
- Weak third-party offboarding plans. Fix: maintain a rehearsed migration playbook to move assets if a platform halts withdrawals or enters distress, and keep it tied to your inventory. (IA-6835)
Enforcement context and risk implications
The SEC has connected crypto custody failures to real loss scenarios in enforcement, not just paperwork violations. In Galois, the SEC cited custody rule issues alongside the platform collapse that contributed to large fund losses, and imposed a civil penalty of a material amount. (IA-6835) You should treat this as a high-scrutiny topic in exams because the Division of Examinations has explicitly called out custody rule compliance for crypto assets it views as funds or securities. (2024-exam-priorities)
Practical 30/60/90-day execution plan
First 30 days (stabilize and stop the bleeding)
- Build the custody inventory and identify any assets sitting on non-qualified venues.
- Implement an immediate prohibition and an exception workflow for any non-qualified custody exposure. (IA-6835)
- Start per-asset security-status memos for the highest exposure assets first. (2024-exam-priorities)
Days 31–60 (formalize and evidence)
- Finalize qualified custodian verification files for each custodian relationship. (17 CFR 275.206(4)-2)
- Update written policies and procedures to reflect the actual custody workflow, including post-trade handling.
- Refresh disclosures so they align with the custody inventory and the firm’s custody position. (IA-6835)
Days 61–90 (operational hardening and exam readiness)
- Add ongoing monitoring for custody third parties (material change triggers, service interruptions, distress indicators). (2024-exam-priorities)
- Run a tabletop exercise: “exchange halts withdrawals” and validate offboarding steps from your inventory.
- Build an examiner request packet: asset memos, custodian verification, contracts, exception log, and monitoring evidence. (2024-exam-priorities)
Frequently Asked Questions
Do we violate the Custody Rule if we temporarily hold crypto on an exchange to execute trades?
The enforcement risk increases when crypto asset securities remain on a trading platform that is not a qualified custodian. Build a process that treats any exchange balances as exceptions with a defined sweep-off requirement and documented approvals. (IA-6835)
How detailed does the Howey analysis need to be for each token?
It needs to be detailed enough that an examiner can follow your facts, reasoning, and conclusion for that asset. Keep it written, approved, and versioned, and tie it to the custody decision for that token. (2024-exam-priorities)
What proof should we keep that a custodian is “qualified” under Rule 206(4)-2?
Keep a verification memo plus supporting evidence showing why the custodian fits a qualified custodian category and how the arrangement meets the Custody Rule expectations. If the venue is an unregistered trading platform, do not treat it as qualified for crypto asset securities custody. (17 CFR 275.206(4)-2; IA-6835)
We only advise a fund that trades crypto; the fund opens the accounts. Do we still have custody exposure?
You may have custody depending on your authority and ability to move assets or direct withdrawals, even if accounts are in the fund’s name. Map authority, keys, credentials, and transfer workflows in your custody inventory and document the conclusion. (17 CFR 275.206(4)-2)
Does the SEC explicitly focus on crypto custody in exams?
Yes. The SEC Division of Examinations stated it will consider whether advisers are complying with the Custody Rule for crypto assets it believes are funds or securities. (2024-exam-priorities)
What is the fastest way to get examiner-ready on this topic?
Produce three binders (physical or digital): custody inventory, per-asset security-status memos, and qualified custodian verification files, plus an exception log for anything held off-policy. That evidence set maps directly to what exam teams request. (2024-exam-priorities)