Custody: Digital Assets Trend (SEC Trend 2025)

To meet the custody: digital assets trend (sec trend 2025) requirement, treat any crypto asset that may be a security as subject to the SEC Investment Adviser Custody Rule and keep it only with a qualified custodian, not an unregistered crypto trading platform. Operationalize this by (1) documenting a security-status analysis per asset, (2) verifying custodian qualification (for platforms, broker-dealer registration), and (3) tightening policies, disclosures, and ongoing reviews.

Key takeaways:

• Apply Rule 206(4)-2 controls to digital assets you treat (or the SEC may treat) as securities. ¹
• Do not rely on unregistered crypto trading platforms for custody of digital asset securities. ²
• Expect exams to ask for your Howey/security-status analysis, qualified custodian proof, and custody governance artifacts. ³

This requirement page translates an emerging SEC enforcement and examination focus into an operator-ready checklist: if your advisory business touches digital assets, you need a defensible position on whether each asset is a security and, if it is (or plausibly could be), you need custody arrangements that satisfy the Custody Rule. The SEC has been explicit that it will evaluate Custody Rule compliance for crypto assets it believes are “funds or securities,” and it has also signaled that crypto trading platforms that are not registered broker-dealers do not qualify as custodians under Rule 206(4)-2. ⁴

This is not a theoretical debate about crypto. It is an operational question: where are client assets held, who controls private keys or withdrawal rights, what contractual protections exist, and what records prove your decisions were reasonable at the time. The first public enforcement action squarely teeing up these issues (Galois Capital) adds urgency and provides exam teams a pattern to test. ²

If you need a system to track asset-by-asset security analysis, custodian qualification, third-party due diligence, and recurring reviews, Daydream can serve as the workflow and evidence hub so your team can answer exam requests without scrambling.

What the requirement means (plain English)

If you are an investment adviser and you have custody (or may have custody) of digital assets that are securities, the SEC expects you to follow the same Custody Rule playbook you follow for traditional securities: keep client funds and securities with a qualified custodian and meet the rule’s safeguarding and oversight expectations. ¹

For digital assets, the SEC has signaled a specific custody risk: a crypto trading platform that is not a registered broker-dealer does not qualify as a custodian under Rule 206(4)-2 for digital asset securities. ² So your operational standard needs to be: no custody of digital asset securities on unregistered trading platforms, even if the platform is popular, liquid, or requested by clients. ²

Who it applies to

Applies primarily to:

• SEC-registered investment advisers (RIAs) that hold, control, or have access to client crypto assets that are (or could be viewed as) securities. ⁵
• Advisers to private funds where the fund holds digital assets and the adviser or its agents can direct transfers, access wallets, or otherwise meet the custody definition under the rule. ¹

Operational contexts where this tends to show up:

• The fund holds assets on a crypto exchange or platform account.
• The adviser uses a third party (platform, wallet provider, administrator) to custody assets.
• The adviser has any ability to move assets (private key control, whitelisted withdrawals, API-enabled withdrawals, shared multisig authority).

If your firm “doesn’t custody,” you still need to prove it. Examiners often test custody by mapping who can initiate or approve transfers and who controls credentials.

Regulatory text

Operator-focused excerpt (provided): “With respect to crypto assets that the SEC believes are funds or securities, advisers must comply with the Custody Rule requirements. Crypto asset trading platforms that are not registered broker-dealers do not qualify as custodians under Rule 206(4)-2.” ⁴

What you must do in practice:

1. Decide, document, and maintain whether each digital asset you hold for clients is treated as a security for purposes of your custody controls (commonly via a Howey-style analysis memo per asset). ³
2. Use only a qualified custodian for any digital asset you treat as a security, and do not place those assets on a platform that is not qualified (the SEC has highlighted unregistered platforms as a problem). ⁶
3. Build repeatable oversight so this stays true over time: custodian status can change, product offerings evolve, and assets can drift into “security-like” risk.

Public enforcement cases

In the Matter of Galois Capital Management LLC (IA-6835)

• What happened: The SEC brought an enforcement action that, among other things, put digital asset custody squarely under the Custody Rule lens and treated a major crypto trading platform used by the adviser as not qualifying as a custodian under Rule 206(4)-2. ²
• Why it matters to operators: Exam teams now have a concrete example to reference when asking: “Show me how you determined your custodian is qualified for digital asset securities, and show me why you believed this platform relationship was compliant.” ²
• Control lesson: If your custody model depends on a crypto trading platform relationship, you need proof of qualified custodian status or you need a migration plan.

What you actually need to do (step-by-step)

Step 1: Inventory your digital-asset touchpoints

Create a single inventory that lists:

• Each digital asset held (including wrapped assets, tokens received through forks/airdrops, and staking rewards if applicable).
• Where it is held (platform, wallet type, omnibus vs segregated).
• Who can move it (roles, individuals, third parties, multisig participants).
• What systems connect to it (trading OMS, APIs, treasury ops).

This inventory becomes your custody risk register for exams.

Step 2: Document security-status analysis per asset (decision memo)

For each asset category you hold, generate a short “security-status and custody posture” memo that includes:

• Your conclusion (treat as security / not a security / uncertain but treated as security for custody controls).
• Rationale and review approvals.
• The custody control implications (qualified custodian required, permitted venues, prohibited venues). ³

If you do not have internal expertise, route the memo through counsel. Keep the output; exams often grade “process and documentation,” not perfection.

Step 3: Validate qualified custodian status (and do it like third-party risk)

For each custodian or platform involved:

• Confirm whether it meets the Custody Rule’s qualified custodian definition. ¹
• For crypto platforms, verify whether it is a registered broker-dealer if you are treating the platform as a custodian for digital asset securities. ²

Run this as a third-party due diligence workflow:

• Entity legal name, registrations, scope of services.
• Contract review: who has title, who has control, withdrawal rights, sub-custodian usage.
• Financial and operational resilience questions tailored to crypto custody failure modes (insolvency, commingling, transfer controls).

Step 4: Write and enforce “no unregistered platform custody” rules

Put the rule in writing, then enforce it operationally:

• Policy: prohibit custody of digital asset securities at unregistered crypto trading platforms. ²
• Procedure: onboarding checklist must include registration verification and approval gates.
• Exception handling: if you allow exceptions at all, define who can approve them and what compensating controls are mandatory; many firms choose “no exceptions” for this risk.

Step 5: Align client disclosures and governing documents to the custody reality

Make sure your disclosures and offering docs match reality:

• Where assets are held and what protections exist.
• The role of third parties in custody and any limitations.
• Material risks specific to digital asset custody (including platform failure risk, if applicable to your arrangement). ³

Step 6: Implement ongoing monitoring and an annual reassessment

At minimum:

• Re-check custodian qualification status on a recurring basis.
• Revisit security-status memos when assets materially change or when your trading/custody model changes.
• Test access controls and withdrawal permissions as part of periodic controls testing.

Daydream tip: build a standing “Crypto Custody Review” workflow with tasks, owners, and evidence upload requirements so you can produce a clean exam packet on demand.

Required evidence and artifacts to retain

Keep artifacts in an exam-ready folder structure:

• Digital asset inventory and custody mapping (systems, wallets, roles).
• Security-status / Howey analysis memos per asset (and approvals). ³
• Qualified custodian verification packet (registration checks, due diligence notes). ⁶
• Custody agreements, account opening documents, and any sub-custody disclosures.
• Policies and procedures covering digital asset custody decisions and prohibitions. ²
• Client disclosures and communications relevant to custody and platform risks. ³
• Ongoing monitoring logs and annual review results.

Common exam/audit questions and hangups

Expect variations of:

• “List all digital assets held and identify which you treat as securities; show the supporting analysis.” ³
• “Identify every third party involved in custody; show qualified custodian status and due diligence.” ¹
• “Do any assets sit on a trading platform? If yes, explain why that platform qualifies as custodian under Rule 206(4)-2.” ²
• “Who can initiate withdrawals? Show access control evidence and approval logs.”

Hangups that slow teams down:

• No single inventory of wallets/exchange accounts.
• Analysis exists in email threads, not a controlled memo.
• “We thought the platform was big enough” as a substitute for qualified custodian verification.

Frequent implementation mistakes (and how to avoid them)

1. Treating “exchange account” as custody-compliant by default. Fix: require qualified custodian determination before opening any account used for client assets. ⁶
2. No documented security-status rationale. Fix: make an asset intake gate that requires a written memo before trading or custody. ³
3. Letting client preference drive custody venue. Fix: hard prohibition in policy, with compliance monitoring tied to the approved custodian list. ²
4. One-and-done diligence. Fix: schedule periodic re-validation and trigger reviews on material changes.

Enforcement context and risk implications

The SEC has already brought a case tying crypto platform custody practices to Custody Rule expectations, giving exam staff a roadmap for inquiries into qualified custodian status for digital assets treated as securities. ² The SEC Division of Examinations has also signaled it will consider whether advisers are complying with the Custody Rule for crypto assets the SEC believes are funds or securities. ³

Your risk profile spikes if:

• You custody on platforms that cannot clearly meet the qualified custodian standard.
• You cannot show a repeatable, documented decision process for asset classification and custody selection.

30/60/90-day execution plan

First 30 days: stabilize and map

• Assign an owner for digital asset custody governance (CCO or delegate with explicit authority).
• Build the digital asset inventory and custody map (accounts, wallets, access, third parties).
• Freeze new digital asset onboarding until the intake controls exist (or require CCO sign-off).
• Draft the “security-status memo” template and approval workflow. ³

Days 31–60: remediate and formalize

• Complete security-status memos for in-scope assets; mark “uncertain” assets as treated as securities for custody controls until resolved.
• Verify qualified custodian status for each custody arrangement; document the evidence. ¹
• Update policies: approved custodian list, explicit prohibition on unregistered platform custody for digital asset securities. ²
• Update disclosures to match custody reality and identified risks. ³

Days 61–90: operationalize and test

• Implement ongoing monitoring: periodic custodian status checks, change triggers, access reviews.
• Run a tabletop “SEC exam request” drill using the exam document list as your checklist. ³
• Centralize evidence in Daydream (or your GRC system) with an exam-ready binder structure and retention rules.

Frequently Asked Questions

Do we need to apply the Custody Rule to every crypto asset we touch?

Apply the Custody Rule controls to crypto assets you treat as securities or that the SEC may view as securities. Keep a written, asset-by-asset analysis so you can justify your scope decisions. ⁴

Can an unregistered crypto exchange ever be a “qualified custodian” for digital asset securities?

The SEC has stated that crypto asset trading platforms that are not registered broker-dealers do not qualify as custodians under Rule 206(4)-2 for these purposes. Treat this as a hard gating criterion in onboarding and ongoing monitoring. ²

What evidence will examiners expect first for digital asset custody?

Expect requests for your security-status (Howey-style) analysis, proof of qualified custodian status, custody agreements, and written policies that prohibit non-qualified custody models. ⁷

We don’t hold private keys. Could we still have “custody” exposure?

Yes. Custody analysis depends on your authority and ability to access or transfer client funds or securities, including through third parties or contractual rights. Map who can move assets and document why your structure does or does not create custody under the rule. ¹

How do we handle assets where security status is uncertain?

Document the uncertainty and default to a conservative custody posture (treat as security for custody controls) until you have a defensible conclusion. Keep the memo and approval trail because exams test your process. ³

Where does Daydream fit operationally?

Use Daydream to run the repeatable workflows behind this trend: asset intake and security-status memos, qualified custodian verification, third-party due diligence, annual reviews, and an exam-ready evidence binder with clear ownership and timestamps. ³

Related compliance topics

• 2025 SEC Marketing Rule Examination Focus Areas
• Access and identity controls
• Access Control (AC)
• Access control and identity discipline
• Access control management

Footnotes

1. 17 CFR 275.206(4)-2

2. IA-6835

3. 2024-exam-priorities

4. 2024-exam-priorities; Source: 17 CFR 275.206(4)-2

5. 17 CFR 275.206(4)-2; Source: 2024-exam-priorities

6. 17 CFR 275.206(4)-2; Source: IA-6835

7. 2024-exam-priorities; Source: 17 CFR 275.206(4)-2; Source: IA-6835