Crypto custody · MiCA · Client assets
Crypto Custody Under MiCA: The Rules for Holding Client Assets
Custody is where MiCA gets strict. The moment a CASP holds client crypto-assets — or the keys to them — the custody-service rulebook imposes a documented rulebook the supervisor will test line by line. Most custody-related deficiencies trace back to treating it as a technical problem rather than a regulated one.
Crypto custody under MiCA is the service — defined in Regulation (EU) 2023/1114 and governed by the custody-service rulebook — of safekeeping crypto-assets or the means of access to them (typically private cryptographic keys), or exercising control over crypto-assets on behalf of clients, subject to mandatory custody agreements, a register of client positions, a written custody policy, and segregation of client assets from the CASP's own assets.
Quick facts
| Parameter | Value |
|---|---|
| Legal basis | MiCA Regulation (EU) 2023/1114, the custody-service rulebook — providing custody and administration of crypto-assets on behalf of clients |
| What custody means | Safekeeping of crypto-assets or the means of access (private keys), or exercising control over crypto-assets on behalf of clients |
| Custody agreement | Mandatory written agreement with each client detailing the CASP's duties and responsibilities |
| Register of positions | Each client's entitlement recorded in a register; movements from client instructions recorded as soon as possible |
| Custody policy | Written internal rules and procedures for safekeeping/control; a summarised version supplied to clients electronically on request |
| Asset segregation | Client crypto-assets must be clearly segregated from the CASP's own assets |
| Licence class | Custody is a Class 2 service under MiCA Annex IV — €125,000 minimum capital floor minimum |
Why custody is the high-trust service
Of the ten crypto-asset services in MiCA’s Annex IV, custody is the one that puts client wealth directly in the CASP’s hands. When a firm holds a client’s crypto-assets — or, more precisely, the private keys that control them — the client is trusting the firm with assets that can be moved irreversibly. MiCA reflects that trust with a dedicated rulebook: The custody-service rulebook, on providing custody and administration of crypto-assets on behalf of clients.
The common failure pattern is treating custody as an engineering problem. Teams invest heavily in multi-party-computation wallets, hardware security modules, and multi-signature schemes — and then present a supervisory file with no documented custody policy, a thin custody agreement, and a register of positions that cannot evidence a client’s entitlement at a point in time. Strong technology with weak governance still fails.
What “custody” means under MiCA
MiCA defines custody and administration of crypto-assets on behalf of clients as the safekeeping of crypto-assets or the means of access to them — where applicable, in the form of private cryptographic keys — or the exercise of control over such crypto-assets on behalf of clients.
Two consequences follow:
- Holding the keys is custody. If the firm controls the private keys, it is providing custody, even where the firm frames its product as a “wallet” or a “non-custodial-feeling” interface.
- Control is custody. Even without holding keys outright, a firm that can exercise control over client crypto-assets is in custody scope.
This is why the custody question is rarely “do we offer custody” and more often “have we accidentally built a custody service while calling it something else.”
The four pillars of custody compliance
The custody-service rulebook builds custody compliance on four documented obligations. A supervisory file is tested against all four.
1. The custody agreement
The CASP must enter into an agreement with each client that details the CASP’s duties and responsibilities. This is not a commercial term sheet — it is a regulatory requirement. The agreement defines what the firm holds, on what terms, with what responsibilities, and how the client instructs movements.
2. The register of positions
The custodian must maintain a register of positions opened in the name of each client, showing that client’s entitlement to crypto-assets. Movements resulting from client instructions must be recorded in the register as soon as possible.
The register is the evidentiary heart of custody. At any moment, the firm must be able to show what a specific client is entitled to. A register that reconciles slowly, or that aggregates client holdings without client-level entitlement, fails the purpose.
3. The custody policy
The CASP must establish a custody policy — internal rules and procedures to ensure the safekeeping or control of the crypto-assets, or of the means of access to them. A summarised version of the policy must be made available to clients in electronic format on request.
The policy must describe the firm’s actual arrangements: key-generation and key-management procedures, access controls, segregation arrangements, the technology in use, and the incident procedures. A generic template that does not reflect the firm’s specific custody architecture is a deficiency.
4. Segregation of client assets
Client-held crypto-assets must be clearly segregated from the CASP’s own assets. Segregation has to hold in both operations and records, so that in an insolvency or supervisory event, client entitlements remain identifiable and separable. Co-mingling client and firm assets in shared wallet structures defeats the core protection.
The obligation teams forget: facilitating client rights
Beyond hold-and-return, the custody-service rulebook imposes an active obligation. A CASP providing custody must facilitate the exercise of the rights attached to the crypto-assets — and any event likely to create or modify a client’s rights must be recorded immediately in that client’s register of positions.
In practice this covers events such as forks, airdrops, governance rights, and similar protocol-level events that change what a holder is entitled to. A custody model designed only to store and release assets — with no process for handling rights-modifying events — misses an obligation the supervisor will probe.
How custody fits the CASP class structure
Custody is a Class 2 service under MiCA Annex IV. A CASP offering custody therefore carries at least the Class 2 prudential floor of €125,000, plus the ongoing fixed-overheads-based requirement, plus the obligation to maintain insurance against the liability risks custody creates for clients. A firm that adds custody to a Class 1 authorisation is undertaking a class variation, not a minor product addition.
This is why “do we hold the keys” is a strategic question at authorisation, not an operational detail. The answer drives the licence class, the capital, the insurance, and the depth of the governance file.
What a clean custody file looks like
A custody file that passes supervisory review consistently contains:
- A client custody agreement template, with duties and responsibilities clearly allocated
- A documented register-of-positions process — how entitlements are recorded, how client-instruction movements are captured “as soon as possible”, and how reconciliation works
- A custody policy describing the firm’s actual key-management, access-control, and segregation arrangements, plus the summarised client-facing version
- Evidence of operational and record-level segregation of client assets from firm assets
- A documented process for rights-modifying events (forks, airdrops, governance) feeding the register
- The insurance arrangement covering custody-related liability
Working with counsel on a custody file
The diagnostic for counsel: ask how the firm’s custody policy and register-of-positions process will be evidenced to the supervisor — concretely, not as “we comply with the custody-service rulebook”. Counsel that has processed custody-bearing CASP files can describe the specific documentation a supervisor expects and the common deficiency patterns. The firms in our index with relevant custody-file experience are listed below.
Pitfalls and nuances
1 Treating custody as purely a technology problem
Strong key management — MPC, HSMs, multi-sig — is necessary but not sufficient. The custody-service rulebook is a governance rulebook: agreement, register, policy, segregation, facilitation of client rights. A CASP with excellent wallet technology and no documented custody policy still fails the supervisory review.
2 Missing or generic custody policy
The custody policy must set out the firm's actual internal rules and procedures for safekeeping and control — and a summarised version must be available to clients electronically on request. A template policy that does not describe the firm's specific key-management and access controls is a substantive deficiency.
3 Weak register of positions
The register must record each client's entitlement and reflect movements from client instructions as soon as possible. A reconciliation process that lags, or a register that cannot evidence a specific client's entitlement at a point in time, undermines the core protection custody is meant to provide.
4 Co-mingling client and firm assets
Holding client crypto-assets in the same wallet structure as firm assets, without clear segregation in both operations and records, breaches the segregation requirement. In an insolvency or supervisory event, client entitlements must be identifiable and separable — co-mingling defeats that.
5 Ignoring the facilitation-of-client-rights obligation
A custodian must facilitate the exercise of rights attached to the crypto-assets, and any event likely to create or modify a client's rights must be recorded immediately in that client's register of positions. Custody models built only around 'hold and return' miss this active obligation.
Frequently asked questions
What counts as crypto custody under MiCA?
Safekeeping crypto-assets or the means of access to them — typically private cryptographic keys — or exercising control over crypto-assets on behalf of clients. Holding the keys is custody, even briefly.
Does a CASP need a written agreement with custody clients?
Yes. The custody-service rulebook requires a custody agreement with each client setting out the CASP's duties and responsibilities. It is mandatory, not a commercial nicety.
What is the register of positions?
A register the custodian maintains showing each client's entitlement to crypto-assets, with movements resulting from client instructions recorded as soon as possible.
Must client crypto-assets be kept separate from the CASP's own assets?
Yes. MiCA requires client-held crypto-assets to be clearly segregated from the CASP's own assets — operationally and in the records — so client entitlements are identifiable at all times.
Get matched
Working through a crypto-licensing decision?
Get an editorial shortlist of firms matched to your business — customer market, model, jurisdiction, and stage. Free, and not influenced by sponsorship.
Get a firm shortlist →Sources cited
- Regulation (EU) 2023/1114 (MiCA), Article 75 — regulation
- ESMA — Markets in Crypto-Assets Regulation (MiCA) — regulator
- ESMA MiCA implementation page — official document