Crypto Custody

By | April 23, 2024

The Markets in Crypto-Asset Regulation (Regulation (EU) 2023/1114 – ‘MiCA’) aims at furthering one of the main applications of the distributed ledger technology (DLT, which is the crypto asset ecosystem. MiCA’s approach consists of ensuring an adequate degree of investor protection, financial stability, market fairness, and integrity, in the aftermath of the Crypto Winter, where billions of Euros in asset value was lost in less than two years. In this respect, MiCA subjects crypto-asset service providers (‘CASPs’) handling custody and administration of crypto-assets on behalf of clients to both licensing and financial supervision. In our paper, we explore the EU legal framework for crypto custody and we seek to identify whether MiCA meets its legislative objectives and whether it provides a sufficiently solid foundation for the future of the emerging crypto industry.  

Why is there a need to regulate crypto custodians? 

During the Crypto Winter, crypto custodians were unable to deliver on their promise of safeguarding their clients’ assets and instead have played and continue to play a pivotal role in crypto malfunctions, in at least the following six ways: 

Crypto custodians 

  1. were unable to prevent the loss of private keys related to their clients’ assets; 
  2. applied custody policies insufficient to address cyber-risks, misrepresentations, theft, and fraud; 
  3. mixed custody business with risk-exposed activities of crypto exchanges, brokers, investments, and lending; 
  4. commingled numerous clients’ assets with their own assets; 
  5. executed deficient bookkeeping, asset earmarking, internal controls, and business continuity practices; and 
  6. reused client assets for proprietary trading. 

The strengths and weaknesses of the MiCA crypto custody framework 

Our paper analyzes the extent to which these malfunctions persist after the coming into force of MiCA in June 2023 and whether further legislative action needs to be taken. Having a closer look at the MiCA crypto custody rules, we assume two different perspectives:  

  • Under the ‘institutional resilience’ perspective, we inquire whether MiCA ensures that the crypto custodians are soundly organized, and whether misconduct stemming from events inside the intermediaries is adequately addressed.  
  • Under the ‘asset resilience’ perspective, we review the extent to which the existence or value of the crypto-asset is secured by way of regulation in the event of malfunctions, distress, and the insolvency of the custodian, the token-issuer, the DeFi application, or any third party, as the case might be. 

Our paper first introduces MiCA’s background, makes the case for regulating crypto custody in the aftermath of the Crypto Winter and discusses international regulatory proposals on the topic. We then focus on MiCA’s custody rules identifying its strengths and weaknesses. In this regard, we first attempt to highlight its scope, where issues of delineation emerge in relation to three aspects: the application of EU financial legislative acts other than MiCA; the extent to which MiCA applies to fully decentralized applications; and MiCA’s definition of ‘custody’. Afterwards, we discuss the licensing and operational requirements applicable to all CASPs, and in particular the provisions affecting the crypto custodians under MiCA. Based on our analysis, we issue policy considerations. 

Key Findings of the Paper: Institutional resilience vs. Asset resilience 

MiCA’s focus is on what we have called herein ‘institutional resilience’, ensuring that the custodian is soundly organized and governed and must not reuse clients’ assets on their own accounts. Under MiCA’s CASP rules, all crypto custodians are fiduciaries, and subject to governance, conflicts of interest, asset segregation, and operational risk requirements. The provisions on the custodian’s liability also heighten the custodian’s propensity to safeguard clients’ assets. 

At the same time, MiCA lacks strength on ‘asset resilience’ (i.e. providing safeguards for cases where the custodian, third parties, the token-issuer, or DeFi application, as the case may be, encounter difficulties). This deficiency is partly due to the nature of DLT, where the existence of the asset relies on the recognition by and the functioning of other nodes, and partly due to the fact that MiCA does not regulate private law, and the insolvency proceedings regarding crypto-assets in particular. To some extent, the product regulations for asset-referenced tokens and e-money tokens compensate for this gap, but holders of other crypto-assets are left unprotected. In this regard, MiCA, in terms of protection, trails behind TradFi regulation where depositaries play a much stronger role in ensuring asset resilience, through a detailed legal framework focusing on asset protection and express powers to the custodians that allow for oversight of other service providers, and representation of clients’ interests in legal proceedings against third parties.  


Prof. Dr. Dirk Zetzsche is Professor of Financial Law (inclusive finance) at the University of Luxembourg.  

Dr. Julia Sinnig is a Postdoctoral Researcher at the University of Luxembourg. 

Areti Nikolakopoulou is a Doctoral Researcher at the University of Luxembourg. 

This post was adapted from their paper, “ Crypto Custody,” available on SSRN 

Leave a Reply

Your email address will not be published. Required fields are marked *