Risk warning: Cryptoassets are largely unregulated in the UK. You could lose all your money, and FSCS protection does not apply. This site provides education, not financial advice.
Crypto Custody Explained: How Institutions Store Digital Assets Safely
Crypto8 min readJuly 16, 2026✓ Updated for 2026

Crypto Custody Explained: How Institutions Store Digital Assets Safely

How institutions store crypto safely: cold storage, multi-signature wallets, insurance and proof of reserves explained for UK investors.

JR
Joe Robertson · In crypto since 2017, writing since 2025
Published 16 Jul 2026

When a hedge fund holds £50 million in Bitcoin, it doesn’t sit on someone’s laptop with the keys scribbled on a Post-it note. Institutional crypto custody is a whole industry most retail investors never see — vaults, multi-signature wallets, insurance policies and audit trails built to survive a hack, a lawsuit, or a rogue employee. UK investors buying into crypto ETPs are relying on this infrastructure whether they realise it or not.

Custody sounds like a boring back-office detail. It isn’t. It’s the difference between an exchange collapse wiping out client funds overnight and one that survives exactly that scenario intact.

What Institutional Custody Actually Means

Custody is simply who holds the private keys that control access to crypto assets. For institutions, that responsibility sits with specialist custodians — companies like Coinbase Custody, Fireblocks, and BitGo — rather than the fund itself holding its own keys.

These custodians exist because institutions can’t take the operational risk of a single point of failure. If one employee loses a laptop, or a hacker phishes one set of credentials, self-custody at scale becomes a liability rather than a feature.

Regulated custodians in the UK and EU increasingly need specific licensing to operate, adding a compliance layer that pure self-custody solutions never had to satisfy. This shift has turned custody from a technical afterthought into its own regulated financial service, complete with its own fee structures and competitive market.

Cold Storage vs Hot Wallets at Scale

Cold storage means private keys generated and kept on devices never connected to the internet. Institutional custodians store the vast majority of client assets — often over 95% — in cold storage specifically to remove remote hacking as a realistic threat.

Hot wallets hold a small operational float needed for daily withdrawals and trading. This is deliberately the smallest possible balance, because hot wallets remain the most common target for exchange hacks. The 2026 collapse of a mid-sized Asian exchange traced directly back to an oversized hot wallet holding client funds that should have been in cold storage.

Balancing the two is a constant tension. More cold storage means better security but slower withdrawal times for clients who expect near-instant access to their funds. Some custodians now use a tiered system with warm wallets sitting between the two extremes, adding a small delay in exchange for meaningfully better security than a pure hot wallet.

Multi-Signature and Multi-Party Computation

Multi-signature wallets require several separate private keys to authorise any transaction, so no single compromised key can move funds alone. A typical institutional setup might need three out of five authorised signers to approve a withdrawal.

Multi-party computation, a newer approach, splits a single key into fragments distributed across separate secure locations, so the full key never exists in one place even momentarily. This closes a gap that pure multi-signature setups still had, where a full key briefly exists during the signing process itself.

Both approaches trade convenience for security. Retail investors rarely need this level of protection, but for institutions holding nine-figure sums, the extra friction is the entire point. Some custodians combine both techniques, layering multi-party computation inside a broader multi-signature approval structure for the largest client accounts.

How UK Crypto ETPs Handle Custody

UK-listed crypto exchange-traded products don’t hold the underlying Bitcoin or Ethereum themselves — they contract a regulated custodian to do it, then issue shares tracking the asset’s value. When you buy an ETP through a UK broker, you’re trusting that custodian chain, not holding crypto directly.

The FCA requires ETP issuers to disclose custody arrangements clearly, including which custodian holds the assets and what insurance covers them. Reading this section of the prospectus tells you far more about real risk than the headline price chart ever will.

This structure means ETP holders never deal with private keys, seed phrases, or wallet security directly. It’s the main appeal for investors who want crypto exposure without touching a wallet — but it also means full reliance on the custodian’s own security track record and its relationship with the fund issuer.

Insurance: What It Covers and What It Doesn’t

Most major custodians carry crime insurance covering theft from cold storage and, to a lesser extent, hot wallet breaches. Policy limits vary enormously — some custodians carry cover in the hundreds of millions, others considerably less relative to assets held.

Insurance rarely covers market losses, smart contract failures, or asset value drops. It exists specifically for theft and operational failure, not for the asset losing value because the market turned against you.

Read the actual policy limits, not just the marketing claim of “fully insured.” A custodian holding £2 billion in assets with a £100 million insurance policy is covering roughly 5% of holdings — a detail that rarely makes the front page of a custodian’s website. Ask specifically what percentage of total client assets under custody the policy would actually cover in a worst-case scenario, since insurers themselves often cap total payouts per incident regardless of the headline figure quoted.

Proof of Reserves and Why It Matters

Proof of reserves is a cryptographic method letting a custodian demonstrate it actually holds the assets it claims, without revealing individual client balances. Merkle tree audits are the most common technique, letting any client verify their own balance is included in the total.

The collapse of FTX in 2022 made proof of reserves a standard expectation rather than a nice-to-have. Reputable custodians now publish regular attestations, though the quality and frequency still varies considerably between providers.

A proof of reserves audit only confirms assets exist at the moment of the snapshot. It says nothing about liabilities, so a custodian can technically pass an audit while still being insolvent overall if obligations exceed the assets shown. A proper audit needs to combine proof of reserves with proof of liabilities to mean much at all, and few custodians publish both together.

Regulatory Requirements for UK Custodians

Firms providing crypto custody services to UK clients fall under the FCA’s cryptoasset registration regime, which requires anti-money laundering controls and ongoing supervision. Full authorisation requirements are tightening further as the FCA’s broader crypto regime rolls out from 2026 onwards.

When I looked into how UK institutional investors actually choose a custodian, regulatory status came up more often than fees or speed. A custodian without clear FCA registration is an immediate red flag for any serious UK institutional allocator.

Some custodians hold licences across multiple jurisdictions simultaneously — UK, EU, US — partly to reassure clients and partly because global institutional mandates often require it as a condition of doing business at all. The compliance overhead of maintaining multiple licences has become a genuine competitive moat for the larger custody providers.

Choosing a Custodian: Questions Worth Asking

Before trusting any custodian with meaningful funds, ask how assets are split between cold and hot storage, and what percentage that actually is in practice rather than in theory. Ask who holds the insurance policy and what specific events it covers.

Ask how often proof of reserves audits happen, and whether an independent third party performs them or the custodian marks its own homework. Finally, ask what happens to client assets specifically if the custodian itself becomes insolvent — segregated client accounts should, in theory, remain untouched by the custodian’s own creditors, but the legal structure needs checking, not assumed.

Nine times out of ten, the answer to these questions is buried several pages into a technical whitepaper rather than the marketing homepage. It’s worth the extra reading before moving significant sums.

Lessons From Custody Failures

Mt. Gox in 2014 and FTX in 2022 remain the two cautionary tales every custody discussion eventually circles back to. Both collapsed not because the underlying technology failed, but because controls around who could move client funds were weak or deliberately bypassed.

Neither company published meaningful proof of reserves before collapsing. Both cases pushed the whole industry toward the audit standards and segregation rules now considered baseline practice at any custodian worth using. Regulators cite both cases repeatedly when justifying new custody rules, and UK policymakers have referenced FTX specifically when shaping the FCA’s current cryptoasset framework.

UK-based investors who lived through either collapse often say the same thing afterwards: they wish they’d asked about custody structure before investing, not after the exchange stopped processing withdrawals. That single lesson, repeated across two major collapses eight years apart, is why custody now gets asked about first rather than last in any serious due diligence process for UK institutional crypto exposure.

What This Means for You

If you hold crypto directly, self-custody with a hardware wallet remains the gold standard for security, at the cost of taking full personal responsibility for your keys. If you invest through an ETP or fund, check who the underlying custodian is and what insurance actually covers.

Never assume “regulated” automatically means “fully protected.” Read the custody and insurance disclosures in any fund prospectus before committing meaningful money, and treat marketing language like “bank-grade security” as a starting point for research, not a guarantee.

This article is for educational purposes only and does not constitute financial advice. Cryptocurrency investments involve significant risk. Always do your own research.

Free weekly newsletter

Stay ahead of the market

Join our community of nearly 5,000 across YouTube, LinkedIn, X, and Facebook — weekly crypto, AI, and digital lifestyle insights every Thursday. No spam. Unsubscribe any time.

Share:X / TwitterFacebookLinkedInPinterest
Disclosure: Some links in this article may be affiliate links. If you click and purchase, DigiTech Lifestyle may earn a small commission at no extra cost to you. This never influences our editorial stance — we only recommend products we genuinely believe in.

Partner picks

Build a smarter digital stack

Explore curated AI, automation, wealth, and creator tools selected for practical value, transparent pricing, and clear use cases.

Browse tools

Disclosure: some links may be affiliate links. DigitechLifestyle may earn a commission at no additional cost to you.

Related articles
Crypto ETPs vs ETFs: What UK Investors Need to Know
Crypto
Crypto ETPs vs ETFs: What UK Investors Need to Know
Read article →
Crypto Airdrops Explained: How to Find and Claim Free Tokens Safely
Crypto
Crypto Airdrops Explained: How to Find and Claim Free Tokens Safely
Read article →
UK Tokenisation Taskforce: BlackRock, Goldman Sachs and 52 Others Join £33bn Push
Crypto
UK Tokenisation Taskforce: BlackRock, Goldman Sachs and 52 Others Join £33bn Push
Read article →
More from DigiTech Lifestyle
Latest NewsCrypto GuidesAI & TechnologyExchange ReviewsDeFi & BlockchainFree ToolsResources