This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency markets are highly volatile. Always do your own research before making any investment decisions.
On September 3, 2024, the SEC charged a former registered investment adviser for failing to use a qualified custodian for crypto assets classified as securities. That high-profile enforcement action — which arrived as advisory firms pivoted toward digital asset exposure — has ratcheted up regulatory pressure for investment advisers active in crypto.
Advisers now face heightened enforcement of the SEC’s “Custody Rule,” with updated guidance changing alongside tokenization and DeFi operations, according to recent SEC actions. As institutional interest in crypto keeps accelerating, and the FTX collapse spotlights operational risks, market data shows one question stands out: must investment advisers hold crypto tokens with a qualified custodian, and what’s regulatory compliance now require in this fast-shifting climate?
According to Sidley, the federal Custody Rule — Rule 206(4)-2 under the Investment Advisers Act of 1940 — requires registered investment advisers to keep client securities, now including many crypto assets, with a “qualified custodian.” These custodians must be regulated banks, broker-dealers, or trust companies subject to rigorous oversight. The SEC’s recent enforcement actions drive one message home: holding crypto outside approved custodians leads to violations. Furthermore, on September 3, 2024, the SEC fined a former adviser who failed to keep securities-like crypto with a qualified custodian.
Sidley documents a $225,000 penalty imposed for that violation, showing how not following the rules can become a costly — and public — error for advisers managing crypto funds and wallets. Citing Iqeq, SEC staff have emphasized that registered investment advisers (RIAs) and registered investment companies must follow the Custody Rule for all assets in scope, or face severe penalties. This holds true even as new asset types seem to emerge every quarter. Advisers that don’t check their crypto custodians’ regulated status expose both themselves and clients to stiff penalties and, often at the same moment, the risk of fund losses.
$225,000 — Penalty for 2024 crypto custody failure, per Sidley.
Crypto Assets Scope Under SEC Oversight
The SEC has dramatically expanded the custody rule’s reach to cover not just assets already regulated as securities, but a wider universe of digital assets, per Morganlewis. And because “crypto assets not already in scope” — including tokens with utility or governance traits — are now seen as subject to federal standards, the compliance burden is much broader. Amendments to both the Investment Company Act of 1940 and the Advisers Act mean investment advisers can’t simply leave a digital asset out of compliance requirements just because it isn’t classified under traditional securities law, as SEC actions and Morganlewis reporting confirm.
Who Qualifies as a Custodian for Digital Assets?
According to Iqeq, state-chartered trust companies (STCs) are now expressly recognized as qualified custodians for digital assets — so long as they meet strict federal standards.
Morganlewis lays out the steps clearly: RIAs and registered funds have to get and review the STC’s latest annual financials, which must be audited by independent public accountants and prepared in line with accepted accounting principles.
According to Sidley, adviser or fund due diligence can’t just be a box checked at the launch of a relationship. In addition to yearly financials and SOC-1 control reports, advisers need to tell clients about any real custody risks and prove using a state trust company truly serves their clients’ best interests. The custody deal itself must include protections like restrictions on rehypothecation and bans on unauthorized asset pledges, plus confirmation that assets always remain in the client’s name.
Safeguards and Investor Protections
Sidley underscores that adviser-custodian agreements must deliver real-time recordkeeping and always keep client crypto assets separated (“segregated”). That’s about more than just completing paperwork. If there’s a reporting error or client and firm assets get mixed, regulatory investigations may follow. Trust companies are required to provide both audited financial statements and up-to-date internal control reports — usually of the SOC-1 type — that tackle cybersecurity, operational stability, and specific controls to protect crypto assets, SEC guidance confirms.
Advisers must also share clear risks with clients and board members — especially around gaps in jurisdiction, technical slips, or limited insurance. there’s now an expectation to keep records of each “best interest” analysis, update risk reviews regularly, and give clients the reasoning behind every custody provider choice.
Iqeq notes that SEC’s no-action relief only applies to digital assets and related cash that support crypto transactions — traditional asset custody remains a separate legal challenge. Advisers must also guarantee contract provisions like bans on unauthorized rehypothecation and always designate managed crypto assets in the client’s or fund’s name, not the custodian’s. SEC staff have raised the bar: compliance isn’t just a formality, but an ongoing, active duty for every adviser active in digital assets.
Due Diligence and Ongoing Review
Investment advisers have to commission annual financial audits and fresh SOC-1 (or equivalent) control reports from crypto custodians, according to Morganlewis.
Morganlewis makes it clear: if an adviser or fund can’t do the work to support real confidence in a custodian’s compliance — with both federal, state, and operational requirements — delegating custody isn’t allowed.
Enforcement Actions and Notable Penalties
SEC enforcement, especially after the FTX failure, has clearly shifted gears. The $225,000 penalty imposed on a former adviser in September 2024 shows just how high the stakes can be.
The SEC’s Division of Investment Management has built a reputation for pursuing cases where RIAs let digital assets leave controlled custody — or land in “rogue” wallets, or interact with smart contracts lacking solid accounting controls. Lost private keys, unauthorized rehypothecation, or token launches without adequate support all invite investigation. When things go wrong, advisers can face more than fines — lawsuits, reputational harm, and mandated operational fixes are common, as clients chase compensation for any losses.
Advisers on the wrong end of SEC enforcement often have to overhaul their compliance programs, work with outside auditors or consultants, and take further steps before regaining client trust.
Growing Demand for Digital Asset Custody
Sidley points out that “the demand for the custody services for digital assets has grown considerably” — a change fueled by bigger institutional bets, the launch of diversified crypto funds, and ever-higher compliance hurdles. Now, entrants like fintech startups, bank affiliates, and crypto-only specialists all race to help RIAs meet strict due diligence requirements, while bringing in tools like on-chain analytics, multi-signature custody, and real-time protections.
Morganlewis states the SEC expects advisers to check a custodian’s ability to safeguard crypto assets both through technology (for example, advanced key management) and solid operations (proving there’s no commingling, with live transaction logs and continuous regulatory reporting).
Best-Interest Determinations for Clients
Today’s advisers must prove they’re not just meeting the rules — they need to document that their custody system puts client interests above all else. This “best-interest” analysis has become central to SEC expectations. It should clearly lay out both the business logic (cost, tech, resilience) and the risk factors shaping the choice of trust company or platform for every crypto asset and related cash.
Compliance as the New Baseline
Compliance duties for crypto custody have moved from technical checklists to a full-time, foundational practice for advisers and fundsCustody Breakthrough: SEC Staff Grants Relief for…,. SEC’s evolving “Custody Rule” will almost certainly keep tightening as new DeFi protocols, blockchain tools, and custody models enter the market. Now, every adviser is expected to maintain detailed oversight of digital asset custodians and keep comprehensive records showing their rationale and risk assessment as crypto goes from niche play to institutional core holding.
Looking ahead, market participants will have to stay nimble as the SEC updates guidance in step with changing token standards, new cybersecurity threats, and multi-jurisdictional legal frameworks.
Disclaimer: The content on this page is for informational purposes only and does not constitute financial advice. Always do your own research before making investment decisions.
Elena Petrova is a regulatory correspondent specializing in crypto law and policy with over 10 years of financial journalism experience. Formerly a finance reporter at Reuters, Elena covers SEC enforcement, MiCA implementation, and global stablecoin regulations. She holds a J.D. from Georgetown Law and is a member of the New York State Bar. Her regulatory analysis is frequently referenced by compliance officers and legal teams at major exchanges.
Conflicts of interest
I have no current legal practice or retainer relationships with any cryptocurrency company. Past employment relationships are listed publicly.
