SEC Publishes Guidance on Crypto Custody: Self-Custody Takes Center Stage

Policy Shift at the U.S. Regulatory Agency

The U.S. Securities and Exchange Commission (SEC) has published a new "Investor Bulletin" that comprehensively educates investors about the fundamental principles of cryptocurrency self-custody ^[1]. The move is noteworthy, as the agency under former Chairman Gary Gensler had taken a hard line against various crypto firms ^[1].

What is remarkable is less the specific content of the bulletin than the fact that the SEC is providing education on self-custody at all. For years, this particular area was considered a gray zone from the perspective of U.S. regulators, and in some cases even an implicit risk to investor protection ^[2].

Hot Wallets versus Cold Wallets

In the investor bulletin, the SEC first explains the differences between hot and cold wallets. While internet-connected hot wallets are convenient but vulnerable to cyberattacks, cold wallets are considered more secure but carry the risk of loss or physical damage ^[1].

The bulletin is explicitly directed at retail investors and is not a regulatory text, but rather a purely informational resource. The SEC explains in broad terms that digital assets do not "sit in wallets," but are controlled through cryptographic keys ^[2].

Seed Phrase as Critical Factor

The agency places particular emphasis on protecting the seed phrase. Anyone who loses or shares these recovery words risks losing their entire cryptocurrency holdings ^[1].

The SEC makes clear that crypto investors bear sole responsibility when they manage their crypto assets themselves. Technical errors, lost private keys, or successful hacking attacks can lead to complete loss of assets ^[1].

Third-Party Custody as an Alternative

As an alternative, the bulletin presents custody through third-party providers such as crypto exchanges or specialized custodians. However, the SEC also warns of risks in individual cases, such as insolvencies, hacks, or the use of customer funds for their own purposes ^[1].

The bulletin very clearly emphasizes investor responsibility. Those who self-custody also bear the risk themselves. Those who use third-party providers depend on their security and solvency. The SEC presents both models side by side without making a recommendation ^[2].

Security Tips and Privacy

The SEC provides general security tips for crypto investors. These include strong passwords, two-factor authentication, caution against phishing attacks, as well as the clear recommendation not to disclose either private keys or information about one's own crypto holdings ^[1].

It is noteworthy that the SEC even explicitly provides guidance on protecting one's own privacy in the bulletin. Investors should take care to keep information about their crypto holdings as confidential as possible, both regarding the amount of assets held and the specific form of custody ^[2].

"Keep your crypto assets private. Do not share the amount or type of your crypto holdings with others!" the bulletin states ^[2].

Contradiction with KYC Requirements

This recommendation is striking insofar as it stands in clear tension with the massively expanded KYC, AML, and Travel Rule requirements in recent years. While regulators and legislators worldwide are pushing for ever more comprehensive data collection, identity verification, and transaction reporting, the same agency is now advising retail investors to keep their financial information as secret as possible ^[2].

Signal Effect for the Market

The SEC is thereby effectively acknowledging that self-custody is a legitimate and relevant component of the market. Just a few years ago, such a representation from the U.S. regulatory environment would have been hardly imaginable ^[2]. A significant portion of Bitcoin holdings are self-custodied. Since the insolvencies of major exchanges like FTX at the latest, awareness of counterparty risks has also reached beyond the Bitcoin community ^[2].