Crypto custody is getting more serious. On Feb. 3, Canada’s investment industry regulator CIRO published a new Digital Asset Custody Framework for dealer members that run crypto trading platforms.
Exchanges also keep pushing “proof of reserves” reports as a trust signal. On Feb. 5, BTCC said its January proof-of-reserves showed a 136% total reserve ratio.
Still, the biggest danger has not changed. A single operational failure—bad key handling, weak approvals, or sloppy recordkeeping—can still turn into permanent loss.
What Happened
CIRO’s new custody framework spells out what it expects from platforms and the custodians they use. It is risk-based and tiered, meaning the required controls rise as the size and complexity of custody rises.
The framework leans on familiar “traditional finance” ideas. It points to independent audits, control testing (like SOC reports), documented procedures, and insurance expectations aimed at theft and internal fraud.
News coverage also highlighted why CIRO is doing this now. The regulator said the framework reflects “technological, operational, and legal risks” that are unique to digital assets and draws on lessons learned from recent market stress.
In the U.S., accounting and policy shifts may also widen the playing field for custody. A Conference Board policy note said SAB 122 replaced SAB 121 and gave firms more discretion in how they reflect custody-related risks, which it said could make it easier for major banks to offer custody services.
Why It Matters
Custody risk is not just “will it get hacked?” It is also legal and operational.
Legal risk is simple but scary: if a platform fails, do you still own your crypto, or do you become just another creditor in bankruptcy? The answer depends on structure, contracts, and how assets are held and recorded.
Operational risk is the day-to-day reality. Keys need to be protected. Withdrawals need strong approvals. Balances need to be reconciled. Logs need to be monitored. These steps are boring, but they are where losses often start.
Proof of reserves can help, but it is not a full safety badge. A PoR report may show assets at a point in time, but it may not show all liabilities, hidden leverage, or off-platform obligations.
That is why stronger standards matter. A real framework pushes firms to prove controls, not just promise them.
Opportunities and Risks
Better standards create real opportunities for investors who want cleaner, more professional custody. CIRO’s framework pushes platforms toward clearer processes and third-party checks like audits and SOC-style controls. Over time, that can reduce “unknown unknowns” for customers.
There is also a path toward more mainstream custody options. If more large financial firms get comfortable offering custody—helped by changes like SAB 122—investors may see more competition, more consistent procedures, and tighter risk management.
But the risks remain sharp. Insurance is often misunderstood. Even when a custodian has coverage, it may have strict limits, narrow definitions of what counts as a covered loss, and exclusions that matter in real crises. A framework can encourage insurance, but it cannot ensure that insurance makes your portfolio whole.
Counterparty risk also hides in plain sight. If you are earning yield, your assets may be lent out, rehypothecated, or pooled. Proof-of-reserves headlines do not automatically answer those questions. A 136% reserve ratio sounds strong, but it does not replace a full view of how the business takes risk.
Investor Takeaway
Use this checklist before you trust any exchange, custodian, lender, or prime broker with meaningful size.
1) Segregation and legal structure. Ask whether customer assets are segregated from company assets in both records and wallets. Ask what happens in insolvency. Get the exact wording on ownership and whether the platform can use your assets for its own purposes. CIRO’s approach is built around reducing these legal and operational gaps.
2) Controls you can verify. Ask for audited financials and a recent controls report (like SOC coverage), and ask who performed the work. Ask how keys are held (multi-signature, HSMs, and who can approve changes). Ask how withdrawals are approved and monitored.
3) Insurance reality check. Ask what type of policy it is (crime/fidelity style versus generic cyber), what the limit is, and what is excluded. Ask whether coverage applies across hot, warm, and cold storage, and whether internal fraud is covered.
4) Counterparty exposure. If you are earning yield, assume you are taking credit risk. Ask if assets are lent out, who the borrowers are, what collateral is required, and whether withdrawals can be gated.
5) Proof of reserves. Read PoR reports, but treat them as one data point. Ask what the report does not cover, how often it is updated, and whether it includes liabilities in a meaningful way.
Conclusion
Custody is getting safer at the edges. New frameworks like CIRO’s are raising the floor on controls, audits, and basic governance.
But the fastest path to permanent loss is still operational failure and unclear legal rights. For investors, the best defense is simple: demand proof of controls, read the contracts, and avoid yield programs where you cannot explain exactly who owes you what.
Stay sharp,
The Crypto Compass


