Regulatory Framework and Custody Compliance

Key Regulatory Developments: 2025-2026

SEC Broker-Dealer Custody Requirements

The December 17, 2025 SEC rules were largely a response to the FTX collapse, which revealed how few institutional custodians had documented procedures for customer asset protection. The rules apply to broker-dealers holding crypto on behalf of customers.

Required written policies must address:

• Private key management: how keys are generated, stored, accessed, and rotated
• Cybersecurity protocols: specific controls against known attack vectors (supply chain attacks, insider threats, social engineering)
• Blockchain malfunction procedures: what to do if a network experiences a 51% attack or consensus failure
• Hard fork and airdrop handling: how the custodian treats duplicate assets arising from chain splits
• Insolvency and wind-down: how customer assets are separated from company assets and returned if the custodian fails

These requirements are operational, not just capital-based. A broker-dealer with $10 billion in assets but no written procedures for hard fork handling is out of compliance. This is a meaningful shift from the pre-2025 approach, where crypto custody lived in a regulatory gray area.

SEC SAB 122: The Bank Custody Unlock

For three years, SEC Staff Accounting Bulletin 121 (April 2022) quietly blocked traditional banks from custodying crypto at scale. SAB 121 required any entity safeguarding customer crypto-assets to record those assets as a liability on its balance sheet at fair value, with a corresponding asset entry. Banks face capital requirements based on balance sheet liabilities; under SAB 121, custodying $1 billion in customer Bitcoin would force a bank to hold capital against that $1 billion liability, even though the bank had no economic exposure to the price.

The result: BNY Mellon, State Street, JPMorgan, and other traditional custodians stayed on the sidelines. The economics didn't work. SAB 121 effectively prevented insured depository institutions from competing in crypto custody.

SEC SAB 122, issued January 23, 2025, superseded SAB 121. The new guidance instructs reporting entities to apply existing accounting standards (ASC 450 for contingent loss recognition, with relevant disclosures) rather than the unique fair-value liability treatment. Practically, custodial entities can now apply standard banking accounting to safeguarded crypto. The capital obstacle is gone.

SAB 122 is the change that made everything else possible. OCC Letter 1183 mattered legally, but without SAB 122 the economics would still have blocked bank entry. Together they unlocked traditional bank custody for the first time since the SEC accounting guidance had effectively closed the door in 2022.

OCC Interpretive Letter 1183

Before Letter 1183 (March 7, 2025), national banks interested in offering crypto custody services needed to obtain a specific OCC non-objection letter before engaging in those activities. This created a slow, unpredictable approval process that discouraged traditional banks from entering the market.

Letter 1183 clarified that national banks can offer crypto custody and stablecoin services as part of their normal banking activities, subject to existing safety and soundness standards. They don't need pre-approval for each new service type.

The downstream effect: major US banks that were watching from the sidelines are now building crypto custody infrastructure. JPMorgan, BNY Mellon, and State Street had been moving cautiously; with SAB 122 removing the accounting obstacle and Letter 1183 removing the approval obstacle, both barriers fell in the same nine-month window. For users, this means more institutional-quality custody options at competitive prices in the near future.

GENIUS Act and the Federal Stablecoin Framework

The Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act) was signed into law on July 18, 2025. It is the first explicit federal framework for payment stablecoin issuers in the United States.

Core requirements for permitted payment stablecoin issuers:

• 1:1 reserves in US dollars or short-term US Treasury securities. No fractional backing. No riskier reserve assets.
• Monthly public attestations of reserve composition by an independent CPA, with the issuer's CEO and CFO certifying.
• Annual independent audits for issuers above $50 billion in market capitalization.
• Dual federal/state regulatory regime: large issuers ($10B+) regulated federally by OCC or Federal Reserve; smaller issuers may opt for state regulation under approved state frameworks.
• Anti-money-laundering, sanctions, and Bank Secrecy Act compliance treated as a primary obligation, not a downstream consideration.
• Bankruptcy priority: stablecoin holders have a senior claim on reserves in the event of issuer insolvency.

GENIUS applies to stablecoin issuers like Circle (USDC) and PayPal (PYUSD). It does not directly regulate exchanges, self-custody, or non-stablecoin tokens. The CLARITY Act (House July 17 2025, in Senate as of April 2026) addresses the broader SEC/CFTC jurisdictional question for non-stablecoin digital assets.

For individual holders, GENIUS matters indirectly: the stablecoins you use for trading or DeFi will increasingly be issued under the GENIUS framework, with stronger reserve guarantees and clearer legal protections in issuer bankruptcy. Older or unregulated stablecoins still exist but face market-share pressure as GENIUS-compliant alternatives become the institutional standard.

NYDFS and the BitLicense Framework

New York's Department of Financial Services (NYDFS) remains the most demanding state regulator for crypto businesses. The BitLicense, introduced in 2015, requires any company engaged in virtual currency business activity involving New York customers to obtain either a BitLicense or a limited-purpose trust charter.

NYDFS sub-custodian requirements: if a NYDFS-licensed company wants to use a third-party custodian for some of the assets it holds on behalf of customers, that sub-custodian must itself be chartered or licensed by NYDFS or an equivalent regulatory authority in its home jurisdiction. This prevents regulatory arbitrage where a New York company moves assets to an unregulated foreign entity.

NYDFS also requires BitLicense holders to maintain a "cybersecurity program" that includes specific controls: multi-factor authentication, access controls, audit trails, penetration testing, incident response plans, and annual cybersecurity reports to NYDFS. These requirements are modeled on what good security looks like in practice - which means the security principles in this course align directly with what regulated custodians are required to implement.

Self-Custody vs Institutional: What the Regulations Say

The regulatory framework distinguishes sharply between individual self-custody and institutional custody of client assets.

Qualified custodians as of April 2026

Who qualifies as a "qualified custodian" for investment adviser purposes has expanded significantly in 2025-2026:

• National banks with OCC trust powers (expanded by SAB 122 + Letter 1183)
• State trust companies with written crypto custody policies (effective September 30, 2025)
• NYDFS-licensed trust companies (BitLicense holders with trust charter, e.g. Coinbase Custody Trust, Gemini Trust, Paxos)
• Wyoming Special Purpose Depository Institutions (SPDIs): Kraken Bank and Custodia Bank are the two operational charters as of 2026
• Nevada, South Dakota, and Texas state-chartered digital asset trust companies
• OCC conditional national trust banks: the December 2025 cohort included Circle and Ripple, with three additional approvals not all publicly named at the time of writing. Anchorage Digital, which received its national trust bank charter in 2021, remains the longest-operating example of this category.

International Frameworks (Brief Survey)

The course focuses on US regulation, but most serious crypto users interact with international frameworks indirectly through exchange choice, stablecoin issuer jurisdiction, or cross-border payments. The major regimes as of April 2026:

For exchange selection: jurisdiction matters. An exchange regulated under MiCA, NYDFS, MAS, or the FSA carries a different operational risk profile than an unlicensed offshore venue. The cost of regulated trading is real (lower leverage, fewer assets, more KYC), but the protections against operator misconduct are also real.

Travel Rule and Reporting Obligations

The FinCEN Travel Rule (31 CFR 1010.410(f)) requires Virtual Asset Service Providers (exchanges, custodians) to share originator and beneficiary identification for transfers of $3,000 or more. The EU MiCA equivalent reduces the threshold to €1,000 and adds first-mile identity verification requirements. As of 2026, both regimes are in active enforcement.

Practical effects you may notice:

• Exchanges request beneficiary information when you withdraw to an external wallet above the threshold. Some exchanges require you to attest that the receiving wallet is yours; others require KYC on the receiving address.
• Cross-exchange transfers between two licensed VASPs may include automated Travel Rule data exchange under protocols like TRP, OpenVASP, or Sumsub Travel Rule.
• Withdrawals to self-custody hardware wallets are still permitted, but documentation requirements vary by exchange and may include declaring the wallet ownership.
• Form 1099-DA (effective Jan 1, 2025) and Rev. Proc. 2024-28 (wallet-by-wallet cost basis, effective Jan 1, 2025) interact with Travel Rule data: exchanges report what they observe; you owe accurate reconciliation across self-custody and exchange holdings (covered in Module 5).

For individuals, the Travel Rule does not restrict self-custody. It does mean exchange withdrawals come with more documentation friction than they did pre-2024. Plan accordingly: do KYC at one good exchange, withdraw cleanly to self-custody, keep your records.

What This Means for You