Building Digital Asset Custody: Three Ways Companies Fail, and How To Fix It

Building digital asset custody infrastructure is a complex process which presents multiple challenges. In this blog, we examine the top three concerns custodians face and explore some potential solutions.

Challenge One: Security Architecture and Key Management

These two elements comprise the fundamentals of digital asset custody and, arguably, represent its most distinctive and difficult challenges compared to traditional custody. This process encompasses not just cybersecurity but also operational design, legal/compliance robustness and client trust. The combination of high-value assets, irreversible transactions and rapidly evolving threats makes dealing with private key management uniquely demanding. Any lapse – technical or human – can have catastrophic, unrecoverable consequences. Within this field, three different areas need to be addressed:

  • Creating secure, scalable and auditable systems
    Custodians must find the right balance between maximum security (cold storage, air-gapped, multi-signature setups) and operational efficiency (speed, liquidity and ease of access). This balance is challenging to strike and highly context-dependent, particularly for institutional clients with varying risk appetites.
  • Ensuring secure key management
    To avoid high-profile failures (such as those seen when the cryptocurrency exchange FTX collapsed in November 2022), custodians must ensure operational risk and controls frameworks are in place. FTX was, in the end, fraud, and providing a regulated environment with a fully auditable risk and controls framework will mitigate the risks. In digital asset custody, control over the private key equals control over the assets, so the design of, and controls around, key access are important. Private keys enable decryption and transaction signing. Custodians manage this risk by focusing on how keys can be lost or compromised and on how to address each of those scenarios.
  • Balancing latency, security and flexibility
    Financial institutions working with digital assets expect bank-grade security, low latency for execution of trades and the flexibility to interact with a variety of services. However, digital assets differ from traditional finance, where roles such as custody, clearing and settlement are all separate and intermediated. Digital asset custodians often need to combine all these functions, which increases pressure on their systems.

Customising the custody model for each client’s needs – from long-term holders of assets to active traders – means constantly recalibrating this balance. There are now multiple technical solutions within security architecture and key management. Cold (offline) storage used to be considered the most secure but, depending on the design, may be considered operationally inefficient. Hot (online) wallets enable speed but may be vulnerable to hacks. To balance this risk, Multi-Party Computation (MPC) and sharding techniques can be deployed to help split private keys across multiple trusted parties, minimising single points of failure and reducing insider threats and hacking risk. Hardware Security Modules (HSMs) are another solution. They create tamper-proof, multi-signature-required systems used by both banks and digital custodians, enhancing resilience by being co-located and vendor-diverse and by holding master keys in escrow, spreading control across multiple service providers.

Challenge Two: Integration and Interoperability

Digital asset custodians must manage the complexity of stitching together disparate technologies, as well as integrating manual processes that still exist in traditional finance, while still providing seamless workflows. This fragmentation can create technical debt and introduce operational inefficiency or security vulnerabilities, making it one of the top three foundational challenges in building digital asset custody infrastructure.

  • Security and operational risks of differing and multiple integrations
    Custodians must align with clients’ systems and the wider tech landscape, which presents multiple challenges. Institutional clients expect straight-through processing and compatibility with existing banking, trading, and compliance systems (e.g., SWIFT, FIX, ISO 20022). This is hard to deliver in an ecosystem without mature integration protocols or shared settlement layers. Poor integrations can lead to inefficient operations, loss of assets or security gaps. For example, a misaligned custody integration with an exchange or DeFi protocol could result in losses due to timing mismatches or misrouted funds.
  • Different blockchains, different rules
    Each blockchain has its own smart contract logic, address format, and asset metadata structures. Custodians must build custom integrations for each chain or use costly third-party bridges and middleware, increasing potential attack surfaces and costs.
  • Flexible infrastructure for a wide range of digital assets
    Digital asset custodians are now expected to support not just a wide range of cryptocurrencies but also on-chain settlement assets like stablecoins and tokenised deposits as well as tokenised real-world assets. As the digital asset market matures, infrastructure must adapt to meet these needs.

Challenge Three: Regulatory and Legal Fragmentation

The lack of harmonisation across jurisdictions globally remains a foundational challenge to digital asset custody. Unlike security or technology (which custodians can build or control), legal frameworks are externally imposed, fragmented and slow to harmonise. This makes regulatory and legal uncertainty not only a compliance problem but also a strategic risk. For institutional digital asset custodians, navigating this complexity is non-negotiable. Two specific areas of difficulty arise within this problem set. Custodians must:

  • Work across jurisdictions with different rules and regulations
    Digital asset custody is inherently cross-border but custody agreements and asset protections are jurisdiction-specific. Custodians must build bespoke legal and compliance frameworks per region, which is resource-intensive and limits scalability.
  • Handle the variability of legal enforceability of trust structures or asset segregation
    In common law jurisdictions such as the UK, custodians typically hold client assets in trust, a legal mechanism offering strong protection in insolvency scenarios. In civil law jurisdictions, where trust structures may not exist, asset protection relies on statutory schemes, and some countries still have legal gaps or unclear positions. This fragmentation forces custodians to customise legal structures per jurisdiction, increasing legal complexity and risk.

Since regulatory and legal fragmentation is not likely to be resolved in the short term, custodians must instead rely on using contracts and trust law. They must select the jurisdictions they work in based on legal certainty and continue to proactively engage with regulators and monitor new developments. For institutional clients, digital asset custodians like Zodia Custody can also offer help with onboarding and training to ensure that custody activities comply with local and international regulations. Looking ahead, some regulators are now considering cross-border recognition of licensing or registration regimes – a development that, if adopted, could significantly streamline processes while still maintaining a secure framework for market participants to operate in. This evolution could mark a major shift in how custodians engage globally, reducing friction while preserving regulatory safeguards.

By layering traditional legal principles with innovative contract structures and staying ahead of regulatory developments, custodians are able to operate securely even in a fragmented and rapidly changing global policy environment – building trust while pushing the legal system to evolve to embrace emerging technologies and business models.
