Compliant Custody

At Upvest, investment platforms can choose between two options for security token custody: a non-custodial option, which gives investors sole access to their assets, and a custody option developed in close alignment with the requirements of the German regulator.

What is custody, and how does it apply in blockchain?

Custodians exist to protect investors and keep financial instruments safe throughout transactions. Broadly speaking, they take on two core duties: the assumption of care over financial assets and safe custody activity over these assets. Their role is to protect and store financial instruments on an investor’s behalf.

In the blockchain space, asset custody is commonly understood in terms of control over private keys. Whoever controls the private key can sign transactions for, and therefore control, the assets associated with an account. If the account is not yours and the private key has been willingly given to you (i.e., it has not been stolen), the owner is trusting you with control over their assets. This control, and the accompanying ability to hold assets on a user's behalf, typically constitutes custody.

When do I need a custodian?

If you have control over a user’s private key and are dealing with regulated securities—which include digital securities—you require a custodian. At that point, you either need to build out a compliance team to ensure that you’re complying with custodial requirements or contract with a third-party custodian to fulfil the custodial function.

What are the regulatory requirements for custody of cryptos?

Starting in 2020, BaFin (Germany's Federal Financial Supervisory Authority) will require all entities that take custody of crypto assets, including digital securities, to hold a BaFin-issued license. BaFin defines crypto custody as the "holding, managing, or safekeeping of 'crypto-assets'". An entity that holds a traditional custodian license (such as a bank) cannot also hold a crypto custody license. See BaFin's own guidance for more information.

Why are so many blockchain wallets custodial?

Managing and securing private keys can be extremely challenging. They are impossible to memorise and difficult to store safely, and the risk of loss or theft is high. A lost key seed cannot be restored, so the assets in the associated wallet are lost with it, which makes for a bad user experience.

Many platforms turn to key management solutions to simplify their users’ experiences and help ensure private keys are securely stored. Usually, this involves storing the private key for the user. Since access to a user’s key also provides access to their assets, the key holder becomes a custodian of those assets and is thus subject to the licensure and regulatory requirements of being a custodian.

How is Upvest non-custodial?

Unlike custodial solutions, we never directly access a user’s private key. Instead, we provide key management as a technical service. Our cryptographic engine, the Upvest Enclave, immediately encrypts plaintext keys and seeds such that the user’s password is required in order to sign any transaction. Because the user must be involved in order to access their key (and therefore their assets), they are never required to give up control in the form of legal custodianship. Assets remain in their custody at all times. For more information on the Upvest Enclave, please visit our security page.

Do I need a custody license if I use Upvest’s wallet API?

No. A user password is always needed to access an Upvest wallet. Since we never store passwords, we never have access to the user’s funds, and neither do you. Because the user is involved every step of the way, they never relinquish legal custody of their assets, so no custodian—and therefore no custody license—is needed.

What happens if a user loses their password? How can it be reset without giving Upvest access to their wallet?

Lost password? No problem. You can easily help a user reset their credentials using the Upvest Recovery Kit. Our recovery kit stores encrypted metadata in a scannable, QR-code format that a user can safely store in plain sight. When the user sends you the information encrypted in the QR code, you can decrypt it using your public key, which sets into motion a chain of decryptions that allows the user to securely reset their credentials. As always, user input is required to initiate and continue the process, and plaintext private keys are never accessible to Upvest, you, or anyone else. For a more detailed explanation, please see our Recovery docs.

How do I know Upvest is compliant with regulatory requirements?

We’ve designed Upvest to be a technical solution that links your application to the blockchain rather than a wallet, exchange or other entity that engages in regulated activity. We’ve consulted with leading law firms to confirm our technical design and ensure that in keeping control with the user, our solution does not fall under definitions of regulated activity. To learn more, get in touch with our compliance team.

This page reflects compliance information as understood to the best of our ability. It is not intended to constitute legal advice.