Counterparty and custody risk in digital-asset strategies

In 2022, fund investors learned the difference between holding digital assets and being owed them. Customers of Celsius and FTX believed they had the first and discovered, in bankruptcy court, that the difference was decided by wallet architecture and terms of service — not by the word “custody” on a webpage. Crypto fund custody risk has since become a standard chapter of operational diligence. This brief lays out the post-2022 checklist and the regulatory map as it stands in early 2026 — less settled than most pitch decks imply.

The record from 2022 is a commingling record

The court-appointed examiner in the Celsius bankruptcy reported in November 2022 that the platform’s “Custody” program did not give customers segregated wallets. Deposits flowed first into commingled “Main” wallets, where traceability to individual customers was lost, with periodic manual transfers toward an aggregate target. The examiner concluded that customers faced uncertainty about which assets, if any, belonged to them as of the bankruptcy filing. At FTX, the second interim report of John J. Ray III, filed in June 2023, found the exchange had commingled customer deposits with corporate funds from inception, using them for corporate expenditures and insider benefit.

The lesson is structural, not moral. Wallet segregation, ledger traceability, and contract language decided outcomes. The diligence questions follow directly: omnibus or segregated wallets? Does the internal ledger keep an audit trail of each client’s beneficial interest? Can the custodian show, on chain, which assets correspond to the fund’s claim?

The legal relationship matters more than the label

In January 2023, in the immediate aftermath of FTX, the New York Department of Financial Services issued guidance on custodial structures for its licensed virtual-currency entities: take possession of customer assets solely for safekeeping, not creating a debtor-creditor relationship; do not commingle them with proprietary or non-customer assets; never use customer crypto to secure the custodian’s own obligations; and disclose the arrangement in writing, with acknowledgment, before the first transaction.

NYDFS updated that guidance in September 2025, carrying the same principles forward and tightening them: separate accounting of customer assets both on chain and on internal ledgers; omnibus wallets permitted only with clear audit trails of each customer’s beneficial interest; sub-custody arrangements requiring prior regulatory approval, for-benefit-of account titling, and segregation from both the custodian’s and the sub-custodian’s corporate assets.

The guidance binds only New York licensees and New York trust companies. Its diligence value is broader: it is the most explicit regulatory articulation of sound crypto custody, and a fund can hold any custodian — chartered anywhere — against it. Read the custody agreement itself for the legal relationship, rehypothecation rights, and liens. Celsius and FTX demonstrated that terms of service and operating practice, not labels, drive what happens in an insolvency.

Qualified custody remains unsettled in the United States

For SEC-registered advisers, the Custody Rule — Rule 206(4)-2, adopted in its current form in 2009 — requires a qualified custodian for client “funds and securities.” Crypto assets that are not securities sit awkwardly outside that phrase. The SEC’s 2023 Safeguarding Rule proposal would have closed the gap by extending custody requirements to all client assets, but the Commission withdrew it — the withdrawal was published in the Federal Register on June 17, 2025 — stating it does not intend to issue final rules and would re-propose if it acts again. As of early 2026, no adopted crypto-specific adviser custody rule exists.

What does exist is staff-level relief. A September 30, 2025 no-action letter from the Division of Investment Management permits registered advisers and registered funds to treat state-chartered trust companies as qualified custodians for crypto — conditioned on initial and annual due diligence covering state authorization, audited financials, and SOC reports; written custodial agreements with specified terms; and risk disclosure. It is relief, not a rule, and its conditions double as a diligence checklist for any trust-company custodian. Separately, SAB 122, published in January 2025, rescinded the prior guidance that had forced custodians to carry customer crypto on their own balance sheets, restoring conventional off-balance-sheet custody treatment.

The commodities side is thinner. NFA Compliance Rule 2-51, effective May 2023, imposes anti-fraud, anti-manipulation, and supervision duties on members engaged in digital asset commodity activities — but no qualified-custodian requirement for spot crypto. A diligence file on a CFTC-side strategy should state that gap plainly.

Jurisdiction decides which protections travel

Offshore, the Cayman regime matured on its own track. CIMA’s December 2024 rule for virtual-asset custodians and trading platforms requires client assets to be segregated from proprietary and group-entity assets and protected from third-party creditors, with per-client registers of positions, clearly identifiable segregated wallets, frequent reconciliation of internal ledger balances to on-chain balances, and key-management standards including a key compromise protocol tested annually. Trading platforms must advise clients of the option to use a third-party custodian and record that acknowledgment — a question worth borrowing for any fund leaving assets on a venue, Cayman or not. The licensing regime for custodians and platforms came into force on April 1, 2025.

None of these frameworks travels automatically. CIMA’s rules bind Cayman VASPs; NYDFS guidance binds New York licensees; the SEC staff position covers SEC-registered advisers. A Cayman fund using a U.S. custodian, or a U.S. fund trading on an offshore venue, inherits only what actually binds each counterparty. The first task in custody diligence is therefore a map: every venue and custodian the strategy touches, the regime that governs each, and what it does and does not require.

Proof of reserves is an attestation, not an audit

In March 2023, the PCAOB’s Office of the Investor Advocate published an advisory on proof-of-reserves reports: they are not audits, are not performed under PCAOB standards, and are not subject to PCAOB inspection. The procedures likely do not address the entity’s liabilities, the rights and obligations of asset holders, or whether assets were borrowed to inflate apparent reserves. They speak to a point in time, with no assurance assets were not lent or moved afterward, and none on internal controls. Its language was unambiguous: “exercise extreme caution.”

Treat a proof-of-reserves report as one data point, not a solvency conclusion. Ask whether liabilities were covered, ask for representations on borrowed assets, and ask what the counterparty’s audited financial statements show.

The checklist

Eight questions, each traceable to the record above: how much of the strategy sits on exchanges at any time, and why; omnibus versus segregated wallets, with a verifiable audit trail; custody versus debtor-creditor language in the agreements, and any rehypothecation rights; the custodian’s charter, SOC reports, and audited financials; the sub-custody chain, its approvals, and account titling; reconciliation cadence between internal ledgers and the chain; key-management protocols and independent security audits; and the precise scope of any proof-of-reserves work. The pattern across all eight is the same: documentation and structure decide outcomes, and every protection is jurisdiction-dependent. Verify what binds each counterparty, not what its marketing implies.

SetOne Labs pressure-tests custody and counterparty arrangements in digital-asset strategies for managers and the allocators evaluating them. To examine a custody map in confidence, begin a conversation.

SetOne Labs provides advisory services and general information. Nothing here is legal, tax, or investment advice.