SEC Releases Investor Bulletin on Crypto Wallet and Custody Basics

The U.S. Securities and Exchange Commission (SEC), through its Office of Investor Education and Advocacy, released a detailed Investor Bulletin on "Crypto Asset Custody Basics for Retail Investors" on Friday, December 12, 2025. This move is widely seen by the crypto community as a significant shift in the regulator's stance, emphasizing investor education and risk disclosure rather than just enforcement, recognizing the increasing exposure of retail investors to digital assets.
Key Focus Areas of the SEC Guidance
The SEC's guide focuses on clarifying the fundamental concept of custody and the trade-offs between the two major models: Self-Custody and Third-Party Custody. The core concept highlighted by the SEC is that a crypto wallet does not store the crypto assets themselves, but rather the "private keys" or passcodes needed to access and transact with the assets on the blockchain. The guidance warns that the loss of a private key results in permanent, irretrievable loss of access to the crypto assets, and the compromise of a private key leads to the permanent theft of assets with virtually no recourse.

The SEC provides a clear comparison between the two main types of wallet storage, emphasizing the security-convenience trade-off. Hot Wallets (Online Storage), which are software or web-based wallets connected to the internet, offer convenience but carry a higher risk of hacking, phishing, and cybersecurity threats. In contrast, Cold Wallets (Offline Storage), which use physical devices or paper backups to store private keys entirely offline, offer stronger protection against online threats but carry the risk of physical loss, theft, damage, or permanent loss of assets if the device or paper key is lost.
Self-Custody vs. Third-Party Custody
The bulletin advises investors to weigh the benefits and drawbacks of managing their own keys versus relying on a service provider. With Self-Custody, the investor has sole control and full responsibility for security, backup, and technical setup, with the primary risks being the loss of private keys, hacking due to poor security practices, and human error. Conversely, in Third-Party Custody, a service provider (like an exchange or qualified custodian) holds the keys, exposing the investor to counterparty risk (custodian failure, bankruptcy, or fraud) and the hacking of the custodian's systems.

For investors who choose a third-party service, the SEC urges detailed due diligence and poses critical questions. Investors must ask if the custodian engages in "rehypothecation" (lending out client assets for its own purposes) and whether consent is required. They must also determine if the custodian commingles client assets in a single pool or holds them in segregated customer accounts, as commingling can increase investor losses if the custodian fails. Finally, the SEC stresses the importance of understanding the custodian's safeguards, including how and where assets are stored (hot or cold storage) and the types of physical and cyber security protocols in place, along with the contingency plan if the custodian is hacked, shuts down, or goes bankrupt, and whether they provide insurance and its terms.

The release of this educational guidance coincides with a broader regulatory shift, following the SEC's recent approval of a tokenization pilot by the DTCC and remarks from SEC Chair Paul Atkins indicating a pivot toward supporting the integration of traditional finance and blockchain technology.

