SEC Custody Framework for Tokenized Fund Assets
The SEC’s custody rules for investment companies and investment advisers form a critical regulatory layer that any tokenized ETF structure must satisfy. With $180 billion in digital assets now held by qualified custodians in the United States and the March 2025 rescission of Staff Accounting Bulletin No. 121 removing the most significant barrier to bank participation in digital asset custody, the infrastructure for tokenized fund custody is materializing faster than the regulatory framework can adapt.
Qualified Custodian Requirements Under Rule 206(4)-2
The Investment Advisers Act custody rule, Rule 206(4)-2, requires investment advisers to maintain client assets — including fund assets for advisers that manage registered investment companies — with qualified custodians. Qualified custodians include banks, registered broker-dealers, futures commission merchants, and certain foreign financial institutions.
For digital assets, the qualified custodian determination has been the single most contested regulatory question. The SEC’s position, articulated through enforcement actions and staff guidance rather than formal rulemaking, has been that entities must satisfy all traditional qualified custodian requirements plus demonstrate digital asset-specific safeguarding capabilities. State-chartered trust companies with fiduciary authority — such as Anchorage Digital Bank (federally chartered), BitGo Trust Company (South Dakota), and Coinbase Custody Trust Company (New York) — have established themselves as qualified custodians for digital assets.
The practical implications for tokenized ETFs are significant. Fund shares represented as blockchain tokens require custody solutions that maintain private key security, support the operational requirements of creation and redemption, and generate the audit evidence necessary for 40 Act compliance. Current qualified custodians holding tokenized fund shares use multi-signature wallets, hardware security modules (HSMs), and geographic distribution of key material to satisfy these requirements.
SAB 121 Rescission and Bank Custody Expansion
Staff Accounting Bulletin No. 121, issued in March 2022, required entities custodying crypto assets to record a liability and corresponding asset on their balance sheets. This accounting treatment effectively imposed punitive capital charges on banks holding digital assets, as the liabilities counted against capital adequacy ratios under Basel III framework requirements.
The rescission of SAB 121 in March 2025 eliminated this barrier. Major custody banks — BNY Mellon, State Street, JPMorgan, and Citigroup — had paused or limited digital asset custody expansion during SAB 121’s effective period. Post-rescission, these institutions are expanding digital asset custody capabilities, with BNY Mellon — which serves as fund-level custodian for BlackRock’s BUIDL ($2.01 billion AUM across 8 chains) — announcing support for tokenized fund shares on Ethereum and Polygon networks within 90 days of the rescission. BUIDL’s multi-custodian model (Anchorage Digital, BitGo, Coinbase, Copper, and Fireblocks) demonstrates the expanding qualified custodian ecosystem post-SAB 121.
The entry of major custody banks into tokenized fund custody addresses a critical gap identified by the Investment Company Institute. The ICI’s 2024 survey of fund sponsors found that 73% cited custody infrastructure as the primary obstacle to tokenized ETF launches, ahead of regulatory clarity (68%) and market demand (41%). With qualified custodians now able to hold tokenized fund shares without balance sheet penalties, this infrastructure constraint is rapidly dissolving.
Section 17(f) Compliance for On-Chain Fund Shares
Section 17(f) of the Investment Company Act imposes specific custody requirements on registered investment companies that supplement the general advisory custody rules. Fund assets must be held by custodians meeting the Act’s requirements, with the fund’s board approving custodial arrangements.
For tokenized ETF shares, Section 17(f) compliance requires that the custodian maintain exclusive control over the private keys governing the fund’s token smart contract. This presents a technical challenge: smart contract administration functions — such as minting new shares during creation events and burning shares during redemptions — require private key access that must be reconciled with custodial control requirements.
The emerging solution involves multi-party computation (MPC) key management, where custodial control is maintained through cryptographic key shares distributed across the custodian’s infrastructure. This approach satisfies the exclusive control requirement while enabling the operational flexibility needed for tokenized fund administration.
Custody of Underlying Portfolio Assets
Beyond fund share custody, tokenized ETFs holding digital asset portfolios face separate custody requirements for the underlying positions. A tokenized Bitcoin ETF, for example, requires qualified custody for both the tokenized fund shares (the wrapper) and the Bitcoin holdings (the underlying). These custody arrangements may involve different custodians, different key management protocols, and different regulatory requirements.
The SEC’s approval of spot Bitcoin ETFs in January 2024 established precedents for digital asset custody in registered fund structures. Coinbase Custody serves as the primary custodian for eight of the eleven approved spot Bitcoin ETFs, highlighting both the concentration risk and the institutional acceptance of digital asset custody solutions.
For tokenized ETFs holding traditional securities — where the fund structure is tokenized but the underlying assets are conventional equities or bonds — custody requirements are simpler. The underlying securities remain with traditional qualified custodians (BNY Mellon, State Street, etc.), while only the fund share layer requires digital asset custody infrastructure.
Insurance and Indemnification Requirements
The SEC has not issued specific insurance requirements for digital asset custody, but standard industry practice and fund board expectations require custodians to maintain insurance coverage for digital asset holdings. SOC 2 Type II certification, which verifies controls around security, availability, and confidentiality, has become the baseline standard for digital asset custodians serving registered funds.
Current insurance coverage for digital asset custody remains limited compared to traditional securities. Lloyd’s of London and specialized insurers provide coverage typically ranging from $100 million to $500 million per custodian, compared to SIPC coverage of $500,000 per customer for broker-dealer custody. This insurance gap represents a risk factor that fund boards must evaluate when approving tokenized fund custodial arrangements.
The DTCC’s role in settling tokenized ETF transactions adds an additional custody dimension. DTCC’s subsidiary, DTCC Digital Assets, is developing settlement infrastructure that could serve as an intermediary custody layer between fund-level custody and investor-level custody of tokenized fund shares.
International Custody Considerations
Tokenized ETFs operating across jurisdictions face custody requirements from multiple regulators. The FCA’s custody requirements for digital asset funds differ from SEC requirements, as do those of the Hong Kong SFC and Singapore MAS. Fund sponsors must ensure that custody arrangements satisfy the requirements of each jurisdiction where the fund operates or is distributed.
The comparison between US and EU custody requirements for tokenized funds reveals significant divergence in approach. The EU’s MiCA framework establishes specific custody requirements for crypto-asset service providers that differ from the SEC’s qualified custodian framework, creating compliance complexity for funds operating in both jurisdictions.
Regulatory Outlook
The SEC is expected to issue updated custody guidance specific to digital assets in 2026, potentially through rulemaking rather than staff guidance. The rescission of SAB 121, combined with increasing institutional demand for tokenized fund products, creates pressure for regulatory clarity that informal guidance cannot adequately provide.
Fund sponsors should monitor the SEC’s rulemaking agenda for custody-related proposals. In the interim, working with established qualified custodians that have digital asset capabilities — and documenting compliance with both Section 17(f) and Rule 206(4)-2 — provides the most defensible approach to tokenized ETF custody.
Custody Technology Standards and Best Practices
The SEC has not established prescriptive technology standards for digital asset custody, but industry best practices and examination expectations have coalesced around several requirements:
Key management architecture: Qualified custodians must demonstrate multi-layered key management that prevents single-point-of-failure compromise. Industry standards include: multi-party computation (MPC) distributing key shares across 3+ geographically separated facilities; hardware security modules (HSMs) meeting FIPS 140-2 Level 3 certification for key generation and storage; and threshold signature schemes requiring multiple approvals for transaction authorization. The qualified custodian analysis examines these technology standards in detail.
Disaster recovery and business continuity: Custodians must maintain disaster recovery plans specific to digital asset operations, including: backup key material in geographically diverse, physically secured facilities; procedures for key rotation in the event of suspected compromise; and business continuity plans addressing blockchain network outages, smart contract emergencies, and cybersecurity incidents. The SEC’s examination staff has increasingly focused on BCP adequacy for digital asset custodians.
SOC 2 Type II compliance: System and Organization Controls (SOC 2) Type II reports — which verify controls around security, availability, processing integrity, confidentiality, and privacy over a specified audit period — have become the minimum compliance standard for digital asset custodians serving registered funds. All major digital asset custodians (Coinbase Custody, BitGo, Anchorage, Fireblocks) maintain current SOC 2 Type II certifications.
Penetration testing and vulnerability assessment: Digital asset custodians undergo regular penetration testing by independent security firms, with results shared with fund boards as part of custodian due diligence. Testing scope includes: smart contract interaction security; API endpoint security; social engineering attack resistance; and physical security of key management facilities.
Custody Considerations for Specific Asset Types
Different tokenized fund portfolio compositions present distinct custody requirements:
Tokenized Treasury funds: Products like BUIDL and BENJI hold traditional US Treasury securities through conventional qualified custodians (BNY Mellon), with only the fund share layer tokenized. This dual-custody model — traditional custody for underlying assets, digital custody for fund tokens — represents the lowest-risk custody architecture for tokenized funds.
Spot crypto ETFs: Spot Bitcoin and Ethereum ETFs require qualified custody of the underlying crypto assets themselves. Coinbase Custody’s dominant position — custodying for 8 of 11 approved spot Bitcoin ETFs — creates concentration risk that the SEC has acknowledged but not directly addressed. The spot Bitcoin ETF custody analysis examines this concentration risk in detail.
Multi-asset tokenized ETFs: Funds holding both traditional securities and digital assets require coordinated custody across traditional and digital custodians. Portfolio rebalancing — selling tokenized equities and purchasing crypto assets, or vice versa — must flow through custody arrangements that maintain Investment Company Act compliance at all times during the settlement process.
DeFi-integrated funds: Funds participating in DeFi protocols face custody chain-of-control challenges when assets leave the custodian’s direct control and enter smart contract-governed protocols. The SEC has not formally addressed whether assets deposited in DeFi protocols remain within the custodian’s “possession or control” for purposes of Rule 15c3-3 and Section 17(f).
Emerging Regulatory Developments
Several regulatory developments will shape the custody landscape for tokenized funds in 2026-2027:
Proposed custody rule modernization: The SEC’s Spring 2026 regulatory agenda includes a proposed rulemaking to modernize custody requirements for digital assets. Expected provisions include: explicit qualified custodian standards for digital asset custody; technology-neutral key management requirements; insurance and bonding requirements specific to digital asset custody; and reporting requirements for digital asset custody operations.
OCC interpretive letters: The Office of the Comptroller of the Currency has issued interpretive letters confirming that national banks may provide digital asset custody services (Interpretive Letter 1170, July 2020) and may hold reserves for stablecoin issuers (Interpretive Letter 1174, September 2020). These OCC interpretations expand the universe of national banks eligible to serve as qualified custodians for tokenized fund assets.
State regulatory expansion: Several states — including Wyoming (through its SPDI charter), Nebraska (through its digital asset bank charter), and Texas (through its digital asset custody trust charter) — have created regulatory frameworks specifically for digital asset custody. State-chartered entities with fiduciary powers qualify as custodians under SEC rules, expanding the custody provider landscape beyond federally chartered institutions.
Comparison with EU Depositary Standards
The SEC’s qualified custodian framework and the EU’s UCITS depositary regime represent fundamentally different custody philosophies for tokenized fund assets. Under the UCITS Directive, the depositary performs three functions — safekeeping, cash flow monitoring, and oversight — creating a broader supervisory role than the SEC’s custody-focused approach. For tokenized fund assets, the EU depositary must verify the accuracy of DLT-based share registers and monitor on-chain cash flows, while the SEC’s qualified custodian must maintain “possession or control” of fund assets without equivalent oversight obligations.
MiCA’s full enforcement in July 2026 adds a CASP authorization layer for EU-based digital asset custodians, requiring operational resilience standards under DORA that have no direct US equivalent. ESMA’s custody standards for tokenized fund assets — published at esma.europa.eu — specify segregation requirements, key management standards, and insurance minimums that exceed current SEC qualified custodian requirements for digital assets. The BaFin Kryptoverwahrgeschaft licensing and France’s AMF CASP authorization represent national implementations of this EU framework.
The US-EU custody comparison examines these differences in detail. The FINRA broker-dealer requirements cover broker-dealer custody obligations distinct from fund-level custody. The broker-dealer infrastructure analysis examines how custody technology integrates with broker-dealer operational systems. The institutional investor guide covers custody due diligence for institutional allocators evaluating tokenized fund products. The SEC publishes custody rule guidance at sec.gov.
For inquiries regarding this analysis: info@etftokenisation.com