
The Custody Architecture Divide: Why Most Crypto Custodians Can't Meet U.S. Banking Standards

Dora Noda
Software Engineer

Here's a paradox that should concern every institution entering crypto: some of the industry's most prominent custody providers — Fireblocks and Copper among them — cannot legally serve as qualified custodians under U.S. banking regulations, despite protecting billions in digital assets.

The reason? A fundamental architectural choice that seemed cutting-edge in 2018 now creates an insurmountable regulatory barrier in 2026.

The Technology That Divided the Industry

The institutional custody market split into two camps years ago, each betting on a different cryptographic approach to securing private keys.

Multi-Party Computation (MPC) splits a private key into encrypted "shards" distributed across multiple parties. No single shard ever contains the complete key. When transactions require signing, the parties coordinate through a distributed protocol to generate valid signatures without ever reconstructing the full key. The appeal is obvious: eliminate the "single point of failure" by ensuring no entity ever holds complete control.
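
The signing flow described above, as an added example that is not from the original article or from any custody vendor: each party generates its own additive key share, and a coordinator combines only public values into a standard Schnorr signature. The toy group parameters, the `Party` class and the function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration and far too small for real use:
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def challenge(R, y, msg):
    """Fiat-Shamir challenge e = H(R | y | msg) mod q."""
    data = f"{R}|{y}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Party:
    """One signer (hypothetical name). Its key share x_i never leaves this object."""
    def __init__(self):
        self._x = secrets.randbelow(Q - 1) + 1   # private key share x_i
        self.pub_share = pow(G, self._x, P)      # g^x_i, safe to publish
        self._k = None

    def nonce_commit(self):
        self._k = secrets.randbelow(Q - 1) + 1   # fresh nonce share per signature
        return pow(G, self._k, P)                # R_i = g^k_i

    def partial_sign(self, e):
        if self._k is None:
            raise RuntimeError("call nonce_commit() before each partial_sign()")
        s_i, self._k = (self._k + e * self._x) % Q, None   # nonce is single-use
        return s_i

def joint_public_key(parties):
    """y = product of g^x_i = g^(x_1 + ... + x_n); no one computes the sum itself."""
    y = 1
    for p in parties:
        y = y * p.pub_share % P
    return y

def mpc_sign(parties, y, msg):
    """Coordinator sees only public R_i and partial s_i, never an x_i or k_i."""
    R = 1
    for p in parties:
        R = R * p.nonce_commit() % P
    e = challenge(R, y, msg)
    return R, sum(p.partial_sign(e) for p in parties) % Q

def verify(y, msg, sig):
    """Ordinary single-key Schnorr check: g^s == R * y^e (mod p)."""
    R, s = sig
    return pow(G, s, P) == R * pow(y, challenge(R, y, msg), P) % P
```

Production threshold-signing protocols add steps this sketch omits, such as committing to nonce shares before revealing them and proving knowledge of each key share.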

Hardware Security Modules (HSMs), by contrast, store complete private keys inside FIPS 140-2 Level 3 or Level 4 certified physical devices. These aren't just tamper-resistant — they're tamper-responsive. When sensors detect drilling, voltage manipulation, or temperature extremes, the HSM instantly self-erases all cryptographic material before an attacker can extract keys. The entire cryptographic lifecycle — generation, storage, signing, destruction — occurs within a certified boundary that meets strict federal standards.

For years, both approaches coexisted. MPC providers emphasized the theoretical impossibility of key compromise through single-point attacks. HSM advocates pointed to decades of proven security in banking infrastructure and unambiguous regulatory compliance. The market treated them as equally viable alternatives for institutional custody.

Then regulators clarified what "qualified custodian" actually means.

FIPS 140-3: The Standard That Changed Everything

The Federal Information Processing Standards don't exist to make engineers' lives difficult. They exist because the U.S. government learned — through painful, classified incidents — exactly how cryptographic modules fail under adversarial conditions.

FIPS 140-3, which superseded FIPS 140-2 in March 2019, establishes four security levels for cryptographic modules:

Level 1 requires production-grade equipment and externally tested algorithms. It's the baseline — necessary but insufficient for protecting high-value assets.

Level 2 adds requirements for physical tamper-evidence and role-based authentication. Attackers might successfully compromise a Level 2 module, but they'll leave detectable traces.

Level 3 demands physical tamper-resistance and identity-based authentication. Private keys can only enter or exit in encrypted form. This is where the requirements become expensive to implement and impossible to fake. Level 3 modules must detect and respond to physical intrusion attempts — not just log them for later review.

Level 4 enforces tamper-active protections: the module must detect environmental attacks (voltage glitches, temperature manipulation, electromagnetic interference) and immediately destroy sensitive data. Multi-factor authentication becomes mandatory. At this level, the security boundary can resist nation-state attackers with physical access to the device.

For qualified custodian status under U.S. banking regulations, HSM infrastructure must demonstrate at minimum FIPS 140-2 Level 3 certification. This isn't a suggestion or best practice. It's a hard requirement enforced by the Office of the Comptroller of the Currency (OCC), Federal Reserve, and state banking regulators.

Software-based MPC systems, by definition, cannot achieve FIPS 140-2 or 140-3 certification at Level 3 or above. The certification applies to physical cryptographic modules with hardware tamper-resistance — a category that MPC architectures fundamentally don't fit.

The Fireblocks and Copper Compliance Gap

Fireblocks Trust Company operates under a New York State trust charter regulated by the New York Department of Financial Services (NYDFS). The company's infrastructure protects over $10 trillion in digital assets across 300 million wallets — a genuinely impressive achievement that demonstrates operational excellence and market confidence.

But "qualified custodian" under federal banking law is a specific term of art with precise requirements. National banks, federal savings associations, and state banks that are members of the Federal Reserve System are presumptively qualified custodians. State trust companies can achieve qualified custodian status if they meet the same requirements — including HSM-backed key management that satisfies FIPS standards.

Fireblocks' architecture relies on MPC technology on the backend. The company's security model splits keys across multiple parties and uses advanced cryptographic protocols to enable signing without key reconstruction. For many use cases — especially high-velocity trading, cross-exchange arbitrage, and DeFi protocol interactions — this architecture offers compelling advantages over HSM-based systems.

But it doesn't meet the federal qualified custodian standard for digital asset custody.

Copper faces the same fundamental constraint. The platform excels at providing fintech companies and exchanges with fast asset movement and trading infrastructure. The technology works. The operations are professional. The security model is defensible for its intended use cases.

Neither company uses HSMs on the backend. Both rely on MPC technology. Under current regulatory interpretations, that architectural choice disqualifies them from serving as qualified custodians for institutional clients subject to federal banking oversight.

The SEC confirmed in recent guidance that it will not recommend enforcement action against registered advisers or regulated funds that use state trust companies as qualified custodians for crypto assets — but only if the state trust company is authorized by its regulator to provide custody services and meets the same requirements that apply to traditional qualified custodians. That includes FIPS-certified HSM infrastructure.

This isn't about one technology being "better" than another in absolute terms. It's about regulatory definitions that were written when cryptographic custody meant HSMs in physically secured facilities, and haven't been updated to accommodate software-based alternatives.

Anchorage Digital's Federal Charter Moat

In January 2021, Anchorage Digital Bank became the first crypto-native company to receive a national trust bank charter from the OCC. Five years later, it remains the only federally chartered bank focused primarily on digital asset custody.

The OCC charter isn't just a regulatory achievement. It's a competitive moat that becomes more valuable as institutional adoption accelerates.

Clients using Anchorage Digital Bank have their assets custodied under the same federal regulatory framework that governs JPMorgan Chase and Bank of New York Mellon. This includes:

  • Capital requirements designed to ensure the bank can absorb losses without threatening customer assets
  • Comprehensive compliance standards enforced through regular OCC examinations
  • Security protocols subject to federal banking oversight, including FIPS-certified HSM infrastructure
  • SOC 1 and SOC 2 Type II certification confirming effective internal controls

The operational performance metrics matter too. Anchorage processes 90% of transactions in under 20 minutes — competitive with MPC-based systems that theoretically should be faster due to distributed signing. The company has built custody infrastructure that institutions including BlackRock selected for spot crypto ETF operations, a vote of confidence from the world's largest asset manager launching regulated products.

For regulated entities — pension funds, endowments, insurance companies, registered investment advisers — the federal charter resolves a compliance problem that no amount of innovative cryptography can solve. When regulations require qualified custodian status, and qualified custodian status requires HSM infrastructure validated under FIPS standards, and only one crypto-native bank operates under direct OCC supervision, the custody decision becomes straightforward.

The Hybrid Architecture Opportunity

The custody technology landscape isn't static. As institutions recognize the regulatory constraints on pure MPC solutions, a new generation of hybrid architectures is emerging.

These systems combine FIPS 140-2 validated HSMs with MPC protocols and biometric controls for multi-layered protection. The HSM provides the regulatory compliance foundation and physical tamper-resistance. MPC adds distributed signing capabilities and eliminates single points of compromise. Biometrics ensure that even with valid credentials, transactions require human verification from authorized personnel.

Some advanced custody platforms are now "temperature agnostic": they can dynamically allocate assets across cold storage (HSMs in physically secured facilities), warm storage (HSMs with faster access for operational needs), and hot wallets (for high-velocity trading where milliseconds matter and regulatory requirements are less stringent).

This architectural flexibility matters because different asset types and use cases have different security-versus-accessibility trade-offs:

  • Long-term treasury holdings: Maximum security in cold storage HSMs at FIPS Level 4 facilities, with multi-day withdrawal processes and multiple approval layers
  • ETF creation/redemption: Warm storage HSMs that can process institutional-scale transactions within hours while maintaining FIPS compliance
  • Trading operations: Hot wallets with MPC signing for sub-second execution where the custody provider operates under different regulatory frameworks than qualified custodians

The key insight is that regulatory compliance isn't binary. It's context-dependent based on the type of institution, the assets being held, and the regulatory regime that applies.

NIST Standards and 2026's Evolving Landscape

Beyond FIPS certification, the National Institute of Standards and Technology (NIST) has emerged as the cybersecurity benchmark for digital asset custody in 2026.

Financial institutions offering custody services increasingly must meet operational requirements aligned with the NIST Cybersecurity Framework 2.0. This includes:

  • Continuous monitoring and threat detection across custody infrastructure
  • Incident response playbooks tested through regular tabletop exercises
  • Supply chain security for hardware and software components in custody systems
  • Identity and access management with least-privilege principles

Fireblocks' framework aligns with NIST CSF 2.0 and provides a model for banks operationalizing custody governance. The challenge is that NIST compliance, while necessary, isn't sufficient for qualified custodian status under federal banking law. It's a cybersecurity baseline that applies across custody providers — but doesn't resolve the underlying FIPS certification requirement for HSM infrastructure.

As crypto custody regulations mature in 2026, we're seeing clearer delineation between different regulatory tiers:

  • OCC-chartered banks: Full federal banking oversight, qualified custodian status, HSM requirements
  • State-chartered trust companies: NYDFS or equivalent state regulation, potential qualified custodian status if HSM-backed
  • Licensed custody providers: Meet state licensing requirements but don't claim qualified custodian status
  • Technology platforms: Provide custody infrastructure without directly holding customer assets in their own name

The regulatory evolution isn't making custody simpler. It's creating more specialized categories that match security requirements to institutional risk profiles.

What This Means for Institutional Adoption

The custody architecture divide has direct implications for institutions allocating to digital assets in 2026:

For registered investment advisers (RIAs), the SEC's custody rule requires client assets to be held by qualified custodians. If your fund structure requires qualified custodian status, MPC-based providers — regardless of their security properties or operational track record — cannot satisfy that regulatory requirement.

For public pension funds and endowments, fiduciary standards often require custody at institutions that meet the same security and oversight standards as traditional asset custodians. State banking charters or federal OCC charters become prerequisites, which dramatically narrows the field of viable providers.

For corporate treasuries accumulating Bitcoin or stablecoins, the qualified custodian requirement may not apply — but insurance coverage does. Many institutional-grade custody insurance policies now require FIPS-certified HSM infrastructure as a condition of coverage. The insurance market is effectively enforcing hardware security module requirements even where regulators haven't mandated them.

For crypto-native firms — exchanges, DeFi protocols, trading desks — the calculus differs. Speed matters more than regulatory classification. The ability to move assets across chains and integrate with smart contracts matters more than FIPS certification. MPC-based custody platforms excel in these environments.

The mistake is treating custody as a one-size-fits-all decision. The right architecture depends entirely on who you are, what you're holding, and which regulatory framework applies.

The Path Forward

By 2030, the custody market will likely have bifurcated into distinct categories:

Qualified custodians operating under OCC federal charters or equivalent state trust charters, using HSM infrastructure, serving institutions subject to strict fiduciary standards and custody regulations.

Technology platforms leveraging MPC and other advanced cryptographic techniques, serving use cases where speed and flexibility matter more than qualified custodian status, operating under money transmission or other licensing frameworks.

Hybrid providers offering both HSM-backed qualified custody for regulated products and MPC-based solutions for operational needs, allowing institutions to allocate assets across security models based on specific requirements.

The question for institutions entering crypto in 2026 isn't "which custody provider is best?" It's "which custody architecture matches our regulatory obligations, risk tolerance, and operational needs?"

For many institutions, that answer points toward federally regulated custodians with FIPS-certified HSM infrastructure. For others, the flexibility and speed of MPC-based platforms outweigh the qualified custodian classification.

The industry's maturation means acknowledging these trade-offs rather than pretending they don't exist.

As blockchain infrastructure continues evolving toward institutional standards, reliable API access to diverse networks becomes essential for builders. BlockEden.xyz provides enterprise-grade RPC endpoints across major chains, enabling developers to focus on applications rather than node operations.
