Custodial Treasury Security: Inventory & Controls Framework
Proper documentation and classification of custodial accounts is essential for institutional treasury security. This guide covers the security assessment, classification, and control frameworks for crypto assets held with third-party custodians.
Classification Process
Use this dual classification to determine appropriate security controls for each custodial account.
Step 1: Impact Assessment
Evaluate the consequences if this account is compromised or unavailable.
Financial Impact
Calculate the total value at risk in this account:
- Current market value of all assets held
- Include value of any active positions (e.g., staked assets, DeFi deposits)
Operational Impact
Assess the consequences if this account becomes unavailable:
- What specific operations require this account?
- Do you have a secondary custody account that can handle these operations?
- What is the financial impact if unavailable for 7 days?
Impact Classification
| Level | Financial Exposure | Operational Dependency |
|---|---|---|
| Low | <$100K | No critical operations depend on it |
| Medium | $100K - $1M | Important but alternative funding available |
| High | $1M - $10M | Critical operations, limited alternatives |
| Critical | >$10M | Business-critical, no alternatives for weeks |
Step 2: Operational Assessment
Evaluate how frequently and urgently this account must be accessed.
Transaction Frequency
Document typical transaction patterns:
- Transactions per month
- Typical transaction sizes
- Predictability of transaction timing
Access Urgency
Define response time requirements:
- What is the maximum acceptable delay for routine transactions?
- Are there scenarios requiring same-day execution?
- What are the consequences of 24-hour, 72-hour, or 7-day delays?
Coordination Requirements
Assess how transactions are executed:
- How many approvers are needed for typical transactions?
- Are transactions handled manually or through automated systems?
- Do approvers need to coordinate across timezones?
Note: Single-approver configurations should only be used for low-value operational accounts (<$10K) with additional compensating controls like strict spending limits and daily reconciliation.
Operational Classification
| Type | Frequency | Response Window | Example Use Cases |
|---|---|---|---|
| Cold Vault | <5 tx/month | 48-72 hours | Long-term reserves, infrequent rebalancing |
| Warm Storage | 5-50 tx/month | 4-24 hours | Scheduled payments, planned operations |
| Active Operations | >50 tx/month | <4 hours | Trading capital, frequent operational expenses |
| Time-Critical | Unpredictable | <2 hours | Collateral management, market-sensitive operations |
Step 3: Security Control Matrix
Combine impact and operational assessments to determine required controls.
| Use Case | Impact | Operational | Approvers | MFA Requirement | Whitelist Delay | Additional Controls |
|---|---|---|---|---|---|---|
| Primary Reserve (>$50M) | Critical | Cold Vault | 5-7 | Hardware mandatory | 72 hours | Geographic distribution |
| Secondary Reserve ($10M-$50M) | Critical | Cold Vault | 4-5 | Hardware mandatory | 48 hours | Geographic distribution |
| Active Treasury ($1M-$10M) | High | Warm Storage | 3-4 | Hardware mandatory | 24 hours | Daily reconciliation, velocity limits |
| Trading Capital | High | Active Ops | 3 | Hardware mandatory | None | Real-time monitoring, simulation required |
| DeFi Positions | Medium-High | Warm Storage | 3 | Hardware mandatory | 24 hours | Contract whitelist, position monitoring |
| Liquidation Protection | Medium-High | Time-Critical | 2 | Hardware required | None | Pre-approved destinations, automated alerts |
| Operational Wallet | Medium | Active Ops | 2 | Hardware required | 12 hours | Daily caps, weekly audit |
| Payments | Low | Active Ops | 2 | Standard TOTP | 6 hours | Per-tx cap, monthly aggregate limit |
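One way to apply Steps 1 to 3 in code, as an added example that is not part of the original guide: it derives both classifications and lists where a configured account falls short of its matrix row. Assumptions: the impact level is the higher of the financial and dependency columns, an amount on an ambiguous tier boundary takes the higher tier, and the function names and MFA labels are illustrative.

```python
IMPACT = ["Low", "Medium", "High", "Critical"]

def impact_level(exposure_usd, dependency):
    """Step 1. Assumption: overall level is the higher of the two table columns."""
    if exposure_usd > 10_000_000:
        financial = "Critical"
    elif exposure_usd >= 1_000_000:  # assumption: exactly $1M counts as High
        financial = "High"
    elif exposure_usd >= 100_000:
        financial = "Medium"
    else:
        financial = "Low"
    return max(financial, dependency, key=IMPACT.index)

def operational_type(tx_per_month, predictable=True):
    """Step 2. Unpredictable timing maps to Time-Critical regardless of volume."""
    if not predictable:
        return "Time-Critical"
    if tx_per_month < 5:
        return "Cold Vault"
    return "Warm Storage" if tx_per_month <= 50 else "Active Operations"

# Step 3 rows: use case -> (min approvers, hardware MFA required, whitelist delay in hours)
MATRIX = {
    "Primary Reserve": (5, True, 72),
    "Secondary Reserve": (4, True, 48),
    "Active Treasury": (3, True, 24),
    "Trading Capital": (3, True, 0),
    "DeFi Positions": (3, True, 24),
    "Liquidation Protection": (2, True, 0),
    "Operational Wallet": (2, True, 12),
    "Payments": (2, False, 6),
}

def control_gaps(use_case, approver_mfa, whitelist_delay_h):
    """Compare a configured account with its matrix row; return the shortfalls."""
    min_approvers, hw_required, min_delay = MATRIX[use_case]
    gaps = []
    if len(approver_mfa) < min_approvers:
        gaps.append(f"approvers {len(approver_mfa)} < {min_approvers}")
    soft = [name for name, mfa in approver_mfa.items() if mfa != "hardware"]
    if hw_required and soft:
        gaps.append("non-hardware MFA: " + ", ".join(sorted(soft)))
    if whitelist_delay_h < min_delay:
        gaps.append(f"whitelist delay {whitelist_delay_h}h < {min_delay}h")
    return gaps

if __name__ == "__main__":
    # Constructed sample account, not taken from the guide
    print(control_gaps("Active Treasury", {"alice": "hardware", "bob": "totp"}, 12))
```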
Step 4: Enhanced Controls for High-Risk Accounts
For Critical and High impact accounts, implement additional security layers beyond the baseline controls.
Transaction Verification
- Test transactions: Send at most $100 to a new address before executing the full transaction
- Multi-channel confirmation: Request via one channel, approve via separate channel
- Simulation requirement: All transactions must be simulated before execution
- Address verification: Verify new addresses against three independent sources
Access Security
- Hardware security keys (FIDO2/WebAuthn) mandatory for all approvers
- IP whitelisting with 24-hour change approval delay
- Device fingerprinting with new device approval process
- Session timeout and re-authentication for sensitive operations
- Dedicated credentials: Use separate email addresses and passwords exclusively for custody access, not shared with other corporate systems
Device Security
- Dedicated secure workstations for custody access only
- Network isolation on separate VLAN/segment
- VPN mandatory for all platform access
- Full disk encryption with automatic screen lock
- MDM-enforced security baseline with remote wipe capability
Documentation Templates
Registration Template
Use this template when initially documenting a custodial account.
CUSTODIAL ACCOUNT REGISTRATION
Account Name: [Descriptive name]
Custodian: [Provider name and legal entity]
Account ID: [Custodian reference number]
Network(s): [Bitcoin, Ethereum, etc.]
Registration Date: YYYY-MM-DD
Registered By: [Name]
CLASSIFICATION
Impact Level: [Low / Medium / High / Critical]
Operational Type: [Cold Vault / Warm Storage / Active Operations / Time-Critical]
Justification:
- Financial exposure: $XXX,XXX,XXX
- Operational dependency: [Description]
- Recovery time objective: [X hours/days]
ASSETS CONTROLLED
Asset | Network | Value | Purpose
--------|----------|-----------|------------------------------
BTC | Bitcoin | $XXX,XXX | [Reserve/Trading/Operations]
ETH | Ethereum | $XXX,XXX | [Reserve/Trading/Operations]
USDC | Ethereum | $XXX,XXX | [Reserve/Trading/Operations]
CUSTODY MODEL
Type: [Qualified Custodian / Co-managed / MPC Platform]
Key Management: [MPC 3-of-5 / Multi-sig 2-of-3 / HSM]
Key Control: [Custodian only / Co-managed / Client-controlled]
Recovery Capability: [Yes - describe / No]
INITIAL ACCESS SETUP
Primary Administrator: [Name, added YYYY-MM-DD]
Initial Approvers: [Names, added YYYY-MM-DD]
Note: Complete access details documented in Access Change Template
Note: Security configuration documented in Security Configuration Template
ATTESTATION
This account [meets / deviates from] security standards for its classification.
[If deviation: Explain gap and compensating controls]
CONTACTS
Security Owner: [Name, email, phone]
Backup Contact: [Name, email, phone]
Custodian Support: [Name, email, phone]
Last Updated: YYYY-MM-DD
Updated By: [Name]
Access Change Template
Use this template when modifying user access to a custodial account.
CUSTODIAL ACCOUNT ACCESS CHANGE
Account Name: [Name]
Custodian: [Provider]
Account ID: [Reference]
Change Date: YYYY-MM-DD
Changed By: [Name]
ACCESS MODIFICATIONS
Additions:
Name/Role | Access Level | MFA Method | Justification
----------|--------------|----------------|------------------------------
[Name] | [Approver] | [Hardware key] | [Reason for addition]
Removals:
Name/Role | Access Level | Removal Reason
----------|--------------|-------------------------------
[Name] | [Approver] | [Personnel change / Security / Other]
Permission Changes:
Name/Role | Old Level | New Level | Justification
----------|-----------|-----------|---------------------------
[Name] | [Initiator] | [Approver] | [Reason for elevation]
CURRENT ACCESS LIST (after changes)
Name/Role | Level | MFA Method | Device ID
----------|-----------|---------------|---------
[Name] | Admin | Hardware key | [ID]
[Name] | Approver | Hardware key | [ID]
[Name] | Approver | Hardware key | [ID]
[Name] | Initiator | TOTP | [ID]
VERIFICATION
[ ] All removed users confirmed deactivated in custodian platform
[ ] All new users completed MFA setup
[ ] Access permissions tested and verified
[ ] Emergency contacts updated
[ ] Documentation updated in [location]
APPROVALS
Requested By: _________________ Date: _______
Approved By: _________________ Date: _______
Security Review: _________________ Date: _______
Change Ticket: [Reference number if applicable]
Security Configuration Template
Use this template to document detailed security settings. Complete this after initial account registration.
CUSTODIAL ACCOUNT SECURITY CONFIGURATION
Account: [Name]
Custodian: [Provider]
Last Configuration Update: YYYY-MM-DD
Configured By: [Name]
AUTHENTICATION SETTINGS
Multi-Factor Authentication:
Role | Primary Method | Backup Method | Enrollment Status
Administrator | Hardware key + biometric | Hardware key + PIN | [Active]
Approver | Hardware key | TOTP + SMS | [Active]
Initiator | Hardware key or TOTP | SMS | [Active]
Viewer | TOTP | SMS | [Active]
Session Controls:
- Timeout: [X minutes]
- Re-auth required for: [High-value transactions, policy changes, user management]
- Concurrent sessions: [Allowed/Blocked]
ACCESS CONTROL
Current User List:
Name/Role | Level | MFA Method | Device ID | Added Date
----------|----------|--------------|----------|------------
[Name] | Admin | Hardware key | [ID] | YYYY-MM-DD
[Name] | Approver | Hardware key | [ID] | YYYY-MM-DD
[Name] | Approver | Hardware key | [ID] | YYYY-MM-DD
Note: Track all access changes using Access Change Template
Approval Thresholds:
Transaction Value | Required Approvers | Time Delay | Additional Requirements
<$10K | 1 | None | MFA only
$10K - $100K | 2 | 4 hours | MFA
$100K - $1M | 3 | 24 hours | Test transaction
>$1M | 4 | 48 hours | Multi-channel confirmation, test tx
Separation of Duties:
[ ] Initiators cannot approve own transactions
[ ] Admins cannot unilaterally execute withdrawals
[ ] Minimum [X] unique approvers required
NETWORK RESTRICTIONS
IP Whitelist:
XXX.XXX.XXX.XXX - [Office Location]
XXX.XXX.XXX.XXX - [VPN Range]
XXX.XXX.XXX.XXX - [Backup Location]
Change Approval: [24 hour delay / XX approvers required]
Emergency Override: [Process description]
VPN Requirement: [Mandatory / Optional]
Geographic Restrictions: [Blocked countries/regions]
Device Fingerprinting: [Enabled / Disabled]
TRANSACTION POLICIES
Address Whitelisting:
Status: [Enabled / Disabled]
Current Addresses: [XX addresses]
Addition Process: [XX approvers, YY hour delay]
Review Schedule: [Monthly / Quarterly]
Transaction Limits:
Limit Type | Amount | Override Process
------------------|----------|-----------------
Single Transaction | $XXX,XXX | [Authorization required]
Hourly Aggregate | $XXX,XXX | [Authorization required]
Daily Aggregate | $XXX,XXX | [Authorization required]
Weekly Aggregate | $XXX,XXX | [Authorization required]
Monthly Aggregate | $XXX,XXX | [Authorization required]
Time-Lock Settings:
Change Type | Delay Period
-------------------------------------|-------------
New address addition | XX hours
Policy modification | XX hours
High-value transaction (>$XXX,XXX) | XX hours
MONITORING & ALERTS
Real-Time Alerts:
Type | Enabled
---------------------------|--------
All outgoing transactions | [ ]
New device login | [ ]
Failed authentication attempts (>X) | [ ]
Policy violations | [ ]
Large transactions (>$XXX,XXX) | [ ]
Unusual access times | [ ]
New geographic location | [ ]
Alert Routing:
Severity | Contact | Method | Response Time
---------|------------------|-------------|--------------
Critical | [Name, phone] | SMS + Call | <15 min
High | [Name, phone] | SMS + Email | <1 hour
Medium | [Name, email] | Email | <4 hours
VERIFICATION
[ ] All settings tested and operational
[ ] Alert routing verified
[ ] User access confirmed
[ ] Documentation stored in [location]
Configured By: _________________ Date: _______
Reviewed By: _________________ Date: _______
Approved By: _________________ Date: _______
Quarterly Review Template
Use this template for regular security reviews of custodial accounts.
CUSTODIAL ACCOUNT QUARTERLY REVIEW
Account: [Name]
Custodian: [Provider]
Review Period: [Q1/Q2/Q3/Q4 YYYY]
Review Date: YYYY-MM-DD
Reviewed By: [Name]
ACCESS AUDIT
Current Users:
Name/Role | Level | Last Login | MFA Status | Action Required
[Name] | Admin | YYYY-MM-DD | Active | None
[Name] | Approver | YYYY-MM-DD | Active | None
[Name] | Approver | Never logged in | Inactive | Remove access
Access Changes This Quarter: [X additions, Y removals, Z modifications]
Findings:
[ ] All users still require current access level
[ ] No dormant accounts (>90 days inactive)
[ ] MFA functioning for all users
[ ] No unauthorized access detected
Actions Required:
- [List any access to be removed/modified]
- [List any policy updates needed]
TRANSACTION REVIEW
Transaction Volume:
- Total transactions: [X]
- Average per month: [Y]
- Largest transaction: $XXX,XXX
- Total outflow: $XXX,XXX
Pattern Analysis:
[ ] Transactions within expected parameters
[ ] No unusual transaction patterns detected
[ ] All large transactions properly authorized
[ ] Test transactions performed correctly
Anomalies Detected:
- [List any unusual activity or violations]
SECURITY CONFIGURATION
Whitelist Review:
- Current addresses: [X]
- Addresses added this quarter: [Y]
- Addresses to remove: [Z]
- Review complete: [Yes/No]
Spending Limits:
Current | Actual Usage | Status
Single: $XXX,XXX | Max: $XXX,XXX | [Appropriate / Adjust]
Daily: $XXX,XXX | Avg: $XXX,XXX | [Appropriate / Adjust]
Monthly: $XXX,XXX | Avg: $XXX,XXX | [Appropriate / Adjust]
Findings:
[ ] Limits appropriate for current usage
[ ] No limit breaches this quarter
[ ] IP whitelist current and accurate
[ ] Time-locks functioning properly
ALERT EFFECTIVENESS
Alerts This Quarter:
Type | Count | False Positive Rate
Critical | [X] | [Y%]
High | [X] | [Y%]
Medium | [X] | [Y%]
Response Times:
Severity | Target | Actual Average | Status
Critical | <15 min | [X min] | [Met/Missed]
High | <1 hour | [X min] | [Met/Missed]
Medium | <4 hours | [X hours] | [Met/Missed]
Findings:
[ ] Alert routing working correctly
[ ] Response times meeting SLAs
[ ] No missed critical alerts
Actions Required:
- [Adjust alert thresholds if needed]
- [Update contact information]
CUSTODIAN RELATIONSHIP
SOC Reports: [Current / Expired - date]
Security Incidents: [Any custodian-wide incidents this quarter]
Service Quality: [Any issues or concerns]
Communication: [Regular contact maintained]
RISK ASSESSMENT UPDATE
Classification Review:
Current: [Impact Level / Operational Type]
Still Appropriate: [Yes / No]
If No, Recommended Change:
New Classification: [Level / Type]
Justification: [Explain change in risk profile]
Asset Value Change: [% increase/decrease]
Operational Change: [Any significant changes in usage]
RECOMMENDATIONS
Security Improvements:
1. [Recommendation]
2. [Recommendation]
3. [Recommendation]
Operational Improvements:
1. [Recommendation]
2. [Recommendation]
ATTESTATION
This account [continues to meet / deviates from] security standards.
[If deviation: Describe and provide remediation plan]
APPROVALS
Reviewer: _________________ Date: _______
Security Officer: _________________ Date: _______
Treasury Lead: _________________ Date: _______
Next Review Due: YYYY-MM-DD
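The Approval Thresholds and Separation of Duties entries in the Security Configuration Template can be checked mechanically before a withdrawal is released. The following is an added example, not part of the original guide: it uses the template's sample threshold rows and assumes the time delay runs from initiation, that exactly $100K falls in the stricter tier, and that the function and user names are illustrative.

```python
from datetime import datetime, timedelta

def policy_for(amount_usd):
    """Return (required approvers, delay in hours) from the Approval Thresholds rows."""
    if amount_usd < 10_000:
        return 1, 0
    if amount_usd < 100_000:       # assumption: exactly $100K uses the stricter tier
        return 2, 4
    if amount_usd <= 1_000_000:
        return 3, 24
    return 4, 48

def violations(amount_usd, initiator, initiated_at, approvals, now):
    """approvals: list of (approver, approved_at). Returns reasons to block release."""
    need, delay_h = policy_for(amount_usd)
    found = []
    approvers = {name for name, _ in approvals}   # repeat approvals count once
    if initiator in approvers:
        found.append("initiator approved own transaction")
    independent = approvers - {initiator}
    if len(independent) < need:
        found.append(f"{len(independent)} unique approvers, {need} required")
    # Assumption: the delay is measured from the time the transaction was initiated
    release = initiated_at + timedelta(hours=delay_h)
    if now < release:
        found.append(f"time delay active until {release.isoformat()}")
    return found

if __name__ == "__main__":
    # Constructed sample request, not taken from the guide
    t0 = datetime(2024, 1, 1, 9, 0)
    approvals = [("dana", t0), ("erin", t0), ("erin", t0 + timedelta(hours=1))]
    for reason in violations(250_000, "dana", t0, approvals, t0 + timedelta(hours=2)):
        print(reason)
```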