Latham & Watkins Discusses New SEC Clarity on the Custody of Cryptoasset Securities

Zachary Fallon, Stephen P. Wink, Naim Culhaci and Deric Behar

16 hours ago

Key Points:

The 2025 Crypto Custody Statement clarifies how broker-dealers can maintain “physical possession” of cryptoasset securities under the Customer Protection Rule, although does not provide further clarity on how broker-dealers can establish “control.”
Private key protection is crucial, ensuring broker-dealers maintain exclusive control over digital asset securities held in custody.
If material security or operational risks are identified with the distributed ledger technology and associated network used to access and transfer a specific digital asset security, broker-dealers must likely refrain from maintaining custody of that digital asset security through that network.

Introduction

On December 17, 2025, the Securities and Exchange Commission (Commission or SEC) Division of Trading and Markets (the Staff) issued a statement [1] (the 2025 Crypto Custody Statement) on the application of the “possession” requirements of Rule 15c3-3 under the Securities Exchange Act of 1934 (the Customer Protection Rule) to fully paid and excess margin digital asset securities.[2] The Staff continues to advance a clearer treatment of broker-dealer custody as it relates to digital assets in general, and digital asset securities in particular.

Digital Asset Custody by Broker-Dealers: Recent SEC and Staff Developments

Paragraph (b)(1) of the Customer Protection Rule requires broker-dealers to obtain and maintain “the physical possession or control of all fully-paid securities and excess margin securities carried by a broker or dealer for the account of customers.”

Under previous guidance, broker-dealers were effectively curtailed from custodying digital asset securities. On July 8, 2019, the Staff, along with the Office of General Counsel of the Financial Industry Regulatory Authority, Inc. (FINRA) issued a joint statement (the 2019 Joint Statement)[3] that interpreted “control” in the digital asset context to mean “exclusive” control.[4] The 2019 Joint Statement — along with a December 23, 2020 Commission statement on the Custody of Digital Asset Securities by Special Purpose Broker-Dealers,[5] which, among other things, required that broker-dealers custodying digital asset securities not engage in any traditional securities activity — did not offer conclusive clarity on a custodial arrangement that would be considered compliant with the Customer Protection Rule.

On May 15, 2025, the Staff and FINRA withdrew the 2019 Joint Statement. The withdrawal of the 2019 Joint Statement cleared the way for the Staff to issue a set of FAQs (the Crypto FAQs) on the same day, addressing broker-dealer and transfer agent engagement with digital assets and blockchain. In particular, the Staff noted that paragraph (b) of the Customer Protection Rule (Physical possession or control of securities) does not apply to digital assets that are not securities. The Crypto FAQs also stated that a broker-dealer can establish control of a digital asset that is a security via paragraph (c) of the Customer Protection Rule (Control of securities) (e.g., the custody or control of a bank), and the Staff “will not object if a digital asset security is not in certificated form when held at an otherwise qualifying control location under paragraph (c).” For more information on the withdrawal of the 2019 Joint Statement and the Crypto FAQs, see this Latham blog post.

The Crypto FAQs represented an incremental step forward (to echo Commissioner Hester M. Peirce’s description) in providing the much-needed interpretive guidance lacking in the 2019 Joint Statement.

The 2025 Crypto Custody Statement

Building on the May 2025 withdrawal of the 2019 Joint Statement and publication of the Crypto FAQs, the Staff provided further clarity in the 2025 Crypto Custody Statement, specifically concerning the “physical possession” prong of paragraph (b)(1) of the Customer Protection Rule. For purposes of paragraph (b)(1) of the Customer Protection Rule, the Staff will not object if a broker-dealer deems itself to have obtained physical possession of a digital asset security if the broker-dealer:

Has access to the digital asset security and the ability to transfer it on the associated distributed ledger technology
Establishes, maintains, and enforces policies and procedures to assess (and document) various critical aspects of the digital asset security’s distributed ledger technology and its associated network (including all “protocols and any smart contracts or applications integral to the operation of the digital asset security”) prior to seeking to obtain possession of the digital asset security
- The assessment is intended to identify and mitigate “significant weaknesses or other operational issues with the distributed ledger technology and associated network that could affect the broker-dealer’s possession,” and may consider protocol governance, performance, transaction speed, scalability, resiliency, security, extensibility, visibility, etc.
Is not aware of any material security or operational problems or weaknesses with the digital asset security’s distributed ledger technology and associated network, or other material risks posed to the broker-dealer’s business by obtaining possession and custodying the digital asset security
- The Staff notes that “other material risks” must arise from the possession of the digital asset security and expressly excludes “other potential risks such as market or reputational risk.”
- While the Staff does not prescribe the steps a broker-dealer should take in the event of discovering material security or operational problems or weaknesses with the digital asset security’s distributed ledger technology and associated network, the broad language suggests that a broker-dealer should not undertake to maintain continued custody of a digital asset security in such case.
Establishes, maintains, and enforces policies, procedures, and controls to prevent theft, loss, or unauthorized or accidental use of the private keys necessary to access and transfer the digital asset security, “consistent with industry best practices”
Establishes, maintains, and enforces policies, procedures, and arrangements to:

- identify the steps it will take in the wake of events that could compromise its possession of the digital asset securities (including blockchain malfunctions, 51% attacks, hard forks, or airdrops);
- allow for the broker-dealer to comply with a lawful order as to seizing, freezing, burning, or prevention of transfer of the cryptoasset securities; and
- allow for the transfer of the cryptoasset securities to another broker-dealer, trustee, receiver, liquidator, etc., in the event the broker-dealer is wound down or liquidated.

Conclusion

While somewhat limited in its scope (addressing only the “possession” prong of the Customer Protection Rule, and not the “control” prong), the 2025 Crypto Custody Statement represents a meaningful evolution from prior SEC and Staff approaches centered on narrow special-purpose structures or the more restrictive control prong of the Customer Protection Rule. By streamlining requirements and emphasizing operational security and risk mitigation, the Staff has potentially lowered the barrier for broker-dealers to participate in the crypto custody market safely and compliantly.

At the same time, questions remain regarding how, in situations where a third-party rather than the broker-dealer physically possesses the digital asset security, such third-party can be deemed a “good control location” and thus satisfy the control requirement under Rule 15c3-3(c). As things stand, broker-dealers will be required to fit digital asset securities into the existing “good control location” framework under Rule 15c3-3(c), including by seeking bespoke relief from the SEC in connection with any control locations that are not listed therein.

ENDNOTES

[1] Like all Staff pronouncements, the statement includes a disclaimer that it represents the views of the Staff and not the Commission itself. It is not a rule, regulation, or Commission statement; has no legal force or effect; and does not create new or additional obligations on any market participant.

[2] Including tokenized equity or debt securities.

[3] For more information on the 2019 Joint Statement, see this Latham blog post.

[4] The Staff held at the time that maintaining a digital asset’s private key may not evidence exclusive control, as another party could have a copy of the private key and transfer the digital asset security without consent.

[5] The December 23, 2020 Commission statement on the Custody of Digital Asset Securities by Special Purpose Broker-Dealers (for more information, see this Latham blog post) was expressly time-limited to five years, and expired by its own terms on December 23, 2025.

This post is based on a Latham & Watkins LLP memorandum, “SEC Staff Provides Clarity on the Custody of Cryptoasset Securities,” dated January 14, 2026, and available here.