Custody Rule Compliance for Onchain DeFi Asset Deployment
This post was also written by Nora Joyce, a Galaxy Legal Intern.
As investment activity increasingly moves onchain, registered investment advisers (“RIAs”) face growing tension between the federal custody framework and the operational realities of decentralized finance (“DeFi”). At the same time, RIAs remain subject to fiduciary obligations that require them to identify and pursue investment opportunities reasonably designed to benefit their clients, making a categorical avoidance of DeFi strategies difficult to justify with respect to clients who desire exposure to such strategies as part of an RIA’s investment thesis and mandate. Rule 206(4)-2 under the Investment Advisers Act of 1940 (“Advisers Act”), commonly known as the “Custody Rule,” was designed for a centralized financial system built around regulated intermediaries, conventional account structures, and custodial arrangements that regulators can readily observe and audit. Many DeFi strategies, however, require advisers to deploy assets directly onchain through smart contracts and cryptographic control mechanisms that do not align neatly with those assumptions. This mismatch has produced a widening compliance gap between the technical requirements of the Rule and the mechanics of modern on-chain investment activity.
The Story Behind the Custody Rule
The U.S. Securities and Exchange Commission (“SEC”) adopted the Custody Rule in 1962 to govern how RIAs safeguard client funds and securities, with the goal of mitigating the risk that advisers could misappropriate or misuse such assets. Over time, the SEC amended the Rule in response to systemic abuses and high-profile fraud, most notably in 2003 and 2009, when amendments expanded adviser obligations and introduced additional controls such as enhanced scrutiny of self-custody arrangements and surprise examinations. These reforms strengthened investor protection in traditional markets. The Custody Rule applies when an RIA, acting in its capacity as such, has custody of client funds or securities, which exists when the RIA holds such assets directly or has the authority to obtain possession of them.
The Rule imposes procedural and structural safeguards on the custody of client funds and securities, including maintaining such assets with a qualified custodian (“QC”) that the RIA reasonably believes will deliver account statements directly to clients at least quarterly, and subjecting holdings to independent verification through surprise examinations or audited financial statements for pooled investment vehicles. When an adviser or a related person serves in a custodial role, additional controls apply, including the requirement to obtain an annual internal control report prepared by an independent public accountant, which typically involves substantial ongoing audit, operational, and compliance expense.
Complying with the Custody Rule presents unique challenges for RIAs engaging with DeFi-native protocols and assets in pursuit of investment strategies on behalf of their clients. Digital assets exist as entries on decentralized ledgers, and custody therefore turns on who controls the ability to move or access those assets. Smart contract-based custody arrangements and multi-signature or multi-party computation (“MPC”) wallets often require multiple parties to authorize transactions, which complicates traditional concepts of ownership, control, and custody under the Rule.
The Current Landscape for Custody Rule Compliance
Many QCs, including both traditional and crypto-native providers, are unable or unwilling to support long-tail tokens, smart contract-native assets, or complex DeFi activities. Each digital asset may operate on a distinct blockchain with unique technical specifications, requiring bespoke development and ongoing support, passing costs along to RIAs and their clients in the form of custodial fees and rendering custody of such assets by a QC commercially infeasible or prohibitively expensive for RIAs.
RIAs must rely on MPC-based custody structures to manage cryptographic keys and transaction authorization in the absence of a QC for particular assets. MPC systems distribute signing authority across multiple independent parties and enforce quorum-based approvals, reducing single points of failure and the risk of unilateral asset transfers. While MPC provides strong security protections and operational resilience, it does not neatly satisfy the Custody Rule’s requirement that client funds and securities be managed by a QC. This misalignment reflects a broader structural tension between the Rule’s centralized custody assumptions and the decentralized architecture of many on-chain investment strategies.
The Rule does not permit advisers to self-custody client funds or securities, even where advisers employ robust technical safeguards, unless those assets are maintained with a QC. It therefore assumes that client assets can, as a practical matter, be held by an entity that meets the definition of a QC and can exercise control over those assets. For many DeFi-native instruments, that assumption does not hold. These assets are often uncertificated, recorded exclusively on decentralized ledgers, issued by protocols rather than legal entities, freely transferable through smart contracts, and lacking centralized registrars or transfer agents. Many such assets also remain too nascent to support timely or cost-effective integration by QCs. Because of these features, most DeFi-native assets do not qualify for existing Custody Rule exemptions.
The Structural Compliance Gap for RIAs in DeFi
These constraints create a structural compliance gap for advisers engaging in onchain DeFi strategies. The Custody Rule may deem an adviser to have custody based on its authority to effect transactions or withdrawals, while simultaneously rendering technical compliance infeasible because no QC can support the relevant assets or activities. In this setting, RIAs may face regulatory risk even when acting in good faith and implementing robust safeguards to protect client assets. At the same time, the Advisers Act imposes fiduciary duties requiring RIAs to act in their clients’ best interests, including by providing investment advice based on a reasonable understanding of the client’s objectives and a reasonable basis for the recommendation. For many clients, this may include pursuing investment strategies in DeFi markets. The practical question, then, is how a rules-based custody framework for onchain activity can preserve the investor protection objectives of the Custody Rule in a way that is compatible with DeFi.
Best Practices for RIAs in DeFi
Recent regulatory developments reflect growing recognition of this tension. Public statements by Commission leadership indicate an increased willingness to consider flexibility where advisers make good-faith efforts to comply with the Custody Rule but encounter structural barriers to technical adherence. In a June 2025 speech, SEC Chair Paul Atkins described crypto self-custody and direct participation in decentralized systems as a “foundational American value,” and emphasized that the Commission should adapt existing frameworks where they impose unnecessary costs or impede on-chain activity. He further noted that SEC staff has been directed to evaluate potential rulemaking and exemptive relief addressing crypto custody, self-custody models, and DeFi broadly. In the absence of tailored regulatory guidance, market participants have explored various practices to advance the investor protection objectives underlying the Custody Rule, including both technical controls and increased transparency.
For RIAs considering best practices when engaging in onchain DeFi activity where underlying assets cannot be held with a QC, the most effective approach typically pairs robust cryptographic key management and transaction authorization controls with governance structures that segregate transaction approval, system administration, and investment decision-making functions. Implemented through MPC-based custody arrangements, these controls distribute signing authority across multiple stakeholders and require quorum-based approvals, reducing concentration of control and limiting the ability of any individual to unilaterally transfer client assets. Adopted together, these controls establish a baseline framework for safeguarding client assets in onchain environments, ensuring that, while MPC may not satisfy the technical requirements of the Rule as currently drafted and applied, it allows RIAs to achieve the investor protection objectives underlying the Rule’s requirements.
Independent oversight can further strengthen custody frameworks where QC support is unavailable. Annual audits conducted by PCAOB-registered accounting firms, including verification of digital asset balances and review of custody controls and transaction workflows, can provide strong accountability for how client assets are held and managed. In onchain environments, the transparency of public blockchains allows for real-time visibility into asset balances and transfers, enabling more frequent monitoring and review between audit periods. Leveraged appropriately, this continuous observability can supplement periodic independent verification and enhance investor protection.
RIAs should also implement disciplined diligence processes for both self-custody providers (typically providing self-custodial technology on a software-as-a-service subscription basis) and the DeFi protocols to which client assets may be exposed. This includes evaluating cybersecurity, key management and operational controls, solvency and bankruptcy remoteness, credit risk, legal and regulatory compliance, the quality and scope of smart contract audits, governance structures, dependencies on third-party infrastructure, and the ability to promptly withdraw client assets from a protocol, as well as negotiating contractual protections in written agreements with such providers. Taken together, these practices help ensure that client assets are deployed in environments that are resilient, transparent, and consistent with the investor-protection objectives underlying the Custody Rule.
Moving Beyond Today’s Custody Rule Stalemate
While the SEC considers formal amendments to the Rule, RIAs remain in a quagmire: they must choose to either engage in on-chain strategies without certainty as to the permissibility of custodial arrangements or forgo providing clients with access to potentially attractive investment strategies. In the interim, advisers can best manage risk by adopting custody practices that protect client assets, promote transparency, and align as closely as possible with the principles underlying the Custody Rule, all while continuing to best serve their clients’ interests via access to emerging DeFi markets. By combining MPC-based key management, governance controls, investor-informed disclosures, robust diligence of self-custody providers and DeFi protocols, and independent audit oversight, advisers can develop custody frameworks that substantially fulfill the Rule’s investor protection objectives, even where strict technical compliance remains unattainable. This layered, risk-based approach reflects emerging best practices in digital asset management and offers a pragmatic path forward for advisers seeking to reconcile innovative on-chain investment strategies with longstanding fiduciary obligations.
©Copyright Galaxy Digital Inc. 2026. All rights reserved.