NY DFS Guidance on Virtual Currency Custody and Customer Protection
Summary
The New York State Department of Financial Services has issued updated guidance on virtual currency custody and customer protection, replacing its 2023 guidance. The updated guidance provides further direction on sub-custody arrangements and emphasizes sound custody and disclosure practices to protect customers in the event of insolvency.
What changed
The New York State Department of Financial Services (DFS) has issued updated guidance concerning virtual currency custody structures, effective immediately, replacing its January 23, 2023 guidance. This updated guidance, issued by Superintendent Adrienne A. Harris, provides enhanced direction, particularly regarding sub-custodian arrangements, while reinforcing the critical importance of sound custody and disclosure practices to safeguard customers in insolvency scenarios. The guidance emphasizes that customers' equitable and beneficial interests must always be preserved.
Entities licensed under 23 NYCRR Part 200 or chartered as Limited Purpose Trust Companies that custody virtual currency assets must review and adhere to these updated standards. Key areas of focus include the segregation and separate accounting of customer virtual currency, the limited interest and use of customer virtual currency by custodians, sub-custody arrangements, and customer disclosures. Compliance with these updated standards is crucial to ensure customer protection and maintain trust in the virtual currency market.
What to do next
- Review updated guidance on virtual currency custody and customer protection.
- Ensure segregation and separate accounting for customer virtual currency.
- Verify compliance with sub-custody arrangement requirements and customer disclosure standards.
Source document (simplified)
Industry Letter
TO: Entities Licensed Under 23 NYCRR Part 200 or Chartered as Limited Purpose Trust Companies Under the New York Banking Law That Custody Virtual Currency Assets
FROM: Adrienne A. Harris, Superintendent of Financial Services
RE: Updated Guidance on Custodial Structures for Customer Protection in the Event of Insolvency
DATE: September 30, 2025
The New York State Department of Financial Services (the “Department”) is issuing this guidance (“Guidance”) to update and replace, effective immediately, the January 23, 2023, “Guidance on Custodial Structures for Customer Protection in the Event of Insolvency” (“2023 Guidance”). This Guidance provides additional direction, particularly with regard to sub-custodians, while continuing to emphasize sound custody and disclosure practices to protect customers in the event of an insolvency or similar proceeding. Like the 2023 Guidance, this Guidance also emphasizes the paramount importance of equitable and beneficial interest always remaining with the customer.
The demand for virtual currency custody services continues to grow across both retail and institutional customer segments. Custody services include, without limitation, storing, holding, or maintaining custody or control of virtual currency on behalf of others. 1 As stewards of others’ assets, virtual currency entities (“VCEs”) 2 that act as custodians (“VCE Custodians”) play an important role in the financial system and, therefore, a comprehensive and safe regulatory framework is vital to protecting customers and preserving trust. As the prudential regulator of entities engaged in virtual currency business activity in New York and with New Yorkers under the nation’s first comprehensive virtual currency regulatory framework, 3 the Department considers customer protection of the utmost importance.
New York’s virtual currency regulation, 23 NYCRR Part 200, requires BitLicensees to do the following, among other things: hold virtual currency in a manner that protects customer assets; maintain comprehensive books and records; properly disclose the material terms and conditions associated with their products and services, including custody services; and refrain from making any false, misleading, or deceptive representations or omissions in their marketing materials. 4 DFS places analogous requirements on New York State limited purpose trust companies that engage in virtual currency business activity. 5
This Guidance is intended to offer greater clarity regarding standards and practices that, in the Department’s view, will help to ensure that VCE Custodians are structuring their asset custody framework to protect the interests of their customers. 6 Specifically, this Guidance focuses on customer protection relating to:
I. Segregation of and Separate Accounting for Customer Virtual Currency;
II. VCE Custodians’ Limited Interest in and Use of Customer Virtual Currency;
III. Sub-Custody Arrangements; and
IV. Customer Disclosure.
I. Segregation of and Separate Accounting for Customer Virtual Currency
To custody customer virtual currency properly and maintain appropriate books and records, a VCE Custodian is expected to separately account for and segregate customer virtual currency from the corporate assets of the VCE Custodian and its affiliated entities, both on-chain and on the VCE Custodian’s internal ledger accounts. 7
Customer virtual currency should be maintained in either (i) separate on-chain wallets and internal ledger accounts for each customer under that customer’s name or (ii) one or more omnibus on-chain wallets and internal ledger accounts that contain only virtual currency of customers held under the VCE Custodian’s name as agent or trustee for the benefit of those customers. Where a VCE Custodian chooses to hold customer virtual currency in an omnibus account, the VCE Custodian should maintain appropriate records and maintain a clear internal audit trail to identify customer virtual currency and account for all customer transactions, so that each individual customer’s beneficial interest is always evident and up-to-date. Accordingly, VCE Custodians should have clearly documented policies and procedures to evidence that these safeguards are in place. VCE Custodians should also be prepared at all times to demonstrate reconciliation between the VCE’s books and records and on-chain activity upon request from the Department, whether such request is made as part of ongoing monitoring, routine onsite examination, or otherwise.
As discussed below in Part IV, the VCE Custodian should clearly and prominently disclose the manner in which the VCE Custodian segregates and accounts for customer virtual currency.
II. VCE Custodians’ Limited Interest in and Use of Customer Virtual Currency
When a customer transfers possession of an asset to a VCE Custodian for the purposes of safekeeping, the Department expects that the VCE Custodian will take possession only for the limited purpose of carrying out custody and safekeeping services, and that it will not thereby establish a debtor-creditor relationship with the customer. The Department expects VCE Custodians to structure their custodial arrangements in a manner that preserves the customer’s equitable and beneficial interest in the customer’s virtual currency. A VCE Custodian should treat customer virtual currency in its possession or control as belonging solely to customers and should not employ customer virtual currency for the VCE Custodian’s own use. For example, a VCE Custodian should not use customer virtual currency to secure or guarantee an obligation of, or extend credit to, the VCE Custodian or any other person except the customer. 8 Further, VCE Custodians are expected to act upon the instructions of their customers or authorized representatives and not to acquire general discretion over custodied assets beyond those terms clearly expressed in the VCE Custodian’s customer agreement, as further described below.
III. Sub-Custody Arrangements
A VCE Custodian may elect, after appropriate due diligence, to arrange for the safekeeping of customer virtual currency through a sub-custody arrangement with a third party, so long as that arrangement is consistent with this Guidance. The Department views the establishment of any new sub-custody or third-party arrangement as a material change to a VCE’s business that requires the Department’s approval prior to implementation. 9 In support of a request for such prior approval, the Department expects to receive for review, at a minimum:
(i) the applicable risk assessment performed by the VCE Custodian;
(ii) the proposed service agreement(s) between the parties; and
(iii) the VCE Custodian’s updated policies and procedures reflecting the processes and controls to be implemented around the proposed arrangement.
The Department expects the proposed service agreement to contain an acknowledgement by the sub-custodian that the sub-custodian must handle all VCE customer virtual currency in accordance with all applicable Department requirements and standards. These include, without limitation: (i) proper titling of all accounts and wallets holding customer assets as “F/B/O” accounts; and (ii) segregating all customer virtual currency from the corporate assets of both the VCE and the sub-custodian. Also, the proposed service agreement should make clear that customer virtual currency may not, under any circumstances, be treated as collateral for the proprietary obligations of the VCE, nor may such assets be subject to any right of set-off or lien by the sub-custodian other than may be customary for ordinary fees and expenses.
In addition, the Department expects any sub-custodian to be either (i) chartered or licensed by the Department or (ii) subject in its home jurisdiction to a supervisory and regulatory regime for custodial activities that is, as determined by the Department in its sole discretion, substantially similar to the Department’s regime.
Applicants for a BitLicense or limited purpose trust company charter may seek the required approval during the application process, while currently regulated VCE Custodians may submit requests as a material change in business proposal. 10
IV. Customer Disclosure
A VCE Custodian is expected to (i) clearly disclose to each customer in writing the general terms and conditions associated with its products, services and activities, and (ii) obtain acknowledgment of receipt of such disclosure prior to entering into an initial transaction with the customer, consistent with this Guidance. 11 In addition, the VCE Custodian’s customer agreement should make clear the parties’ intentions to enter into a custodial relationship, rather than a debtor-creditor relationship. For example, the VCE Custodian should clearly disclose how it segregates and accounts for customer virtual currency, the property interest the customer retains in custodied assets, how the VCE Custodian may use custodied virtual currency while in its possession, and what limitations on the use of custodied virtual currency by the VCE Custodian apply. If a VCE Custodian makes use of a third-party, sub-custody arrangement, the customer agreement should, consistent with this Guidance, clearly disclose the terms of that arrangement and the material risks. Further, the Department expects a VCE Custodian to make its standard disclosures and customer agreement readily accessible to customers on its website, in a manner consistent with New York laws and regulations.
Note: This Guidance is not intended to limit the scope or applicability of any law or regulation. For further information, VCEs should contact their relationship manager or point of contact with the Department.
1 See 23 NYCRR § 200.2(q)(2).
2 VCEs include entities licensed under 23 NYCRR Part 200 (also known as “BitLicensees”), as well as entities chartered as limited purpose trust companies under the New York Banking Law, to engage in virtual currency business activity, including custody services. See, e.g., 23 NYCRR §§ 200.2(q), 200.3(c)(1).
3 See 23 NYCRR Part 200 (the “BitLicense Regulation” or “Part 200”).
4 See, e.g., 23 NYCRR §§ 200.9, 200.12, 200.18, 200.19.
5 The Department enters into supervisory agreements with virtual currency entities, including limited purpose trust companies, that specify required, restricted, and prohibited activities. In addition, the Department has, for example, the authority to order the discontinuance of unsafe and unsound practices in order to maintain public confidence and protect the public interest. See, e.g., NY Banking Law §§ 10, 39.
6 This Guidance pertains to custodial safekeeping activity generally and is not intended to address in detail ancillary activities associated with custodial services such as staking or on-chain governance.
7 Any exception from this general segregation requirement requires the Department’s prior written approval and must be consistent with applicable customer protection requirements and standards, as determined by the Department in its sole discretion. In evaluating a request for an exception, the Department may consider any factor it deems relevant, including but not limited to the controls and documentation the VCE plans to put in place in order to ensure that the interests of customers are not put at risk during any period of commingling.
8 Products and services that involve securing or guaranteeing an obligation of, or extending credit to, a customer, require the prior approval of the Department, whether as a material change to business under 23 NYCRR § 200.10 or otherwise.
9 See, e.g., 23 NYCRR § 200.10.
10 Id.
11 See, e.g., 23 NYCRR § 200.19.