SEC Clarifies Broker-Dealer Custody Rules for Crypto Assets

I. Introduction

A statement this month from U.S. Securities and Exchange Commission (“SEC”) Division of Trading and Markets unlocked a particularly critical part of securities laws for broker-dealers looking to expand into crypto-asset markets¹The SEC defines crypto-asset securities as “tokenized versions of an equity or debt security” for purposes of the 2025 SEC Staff Statement..

On December 17, 2025, the staff of the SEC’s Division of Trading and Markets published a statement describing how they apply the broker-dealer Customer Protection Rule’s possession and control requirements to crypto-assets ²Securities and Exchange Commission, “Statement of the Custody of Crypto Asset Securities by Broker-Dealers”, Dec. 17, 2025 (https://www.sec.gov/newsroom/speeches-statements/trading-markets-121725-statement-custody-crypto-asset-securities-broker-dealers).(the “2025 SEC Staff Statement”). This important guidance illuminates what was previously one of the most difficult issues facing the SEC as it seeks to implement a comprehensive crypto-asset regulatory architecture: how broker-dealers can hold custody of assets where the ownership is evidenced by a cryptographic key.

This client alert describes how the new staff guidance fits into established securities law, why it is such a critical step in providing additional regulatory clarity, and what it ultimately means. A full description of the 2025 SEC Staff Statement appears below in Section IV.

II. The Customer Protection Rule

Securities Exchange Act of 1934 Rule 15c3-3, commonly known as the “Customer Protection Rule,” is intended to protect customer funds held by their broker-dealers and to prohibit broker-dealers from using customer funds and securities to finance any part of their business. In other words, it is a de facto segregation rule for customer assets. One of the main goals of the Customer Protection Rule is to ensure that, in the event of a broker-dealer’s insolvency, all of a customer’s fully paid and excess margin securities are available for return to the customer, along with all of the customer’s “free credit balances” (for example, cash) held by the broker-dealer.

As a general matter, Rule 15c3-3 requires a broker-dealer that maintains custody of customer securities and cash to maintain physical possession or exclusive control over customers’ fully paid and excess margin securities. To satisfy the requirement of maintaining physical possession or exclusive control, the broker-dealer must hold fully paid and excess margin securities in certain specified locations. The securities must also remain free of any liens or other security interests. One permissible location for a broker-dealer to hold such securities is a U.S. bank. Another common location for possession is on the books of a U.S. registered clearing agency, such as various affiliates of the Depository Trust Company. A broker-dealer can also establish possession and exclusive control for purposes of the Customer Protection Rule by holding securities in non-U.S. control locations (called “foreign control locations”), provided that a non-U.S. custodian provides certain representations to the U.S. broker-dealer regarding the status of the securities and the absence of liens.

III. The Customer Protection Rule and Crypto-Assets

The fundamental challenge facing broker-dealers seeking to hold customers’ crypto-assets is that the broker-dealer must maintain exclusive control over the asset to satisfy the “possession or control” requirements under the Customer Protection Rule. This is especially difficult with crypto-assets because they can be transferred by anyone with access to the cryptographic key. If the key is duplicated (copied) for any reason, the broker-dealer cannot ensure that its control is exclusive.

In July 2019, the staffs of the Financial Industry Regulatory Authority (“FINRA”) and the SEC issued a joint statement addressing custody of digital asset securities. While that statement outlined how broker-dealers might introduce digital asset securities to third-party custodians (such as banks), it did not provide clarity on how a broker-dealer itself could demonstrate compliance with the Customer Protection Rule when holding cryptographic keys.

Subsequently, in December 2020, the SEC issued Release No. 34-90788³ Securities and Exchange Commission’s Release No. 34-90788; File No. S7-25-290, “Custody of Digital Asset Securities by Special Purpose Broker-Dealers”, December 23, 2020. (the “2020 Release”), which introduced a nine-point framework for broker-dealers to comply with Rule 15c3-3’s possession and control requirements in connection with crypto-asset holdings⁴ The nine-point framework outlines conditions under which a broker-dealer can consider itself to have physical possession or control of customer fully paid and excess margin digital asset securities. First, the broker-dealer must have access to and the ability to transfer these assets on their respective distributed ledger technology. Its business activities should be limited to digital asset securities, except for holding traditional securities for net capital compliance or hedging purposes. Additionally, the broker-dealer must implement written policies and procedures to analyze whether a digital asset qualifies as a security and ensure compliance with federal securities laws before engaging in transactions or custody. It must also assess the characteristics and risks of the distributed ledger technology used for custody and avoid maintaining custody if material security or operational weaknesses exist. Further, the broker-dealer must adopt industry-standard controls to ensure exclusive control over digital asset securities and safeguard private keys against theft, loss, or misuse. It should have contingency plans for events like blockchain malfunctions, attacks, or insolvency, including mechanisms for asset transfer under court orders or liquidation scenarios. Customers must receive written disclosures explaining the firm’s custody approach, associated risks, and limitations of SIPA protections for certain digital asset securities. Finally, the broker-dealer must enter into written agreements with customers detailing terms for transactions, custody, and safekeeping of digital asset securities.. Although a small number of broker-dealers have followed this framework and effected transactions in and maintained custody of the digital asset securities, the operational burdens and limitations associated with the 2020 Release have deterred most firms from offering those services.  

IV. The 2025 SEC Staff Statement

In the 2025 SEC StaffStatement, the SEC staff states it will not object if a broker-dealer deems itself to have “physical possession” of a crypto asset security for purposes of Rule 15c3-3(b)(1), provided the firm implements the following specified controls and procedures:

• First, a broker-dealer intending to obtain and maintain possession directly must have access to the crypto asset security and the capability to transfer it on the associated distributed ledger.
• Second, a broker-dealer must adopt and enforce reasonably designed written policies and procedures to assess the relevant distributed ledger technology and its associated network before undertaking custody (and at reasonable intervals thereafter), including governance matters such as how protocol updates are determined and implemented, with the objective of identifying significant weaknesses or operational issues and taking appropriate risk-reducing action.
• Third, if a broker-dealer is aware of material security or operational problems or weaknesses with the distributed ledger technology or network used to access and transfer the asset, or if custodying the asset would otherwise pose material risks to the broker-dealer’s business, the broker-dealer should not deem itself to possess a crypto asset. This expectation focuses the broker-dealer on material risks arising from possession of the crypto asset itself, as distinct from market or reputational risks, and is intended to provide reasonable assurance that a broker-dealer will not treat itself as in possession where doing so would expose it to such weaknesses or risks.
• Fourth, a broker-dealer must implement written policies, procedures, and controls (consistent with industry best practices) designed to protect against the theft, loss, or unauthorized or accidental use of private keys needed to access and transfer the crypto asset, and to ensure that no other person, including customers or third parties (such as affiliates), can access the keys and transfer assets without the broker-dealer’s authorization.
• Fifth, a broker-dealer must maintain written policies, procedures, and arrangements that set out in advance steps to address events (a) that could affect possession of crypto assets, such as blockchain malfunctions, 51% attacks, hard forks, or airdrops; (b) that enable compliance with lawful orders to seize, freeze, burn, or prevent transfers; and (c) that provide for the transfer of the crypto assets to a broker-dealer, trustee, receiver, liquidator, or other appropriate person in the event of wind-down, self-liquidation, or an insolvency proceeding. These measures are intended to ensure the continued safekeeping and accessibility of the crypto assets and to provide assurance that a broker-dealer has thoughtfully planned for unexpected disruptions to possession and control.

Taken together, the 2025 SEC Staff Statement outlines a non-objection framework under which broker-dealers can demonstrate “physical possession” for fully paid and excess margin crypto assets by implementing robust access, technology assessment, key management, and contingency planning controls. The statement notes, however, that it does not address other applicable obligations under the federal securities laws. The guidance is intended to provide near-term clarity for market participants as the SEC continues its broader consideration of custody issues in the crypto assets context.

The 2020 Release and the 2025 SEC Staff Statement reflect two distinct regulatory approaches to broker-dealer obligations in the digital asset securities space. The 2020 Release introduced a framework that emphasized structural and disclosure-based safeguards, requiring broker-dealers to limit their business exclusively to crypto-asset securities, maintain robust written policies for determining whether a crypto asset qualifies as a security, provide clear risk disclosures to prospective customers, and formalize customer relationships through written agreements outlining terms and conditions. After few broker-dealers chose to adopt that complex framework, the 2025 SEC Staff Statement streamlined the expectations, with a sharper focus on operational security and risk mitigation. Most notably, it introduced a requirement for broker-dealers to implement comprehensive written policies, procedures, and controls specifically designed to prevent theft, loss, or unauthorized use of private keys, an area not addressed in the 2020 Release.

This evolution signals a regulatory shift from broad governance and disclosure obligations toward targeted technical safeguards that address the unique custody and cybersecurity risks inherent in crypto assets.

V. Conclusion

In their new guidance, the Division of Trading and Markets staff seems to recognize that the industry is maturing. With that implied recognition, the new guidance provides a more commercially viable way to hold crypto-asset securities. We expect it will become apparent quickly if market participants agree with this assessment, as broker-dealers can begin relying on this guidance to hold custody of client crypto assets immediately.

At the same time, the guidance aims to be mindful of investor-protection and recordkeeping requirements that will allow the SEC and FINRA to properly maintain oversight of this evolving space. While a longer time horizon will be required for judging whether these requirements are sufficient for investor-protection purposes, we anticipate this new guidance will open up the possibility for many additional broker-dealers to begin custodying crypto assets.