Galaxy: Custody Rule compliance requirements for deploying client assets into on-chain DeFi

Author: Ian Irlander, Venture Capital Advisor at Galaxy Ventures; Source: Galaxy Digital; Translation: Shaw, Golden Finance

As investment activity migrates onto blockchains, Registered Investment Advisers (RIAs) face an increasingly visible conflict between the federal custody regime and the way decentralized finance (DeFi) actually operates. At the same time, registered investment advisers still owe fiduciary duties, which require them to identify and pursue reasonably designed investment opportunities that can generate returns for clients. Where a client wants DeFi strategies included within its investment mandate and the adviser's fiduciary scope, a blanket refusal by the adviser to allocate to DeFi will be hard to justify.

Rule 206(4)-2 under the Investment Advisers Act of 1940, commonly known as the Custody Rule, was designed for a centralized financial system: one that relies on licensed intermediaries, conventional account structures, and custody arrangements that regulators can audit and verify at any time. Most DeFi strategies, however, require the adviser to deploy client assets directly on-chain through smart contracts and cryptographic permission controls, an operating model that is hard to reconcile with the rule's preconditions. The rule's rigid requirements and the mechanics of modern on-chain investing are increasingly out of step, leaving a persistent compliance gap.

Background of the Custody Rule

The U.S. Securities and Exchange Commission (SEC) adopted the Custody Rule in 1962 to govern how registered investment advisers safeguard client funds and securities, primarily to reduce the risk of misappropriation and theft of client assets. Subsequent amendments, notably in 2003 and 2009, significantly expanded adviser obligations and added further controls, including annual surprise examinations by an independent public accountant and closer scrutiny of advisers that custody assets themselves or through affiliates. These reforms materially strengthened investor protection in traditional financial markets.

The Custody Rule applies whenever a registered investment adviser holds client funds or securities, directly or indirectly, or has the authority to obtain possession of them (for example, the ability to withdraw assets from a client account).

The rule layers several safeguards over client funds and securities: the assets must be maintained with a qualified custodian (QC); the adviser must have a reasonable basis to believe that the custodian sends account statements directly to clients at least quarterly; and assets must be verified through an annual surprise examination, or, for pooled investment vehicles, through audited financial statements delivered to investors. If the adviser or an affiliate acts as the custodian, additional controls apply, such as engaging an independent public accountant to issue an annual internal control report, which entails ongoing audit, operational, and compliance costs.

For registered investment advisers managing digital assets and DeFi-native protocol positions, applying the Custody Rule raises distinctive compliance challenges. Digital assets exist only as records on a distributed ledger, so the decisive custody question becomes: who controls the ability to transfer or access the asset. Custody arrangements built on smart contracts, multi-signature wallets, or multi-party computation (MPC) wallets typically require several parties to authorize a transaction, which blurs the traditional notions of ownership, control, and custody that the regulatory framework assumes.

Current Industry Status of Custody Compliance

Whether they are traditional custodians or crypto-native custody providers, most qualified custodians are unable or unwilling to support long-tail tokens, smart-contract-native assets, and complex DeFi operations. Each asset class, and often each chain, comes with its own technical standards, requiring bespoke integration and long-term maintenance, and those costs are ultimately passed on to advisers and clients as custody fees. For a registered investment adviser, placing such assets with a qualified custodian is therefore either commercially unavailable or prohibitively expensive.

For assets that no qualified custodian will hold, advisers typically fall back on multi-party computation (MPC) custody architectures to manage cryptographic private keys and transaction authorization. In an MPC system the signing key is split into shares held by multiple independent parties, and a threshold of those parties must cooperate to produce a signature; the full key is never assembled in one place, which removes the single point of failure and prevents any one party from moving assets unilaterally. Note that MPC protects the key itself: it does nothing against a badly designed approval policy or a malicious destination contract, which must be controlled at the policy layer above the signer. Although MPC offers strong security and operational resilience, it still cannot satisfy the literal requirement that "client funds and securities be maintained with a qualified custodian." This conflict reflects a deeper structural contradiction: the existing rule was written for centralized custody, whereas many on-chain strategies rest on decentralized architectures.

The Custody Rule requires client funds and securities to be maintained with a qualified custodian, however strong the adviser's own technical safeguards may be. The rule assumes that client assets can be entrusted to a qualified third-party custodian, but many DeFi-native assets do not fit that premise. They typically have no paper certificates, exist only as entries on a distributed ledger, are issued by a protocol rather than a legal entity, and can be freely transferred through smart contracts without any central registrar or transfer agent. That last property also defeats the rule's exception for privately offered securities, which covers only uncertificated securities recorded on the issuer's books and transferable solely with the issuer's prior consent. In addition, most DeFi assets are still immature, and custodians cannot integrate them into their systems easily or cost-effectively. For these reasons, the vast majority of DeFi-native assets currently qualify for none of the rule's exceptions.

Structural Compliance Gaps Facing DeFi-Focused Registered Advisers

Several constraints combine to create a structural compliance gap for advisers seeking to run on-chain DeFi strategies. Under the Custody Rule, an adviser that has the authority to initiate transactions or withdraw assets is deemed to have custody; yet in practice no qualified custodian is willing or able to hold these assets, so technical compliance is impossible. In these circumstances even a well-intentioned adviser that builds robust safeguards around client assets carries regulatory risk. Meanwhile, the fiduciary duty imposed by the Investment Advisers Act requires advisers to put client interests first, to understand each client's investment objectives before advising, and to offer reasonably justified asset allocations. For many clients, DeFi strategies are part of those allocation needs. The practical challenge, then, is how to build a framework, grounded in the Custody Rule, that works with on-chain operations, protects investors, and accommodates the decentralized nature of DeFi.

Best Industry Practices for Advisers Engaging in DeFi

Recent regulatory developments suggest that authorities are increasingly aware of these conflicts. SEC commissioners have said publicly that where advisers act in good faith to meet the Custody Rule's requirements but are blocked by objective structural limits, regulators are willing to show some flexibility. In June 2025, SEC Chair Paul Atkins gave a speech describing self-custody of crypto assets and direct participation in decentralized systems as "core values" of the United States, and stating that if current rules impose unnecessary costs or hinder on-chain innovation, the SEC should consider adjusting them. He also disclosed that staff had been tasked with exploring rule amendments and exemptions covering crypto custody, self-custody, and DeFi.

Until specific rules are in place, market participants are exploring practical approaches that balance investor protection with technical feasibility. These fall into two groups: technical controls and information transparency.

For an adviser that intends to run on-chain DeFi activity without a qualified custodian, the most effective approach is a high-assurance system for cryptographic private key management and transaction authorization, combined with a governance framework that separates duties: transaction approval, system operations, and investment decision-making sit with different people. Under an MPC custody model, signing authority is distributed among several parties and a transaction requires a threshold of approvals, which prevents both the concentration of authority and unauthorized transfers. One check worth making explicit: a bare t-of-n threshold is not by itself separation of duties, since two shares held within the same function would still reach quorum; the approval policy should require sign-off from each function, bar the initiator from approving their own request, and restrict destinations to protocols that have passed due diligence. This layered control framework can serve as the foundation of an on-chain asset security program. Although current rules and enforcement practice do not yet recognize MPC as compliant, the approach advances the rule's core purpose of protecting investors.
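As an added example of the layered control described above, and of the threshold authorization that the earlier MPC discussion relies on, the following Python sketch is not Galaxy's code or any custody vendor's. It models only the policy layer in front of an MPC signer (the key shares and the signing itself are assumed to live elsewhere); the party names, role names, 2-of-n threshold, daily limit, and allowlisted target address are all assumptions.

```python
"""Threshold authorization with separation of duties for on-chain transactions.

Added illustration, not code from Galaxy or from any custody provider. It models
the policy layer that sits in front of an MPC signing service: the key shares and
the signature itself are assumed to live elsewhere, and this code only decides
whether a signing request may be forwarded. Party names, role names, the
threshold, the daily limit and the target allowlist are all assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Party:
    name: str
    role: str  # "pm" (investment decision), "ops" (system operations), "approver" (transaction approval)


@dataclass
class Policy:
    threshold: int               # approvals required (t of n key holders)
    required_roles: frozenset    # at least one approval from each of these functions
    allowed_targets: frozenset   # contract addresses cleared by protocol due diligence
    daily_limit: int             # aggregate outflow cap, in token base units


@dataclass
class Request:
    initiator: Party
    target: str
    amount: int
    approvals: set = field(default_factory=set)


class PolicyError(ValueError):
    pass


def approve(req, party):
    """Record an approval. The initiator can never count towards their own quorum."""
    if party == req.initiator:
        raise PolicyError("initiator may not approve own request")
    req.approvals.add(party)


def authorize(req, policy, spent_today=0):
    """Return True if the request may go to the signer; raise PolicyError otherwise."""
    if req.target not in policy.allowed_targets:
        raise PolicyError(f"target {req.target} not on cleared protocol allowlist")
    if spent_today + req.amount > policy.daily_limit:
        raise PolicyError("daily limit exceeded")
    if len(req.approvals) < policy.threshold:
        raise PolicyError(f"{len(req.approvals)} approvals, need {policy.threshold}")
    # A bare t-of-n count is not separation of duties: two shares held by the
    # same function would still pass. Require each listed function to sign off.
    missing = policy.required_roles - {p.role for p in req.approvals}
    if missing:
        raise PolicyError(f"missing approval from roles: {sorted(missing)}")
    return True


def decide(req, policy, spent_today=0):
    """authorize() wrapped so callers get 'ok' or the rejection reason as a string."""
    try:
        authorize(req, policy, spent_today)
        return "ok"
    except PolicyError as e:
        return str(e)


def run_demo():
    """Walk a 2-of-n policy through the cases the text cares about."""
    pm, ops, ops2, app = (Party("alice", "pm"), Party("bob", "ops"),
                          Party("dave", "ops"), Party("carol", "approver"))
    policy = Policy(threshold=2, required_roles=frozenset({"ops", "approver"}),
                    allowed_targets=frozenset({"0xpool-cleared"}), daily_limit=1_000_000)
    out = {}
    req = Request(pm, "0xpool-cleared", 100)
    out["alone"] = decide(req, policy)              # no unilateral transfers
    try:
        approve(req, pm)
        out["self_approve"] = "allowed"
    except PolicyError as e:
        out["self_approve"] = str(e)
    approve(req, ops)
    approve(req, ops2)
    out["same_role"] = decide(req, policy)          # quorum met, duties not separated
    approve(req, app)
    out["quorum"] = decide(req, policy)             # ops + approver: forwarded to signer
    out["limit"] = decide(req, policy, spent_today=999_950)
    uncleared = Request(pm, "0xunknown", 100, approvals={ops, app})
    out["uncleared_target"] = decide(uncleared, policy)
    return out


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:17s} {result}")
```

The point of the "same_role" case is the one the text's governance framework is built around: two operations staff holding two key shares satisfy the MPC threshold, yet the request is still refused until the separate transaction-approval function has signed off.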

Where no qualified custodian is available, independent external oversight can strengthen the custody arrangement further: engaging a PCAOB-registered auditor to conduct annual audits, verify digital asset balances, review custody controls and transaction processes, and document responsibilities across the whole asset-management chain. Because public blockchains are transparent, balances and transfers can be monitored in near real time, so periodic audits can be supplemented with high-frequency on-chain monitoring. Monitoring adds protection only if it is tied to a reconciliation: each observed outflow should be matched against the authorization layer's records and the recomputed on-chain balance against the adviser's books, so that an unexpected transfer is flagged rather than merely observed.
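As an added example of the high-frequency on-chain monitoring mentioned above (not code from the article, from Galaxy, or from any auditor), the following Python reconciliation takes a constructed, simplified transfer log for a managed wallet, compares each outflow against the records exported from the authorization layer, and checks the recomputed balance against what the adviser's books report. Addresses, transaction ids, block numbers, and amounts are invented.

```python
"""On-chain reconciliation for a managed wallet, to run between periodic audits.

Added illustration, not code from the original article or from any auditor or
custody vendor. The transfer events below are a constructed, simplified view of
ERC-20 style Transfer logs; in production they would be pulled from a node or an
indexer. Addresses, transaction ids, block numbers and amounts are made up.
"""
from collections import namedtuple

Transfer = namedtuple("Transfer", "block tx src dst amount")

WALLET = "0xclient-wallet"

# Constructed sample log: a deposit, an approved supply into a cleared pool, then
# an outflow to an unknown address that the authorization layer never saw.
EVENTS = [
    Transfer(100, "0xtx1", "0xfiat-onramp", WALLET, 1_000_000),
    Transfer(105, "0xtx2", WALLET, "0xpool-cleared", 400_000),
    Transfer(109, "0xtx3", WALLET, "0xunknown-eoa", 50_000),
]

# Authorization records exported from the approval layer: tx id -> (destination, amount).
APPROVED = {"0xtx2": ("0xpool-cleared", 400_000)}


def ledger_balance(events, wallet):
    """Recompute the wallet balance from the transfer log alone."""
    balance = 0
    for e in events:
        if e.dst == wallet:
            balance += e.amount
        if e.src == wallet:
            balance -= e.amount
    return balance


def reconcile(events, wallet, approved, allowlist, reported_balance):
    """Compare on-chain activity with what was authorized and what the books report.

    Returns a list of alert strings; an empty list means the wallet reconciles.
    """
    alerts = []
    seen = set()
    for e in events:
        seen.add(e.tx)
        if e.src != wallet:
            continue  # inflows need no approval; only outflows move client assets
        record = approved.get(e.tx)
        if record is None:
            alerts.append(f"{e.tx}: outflow of {e.amount} to {e.dst} has no authorization record")
        elif record != (e.dst, e.amount):
            alerts.append(f"{e.tx}: on-chain ({e.dst}, {e.amount}) differs from approved {record}")
        if e.dst not in allowlist:
            alerts.append(f"{e.tx}: destination {e.dst} is not a cleared protocol")
    # An approved transaction that never appears on-chain is also worth a look
    # (stuck, dropped, or signed against a different chain).
    for tx in sorted(set(approved) - seen):
        alerts.append(f"{tx}: approved but not observed on-chain")
    observed = ledger_balance(events, wallet)
    if observed != reported_balance:
        alerts.append(f"balance mismatch: chain {observed} vs reported {reported_balance}")
    return alerts


def run_demo():
    """Books still show 600_000 because tx3 was never recorded; the chain says otherwise."""
    return reconcile(EVENTS, WALLET, APPROVED, {"0xpool-cleared"}, reported_balance=600_000)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run on the constructed log, the third transfer produces three alerts: an outflow with no authorization record, a destination outside the cleared protocol set, and a balance that no longer matches the books. Each is something an annual audit would surface months later, and something a daily reconciliation surfaces the same day.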

Advisers should also run rigorous due diligence on two kinds of counterparty: the self-custody technology providers (typically sold as subscription software) and each DeFi protocol in which client assets are deployed. That diligence should cover cybersecurity, private key management, operational risk controls, solvency and bankruptcy remoteness, credit risk, legal and regulatory compliance, smart contract audit coverage, governance structure, third-party infrastructure dependencies, and the ability to redeem assets quickly. Formal agreements with service providers should spell out the asset-protection terms. With these measures in place, advisers can keep client assets in stable, transparent environments that track the core principles of the Custody Rule and of investor protection.

Breaking the Regulatory Deadlock on Custody Rules

While the SEC studies formal amendments to the Custody Rule, registered advisers face a dilemma today: pursue on-chain investments under significant regulatory uncertainty about custody compliance, or forgo DeFi opportunities that could generate returns for clients.

During the transition, advisers can manage that risk by adopting custody arrangements that protect client assets, increase transparency, and track the legislative intent of the Custody Rule as closely as possible, while continuing to offer access to emerging DeFi markets. By combining multi-party key management, separation of duties, full risk disclosure, thorough due diligence on self-custody providers and DeFi protocols, and independent third-party audits, advisers can build a custody framework that, even if it does not meet every technical requirement, largely achieves the rule's core goal of investor protection. This layered, risk-based approach is becoming an emerging best practice in digital asset management and offers advisers a workable path: honoring fiduciary duties while innovating in on-chain investment strategies.
