
What is a crypto custody license: 2026 regulatory guide

June 21, 2026

TL;DR:

  • A crypto custody licence authorises a business to hold or control digital assets on behalf of clients with fiduciary responsibilities.
  • Most regulators assess control over private keys and transaction authorisation, not just technical security measures.
  • Regulators worldwide increasingly require on-chain custody segregation and strong governance to grant and maintain licences.

A crypto custody licence is a regulatory authorisation granted to entities that hold, safeguard, or control digital assets on behalf of clients, establishing a fiduciary and governance responsibility over those assets. The standard industry term is virtual asset custody authorisation, though regulators including VARA in Dubai, the EU under MiCA, and the US under the NY DFS BitLicense framework each apply their own nomenclature. What unites every framework is a shared premise: custody is a fiduciary function, not a technical one. Founders who treat it as an IT infrastructure feature routinely fail their applications. Understanding the licence, its triggers, and its operational demands is the starting point for any compliant digital asset custody business.


What is a crypto custody licence and which activities trigger it?


A crypto custody licence authorises a business to legally hold or control digital assets for clients under a defined regulatory framework. The licensing trigger is not wallet ownership. Regulators look at who controls the private keys and who can authorise, freeze, or move assets on behalf of a client.

The core activities that trigger a custody licensing obligation include:

  • Safekeeping of private keys on behalf of clients, whether in hot, cold, or hybrid storage
  • Administration of digital assets, including record-keeping, corporate actions, and reporting
  • Settlement and transfer execution on behalf of clients, where the custodian initiates or authorises on-chain movements
  • Wallet-as-a-service arrangements where the provider retains technical control over key generation or signing

The distinction between custodial and non-custodial models is a common source of confusion. A non-custodial model means the client retains sole control of their private keys at all times. The moment a service provider can independently sign transactions, recover keys, or freeze assets, the arrangement becomes custodial and licensing obligations attach. Technologies such as multi-party computation (MPC) and multi-signature (multi-sig) wallets do not automatically remove the licensing requirement. Regulators assess control over keys and funds flows, not the underlying cryptographic architecture.

The fiduciary dimension is what separates custody from simple wallet provision. A licensed custodian owes duties of care, segregation, and accountability to clients. VARA in Dubai frames this explicitly: custodians must behave as specialised financial institutions, not technology vendors. That framing has direct consequences for governance, capital, and staffing requirements.


Pro Tip: Map your fund flows and key control architecture before engaging any regulator. If your system can sign or move a client's assets without their real-time authorisation, you are almost certainly operating a custodial model and need a licence.


How do custody licensing frameworks differ across major jurisdictions?

Custody licensing regimes vary significantly across jurisdictions in their triggers, capital thresholds, passporting rights, and prudential standards. The table below compares the four most commercially significant frameworks for 2026.

| Jurisdiction | Regulator | Licence / Authorisation | Capital Requirement | Passporting | Key Custody Rule |
|---|---|---|---|---|---|
| UAE (Dubai) | VARA | Virtual Asset Custody Services Licence | Not publicly listed | No | Fiduciary governance, board oversight, insurance mandatory |
| EU | ESMA / NCAs under MiCA | CASP Authorisation | €50,000–€150,000 | Yes (EU-wide) | On-chain segregation of client assets required |
| USA (New York) | NY DFS | BitLicense | Not publicly listed | No (state-by-state) | Fiduciary duty, book-entry segregation, OCC guidance applies |
| USA (Federal) | OCC / SEC | No-action / Trust Charter | Varies | Limited | Fiduciary segregation rules post-SAB 121 rescission |

VARA: fiduciary governance in Dubai

VARA's custody services licence imposes obligations that go well beyond wallet technology. VARA expects custodians to operate as specialised financial institutions, with governance structures, capital adequacy, qualified staffing, cybersecurity controls, insurance coverage, and group structure all within regulatory scope. The VARA Regulations and relevant Rulebooks require board-level accountability for custody risk. Local incorporation in the Emirate of Dubai is mandatory, and the regulator conducts detailed supervisory reviews of operational readiness before granting authorisation.

MiCA: harmonised EU authorisation

MiCA's CASP licensing framework standardises authorisations, prudential requirements, conduct rules, and consumer protection across all EU member states. MiCA requires custodians to segregate client crypto-assets on separate on-chain addresses from their own holdings, with capital tiers ranging from €50,000 to €150,000 depending on the scope of services. The passporting mechanism allows a CASP authorised in one member state to operate across the EU without separate national licences. That is a material commercial advantage over fragmented regimes.

US: fragmented but converging

The US approach remains fragmented. NY DFS issues the BitLicense for New York-based operations, while the OCC has clarified that federally chartered banks may provide crypto custody services. The SEC Division of Investment Management issued a no-action letter conditionally allowing state trust companies to be treated as banks for crypto custody purposes, subject to conditions including segregation, risk management, written agreements, and annual due inquiry. Following the rescission of SEC Staff Accounting Bulletin 121, US regulation treats crypto custody as a fiduciary function with book-entry segregation rules. Businesses operating across multiple US states must assess each state's licensing requirements independently.

Global regulatory standards are converging toward mandatory on-chain segregation of client assets and clear fiduciary governance as a baseline for institutional custody. That convergence reduces arbitrage opportunities and raises the bar for all market entrants.


What are the operational requirements for a crypto custody licence?

Obtaining and maintaining a custody licence requires far more than a compliant technology stack. Regulators assess the entire operating model, from board composition to disaster recovery procedures.

  1. Board-level governance. The board must demonstrate active oversight of custody risk. VARA and MiCA frameworks both require designated senior managers with accountability for operational, cyber, and governance risk. Board members must meet fit-and-proper standards, and governance frameworks must be documented and auditable.

  2. Capital adequacy and prudential modelling. Custodians must hold sufficient regulatory capital to absorb operational losses. Under MiCA, capital tiers range from €50,000 to €150,000. VARA's capital requirements are assessed on a case-by-case basis aligned with the custodian's risk profile. Prudential modelling must account for concentration risk, counterparty exposure, and operational stress scenarios.

  3. AML/CFT compliance and the Travel Rule. Licensed custodians are obligated to implement AML/CFT programmes aligned with FATF standards. In the UAE, this means compliance with Federal AML Law (Decree-Law No. 20 of 2018 and its amendments) and CBUAE Circular 2/2024. The Travel Rule requires custodians to collect and transmit originator and beneficiary information for virtual asset transfers above applicable thresholds. Custody-specific KYC obligations extend to beneficial ownership verification and ongoing transaction monitoring.

  4. Technology and key management controls. Regulators assess key management architecture, including the use of hardware security modules (HSMs), MPC protocols, and cold storage procedures. Cybersecurity frameworks must address access controls, penetration testing, incident response, and business continuity. Disaster recovery plans must be tested and documented.

  5. Insurance coverage. VARA mandates that custodians maintain adequate insurance against operational and cyber risks. The policy must cover loss of private keys, theft, and operational failure. Insurers with relevant crypto custody experience are required.

  6. Staff competency. Custody operations require qualified personnel in compliance, technology, and operations. Regulators assess whether key function holders have relevant experience and whether training programmes are in place.

  7. Supervisory reporting and audit readiness. Licensed custodians must submit periodic regulatory reports, maintain auditable records of all client asset positions, and cooperate with supervisory inspections. DFSA Rulebooks (COBS, AML, GEN) impose equivalent obligations for DIFC-based custodians, and the FSRA Virtual Asset Framework applies within ADGM.

Pro Tip: Engage an external auditor with crypto custody experience before your licence application. Regulators treat pre-application audit readiness as evidence of governance maturity, not just a compliance checkbox.


Common licensing challenges and how to structure for regulatory success

The most common reason custody licence applications fail is a conceptual gap. Founders treat custody as an IT infrastructure feature and underestimate the fiduciary and governance obligations that regulators prioritise. That misalignment shows up immediately in application documentation.

Key pitfalls to avoid include:

  • Misclassifying the business model. Failing to map fund flows precisely leads to incorrect activity classification. A wallet-as-a-service product that retains key signing authority is a custodial service, regardless of how it is marketed.
  • Insufficient governance documentation. Regulators expect detailed board charters, risk committee terms of reference, and documented escalation procedures. Generic corporate governance templates do not satisfy VARA or MiCA reviewers.
  • Weak AML/CFT frameworks. Custody-specific AML policies must address the Travel Rule, virtual asset risk typologies, and sanctions screening for on-chain addresses. Generic AML policies copied from traditional finance fail this test.
  • Inadequate capital planning. Applicants frequently underestimate the capital required to satisfy prudential modelling expectations, particularly when custody services are bundled with exchange or brokerage activities.
  • Group structure misalignment. Regulators assess the entire group structure, not just the applicant entity. Opaque holding structures, offshore parent companies with weak governance, or unregulated affiliates providing key services will attract regulatory scrutiny.

For multi-jurisdictional operations, the structuring decision between a MiCA CASP passporting model and a jurisdiction-by-jurisdiction approach requires careful legal analysis. The global crypto licensing map across 41 jurisdictions illustrates the range of regulatory options available. Passporting under MiCA offers EU-wide reach from a single authorisation, but the home member state regulator retains primary supervisory authority. Businesses targeting both the UAE and EU markets typically require separate authorisations under VARA and MiCA respectively, as no mutual recognition agreement currently exists between the two frameworks.

Enforcement exposure for unlicensed custody activity is material. VARA can impose financial penalties, suspend operations, and refer matters for criminal prosecution under UAE law. MiCA national competent authorities carry equivalent powers. Building compliance into the business model from inception is significantly less costly than remediation after regulatory action.


The fiduciary shift: why custody licensing is not a technology problem

At Cryptoverselawyers, we have advised custody applicants across VARA, MiCA, and multiple other frameworks. The pattern we observe most consistently is this: technically sophisticated founders arrive with detailed MPC wallet architectures and assume the licence will follow from the technology. It does not.

Regulators are not assessing your cryptographic design. They are assessing whether your board understands its fiduciary duties, whether your capital model reflects real operational risk, and whether your AML programme would survive a supervisory inspection. The legal responsibilities of custodians are grounded in centuries of trust law, updated for digital assets. That is the framework regulators apply.

The global convergence toward on-chain asset segregation as a non-negotiable baseline is also accelerating. MiCA mandates it. VARA expects it. The SEC's post-SAB 121 position reinforces it. Custodians who build segregation into their architecture from day one will find licence applications and ongoing supervision materially easier. Those who retrofit it after authorisation face significant operational disruption.

Our practical advice: treat the licence application as a governance project, not a compliance exercise. The documentation you produce for the regulator should reflect how you actually intend to run the business. Regulators read the gap between stated governance and operational reality very clearly.

— CRYPTOVERSE


How Cryptoverselawyers can support your custody licence application

Cryptoverselawyers advises custody businesses across VARA, MiCA, FCA, MAS, and over 30 jurisdictions worldwide. Our team combines regulatory expertise with direct experience of custody licence applications, governance structuring, and AML/CFT framework design.

https://cryptoverselawyers.io

Whether you are preparing a VARA custody services licence application, structuring a MiCA CASP authorisation, or assessing licensing obligations across multiple markets, Cryptoverselawyers provides regulator-ready legal solutions. Our services cover pre-application strategy, governance framework design, AML/CFT policy drafting, capital adequacy modelling, and supervisory engagement. Contact Cryptoverselawyers to discuss your VARA licensing requirements or to obtain a tailored assessment of your custody model's regulatory obligations across the jurisdictions that matter to your business.


FAQ

What is a crypto custody licence in simple terms?

A crypto custody licence is a regulatory authorisation that permits a business to hold or control digital assets on behalf of clients. It establishes fiduciary duties, governance obligations, and compliance requirements that go beyond operating a wallet service.

Who needs a crypto custody licence?

Any entity that controls private keys, executes asset movements, or administers digital assets on behalf of clients requires a custody licence in most regulated jurisdictions. This includes wallet-as-a-service providers, exchanges offering asset safekeeping, and institutional custodians.

What are the main crypto custody licence requirements?

Core requirements across VARA, MiCA, and US frameworks include board-level governance, capital adequacy, AML/CFT compliance aligned with FATF standards, key management controls, cybersecurity measures, insurance coverage, and auditable client asset segregation.

How does MiCA custody licensing differ from VARA?

MiCA provides EU-wide passporting for CASP-authorised custodians with capital tiers of €50,000–€150,000 and mandatory on-chain client asset segregation. VARA applies a fiduciary governance model specific to Dubai, with no passporting to other jurisdictions and a case-by-case capital assessment.

What is the most common reason custody licence applications are rejected?

The most common reason is treating custody as a technology function rather than a fiduciary one. Regulators reject applications that lack credible governance frameworks, have inadequate AML/CFT policies, or show insufficient capital planning, regardless of the sophistication of the underlying wallet technology.