The Securities and Exchange Commission’s Office of Investor Education and Assistance released a bulletin on Dec. 12, 2025, aimed at helping retail investors understand how crypto assets are held and protected.
The guidance focuses on custody choices, wallet types, and the trade-offs that come with each option.
Crypto asset custody refers to how investors store and access digital assets. Access usually happens through a crypto wallet, which does not hold the asset itself.
Instead, it stores the private keys that prove ownership and authorize transactions.
A crypto asset covers tokens, digital assets, virtual currencies, and coins created or transferred through blockchain or similar distributed ledger systems.
Designs vary widely, and so do risks. Not all crypto assets behave the same way, and investors shouldn’t assume uniform protections.
When a wallet is created, two keys appear. The private key is a randomly generated alphanumeric code that authorizes transactions. It works like a password and cannot be replaced.
Lose it, and access to the asset is gone for good. The public key, by contrast, allows others to send assets to the wallet. It verifies transactions but cannot unlock funds. Think email address versus password.
Together, the two keys establish ownership and control.
Wallets generally fall into two categories. Hot wallets connect to the internet and often come as mobile, desktop, or web applications.
They make transactions easy but expose assets to cyber risks. Cold wallets trade convenience for security. They reduce online attack risk but can be lost, damaged, or stolen.
Cold wallets stay offline and usually exist as physical devices like USB drives or external hard drives. Some even live on paper.
Most wallets also generate a seed phrase, sometimes called a recovery phrase. This string of words restores access if keys or devices fail. Anyone with the phrase can take control of the wallet. Protect it. Never share it.
Investors also face a custody decision. Self-custody means managing private keys directly. Control stays entirely with the owner, along with all responsibility. If keys disappear or wallets are compromised, recovery options are slim to none.
Choosing self-custody raises practical questions
- Are you comfortable setting up and maintaining wallets?
- Do you want full responsibility for security?
- Do you prefer hot or cold storage?
- What fees apply, including transaction costs or hardware purchases?
Third-party custody shifts those tasks to an exchange or dedicated custodian. These firms control private keys and often mix hot and cold storage. Convenience improves. Dependence rises.
If the custodian is hacked, shuts down, or enters bankruptcy, access to assets may be disrupted or lost.
Selecting a third-party custodian requires due diligence. Investors should review the firm’s background, regulatory status, and complaint history. Asset support matters too. Not all custodians hold every type of crypto asset.
1 / Risk planning counts. Investors should ask whether assets are insured, what happens if the custodian fails, and how keys are safeguarded. Storage methods, subcontracting arrangements, and internal access controls all matter.
Some custodians use customer assets for lending or other activities, a practice often called rehypothecation.
2 / Others commingle assets to cut costs. Investors should know whether these practices occur and whether consent is required.
3 / Privacy also deserves attention. Custodians collect sensitive personal data and transaction histories. Investors should ask how that data is protected, whether it is shared, and under what conditions.
4 / Fees round out the decision. Custodians may charge asset-based fees, transaction fees, transfer fees, and account setup or closure costs. Understanding the full fee structure before committing can prevent surprises later.
According to Beinsure analysts, the SEC’s message is straightforward. Crypto custody offers flexibility, not simplicity. Control, convenience, and security rarely line up perfectly.
Investors choose the balance, and they own the consequences.
