Module 2/6: Training Wheels

Phase One — Execution with Third-Party Custody

The immediate goal is straightforward: begin offering Bitcoin execution and custody access to your existing client base within three to six months, without ever holding a private key on your own infrastructure. In this phase, your institution acts as the trusted client interface while the actual safeguarding of assets rests with an established qualified custodian. This is not a permanent state, but it is a strategically vital one. It allows you to validate demand, refine operational workflows, and earn revenue while your longer-term custody infrastructure is still being designed. For an incumbent institution, this phase should feel less like a technological revolution and more like onboarding a new alternative asset execution and custody arrangement.

What This Phase Demands of You

You are not merely referring clients to a crypto exchange. You are building a controlled, branded experience where your institution remains the primary relationship owner. Clients instruct you, or interact with your portal, and you route those instructions to pre-vetted execution venues and custodians. Your balance sheet does not touch the Bitcoin. Your regulatory footprint remains lighter than it would under full custody. But your reputational exposure is real. If the custodian suffers a breach, a withdrawal freeze, or an operational failure, your client will hold you responsible for having recommended or channeled them into that arrangement. Therefore, the heavy lifting in Phase One is not engineering key management; it is counterparty selection, contractual protection, and operational discipline.

Legal Entity and Licensing

Begin by confirming the precise legal character of what you intend to do. If you are arranging trades and providing advice without taking possession of client assets, you may be able to operate within your existing advisory or broker-dealer framework, potentially as an introducing arrangement. However, if you intend to handle client fiat, even briefly, or to negotiate execution prices on a principal or guaranteed basis, you must confront state and federal money transmission laws and potentially broker-dealer registration requirements.

• Engage specialised counsel early to determine whether your activity constitutes arranging, executing, or custody under the Advisers Act and state money transmission statutes.
• If you are an investment adviser, your Form ADV disclosures must accurately describe the arrangement and identify the qualified custodian holding client assets. Post-2025, remember that your custodian options now include state-chartered trust companies that meet the conditions outlined in the SEC’s September 2025 no-action relief; they can serve as qualified custodians under Rule 206(4)-2.
• Register as a Money Services Business with FinCEN if your activities trigger the definition of money transmission. This is a threshold question that depends on whether you accept and transmit fiat currency in connection with the trade.
• Establish clear legal entity separation if you anticipate spinning this business out or ring-fencing liability. Even within a single institution, the digital asset execution function should have formally documented mandates, risk limits, and board oversight.

Counterparty Due Diligence

This is the most consequential work in Phase One. You are outsourcing the single riskiest function in digital assets—custody—but you retain the client trust. Your due diligence must be as rigorous as if you were selecting a prime broker or a DTC participant for traditional securities.

Start with the custody layer. Evaluate a shortlist of institutional-grade custodians. The field includes established names such as Coinbase Prime, BitGo, Fidelity Digital Assets, and Anchorage, but it now also includes well-capitalized state-chartered trust companies that have received banking authority to custody digital assets. The 2025 regulatory reset means you should not reflexively exclude state-chartered entities; rather, evaluate them against the same operational criteria.

When vetting any custodian, demand documentation and proof across the following areas.

• Insurance and financial resilience. Request specifics on specie coverage for digital assets held in cold storage, crime and fidelity coverage for internal theft, and cyber liability. Understand the policy limits, exclusions, and whether coverage extends to assets held in warm or hot wallets. Review audited financial statements and capitalisation.
• Control attestations. Require a current SOC 2 Type II report with controls specific to digital asset custody, not just generic cloud infrastructure. Ask about independent security assessments and whether the custodian publishes or can share proof-of-reserves methodologies.
• Storage architecture. Understand the proportion of assets held in cold versus warm versus hot storage. For Bitcoin custody, the majority of client assets should reside in geographically distributed, air-gapped cold storage with multi-signature or multi-party computation protections.
• Withdrawal latency and procedures. Establish expected timeframes for withdrawals by size tier. A custodian that processes large withdrawals only during certain windows or requires manual callbacks is not necessarily a weakness; in fact, that friction can be a control strength. What matters is that you understand the mechanics and can set client expectations accurately.
• Re-hypothecation and use of assets. Confirm contractually that the custodian may not pledge, lend, or re-hypothecate client Bitcoin without explicit prior written consent. The SEC’s 2025 no-action relief for state-chartered custodians specifically highlighted this requirement as a condition for qualified custodian status.

For execution, you need two to three reliable liquidity providers. Institutional over-the-counter desks remain the preferred channel for large Bitcoin trades because they provide fixed pricing, minimal market impact, and direct settlement into your custodian’s wallets. Evaluate them on creditworthiness, settlement reliability, and their own custodial arrangements. Some desks self-custody; others clear through the same institutional custodians you are evaluating. Understand that chain. Alternatively, prime services offered by exchanges or custodians themselves can provide integrated execution and settlement, though this concentrates counterparty risk into a single entity. Diversification across at least two independent execution channels is prudent.

Technical Integration

You do not need to build a trading engine. You need to build a control layer that sits between your client and the market.

• Application programming interface connectivity. Integrate with your custodian’s APIs for balance retrieval, transaction history, deposit address generation, and withdrawal whitelisting. Ensure your integration supports Bitcoin specifically, with proper handling of address formats, confirmation monitoring, and UTXO management if you are operating at a granular accounting level.
• Order management system. Deploy a lightweight order management system that captures client intent, routes orders to OTC desks via FIX or REST protocols, and records execution details. If your existing equities OMS can be extended, prefer that path over introducing a standalone crypto platform. The goal is unified workflow, not siloed technology.
• Reconciliation engine. Automate a daily reconciliation that compares three sources: your internal sub-ledger of client positions, the custodian’s reported balances and transactions, and the Bitcoin blockchain itself. Running your own Bitcoin node is not strictly necessary in Phase One, but using multiple independent blockchain data providers to verify custodian claims is a minimum standard. Reconciliation breaks must trigger alerts to operations personnel with defined escalation paths.
• Pricing and valuation feeds. Integrate a reputable fair value pricing source for Bitcoin so that your client statements and any advisory fee calculations reflect accurate marks. Ensure the pricing methodology is documented and auditable.

Operational Workflow

Design the lifecycle of a trade so that every handoff is defined and every responsibility is clear.

A typical Bitcoin purchase flows as follows. The client instructs your institution, typically through a relationship manager or an embryonic portal interface. Your operations team confirms the order against pre-trade limits, including any concentration or suitability checks. The OMS routes the order to a selected OTC desk or execution venue. Upon execution, the desk delivers Bitcoin to a segregated wallet address provided by your custodian on behalf of the specific client. Your operations team monitors the blockchain for confirmations; for Bitcoin, finality is generally accepted after three to six confirmations, depending on your internal risk appetite. Once confirmed, the internal sub-ledger is updated to reflect settled ownership. The client receives a trade confirmation and a statement entry. The fiat leg settles through your existing banking rails.

For sales, the flow reverses. The client instructs a sale. You confirm the custodian can deliver the specified Bitcoin to the buyer or OTC desk. Upon blockchain confirmation of delivery, the fiat proceeds are wired to the client’s linked account. Throughout, your team must maintain an immutable audit trail linking each client instruction to each blockchain transaction hash.

• Establish cutoffs for same-day execution, recognising that Bitcoin settles continuously but your fiat banking partners operate on business hours and time zones.
• Define roles clearly. Who can accept a client instruction? Who can approve a trade above a certain size? Who monitors blockchain confirmations? Who handles a failed settlement or a stuck transaction? Write these procedures down before you take the first client order.

Compliance and Monitoring

In Phase One, your compliance obligations are substantial but manageable within your existing framework.

Extend your existing CIP and CDD workflows to capture digital asset-specific risks. At onboarding, clients should declare their intended source of funds and their expected transaction profile. You must screen not only the client but, where possible, the blockchain addresses they intend to use. Integrate a blockchain analytics provider such as Chainalysis, Elliptic, or TRM Labs. These tools allow you to evaluate whether an incoming Bitcoin transfer originated from or transited through high-risk jurisdictions, mixers, sanctioned addresses, or darknet markets.

• Implement transaction monitoring that flags unusual patterns, such as rapid round-trip trading, structuring just below reporting thresholds, or deposits from unscreened self-hosted wallets.
• Prepare for the Travel Rule under FATF Recommendation 16. For transfers above one thousand dollars equivalent, you may need to transmit originator and beneficiary information between financial institutions. In Phase One, your custodian or execution partner may handle much of this technical transmission, but your institution remains responsible for collecting and verifying the required data.
• Maintain a Suspicious Activity Report filing protocol specific to digital assets. Train your surveillance team on the typologies unique to crypto, including peel chains, exchange hopping, and nested services.

Risk Management and Contractual Protections

Even though you do not hold the keys, you are exposed to your custodian and execution counterparties. Institute concentration limits. No single custodian should hold more than a defined percentage of aggregate client Bitcoin assets without board-level exception. Negotiate your custodial agreement to include representations on cold storage percentages, insurance maintenance, notification periods for material changes, and indemnification for negligence or wilful misconduct.

• Require your custodian to provide regular attestation reports, ideally including proof of reserves or independent wallet verification.
• Maintain contractual step-in rights. If the custodian experiences a material operational disruption, you need clarity on how client assets can be transferred to a backup custodian.
• For OTC counterparties, use standard legal frameworks such as ISDA or bespoke digital asset master agreements, and ensure settlement is delivery-versus-payment or at least sequenced to minimise free settlement risk.

Reporting and Client Experience

Your client should not feel that they have been handed off to a crypto startup. Bitcoin holdings should appear on the same statement, in the same aesthetic, and with the same narrative quality as their traditional holdings.

• Provide cost basis tracking, unrealised gain and loss calculations, and tax lot reporting for Bitcoin trades.
• Offer explanatory materials that contextualise Bitcoin’s 24/7 volatility and settlement mechanics relative to the fixed-income and equity holdings they already maintain with you.
• Use this phase to gather data. Which clients trade actively? Which treat Bitcoin as a buy-and-hold position? What is the typical ticket size? This intelligence will inform your infrastructure sizing when you eventually build in-house custody.

When Phase One Is Complete

You will know you are ready to contemplate Phase Two when several conditions are met. You have sustained client flow and revenue that justifies deeper investment. Your operations team has internalised the rhythm of Bitcoin settlement, confirmation monitoring, and blockchain reconciliation. You have identified the limitations of your custodial partners—perhaps withdrawal latency, reporting granularity, or fee structures—that could be improved by direct custody. And critically, your board and risk committee have developed an informed risk appetite for digital assets, grounded in real transaction data rather than theoretical exposure.

Phase One is not merely a stopgap. It is the foundation upon which every subsequent module rests. If you cannot execute, settle, reconcile, and report Bitcoin trades cleanly through a third party, you will not succeed when the keys are yours to protect.