
Client Asset Protection: What the Regulations Actually Require (And What They Don't Say)
The collapse of FTX vaporised $8.7 billion in customer deposits because client assets were never actually protected. MiCA and UK CASS now establish detailed requirements for segregation, reconciliation, consent, and governance. For compliance teams, the work isn't reading the regulations. It's reading them as risk documents: identifying where definitions have expanded, where operational models trigger obligations they weren't designed for, and where the gap between stated compliance and actual protection might surprise you in insolvency.
TL;DR
- FTX's $8.7 billion customer loss wasn't a market failure but a systemic absence of client asset protection - customer fiat deposits flowed directly into Alameda Research accounts from Q1 2021, with no segregation architecture to violate because none was ever built
- MiCA Article 70 prohibits CASPs from using client crypto-assets for their own account under all circumstances, while Article 75 imposes direct liability for losses from cyber-attacks, theft, or operational errors capped at market value at time of occurrence
- UK FCA's CP25/14 adapts the battle-tested Client Assets Sourcebook to crypto custody, requiring safeguarding on trust or custodial basis, daily reconciliation, and a designated CASS Operational Oversight Officer for firms above certain thresholds
- ESMA clarified in July 2025 that standard terms and conditions are insufficient for authorising asset use - explicit, affirmative consent must be obtained through separate mechanisms before client assets can be used for staking or lending
- The insolvency test that matters: if your firm entered bankruptcy proceedings tomorrow, could an administrator determine exactly which assets belong to which client and ensure those assets sit outside your creditors' claims?
The collapse of FTX in November 2022 vaporised approximately $8.7 billion in customer deposits. Not because of market volatility or a bank run, but because client assets were never actually protected. Customer fiat deposits flowed directly into Alameda Research accounts. No segregation existed. No reconciliation would have caught it because the systems were designed to hide it.
Eighteen months later, regulators responded. MiCA entered into force across the EU. The UK FCA published CP25/14, adapting its Client Assets Sourcebook to crypto custody. Singapore, Dubai, and New York strengthened their own frameworks. The message was clear: the era of "trust us, we're holding your coins" is over.
But here's what compliance officers are discovering as they implement these rules: the regulations tell you what to do. They rarely tell you where the definitions have quietly expanded to capture business models regulators may not have explicitly considered.
This analysis unpacks the client asset protection frameworks now in force and the definitional shifts practitioners need to catch before their auditors do.
What Client Asset Protection Actually Means Under MiCA and UK CASS
Client asset protection is not a single rule. It's an interlocking system of requirements designed to ensure that customer funds remain customer property, even when the custodian fails.
Under MiCA Article 70, CASPs holding client crypto-assets must establish "adequate arrangements to safeguard the ownership rights of clients." The regulation explicitly prohibits using client assets for the firm's own account. Article 75 adds operational specifics: mandatory segregation, daily reconciliation, liability for losses, and disclosure requirements.
The UK FCA's CP25/14 (May 2025) takes a different architectural approach. Rather than building new rules, it adapts the existing Client Assets Sourcebook, which has been battle-tested through decades of traditional finance failures, to crypto custody. The result: safeguarding on a trust or custodial basis, daily reconciliations between client entitlements and assets held, and a designated CASS Operational Oversight Officer for firms above a certain size.
Both frameworks permit two custody models. Segregated wallets assign each client their own wallet with unique cryptographic keys, offering maximum transparency, clearer audit trails, but higher operational costs. Omnibus wallets pool multiple clients' assets in shared wallets, requiring robust off-chain record-keeping to maintain individual entitlements. Neither model is inherently safer; what matters is whether ownership rights remain identifiable and legally protected.
The practical test: if your firm entered insolvency proceedings tomorrow, could a bankruptcy administrator determine exactly which assets belong to which client and ensure those assets sit outside your creditors' claims?
Who Bears the Risk, and Who's Now Liable
The liability chain under new regulations has shifted significantly. Understanding who carries what risk is no longer optional.
CASPs and Exchanges face direct liability for client asset losses under MiCA Article 75(8). This includes losses from cyber-attacks, theft, system failures, or operational errors. The liability is capped at the market value of lost assets at the time of occurrence, creating both protection and incentive structures.
Sub-custodians present a more complex picture. When CASPs delegate custody to third parties, the sub-custodian must be authorised under MiCA Article 59 for custody services. But here's the catch: CASPs remain responsible for sub-custodian activities. Due diligence isn't a one-time checkbox. It requires ongoing monitoring of operational controls, key management procedures, and the sub-custodian's own insolvency treatment of client assets.
Clients carry more risk than many realise. Most crypto-assets fall outside traditional compensation schemes. UK customers cannot rely on the Financial Services Compensation Scheme (FSCS) or Financial Ombudsman Service for unregulated tokens. EU investors find MiCA-regulated assets excluded from MiFID II compensation frameworks. The implication: segregation and insolvency remoteness aren't nice-to-haves. They're the primary protection mechanism.
Retail vs Professional distinctions matter. Regulatory frameworks apply stricter safeguards for retail clients: more extensive disclosures, lower risk tolerance assumptions in suitability assessments, tighter marketing standards. Professional clients are presumed to understand product risks and absorb losses, but can opt into retail protections with informed consent.
Why Regulators Moved Now, and What FTX Revealed
The timing isn't coincidental. FTX provided regulators with a case study in everything that can go wrong when client asset protection exists only on paper.
The failures were systematic, not accidental. Customer fiat deposits were directed to Alameda Research bank accounts from the start. No segregation architecture existed to violate because none was ever built. Approximately $8.7 billion in customer assets were deployed for proprietary trading, venture investments, real estate purchases, and political donations. Internal accounting showed inter-company "loans" that were never formalised or disclosed. Alameda held a special "allow negative" privilege on FTX, enabling unlimited borrowing against customer deposits without consent or visibility.
The bankruptcy examiner's report revealed FTX lacked sufficient funds to meet customer liabilities from at least Q1 2021, more than eighteen months before the collapse became public. No reconciliation system would have surfaced this because the shortfall was structural, not operational.
This context explains why new regulations emphasise daily reconciliation across multiple sources, explicit consent mechanisms for any asset use, and independent oversight functions. Regulators aren't just preventing the next FTX. They're preventing the architecture that made FTX possible.
How the Mechanics Actually Work
Implementation details determine whether client asset protection functions or merely exists on compliance checklists.
Segregation operates at three levels
On-chain segregation means client crypto-assets sit in wallets clearly distinguishable on the distributed ledger from the firm's proprietary holdings.
Off-chain segregation requires accurate internal records maintaining individual client entitlements, even in omnibus structures.
Legal segregation, the piece that matters in insolvency, means assets held on trust or under custodial arrangements that place them outside the firm's bankruptcy estate.
Daily reconciliation isn't a single check
Best practice now requires multi-source reconciliation comparing internal client-specific records against on-chain wallet balances, third-party custodian reports, and fiat account balances at credit institutions. Discrepancies must be investigated and remediated promptly. Material shortfalls trigger immediate regulatory reporting.
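The multi-source check described above can be sketched in code. This is an added illustration, not code from the original article or from any regulator; the client ids, custody locations, amounts and the materiality thresholds are constructed assumptions. It shows why a negative client balance must be flagged rather than netted: in the sample data, a simple total-versus-total comparison balances.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

D = Decimal


@dataclass(frozen=True)
class Break:
    kind: str        # negative_entitlement | location_mismatch | shortfall | excess
    asset: str
    where: str       # client id, custody location, or "pool"
    amount: Decimal  # size of the discrepancy, always positive
    reportable: bool = False


def reconcile(entitlements, book_positions, external, materiality):
    """Compare the internal client ledger against independent sources.

    entitlements:   {(client_id, asset): amount} from the internal ledger
    book_positions: {(location, asset): amount} where the firm's books say
                    client assets sit (client wallets, sub-custodians, banks)
    external:       {(location, asset): amount} as reported by the chain,
                    the sub-custodian, or the credit institution
    materiality:    {asset: amount} hypothetical threshold above which a
                    shortfall is flagged for regulatory reporting
    All locations are assumed to be client-designated, not firm accounts.
    """
    breaks = []

    # 1. No client may be negative: in a pooled wallet a negative balance is
    #    funded by every other client. It is flagged and NOT netted off,
    #    because netting would shrink the total owed and hide the gap.
    owed = defaultdict(Decimal)
    for (client, asset), amount in entitlements.items():
        if amount < 0:
            breaks.append(Break("negative_entitlement", asset, client, -amount))
        else:
            owed[asset] += amount

    # 2. Existence: each location the books rely on must be confirmed by its
    #    own external source, and nothing may sit there unrecorded.
    held = defaultdict(Decimal)
    for key in sorted(set(book_positions) | set(external)):
        location, asset = key
        booked = book_positions.get(key, D(0))
        seen = external.get(key, D(0))
        held[asset] += seen
        if booked != seen:
            breaks.append(Break("location_mismatch", asset, location, abs(booked - seen)))

    # 3. Sufficiency: externally confirmed holdings must cover the sum of
    #    client entitlements, asset by asset.
    for asset in sorted(set(owed) | set(held)):
        diff = held[asset] - owed[asset]
        if diff < 0:
            limit = materiality.get(asset, D(0))
            breaks.append(Break("shortfall", asset, "pool", -diff, reportable=-diff >= limit))
        elif diff > 0:
            # Needs investigation: firm assets mixed in, or an unrecorded deposit.
            breaks.append(Break("excess", asset, "pool", diff))
    return breaks


# Constructed sample data (not real accounts or balances).
SAMPLE_ENTITLEMENTS = {
    ("client-001", "BTC"): D("12.5"),
    ("client-002", "BTC"): D("7.5"),
    ("client-003", "BTC"): D("-4.0"),      # an "allow negative" style account
    ("client-001", "EUR"): D("250000.00"),
    ("client-002", "EUR"): D("100000.00"),
}
SAMPLE_BOOKS = {
    ("omnibus-wallet-A", "BTC"): D("10.0"),
    ("subcustodian-X", "BTC"): D("10.0"),
    ("client-money-account-1", "EUR"): D("350000.00"),
}
SAMPLE_EXTERNAL = {
    ("omnibus-wallet-A", "BTC"): D("10.0"),              # on-chain balance
    ("subcustodian-X", "BTC"): D("6.0"),                 # custodian report
    ("client-money-account-1", "EUR"): D("350000.00"),   # bank statement
}
SAMPLE_MATERIALITY = {"BTC": D("1.0"), "EUR": D("1000.00")}


def sample_run():
    return reconcile(SAMPLE_ENTITLEMENTS, SAMPLE_BOOKS, SAMPLE_EXTERNAL, SAMPLE_MATERIALITY)


if __name__ == "__main__":
    for b in sample_run():
        print(b)
```

In the sample, netting all BTC entitlements gives 16.0, which equals the 16.0 BTC confirmed externally, so a total-only check passes while positive client balances of 20.0 BTC are under-covered by 4.0.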
Consent requirements have teeth
ESMA clarified in July 2025 that standard terms and conditions are insufficient for authorising asset use. Explicit, affirmative consent must be obtained through separate mechanisms, such as pop-up confirmation boxes, before client assets can be used for lending, staking, or collateral.
For staking specifically, ESMA confirmed that CASPs cannot stake clients' crypto-assets for their own benefit, even with consent. Article 70(1) prohibits use for the CASP's own account under all circumstances.
Proof of Reserves has emerged as a transparency mechanism
The UK FCA proposed, and leading custodians have adopted, cryptographic proofs demonstrating that custodians hold sufficient on-chain assets to cover client liabilities. These aren't regulatory requirements yet in most jurisdictions, but they're becoming table stakes for institutional credibility.
What the Regulations Don't Explicitly Say
This is where practitioners earn their fees. The regulations establish principles. The definitions contain the expansions that catch business models.
Sub-custody triggers faster than expected. Pre-funding client transactions by transferring assets to third parties constitutes sub-custody under ESMA's interpretation. If your operational model involves moving client assets to exchanges or liquidity providers before executing trades, you may already be subject to sub-custody requirements you haven't implemented.
"Holding means of access" captures more than custody. The UK's approach defines custody broadly around control of cryptographic keys or "means of access." Multi-signature arrangements where your firm holds one of several keys may still constitute custody depending on the specific configuration and your operational role.
Omnibus structures require more than good record-keeping. The regulations permit pooled wallets, but the legal analysis must demonstrate that individual client entitlements survive your insolvency. In common law jurisdictions, this typically requires trust arrangements. In civil law jurisdictions, statutory frameworks may provide presumptions, but may not guarantee protection.
Business continuity planning for crypto differs from traditional finance
Disaster recovery must address secure backup of encrypted private keys across geographically diverse locations, multi-signature configurations with redundant key holders, and procedures for restoring access after key loss, system failure, or cyber-attack. Standard IT disaster recovery frameworks weren't designed for assets where losing a key means losing the asset permanently.
Where These Rules Apply, and Where They Don't
Jurisdictional complexity creates both risk and opportunity.
| Jurisdiction | Framework | Status | Key Features |
|---|---|---|---|
| EU | MiCA | In Force | Passporting across member states; NCAs retain enforcement discretion |
| UK | CP25/14 / CASS | Consultation | Aligned with MiCA principles; specific CASS adaptations |
| Singapore | MAS Licensing | Operational | Benchmark for Asian regulatory clarity |
| United States | Fragmented | Patchwork | SEC, CFTC, OCC, state regulators (NYDFS) assert different jurisdictions |
| Dubai | VARA | Operational | Comprehensive framework; actively courting institutional players |
For firms operating across jurisdictions, the compliance floor is typically MiCA, the most prescriptive framework. But local requirements may add specific obligations, particularly around marketing, disclosure language, and reporting.
When This Becomes Urgent
The implementation timeline creates different pressure points.
Already in force: MiCA's full framework applies now. UK anti-money laundering registration requirements apply now. Singapore and Dubai licensing regimes are operational.
2025-2026: UK FCA finalisation of CP25/14 crypto custody rules. Expect implementation periods of 12-18 months after final rules publish.
Ongoing: ESMA continues issuing Q&A guidance interpreting MiCA provisions. Each clarification potentially narrows operational flexibility or expands compliance obligations.
The Monday morning test: If you hold client crypto-assets today, your segregation, reconciliation, and consent mechanisms should already meet MiCA standards if you serve EU clients, or be explicitly scoped out of EU exposure. If you're waiting for final UK rules before implementing controls, your risk window is open now.
Compared to Traditional Finance
Crypto client asset protection borrows heavily from traditional finance frameworks, but key differences create implementation gaps.
Settlement finality works differently. Traditional finance operates on T+2 settlement with central counterparty clearing. Crypto transactions settle on-chain in minutes or hours, but finality depends on blockchain confirmation depth. Reconciliation systems must account for reorg risk on chains with probabilistic finality.
Self-custody is a real alternative. Unlike securities, where custody is functionally mandatory for most investors, crypto clients can withdraw to self-custody. This creates competitive pressure on custodians but also shifts risk discussions: clients choosing custodial arrangements are making an active decision about who controls their keys.
No central depository exists. Traditional finance benefits from central securities depositories that provide systemic record-keeping. Crypto's decentralised architecture means each custodian must independently verify on-chain holdings, creating both transparency (anyone can verify) and complexity (no authoritative single source of truth for off-chain entitlements).
Insurance markets are immature. Traditional custodians operate within well-developed insurance frameworks. Crypto custody insurance remains expensive, limited in coverage, and subject to exclusions that may surprise firms when they file claims.
What Compliance Teams Should Do Now
The regulations establish requirements. Implementation requires operational decisions.
Audit your custody chain. Map every entity that touches client assets: sub-custodians, liquidity providers, staking validators, exchange counterparties. Determine which relationships trigger custody or sub-custody obligations under applicable frameworks.
Stress-test your insolvency analysis. Work with counsel to confirm that your segregation arrangements actually achieve bankruptcy remoteness in relevant jurisdictions. Trust documentation, custodial agreements, and operational reality must align.
Implement consent mechanisms that work. Standard terms buried in click-through agreements won't satisfy explicit consent requirements. Design user flows that make consent affirmative and documented for each asset use category.
Build reconciliation that catches structural problems, not just operational errors. FTX-style failures won't surface through balance-checking alone. Reconciliation must verify that reported client assets actually exist, are actually segregated, and are actually accessible.
Prepare for regulatory examination. Document your interpretation of ambiguous requirements. When ESMA or the FCA asks why you structured something a particular way, "we thought it was compliant" is weaker than "here's our analysis of Articles X, Y, and Z, and why we concluded this approach meets the regulatory objective."
What We Don't Know Yet
Intellectual honesty requires acknowledging gaps.
Enforcement priorities remain unclear. Regulators have published frameworks but limited enforcement action has occurred under new rules. Which violations will draw attention first? Likely high-profile failures, but the precise supervisory approach remains untested.
Cross-border recognition is unresolved. Will EU regulators accept UK custody arrangements as equivalent? Will Singapore-authorised custodians face additional requirements to serve EU clients? Mutual recognition frameworks are discussed but not finalised.
Proof of Reserves standards lack consensus. Different custodians implement different methodologies. Whether regulatory standardisation emerges, and what it requires, remains open.
DeFi integration creates boundary problems. When client assets interact with decentralised protocols, where does custodian responsibility begin and end? Regulatory guidance has barely touched these questions.
The Bottom Line
Client asset protection has moved from principle to prescription. The frameworks now in force, including MiCA, UK CASS adaptations, and their international equivalents, establish detailed requirements for segregation, reconciliation, consent, and governance that will reshape how crypto custody operates.
For compliance teams, the work isn't reading the regulations. It's reading them as risk documents: identifying where definitions have expanded, where operational models trigger obligations they weren't designed for, and where the gap between stated compliance and actual protection might surprise you in insolvency.
The firms that will thrive in this environment aren't those with the largest legal budgets. They're the ones that treat client asset protection as an operational architecture, not a compliance checklist, and build systems that would actually return client assets in a crisis, not just claim to.
That's what $8.7 billion buys you: regulations that finally mean what they say.
MCMS Brief • Classification: Public • Sector: Digital Assets • Region: Global
References
1. Oxford Academic Capital Markets Law Journal - “Crypto Custody” (January 1, 2024)
2. United States Bankruptcy Court District of Delaware - “FTX Bankruptcy Examiner Report: Failure of Internal Controls” (April 9, 2023)
3. European Banking Authority - “MiCA Article 70: Safeguarding of clients' crypto-assets and funds” (January 1, 2024)
4. European Banking Authority - “MiCA Article 75: Custody and administration of crypto-assets” (January 1, 2024)
5. UK Financial Conduct Authority - “CP25/14: Stablecoin issuance and cryptoasset custody” (May 1, 2025)
6. European Securities and Markets Authority - “ESMA Q&A 2608: Custody and Staking” (July 1, 2025)
7. Financial Stability Board - “Regulation, Supervision and Oversight of Crypto-Asset Activities and Markets” (October 1, 2022)
8. IOSCO - “Policy Recommendations for Crypto and Digital Asset Markets” (January 1, 2023)
9. MIT Sloan School of Management - “Sam Bankman-Fried and FTX” (January 1, 2024)
10. U.S. Securities and Exchange Commission - “SEC Charges Samuel Bankman-Fried with Defrauding Investors” (December 1, 2022)
11. Commodity Futures Trading Commission - “CFTC Charges Sam Bankman-Fried, FTX Trading and Alameda with Fraud” (December 1, 2022)
12. Deloitte UK - “CASS in a Crypto World” (January 1, 2024)
13. KPMG - “No Custody Without CASS?” (January 1, 2025)
14. Clifford Chance - “Custody of Cryptoassets” (June 1, 2023)
15. ISDA - “Navigating Bankruptcy in Digital Asset Markets” (January 1, 2023)
16. Dudkowiak Law - “July ESMA Q&A Session on MiCAR” (July 1, 2025)
17. FCA Handbook - “CASS 1A.3: Responsibility for CASS operational oversight” (January 1, 2025)
18. Tres Finance - “Daily Digital Asset Reconciliation Is No Longer Optional” (January 1, 2025)
19. New York Department of Financial Services - “Crypto Custody Guidance” (February 1, 2023)
20. U.S. Securities and Exchange Commission - “A Model Framework for Crypto Asset Safeguarding” (December 1, 2025)
21. BDO Canada - “Fraud Deconstructed: The Rise and Demise of FTX” (January 1, 2023)
22. KPMG China - “The Collapse of FTX” (November 1, 2022)
SOURCE FILES
Source Files expand the factual layer beneath each MCMS Brief — the verified data, primary reports, and legal records that make the story real.
FTX Collapse and Systemic Client Asset Failures
The FTX bankruptcy examiner's report filed April 9, 2023 documented that FTX lacked sufficient funds to meet customer liabilities from at least Q1 2021, more than eighteen months before the November 2022 collapse. The MIT Sloan case study (Shroff, 2024) documents how the 'allow negative' feature enabled Alameda to borrow unlimited amounts against customer deposits without consent or visibility. The SEC complaint confirms customer fiat deposits were directed to Alameda Research bank accounts from inception, with no segregation architecture built. The approximately $8.7 billion misappropriation included deployment for proprietary trading, venture investments, real estate purchases, and political donations. BDO's fraud analysis and KPMG's collapse report document inter-company 'loans' that were never formalised or disclosed. The CFTC complaint provides evidence of the systematic commingling structure.
MiCA Articles 70 and 75 Client Asset Protection Framework
Zetzsche, Sinnig, and Nikolakopoulou's peer-reviewed analysis in the Capital Markets Law Journal (2024) provides the most comprehensive academic treatment of MiCA's custody framework. Article 70 requires CASPs holding client crypto-assets to establish 'adequate arrangements to safeguard the ownership rights of clients' and explicitly prohibits using client assets for the firm's own account under all circumstances. Article 75 adds operational specifics: mandatory segregation, daily reconciliation, liability for losses from ICT incidents, cyber-attacks, theft, or malfunction. The liability is capped at the market value of lost assets at the time of occurrence, with exemptions only for events not attributable to the CASP (such as inherent issues with permissionless DLT). Sub-custodians must be authorised under MiCA Article 59 for custody services, but CASPs remain responsible for sub-custodian activities. The EBA Interactive Single Rulebook provides authoritative regulatory text.
UK FCA CASS Adaptation to Crypto Custody
UK FCA Consultation Paper CP25/14 published May 2025 takes a fundamentally different architectural approach from MiCA. Rather than building new crypto-specific rules, it adapts the existing Client Assets Sourcebook (CASS), which has been refined through decades of traditional finance failures including Lehman Brothers and MF Global. The result includes safeguarding on a trust or custodial basis ensuring bankruptcy remoteness, daily reconciliations between client entitlements and assets held, and a designated CASS Operational Oversight Officer for firms above certain size thresholds. Deloitte's 'CASS in a Crypto World' analysis examines the practical implications of applying CASS rules designed for securities to crypto-asset custody. KPMG's 'No Custody Without CASS?' guidance addresses the regulatory expectation that crypto custodians will need to comply with CASS-equivalent standards. FCA Handbook CASS 1A.3 details the regulatory framework for operational oversight responsibilities.
ESMA July 2025 Q&A: Consent, Staking, and Sub-Custody Triggers
ESMA Q&A 2067 and 2608 provide critical clarifications that significantly expand MiCA's practical scope. The July 2025 session confirmed that standard terms buried in click-through agreements will not satisfy explicit consent requirements under Article 70. Affirmative consent must be obtained through separate mechanisms (such as pop-up confirmation boxes) before client assets can be used for lending, staking, or collateral. For staking specifically, ESMA confirmed that CASPs cannot stake clients' crypto-assets for their own benefit, even with consent. Article 70(1) prohibits use for the CASP's own account under all circumstances. Critically, ESMA clarified that pre-funding client transactions by transferring assets to third parties (such as exchanges or liquidity providers) constitutes sub-custody, requiring the third party to be authorised under Article 59. Dudkowiak Law's analysis, Aosphere's EU developments roundup, and BSP Luxembourg's regulatory newsletter provide practitioner interpretations of these requirements.
Segregation Levels and Insolvency Protection Mechanisms
The Oxford Academic analysis (Zetzsche et al., 2024) and Clifford Chance's custody briefing detail the three levels of segregation required for robust client asset protection. On-chain segregation means client crypto-assets sit in wallets clearly distinguishable on the distributed ledger from the firm's proprietary holdings. Off-chain segregation requires accurate internal records maintaining individual client entitlements, even in omnibus structures where assets are pooled. Legal segregation, the element that matters in insolvency, means assets held on trust or under custodial arrangements that place them outside the firm's bankruptcy estate. In common law jurisdictions (UK, Singapore, Hong Kong), this typically requires explicit trust arrangements. In civil law jurisdictions, statutory frameworks may provide presumptions but may not guarantee protection. ISDA's analysis of bankruptcy in digital asset markets examines how different custody structures perform under insolvency scenarios, including the FTX example where no legal segregation existed.
Daily Reconciliation as Global Regulatory Standard
Tres Finance's analysis documents how daily digital asset reconciliation has shifted from best practice to regulatory requirement across major jurisdictions. MiCA Article 70 requires CASPs to maintain records that enable identification of client entitlements at any time. UK FCA's CP25/14 adapts CASS reconciliation requirements to crypto custody. Singapore MAS, Japan FSA, and Dubai VARA have all implemented daily reconciliation standards. The critical insight is that reconciliation must be multi-source: comparing internal client-specific records against on-chain wallet balances, third-party custodian reports (for sub-custodied assets), and fiat account balances at credit institutions. The FTX case demonstrates why: balance-checking alone would not have surfaced structural shortfalls where the misappropriation was designed into the system. Reconciliation must verify that reported client assets actually exist, are actually segregated, and are actually accessible.
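The difference between balance-checking and multi-source reconciliation, as an added example that is not taken from any of the cited sources. All account names, locations and figures are constructed, and the negative ledger line is an assumption that echoes the 'allow negative' feature cited in the source index, not a reconstruction of any firm's systems.

```python
from decimal import Decimal

# Constructed sample data for a single asset; names and figures are illustrative.
CLIENT_LEDGER = {  # internal per-client entitlements (off-chain records)
    "client-a": Decimal("40"), "client-b": Decimal("25"),
    "client-c": Decimal("35"), "affiliate-x": Decimal("-60"),
}
# What the firm's own books say is held at each location.
BOOKED = {"on_chain_wallets": Decimal("30"), "sub_custodian": Decimal("10")}
# What independent sources report: chain balance query, custodian statement.
EXTERNAL = {"on_chain_wallets": Decimal("30"), "sub_custodian": Decimal("10")}

def naive_check(ledger, external):
    """Balance-checking alone: net ledger total against total assets held."""
    return sum(ledger.values()) == sum(external.values())

def reconcile(ledger, booked, external):
    """Return a list of reconciliation breaks (an empty list means clean)."""
    breaks = []
    # 1. Internal books against each independent source, location by location.
    for location in sorted(set(booked) | set(external)):
        ours = booked.get(location, Decimal("0"))
        theirs = external.get(location, Decimal("0"))
        if ours != theirs:
            breaks.append(f"source break: {location} booked {ours}, reported {theirs}")
    # 2. An entitlement cannot be negative: a negative line means one account
    #    has drawn on assets that belong to the other clients in the pool.
    for client, amount in sorted(ledger.items()):
        if amount < 0:
            breaks.append(f"negative entitlement: {client} {amount}")
    # 3. Assets must cover gross positive entitlements, not the netted total.
    owed = sum(a for a in ledger.values() if a > 0)
    held = sum(external.values())
    if held < owed:
        breaks.append(f"shortfall: owed {owed}, held {held}, missing {owed - held}")
    return breaks

if __name__ == "__main__":
    print("naive check passes:", naive_check(CLIENT_LEDGER, EXTERNAL))
    for line in reconcile(CLIENT_LEDGER, BOOKED, EXTERNAL):
        print(line)
```

With this data the netted total matches the assets held, so the naive check passes, while the per-client and gross-entitlement checks report the negative line and the shortfall it conceals.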
KEY SOURCE INDEX
- Oxford Academic Capital Markets Law Journal (Zetzsche et al., 2024) — Peer-reviewed academic analysis of MiCA custody framework by Dirk Zetzsche, Julia Sinnig, and Anna Nikolakopoulou covering Articles 70, 75, sub-custody requirements, liability structures, and international standards comparison
- FTX Bankruptcy Examiner Report — Official court-filed report (April 9, 2023) documenting FTX's failure of internal controls, structural shortfalls from Q1 2021, absence of segregation architecture, and systematic misappropriation of $8.7B in customer funds
- European Banking Authority Interactive Single Rulebook — Authoritative regulatory text for MiCA Articles 70 (safeguarding requirements, prohibition on own-account use) and 75 (custody contracts, liability for losses, sub-custody requirements)
- UK FCA CP25/14 — May 2025 consultation paper adapting the Client Assets Sourcebook (CASS) to crypto custody with trust-based safeguarding, daily reconciliation requirements, and CASS Oversight Officer obligations for larger firms
- ESMA Q&A on MiCA (2608) — Official July 2025 interpretations clarifying consent requirements (standard T&Cs insufficient), staking prohibitions (cannot stake for CASP's own benefit), and sub-custody triggers (pre-funding transactions constitutes sub-custody)
- Financial Stability Board Crypto-Asset Framework — G20 coordination body's recommendations on regulation, supervision, and oversight of crypto-asset activities establishing international baseline for client asset protection
- IOSCO Policy Recommendations — International securities regulators' policy recommendations for crypto and digital asset markets addressing custody, segregation, and investor protection standards
- MIT Sloan FTX Case Study (Shroff, 2024) — Academic case study documenting FTX's 'allow negative' feature enabling Alameda's unlimited borrowing against customer deposits, absence of internal controls, and systematic commingling
- SEC Charges Against FTX — Official SEC complaint documenting fraud charges against Samuel Bankman-Fried, including customer fund misappropriation and false statements to investors
- CFTC Complaint Against FTX — Official CFTC fraud charges documenting commingling of customer funds with Alameda Research and the 'allow negative' balance feature enabling unlimited borrowing
- Clifford Chance: Custody of Cryptoassets — Magic Circle law firm analysis of crypto custody structures, trust arrangements, beneficial ownership, and insolvency protection mechanisms across common law and civil law jurisdictions
- ISDA: Navigating Bankruptcy in Digital Asset Markets — International Swaps and Derivatives Association analysis of how different custody structures perform under insolvency scenarios, customer asset protection mechanisms, and legal frameworks
- Deloitte: CASS in a Crypto World — Big 4 analysis of practical implications of applying UK Client Assets Sourcebook rules to crypto custody, including reconciliation requirements and operational oversight
- KPMG: No Custody Without CASS? — Big 4 guidance on regulatory expectations that crypto custodians will need to comply with CASS-equivalent standards under evolving UK framework
Disclaimer: This content is for educational and informational purposes only. It is NOT financial, investment, or legal advice. Cryptocurrency investments carry significant risk. Always consult qualified professionals before making any investment decisions. Make Crypto Make Sense assumes no liability for any financial losses resulting from the use of this information.