FINMA Issues Guidance 01/2026 on Crypto Custody: What Swiss Institutions Need to Tighten Now

FINMA has published Guidance 01/2026, “Custody of crypto-based assets,” setting out how it assesses custody risks and what it expects from supervised institutions offering custody, trading, and related services for crypto-based assets. The message is direct: crypto custody is operationally and legally different, and weak vendor selection, weak key governance, or unclear insolvency treatment will not be tolerated.

FINMA highlights technology-driven risks (DLT, cyber threats, private-key protection) and the legal complexity that comes with third-party and cross-border custody — especially where an insolvency scenario is not cleanly addressed. Institutions remain responsible even when custody is outsourced.

When custody is delegated abroad, FINMA focuses on two questions:

• Is the foreign custodian prudentially supervised to a level equivalent to Switzerland?
• Does the relevant foreign law provide bankruptcy protection for the crypto assets that is equivalent to Swiss law (i.e., segregability and legal enforceability in insolvency)?

If you cannot answer both questions with evidence, you should assume the setup is exposed.

FINMA ties custody to the ability to manage core operational risks: cyber resilience, private-key protection, access controls, and robust processes around “who can move what, when, and how.” “We use a reputable provider” is not a control framework. The institution needs its own oversight, testing, documentation, and escalation path.

FINMA links individual portfolio management custody to the FinIO requirement that client assets be held in safekeeping, segregated per client, with appropriately supervised institutions (or equivalent foreign supervision). Where existing custody arrangements fail one of the two pillars—prudential supervision or bankruptcy protection—FINMA allows a narrow exception, but only if the portfolio manager can prove all of the following:

• clients were clearly informed of the increased custody risk (with special emphasis on insolvency),
• clients were pointed to other suitable custodians in Switzerland and abroad,
• the client gave written consent to continue using (or to retain) the non-suitable custodian.

That is a documentation-heavy standard. Most firms will need to re-paper and re-engineer parts of their model.

FINMA is explicit that Swiss client protection rules cannot be circumvented via foreign products or structures. If a Swiss institution sponsors or manages a foreign vehicle investing in crypto-based assets and places it into client portfolios, the Swiss institution remains accountable for custody principles and investor protection.

From onboarding to exit: where FINMA will look for evidence

This stage sets the risk profile.

• Custody model selection: in-house vs. third-party; Swiss vs. cross-border; single custodian vs. sub-custody chains
• Vendor due diligence: supervision status, licensing scope, technical controls, incident response, sub-custodian governance, governing law, insolvency segregation and enforceability
• Contracting: segregation mechanics, audit and information rights, incident notification, exit and migration rights, contingency planning
• Client disclosures: risk factors aligned with the actual setup; written consent where exceptions apply

Supervisors will assess outcomes, not assurances.

• Key governance: access management, dual controls, role separation, change management
• Reconciliation and segregation: ability to evidence client-by-client segregation and align internal records with on-chain data
• Ongoing monitoring: periodic reassessment of equivalence and operational resilience, especially in cross-border setups

This is where failures most often occur.

• Authority and authentication: documented chains of authority and robust instruction handling
• Operational discipline: approval thresholds, independent checks, escalation rules
• Exit readiness: practical migration playbooks for custodian failure, stress scenarios, or client self-custody

Goldblum and Partners advises banks, securities firms, portfolio managers, fund managers, fintechs, and infrastructure providers on Swiss and cross-border financial regulation, including digital assets.
We support clients with:

• custody model design and remediation,
• foreign custodian equivalency assessments,
• outsourcing governance,
• client documentation,
• fund and product structuring,
• remediation of legacy custody arrangements.

Whether you are launching a custody offering, reviewing an outsourcing chain, or re-papering existing client setups, Goldblum and Partners is ready to assist.

With more than 15 years of financial regulatory experience across crypto and blockchain matters, and offices in Zurich and Zug, we engage quickly and pragmatically.

For more information about our services, the current legislation or to discuss the particular case, please contact: