FINMA Guidance 01/2026 on crypto custody: what to tighten now

FINMA's Guidance 01/2026 sets out what it expects from institutions that hold crypto assets. The message is blunt: crypto custody is operationally and legally different, and outsourcing it does not outsource the accountability.

The core principle

FINMA's concern is weak vendor selection, thin key governance and unclear treatment in insolvency. The guidance ties custody to operational-risk competence (cyber resilience, private-key protection, access controls and documented processes) and makes the point that relying on a reputable provider, without your own oversight, is not a control framework.

Foreign custody: the equivalence test

Delegating custody abroad triggers a two-part test. FINMA looks at whether the foreign custodian is under prudential supervision equivalent to Swiss standards, and whether foreign bankruptcy law protects the crypto assets to an equivalent degree — segregability and enforceability if the custodian becomes insolvent. A Swiss institution cannot use a foreign vehicle to step around client-protection rules; a Swiss sponsor of a foreign crypto product stays accountable for the custody principles.

Portfolio managers, funds and structured products

Under the FinIA/FinIO regime, client assets must sit in segregated, supervised safekeeping. Where an arrangement lacks proper supervision or bankruptcy protection, only narrow exceptions apply, and only with clear risk disclosure, information on alternative custodians and the client's written consent. Swiss collective investment schemes keep a baseline custody-bank requirement in Switzerland; any delegation needs the same "equivalent supervision plus equivalent bankruptcy protection" analysis, disclosed in the offering documents. Structured products that post crypto as collateral need legal protection against the custodian's insolvency.

What supervisors will actually check

The guidance reads as a lifecycle. At onboarding: choose the custody model, run due diligence on supervision, licensing scope, technical controls and incident response, and disclose the risk to clients. Day to day: FINMA assesses outcomes, not assurances: access management, dual controls, role separation and reconciliation that proves segregation client by client. At release and exit, where failures tend to surface, documented authority chains, approval thresholds, independent verification and a migration plan if a custodian fails.

Goldblum and Partners advises institutions on digital-asset custody and the wider Swiss regulatory framework: custody-model design, equivalence assessments, outsourcing governance, client documentation and the remediation of legacy arrangements.