
Custodial Treasury Security: Inventory & Controls Framework

Treasury Ops | Operations | Risk Management

Authored by: Dickson Wu (SEAL)

Reviewed by: relotnek (Filecoin Foundation)

Proper documentation and classification of custodial accounts is essential for institutional treasury security. This guide covers the security assessment, classification, and control frameworks for crypto assets held with third-party custodians.

Classification Process

Use this dual classification to determine appropriate security controls for each custodial account.

Step 1: Impact Assessment

Evaluate the consequences if this account is compromised or unavailable.

Financial Impact

Calculate the total value at risk in this account:

  • Current market value of all assets held
  • Include value of any active positions (e.g., staked assets, DeFi deposits)
  • What is the financial impact if unavailable for 7 days?

Operational Impact

Assess the consequences if this account becomes unavailable:

  • What specific operations require this account?
  • Do you have a secondary custody account that can handle these operations?
  • What is the reputational impact if this account is compromised or unavailable?

Regulatory Impact

Evaluate regulatory and compliance consequences:

  • Are assets in this account subject to regulatory reporting requirements (SEC filings, audit requirements)?
  • Does this account hold regulated assets (e.g., stablecoins subject to reserves reporting)?
  • What are the regulatory deadlines that could be missed if this account is unavailable?

Impact Classification

Level    | Financial Exposure (% of Total Assets) | Operational Dependency                       | Regulatory Impact
---------|----------------------------------------|----------------------------------------------|------------------------------------------------------
Low      | <1%                                    | No critical operations depend on it          | No regulatory reporting tied to this account
Medium   | 1% - 10%                               | Important but alternative funding available  | Periodic reporting; delays manageable
High     | 10% - 25%                              | Critical operations, limited alternatives    | Regular regulatory filings; delays cause violations
Critical | >25%                                   | Business-critical, no alternatives for weeks | Real-time reporting requirements; SEC filings; audit

Step 2: Operational Assessment

Evaluate how frequently and urgently this account must be accessed.

Transaction Frequency

Document typical transaction patterns:

  • Transactions per month
  • Typical transaction sizes
  • Predictability of transaction timing

Access Urgency

Define response time requirements:

  • What is the maximum acceptable delay for routine transactions?
  • Are there scenarios requiring same-day execution?
  • What are the consequences of 24-hour, 72-hour, or 7-day delays?

Coordination Requirements

Assess how transactions are executed:

  • How many approvers are needed for typical transactions?
  • Are transactions handled manually or through automated systems?
  • Do approvers need to coordinate across timezones?

Note: Single-approver configurations should only be used for low-value operational accounts (<0.1% of total assets), and only with additional compensating controls such as strict spending limits and daily reconciliation.

Operational Classification

Type              | Frequency     | Response Window | Example Use Cases
------------------|---------------|-----------------|----------------------------------------------------
Cold Vault        | <5 tx/month   | 48-72 hours     | Long-term reserves, infrequent rebalancing
Warm Storage      | 5-50 tx/month | 4-24 hours      | Scheduled payments, planned operations
Active Operations | >50 tx/month  | <4 hours        | Trading capital, frequent operational expenses
Time-Critical     | Unpredictable | <2 hours        | Collateral management, market-sensitive operations

Step 3: Security Control Matrix

Combine impact and operational assessments to determine required controls.

Use Case                      | Impact      | Operational   | Approvers | MFA Requirement    | Whitelist Delay | Additional Controls
------------------------------|-------------|---------------|-----------|--------------------|-----------------|---------------------------------------------
Primary Reserve (>25% assets) | Critical    | Cold Vault    | 5-7       | Hardware mandatory | 72 hours        | Geographic distribution, MPC recommended
Secondary Reserve (10-25%)    | Critical    | Cold Vault    | 4-5       | Hardware mandatory | 48 hours        | Geographic distribution, MPC recommended
Active Treasury (5-10%)       | High        | Warm Storage  | 3-4       | Hardware mandatory | 24 hours        | Daily reconciliation, velocity limits
Trading Capital (variable)    | High        | Active Ops    | 3         | Hardware mandatory | None            | Real-time monitoring, simulation required
DeFi Positions                | Medium-High | Warm Storage  | 3         | Hardware mandatory | 24 hours        | Contract whitelist, position monitoring
Liquidation Protection        | Medium-High | Time-Critical | 2         | Hardware required  | None            | Pre-approved destinations, automated alerts
Operational Wallet            | Medium      | Active Ops    | 2         | Hardware required  | 12 hours        | Daily caps, weekly audit
Payments                      | Low         | Active Ops    | 2         | Standard TOTP      | 6 hours         | Per-tx cap, monthly aggregate limit
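
As an added example (not code from the SEAL guide), the following Python encodes the Step 1 impact table, the Step 2 operational table and the Step 3 control matrix so that an account's configured settings can be compared with its required row. The rule for combining the three impact dimensions, the tie-break between frequency and response window, and the use-case keys are assumptions made here.

```python
from dataclasses import dataclass

IMPACT_LEVELS = ["Low", "Medium", "High", "Critical"]

def impact_from_exposure(exposure_pct: float) -> str:
    """Impact level from financial exposure (% of total assets), per the Step 1 table."""
    if exposure_pct < 1:
        return "Low"
    if exposure_pct <= 10:
        return "Medium"
    if exposure_pct <= 25:
        return "High"
    return "Critical"

def combine_impact(*levels: str) -> str:
    """Assumption: the worst of the financial, operational and regulatory levels wins."""
    return max(levels, key=IMPACT_LEVELS.index)

def operational_type(tx_per_month: int, max_delay_hours=None) -> str:
    """Step 2 table; None = unpredictable timing. Assumption: the tighter response window wins."""
    if max_delay_hours is None or max_delay_hours < 2:
        return "Time-Critical"
    if tx_per_month < 5 and max_delay_hours >= 48:
        return "Cold Vault"
    if tx_per_month <= 50 and max_delay_hours >= 4:
        return "Warm Storage"
    return "Active Operations"

@dataclass(frozen=True)
class Controls:
    impact: str
    operational: str
    min_approvers: int
    mfa: str                    # "Hardware" or "TOTP"
    whitelist_delay_hours: int  # 0 means no delay

# Rows of the Step 3 Security Control Matrix; approver ranges reduced to their minimum.
CONTROL_MATRIX = {
    "Primary Reserve": Controls("Critical", "Cold Vault", 5, "Hardware", 72),
    "Secondary Reserve": Controls("Critical", "Cold Vault", 4, "Hardware", 48),
    "Active Treasury": Controls("High", "Warm Storage", 3, "Hardware", 24),
    "Trading Capital": Controls("High", "Active Operations", 3, "Hardware", 0),
    "DeFi Positions": Controls("Medium-High", "Warm Storage", 3, "Hardware", 24),
    "Liquidation Protection": Controls("Medium-High", "Time-Critical", 2, "Hardware", 0),
    "Operational Wallet": Controls("Medium", "Active Operations", 2, "Hardware", 12),
    "Payments": Controls("Low", "Active Operations", 2, "TOTP", 6),
}

def deviations(use_case: str, approvers: int, mfa: str, whitelist_delay_hours: int) -> list:
    """Gaps between an account's actual settings and its matrix row (feeds the ATTESTATION line)."""
    req = CONTROL_MATRIX[use_case]
    gaps = []
    if approvers < req.min_approvers:
        gaps.append(f"approvers {approvers} < {req.min_approvers}")
    if req.mfa == "Hardware" and mfa != "Hardware":
        gaps.append(f"MFA is {mfa}, hardware keys required")
    if whitelist_delay_hours < req.whitelist_delay_hours:
        gaps.append(f"whitelist delay {whitelist_delay_hours}h < {req.whitelist_delay_hours}h")
    return gaps
```

An empty list from deviations() corresponds to "meets security standards" in the registration template; a non-empty list is the gap to explain alongside compensating controls.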

Step 4: Enhanced Controls for High-Risk Accounts

For Critical and High impact accounts, implement additional security layers beyond the baseline controls.

Transaction Verification

  • Test transactions: Send a small test transaction (maximum $100) to any new address before executing the full transaction
  • Multi-channel confirmation: Request via one channel, approve via separate channel
  • Simulation requirement: All transactions must be simulated before execution
  • Address verification: Verify new addresses against three independent sources

For DeFi interactions: refer to the DeFi Risk Assessment Guide for recommended procedures.

Access Security

  • Hardware security keys (FIDO2/WebAuthn) mandatory for all approvers
    • Secure fallback: Each approver must register minimum 2 hardware keys stored in separate secure locations
    • Key loss procedure: Temporary access via backup key + additional approver verification via multiple channels + mandatory key replacement within 48 hours
  • IP whitelisting with 24-hour change approval delay
  • Device fingerprinting with new device approval process
  • Session timeout and re-authentication for sensitive operations
  • Dedicated credentials: Use separate email addresses and passwords exclusively for custody access, not shared with other corporate systems

Device Security

  • Dedicated secure workstations for custody access only
  • Network isolation on separate VLAN/segment
  • VPN mandatory for all platform access
  • Full disk encryption with automatic screen lock
  • MDM-enforced security baseline with remote wipe capability

MPC for Large Holdings

For organizations holding more than 10% of total assets or more than $10M equivalent in a single custodial account, consider using MPC:

  • Evaluate MPC (Multi-Party Computation) custody solutions that distribute key material across multiple parties
  • Consider threshold signature schemes (e.g., 3-of-5 or 5-of-9) where no single party controls sufficient key shares
  • Implement geographic distribution of key share holders across multiple jurisdictions
  • Establish clear key refresh and rotation procedures
  • Document recovery procedures and test annually

Zero Trust Architecture Alternative

A Zero Trust architecture involves continuous verification of user, device, and context, rather than reliance on a single perimeter or network location. Centralizing access through a secure environment (such as a bastion host or isolated cloud workspace) can support Zero Trust principles when combined with strong identity and device posture enforcement.

  • Bastion Host Approach: Deploy a hardened jump server that acts as the sole gateway to custody platforms.
    • All custody sessions route through the bastion with full session recording
    • Bastion enforces MFA, device posture checks, and approved software versions
    • No direct custody access from employee devices
    • Centralized patch management and security configuration
  • Cloud Workspace Isolation: Use browser-isolated or virtual workspace environments (e.g., Citrix, AWS WorkSpaces, Azure Virtual Desktop).
    • Custody access occurs only within a controlled virtual environment
    • Copy/paste and download restrictions prevent data exfiltration
    • Session timeout and automatic workspace destruction after use
    • Significantly reduces risk from compromised employee devices

Security Monitoring & Logging

For Critical and High impact accounts, implement centralized security monitoring:

  • SIEM Deployment: Deploy SIEM to centralize logs from custody platforms, authentication systems, and access devices. Create real-time correlation rules for suspicious patterns (failed authentication, geographic anomalies, policy changes).

  • Internal Incident Response: Build dedicated incident response capability for custody-related security events. Define clear escalation procedures, maintain 24/7 on-call rotation for Critical accounts, and establish playbooks for custody compromise scenarios.

  • Essential Log Sources: Authentication events, transaction attempts, policy modifications, access changes, whitelist updates, IP address changes, new device enrollments, and approval workflows.

For Medium and Low impact accounts, rely on the custodian's native audit logs, with weekly manual review and automated alerting for critical events (new device enrollment, policy changes, transactions above threshold).
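
As an added example (not code from the SEAL guide or any custody platform), the Python below applies three of the correlation rules listed above, failed-authentication bursts, logins from a new geographic location and policy changes, plus the large-transaction alert, to a constructed JSON-lines log, and tags each alert with the routing from the Security Configuration Template. The log format, field names, users and threshold values are all made up here.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (JSON lines) from a fictional custody platform.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "event": "login", "result": "fail", "country": "US"}
{"ts": "2024-05-01T09:01:00Z", "user": "alice", "event": "login", "result": "fail", "country": "US"}
{"ts": "2024-05-01T09:02:00Z", "user": "alice", "event": "login", "result": "fail", "country": "US"}
{"ts": "2024-05-01T09:05:00Z", "user": "alice", "event": "login", "result": "ok", "country": "US"}
{"ts": "2024-05-01T09:30:00Z", "user": "bob", "event": "login", "result": "ok", "country": "US"}
{"ts": "2024-05-01T09:40:00Z", "user": "bob", "event": "policy_change", "detail": "whitelist delay 24h -> 0h"}
{"ts": "2024-05-01T10:00:00Z", "user": "bob", "event": "login", "result": "ok", "country": "RO"}
{"ts": "2024-05-01T10:05:00Z", "user": "carol", "event": "tx_attempt", "usd": 2500000}
"""

FAILED_AUTH_LIMIT = 3                  # the template's "(>X)" failed attempts; X chosen here
FAILED_AUTH_WINDOW = timedelta(minutes=10)
LARGE_TX_USD = 1_000_000               # the template's ">$XXX,XXX"; value chosen here
ROUTING = {"Critical": "SMS + Call, <15 min", "High": "SMS + Email, <1 hour"}

def correlate(log_text: str) -> list:
    """Apply the rules to log lines in order; returns (severity, routing, message) tuples."""
    known_countries = defaultdict(set)   # per-user baseline learned from successful logins
    failures = defaultdict(deque)        # per-user timestamps of recent failed logins
    alerts = []

    def raise_alert(sev, msg):
        alerts.append((sev, ROUTING[sev], msg))

    for line in log_text.splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        user = ev["user"]
        if ev["event"] == "login" and ev["result"] == "fail":
            q = failures[user]
            q.append(ts)
            while ts - q[0] > FAILED_AUTH_WINDOW:   # drop attempts outside the window
                q.popleft()
            if len(q) >= FAILED_AUTH_LIMIT:
                raise_alert("High", f"{user}: {len(q)} failed logins within 10 minutes")
                q.clear()
        elif ev["event"] == "login":
            if known_countries[user] and ev["country"] not in known_countries[user]:
                raise_alert("High", f"{user}: login from new country {ev['country']}")
            known_countries[user].add(ev["country"])
        elif ev["event"] == "policy_change":
            raise_alert("Critical", f"{user}: policy change: {ev['detail']}")
        elif ev["event"] == "tx_attempt" and ev["usd"] > LARGE_TX_USD:
            raise_alert("Critical", f"{user}: transaction ${ev['usd']:,} above threshold")
    return alerts
```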


Documentation Templates

Registration Template

Use this template when initially documenting a custodial account.

CUSTODIAL ACCOUNT REGISTRATION
 
Account Name: [Descriptive name]
Custodian: [Provider name and legal entity]
Account ID: [Custodian reference number]
Network(s): [Bitcoin, Ethereum, etc.]
Registration Date: YYYY-MM-DD
Registered By: [Name]
 
CLASSIFICATION
Impact Level: [Low / Medium / High / Critical]
Operational Type: [Cold Vault / Warm Storage / Active Operations / Time-Critical]
 
Justification:
- Financial exposure: $XXX,XXX,XXX
- Operational dependency: [Description]
- Recovery time objective: [X hours/days]
 
ASSETS CONTROLLED
Asset   | Network  | Value     | Purpose
--------|----------|-----------|------------------------------
BTC     | Bitcoin  | $XXX,XXX  | [Reserve/Trading/Operations]
ETH     | Ethereum | $XXX,XXX  | [Reserve/Trading/Operations]
USDC    | Ethereum | $XXX,XXX  | [Reserve/Trading/Operations]
 
CUSTODY MODEL
Type: [Qualified Custodian / Co-managed / MPC Platform]
Key Management: [MPC 3-of-5 / Multi-sig 2-of-3 / HSM]
Key Control: [Custodian only / Co-managed / Client-controlled]
Recovery Capability: [Yes - describe / No]
 
INITIAL ACCESS SETUP
Primary Administrator: [Name, added YYYY-MM-DD]
Initial Approvers: [Names, added YYYY-MM-DD]
 
Note: Complete access details documented in Access Change Template
Note: Security configuration documented in Security Configuration Template
 
ATTESTATION
This account [meets / deviates from] security standards for its classification.
 
[If deviation: Explain gap and compensating controls]
 
CONTACTS
Security Owner: [Name, email, phone]
Backup Contact: [Name, email, phone]
Custodian Support: [Name, email, phone]
 
Last Updated: YYYY-MM-DD
Updated By: [Name]

Access Change Template

Use this template when modifying user access to a custodial account.

CUSTODIAL ACCOUNT ACCESS CHANGE
 
Account Name: [Name]
Custodian: [Provider]
Account ID: [Reference]
Change Date: YYYY-MM-DD
Changed By: [Name]
 
ACCESS MODIFICATIONS
 
Additions:
Name/Role | Access Level | MFA Method     | Justification
----------|--------------|----------------|------------------------------
[Name]    | [Approver]   | [Hardware key] | [Reason for addition]
 
Removals:
Name/Role | Access Level | Removal Reason
----------|--------------|-------------------------------
[Name]    | [Approver]   | [Personnel change / Security / Other]
 
Permission Changes:
Name/Role | Old Level   | New Level  | Justification
----------|-------------|------------|---------------------------
[Name]    | [Initiator] | [Approver] | [Reason for elevation]
 
CURRENT ACCESS LIST (after changes)
Name/Role | Level     | MFA Method    | Device ID
----------|-----------|---------------|---------
[Name]    | Admin     | Hardware key  | [ID]
[Name]    | Approver  | Hardware key  | [ID]
[Name]    | Approver  | Hardware key  | [ID]
[Name]    | Initiator | TOTP          | [ID]
 
VERIFICATION
[ ] All removed users confirmed deactivated in custodian platform
[ ] All new users completed MFA setup
[ ] Access permissions tested and verified
[ ] Emergency contacts updated
[ ] Documentation updated in [location]
 
APPROVALS
Requested By: _________________ Date: _______
Approved By: _________________ Date: _______
Security Review: _________________ Date: _______
 
Change Ticket: [Reference number if applicable]

Security Configuration Template

Use this template to document detailed security settings. Complete this after initial account registration.

CUSTODIAL ACCOUNT SECURITY CONFIGURATION
 
Account: [Name]
Custodian: [Provider]
Last Configuration Update: YYYY-MM-DD
Configured By: [Name]
 
AUTHENTICATION SETTINGS
 
Multi-Factor Authentication:
Role          | Primary Method           | Backup Method      | Enrollment Status
--------------|--------------------------|--------------------|------------------
Administrator | Hardware key + biometric | Hardware key + PIN | [Active]
Approver      | Hardware key             | TOTP + SMS         | [Active]
Initiator     | Hardware key or TOTP     | SMS                | [Active]
Viewer        | TOTP                     | SMS                | [Active]
 
Session Controls:
- Timeout: [X minutes]
- Re-auth required for: [High-value transactions, policy changes, user management]
- Concurrent sessions: [Allowed/Blocked]
 
ACCESS CONTROL
 
Current User List:
Name/Role | Level    | MFA Method   | Device ID | Added Date
----------|----------|--------------|-----------|-----------
[Name]    | Admin    | Hardware key | [ID]      | YYYY-MM-DD
[Name]    | Approver | Hardware key | [ID]      | YYYY-MM-DD
[Name]    | Approver | Hardware key | [ID]      | YYYY-MM-DD
 
Note: Track all access changes using Access Change Template
 
Approval Thresholds:
Transaction Value (% of Total Assets) | Required Approvers | Time Delay | Additional Requirements
--------------------------------------|--------------------|------------|---------------------------------------------
<0.1%                                 | 1                  | None       | MFA
0.1% - 1%                             | 3                  | 4 hours    | MFA
1% - 10%                              | 4                  | 24 hours   | Multi-channel confirmation, test transaction
10% - 25%                             | 5                  | 24 hours   | Multi-channel confirmation, test transaction
>25%                                  | 7                  | 48 hours   | Multi-channel confirmation, test transaction
 
Separation of Duties:
[ ] Initiators cannot approve own transactions
[ ] Admins cannot unilaterally execute withdrawals
[ ] Minimum [X] unique approvers required
 
NETWORK RESTRICTIONS
 
IP Whitelist:
XXX.XXX.XXX.XXX - [Office Location]
XXX.XXX.XXX.XXX - [VPN Range]
XXX.XXX.XXX.XXX - [Backup Location]
 
Change Approval: [24 hour delay / XX approvers required]
Emergency Override: [Process description]
 
VPN Requirement: [Mandatory / Optional]
Geographic Restrictions: [Blocked countries/regions]
Device Fingerprinting: [Enabled / Disabled]
 
TRANSACTION POLICIES
 
Address Whitelisting:
Status: [Enabled / Disabled]
Current Addresses: [XX addresses]
Addition Process: [XX approvers, YY hour delay]
Review Schedule: [Monthly / Quarterly]
 
Transaction Limits:
Limit Type         | Amount   | Override Process
-------------------|----------|-------------------------
Single Transaction | $XXX,XXX | [Authorization required]
Hourly Aggregate   | $XXX,XXX | [Authorization required]
Daily Aggregate    | $XXX,XXX | [Authorization required]
Weekly Aggregate   | $XXX,XXX | [Authorization required]
Monthly Aggregate  | $XXX,XXX | [Authorization required]
 
Time-Lock Settings:
Change Type                          | Delay Period
-------------------------------------|-------------
New address addition                 | XX hours
Policy modification                  | XX hours
High-value transaction (>$XXX,XXX)   | XX hours
 
MONITORING & ALERTS
 
Real-Time Alerts:
Type                                | Enabled
------------------------------------|--------
All outgoing transactions           | [ ]
New device login                    | [ ]
Failed authentication attempts (>X) | [ ]
Policy violations                   | [ ]
Large transactions (>$XXX,XXX)      | [ ]
Unusual access times                | [ ]
New geographic location             | [ ]
 
Alert Routing:
Severity | Contact       | Method      | Response Time
---------|---------------|-------------|--------------
Critical | [Name, phone] | SMS + Call  | <15 min
High     | [Name, phone] | SMS + Email | <1 hour
Medium   | [Name, email] | Email       | <4 hours
 
VERIFICATION
[ ] All settings tested and operational
[ ] Alert routing verified
[ ] User access confirmed
[ ] Documentation stored in [location]
 
Configured By: _________________ Date: _______
Reviewed By: _________________ Date: _______
Approved By: _________________ Date: _______
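
As an added example (not code from the SEAL guide), the Python below turns the Approval Thresholds and Separation of Duties rows of this template into a release check for a single withdrawal request: required approver count and time delay by transaction value, the initiator excluded from the quorum, duplicate approvals counted once, and the multi-channel confirmation and test transaction steps required above 1%. The Request fields and the names used in the checks are constructed here.

```python
from dataclasses import dataclass, field

# Approval Thresholds rows as printed in the template:
# (upper bound of value as % of total assets, approvers, delay hours, extra steps).
THRESHOLDS = [
    (1.0, 3, 4, set()),
    (10.0, 4, 24, {"multi_channel", "test_tx"}),
    (25.0, 5, 24, {"multi_channel", "test_tx"}),
    (float("inf"), 7, 48, {"multi_channel", "test_tx"}),
]

def policy_for(value_pct: float):
    """Required (approvers, delay_hours, extra_steps) for a transaction of this value."""
    if value_pct < 0.1:            # "<0.1%" row: one approver, MFA only
        return 1, 0, set()
    for limit, approvers, delay, extra in THRESHOLDS:
        if value_pct <= limit:
            return approvers, delay, extra
    raise ValueError("unreachable: the last row covers every value")

@dataclass
class Request:
    value_pct: float             # transaction value as % of total assets
    initiator: str
    approvers: list              # approver names recorded by the custody platform
    hours_since_request: float
    completed: set = field(default_factory=set)  # e.g. {"multi_channel", "test_tx"}

def check_request(req: Request) -> list:
    """Threshold and separation-of-duties checks; an empty list means release is allowed."""
    needed, delay, extra = policy_for(req.value_pct)
    problems = []
    unique = set(req.approvers)              # the same person approving twice counts once
    if req.initiator in unique:
        problems.append("initiator approved own transaction")
        unique.discard(req.initiator)        # self-approval never counts toward the quorum
    if len(unique) < needed:
        problems.append(f"{len(unique)} unique approvers, {needed} required")
    if req.hours_since_request < delay:
        problems.append(f"time delay {delay}h not elapsed")
    for step in sorted(extra - req.completed):
        problems.append(f"missing {step}")
    return problems
```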

Quarterly Review Template

Use this template for regular security reviews of custodial accounts.

CUSTODIAL ACCOUNT QUARTERLY REVIEW
 
Account: [Name]
Custodian: [Provider]
Review Period: [Q1/Q2/Q3/Q4 YYYY]
Review Date: YYYY-MM-DD
Reviewed By: [Name]
 
ACCESS AUDIT
 
Current Users:
Name/Role | Level    | Last Login      | MFA Status | Action Required
----------|----------|-----------------|------------|----------------
[Name]    | Admin    | YYYY-MM-DD      | Active     | None
[Name]    | Approver | YYYY-MM-DD      | Active     | None
[Name]    | Approver | Never logged in | Inactive   | Remove access
 
Access Changes This Quarter: [X additions, Y removals, Z modifications]
 
Findings:
[ ] All users still require current access level
[ ] No dormant accounts (>90 days inactive)
[ ] MFA functioning for all users
[ ] No unauthorized access detected
 
Actions Required:
- [List any access to be removed/modified]
- [List any policy updates needed]
 
TRANSACTION REVIEW
 
Transaction Volume:
- Total transactions: [X]
- Average per month: [Y]
- Largest transaction: $XXX,XXX
- Total outflow: $XXX,XXX
 
Pattern Analysis:
[ ] Transactions within expected parameters
[ ] No unusual transaction patterns detected
[ ] All large transactions properly authorized
[ ] Test transactions performed correctly
 
Anomalies Detected:
- [List any unusual activity or violations]
 
SECURITY CONFIGURATION
 
Whitelist Review:
- Current addresses: [X]
- Addresses added this quarter: [Y]
- Addresses to remove: [Z]
- Review complete: [Yes/No]
 
Spending Limits:
Current Limit     | Actual Usage  | Status
------------------|---------------|-----------------------
Single: $XXX,XXX  | Max: $XXX,XXX | [Appropriate / Adjust]
Daily: $XXX,XXX   | Avg: $XXX,XXX | [Appropriate / Adjust]
Monthly: $XXX,XXX | Avg: $XXX,XXX | [Appropriate / Adjust]
 
Findings:
[ ] Limits appropriate for current usage
[ ] No limit breaches this quarter
[ ] IP whitelist current and accurate
[ ] Time-locks functioning properly
 
ALERT EFFECTIVENESS
 
Alerts This Quarter:
Type     | Count | False Positive Rate
---------|-------|--------------------
Critical | [X]   | [Y%]
High     | [X]   | [Y%]
Medium   | [X]   | [Y%]
 
Response Times:
Severity | Target   | Actual Average | Status
---------|----------|----------------|-------------
Critical | <15 min  | [X min]        | [Met/Missed]
High     | <1 hour  | [X min]        | [Met/Missed]
Medium   | <4 hours | [X hours]      | [Met/Missed]
 
Findings:
[ ] Alert routing working correctly
[ ] Response times meeting SLAs
[ ] No missed critical alerts
 
Actions Required:
- [Adjust alert thresholds if needed]
- [Update contact information]
 
CUSTODIAN RELATIONSHIP
 
SOC Reports: [Current / Expired - date]
Security Incidents: [Any custodian-wide incidents this quarter]
Service Quality: [Any issues or concerns]
Communication: [Regular contact maintained]
 
RISK ASSESSMENT UPDATE
 
Classification Review:
Current: [Impact Level / Operational Type]
Still Appropriate: [Yes / No]
 
If No, Recommended Change:
New Classification: [Level / Type]
Justification: [Explain change in risk profile]
 
Asset Value Change: [% increase/decrease]
Operational Change: [Any significant changes in usage]
 
RECOMMENDATIONS
 
Security Improvements:
1. [Recommendation]
2. [Recommendation]
3. [Recommendation]
 
Operational Improvements:
1. [Recommendation]
2. [Recommendation]
 
ATTESTATION
 
This account [continues to meet / deviates from] security standards.
 
[If deviation: Describe and provide remediation plan]
 
APPROVALS
 
Reviewer: _________________ Date: _______
Security Officer: _________________ Date: _______
Treasury Lead: _________________ Date: _______
 
Next Review Due: YYYY-MM-DD