How to Audit a Crypto Custody Provider Before You Trust Them

Crypto custody is not just storage; it is a chain of promises. A provider can have slick dashboards and big names on a slide, and still fail where it matters. Your job is to look past marketing and confirm how assets are controlled, protected, and returned. The best time to audit a custodian is before you send them a single satoshi. Here are five practical ways to audit a crypto custody provider before you trust them.

  1. Start with a structured stress test

Use a checklist that forces clear answers. A good starting point is a Bitcoin custody stress test because it pushes on governance, controls, and failure scenarios. Ask who can move funds, under what conditions, and with what approvals. Confirm whether wallets are segregated or pooled. Be sure to also request a plain language map of the custody flow, from deposit to cold storage to withdrawal. If they cannot explain it simply, assume it is messy.

  2. Confirm segregation, wallet design, and withdrawal guardrails

First, get clear on where your coins actually sit. Are your assets held in segregated wallets, or pooled and tracked on a ledger? Ask them to show how they assign addresses, reconcile balances, and prove you are not sharing operational wallets with other clients. 

Then zoom in on movement controls. Walk through a real withdrawal, step by step, from request to broadcast. Look for multisig or threshold approvals, strict whitelisting, velocity limits, cooling-off windows, and an out-of-band confirmation that cannot be bypassed. If they cannot demonstrate these controls with logs, screenshots, and a clean narrative, assume the controls are weaker than the slide deck.
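The walkthrough above names five movement controls. As an added illustration that is not code from the original article or from any custody provider, here is a small policy checker that models how a custodian's approval layer could apply them to a single withdrawal request: destination whitelisting with a cooling-off window for newly added addresses, M-of-N approvals with the requester excluded, a rolling velocity limit, and a mandatory out-of-band confirmation. Policy thresholds, names, addresses and history below are constructed assumptions, not anyone's real settings.

```python
"""Illustrative withdrawal-guardrail checker (added example; all values are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Policy:
    required_approvals: int = 2                      # M in an M-of-N approval scheme (assumed)
    approvers: frozenset = frozenset({"alice", "bob", "carol"})  # N eligible approvers (assumed)
    whitelist_cooling_off: timedelta = timedelta(hours=24)       # new destinations must wait
    velocity_limit_btc: float = 5.0                  # max total outflow per rolling window
    velocity_window: timedelta = timedelta(hours=24)


@dataclass
class Withdrawal:
    requested_by: str
    destination: str
    amount_btc: float
    requested_at: datetime
    approvals: set = field(default_factory=set)      # approver usernames who signed off
    oob_confirmed: bool = False                      # confirmation received on a pre-registered channel


def evaluate_withdrawal(w, policy, whitelist, history):
    """Return the list of violated guardrails; an empty list means the request may proceed.

    whitelist: dict destination -> datetime the address was whitelisted
    history:   list of (datetime, amount_btc) for withdrawals already broadcast
    """
    violations = []

    # 1. Strict whitelisting plus cooling-off for recently added destinations.
    if w.destination not in whitelist:
        violations.append("destination not whitelisted")
    elif w.requested_at - whitelist[w.destination] < policy.whitelist_cooling_off:
        violations.append("destination still inside cooling-off window")

    # 2. Threshold approvals with separation of duties (requester never counts).
    if w.requested_by in w.approvals:
        violations.append("requester cannot approve own withdrawal")
    valid = {a for a in w.approvals if a in policy.approvers and a != w.requested_by}
    if len(valid) < policy.required_approvals:
        violations.append(f"insufficient approvals: {len(valid)}/{policy.required_approvals}")

    # 3. Velocity limit over a rolling window of already-broadcast withdrawals.
    window_start = w.requested_at - policy.velocity_window
    recent_total = sum(amt for ts, amt in history if ts >= window_start)
    if recent_total + w.amount_btc > policy.velocity_limit_btc:
        violations.append(
            f"velocity limit exceeded: {recent_total + w.amount_btc:.2f} > {policy.velocity_limit_btc:.2f} BTC"
        )

    # 4. Out-of-band confirmation that the approval flow cannot skip.
    if not w.oob_confirmed:
        violations.append("missing out-of-band confirmation")

    return violations


# Constructed sample state: one long-standing destination, one added two hours ago.
NOW = datetime(2024, 1, 10, 12, 0)
WHITELIST = {
    "bc1q-treasury-constructed": NOW - timedelta(days=30),
    "bc1q-new-vendor-constructed": NOW - timedelta(hours=2),
}
HISTORY = [(NOW - timedelta(hours=3), 3.0), (NOW - timedelta(days=2), 4.0)]
POLICY = Policy()


def demo():
    """Evaluate one compliant and one non-compliant request against the constructed policy."""
    ok = Withdrawal("dave", "bc1q-treasury-constructed", 1.5, NOW, {"alice", "bob"}, True)
    bad = Withdrawal("dave", "bc1q-new-vendor-constructed", 2.5, NOW, {"dave", "alice"}, False)
    return (
        evaluate_withdrawal(ok, POLICY, WHITELIST, HISTORY),
        evaluate_withdrawal(bad, POLICY, WHITELIST, HISTORY),
    )


if __name__ == "__main__":
    for label, result in zip(("ok", "bad"), demo()):
        print(label, "->", result or "approved")
```

When you ask a provider to walk you through a withdrawal, the useful question is which of these checks is enforced in code that signing cannot bypass, and which is a manual step that an operator can skip under pressure.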

  3. Pressure test governance, people access, and insider risk

Custody failures often look like ‘process mistakes’ until you trace them back to incentives and access. Ask for a role-based access model and a live list of privileged roles. Confirm background checks, separation of duties, and mandatory vacations for key operators. 

Find out how they monitor admin actions, detect unusual behavior, and investigate alerts. Ask what happens when a key employee is compromised. Their answer should include rapid revocation, clean room recovery, and incident playbooks.
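To make "monitor admin actions, detect unusual behavior" concrete, here is an added example (not the article's or any provider's tooling) that reviews a constructed admin audit log against a live privileged-role roster and a revocation list. It raises three kinds of alert: a privileged action by someone without the role it requires, any action by an operator after their access was revoked, and a burst of privileged actions from one actor inside a short window. The log format, roster, revocation times and thresholds are all assumptions.

```python
"""Illustrative admin audit-log review (added example; log lines and roster are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, one privileged action per line.
LOG_LINES = """\
2024-01-10T09:00:05Z actor=alice action=sign target=withdrawal-41
2024-01-10T09:02:10Z actor=bob action=sign target=withdrawal-41
2024-01-10T09:30:00Z actor=carol action=change_whitelist target=bc1q-new-vendor-constructed
2024-01-10T10:15:00Z actor=mallory action=rotate_key target=hot-wallet-1
2024-01-10T11:00:00Z actor=bob action=sign target=withdrawal-42
2024-01-10T11:00:30Z actor=bob action=sign target=withdrawal-43
2024-01-10T11:01:00Z actor=bob action=sign target=withdrawal-44
2024-01-10T11:01:20Z actor=bob action=sign target=withdrawal-45
2024-01-10T14:00:00Z actor=dave action=sign target=withdrawal-46
""".splitlines()

# Assumed "live list of privileged roles" and revocation records.
ROSTER = {"alice": {"signer"}, "bob": {"signer"}, "carol": {"admin"}, "dave": {"signer"}}
REVOKED_AT = {"dave": datetime(2024, 1, 10, 13, 0)}   # dave's access revoked at 13:00
REQUIRED_ROLE = {"sign": "signer", "rotate_key": "admin", "change_whitelist": "admin"}
BURST_LIMIT = 3                                        # more than this many actions ...
BURST_WINDOW = timedelta(minutes=5)                    # ... inside this window is unusual

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def review_log(lines=LOG_LINES, roster=ROSTER, revoked_at=REVOKED_AT,
               required_role=REQUIRED_ROLE, burst_limit=BURST_LIMIT, burst_window=BURST_WINDOW):
    """Return alerts as (rule, actor, timestamp, detail) tuples in log order."""
    alerts = []
    recent = defaultdict(list)          # actor -> timestamps inside the burst window

    for e in (parse_line(l) for l in lines):
        actor, ts = e["actor"], e["ts"]

        # Rule 1: the action needs a role the actor does not hold (unknown actors included).
        needed = required_role.get(e["action"])
        if needed and needed not in roster.get(actor, set()):
            alerts.append(("role_mismatch", actor, ts, f"{e['action']} needs role {needed}"))

        # Rule 2: any action after the actor's access was revoked.
        revoked = revoked_at.get(actor)
        if revoked and ts >= revoked:
            alerts.append(("post_revocation", actor, ts, f"revoked at {revoked.isoformat()}"))

        # Rule 3: too many privileged actions by one actor in a short window.
        recent[actor] = [t for t in recent[actor] + [ts] if ts - t <= burst_window]
        if len(recent[actor]) > burst_limit:
            alerts.append(("burst", actor, ts, f"{len(recent[actor])} actions within {burst_window}"))

    return alerts


if __name__ == "__main__":
    for rule, actor, ts, detail in review_log():
        print(f"{ts.isoformat()} {rule:16} {actor:8} {detail}")
```

The point of asking a custodian for this kind of review is less the rules themselves than whether the roster the rules run against is the same one that actually grants signing access, and how quickly a revocation propagates to it.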

  4. Demand a real audit scope

A SOC report is useful, but only if the scope matches what you are buying. Ask which systems, subsidiaries, and workflows were included. Confirm whether key management, signing operations, and disaster recovery were audited, or if the report mostly covers corporate IT. 

Look for qualified opinions, carve-outs, and user entity controls you must implement. If they refuse to share details under NDA, treat it as a risk signal, not a privacy feature.

  5. Validate recovery, continuity, and the exit path

Ask them to prove they can recover from loss, downtime, or legal disruption. You want documented recovery time objectives, backup methods, and tested restore results. Request evidence of regular drills, including who participates and what failed. Then audit your exit plan. How fast can you move assets out, what approvals are required, and what data do you get back? If portability is unclear, you are accepting lock-in risk.

Endnote

The goal is not to find a perfect provider, but to make tradeoffs visible, then choose the one with controls you can understand and verify. If you cannot get clear answers, reduce exposure and split custody across trusted setups.
