Banks, Custody, and the Tokenization Hangover: What Really Matters Now
I used to bet on flashy token platforms and promise-laden white papers. I was wrong more often than I admit at conferences. After reading the regulations, watching banks quietly rework operations, and sitting through more audits than I care to mention, three plain facts stand out: many banks prefer physical custody when possible, the digital promise is showing fatigue, and verifiable inventory has become the single most valuable commodity. This is not a marketing memo. It is a practitioner's reality check.
3 Key Factors When Choosing an Asset Custody Model
Pick any custody debate and it comes down to three things that actually move risk, capital, and client confidence. Ignore them at your peril.

- Regulatory fit and capital impact - Does the model trigger additional capital charges, reporting duties, or new licensing needs? Key rules include Regulation (EU) No 575/2013 (CRR) for prudential treatment, Regulation (EU) No 909/2014 (CSDR) for settlement and safekeeping obligations where applicable, and the Markets in Crypto-Assets Regulation (MiCA), Regulation (EU) 2023/1114, which sets minimum requirements for crypto-asset service providers, including custody. The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, imposes ICT resilience obligations that affect custody technology choices.
- Verifiability and auditability of inventory - Can auditors and clients independently confirm holdings without fragile promises? On-chain proofs have limits; physical audits, tamper-evident vaulting, independent reconciliations, and chain-of-custody records matter. Anti-money laundering requirements such as Directive (EU) 2018/843 (AMLD5) inject identity and reporting obligations into any custody model that touches digital assets.
- Operational control and concentration risk - Who controls keys, seals, or vault doors? Centralising custody in-house improves control but concentrates risks on your balance sheet and tech stack. Outsourcing reduces some operational burden but introduces counterparty risk and dependency on third-party resilience and governance.
In contrast to flashy pitch decks, these three items determine whether a custody approach scales safely or collapses under inspection.
Why Banks Historically Outsourced Custody: Pros, Cons, and Hidden Costs
Outsourcing custody used to be the default for good reasons. Specialized custodians built processes, network connections to settlement systems, and insurance relationships that took years to assemble. They also allowed banks to avoid certain balance sheet and operational headaches. Here is where that reasoning holds up - and where it does not anymore.
What worked
- Specialist custodians offered pooled infrastructure, decreasing per-client cost for a standard set of services: settlement, safekeeping, and reporting.
- Regulatory coverage was simpler: banks treated custodial providers as service vendors and relied on contract and oversight rather than hosting the functions directly on their balance sheet.
- Insurance markets were built around third-party vaulting of physical assets - insurers knew how to underwrite those risks.
Hidden costs and new pressures
- Counterparty concentration risk - outsourcing concentrates a lot of client assets in the hands of a few providers. That is fine until the provider fails or freezes withdrawals.
- Audit and transparency pain - third-party reports often provide comfort but rarely the level of on-the-spot verifiability regulators and clients now demand. Proof-of-reserves for crypto custodians exposed how shallow some attestations were.
- Technology mismatch - legacy custodians were not built for tokenized securities that need atomic settlement and ledger interoperability. Integrations added cost and brittle points of failure.
On the other hand, in-house custody was once dismissed as too expensive and too risky operationally. Those objections are legitimate, but the calculus has shifted.
In-House Custody and Tokenization: How Modern Banks Are Rewriting the Rules
Banks are increasingly bringing custody into the fold for specific asset classes. Not because they enjoy vault inventory management, but because the regulatory and client pressures force a higher standard of proof and control than third-party attestations deliver.
Why banks move assets in-house
- Clients demand verifiable possession and faster settlement - tokenized instruments promise instantaneous settlement, but that promise is hollow unless custody, ledger access, and legal rights line up.
- Regulatory clarity nudges banks in this direction. MiCA (Regulation (EU) 2023/1114) imposes concrete duties on crypto-asset service providers, including safekeeping responsibilities, governance, and capital buffers. Banks that can internalise these functions often prefer that to complex outsourcing arrangements.
- DORA (Regulation (EU) 2022/2554) means ICT resilience is non-negotiable. When the technology stack is critical to client services, banks want direct control over that stack rather than relying on external vendors.
Advanced techniques banks are using
| Technique | What it protects | Limitations |
| --- | --- | --- |
| Multi-party computation (MPC) | Key management without a single point of secret storage | Complex to integrate, operational maturity varies |
| Hardware Security Modules (HSMs) | Strong key isolation and signing | Physical HSMs are costly and require secure facilities |
| Merkle-tree proofs with independent attestation | Scalable on-chain style proofs for large inventories | Does not prove legal title or absence of double-spend off-chain |
| Tamper-evident vaulting and RFID tracking | Physical chain of custody for commodities | Requires independent auditors and trusted seals |
These techniques reduce certain classes of risk. They do not miraculously eliminate the need for legal clarity on ownership, which leads us back to the rulebook.
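An added example, not part of the original article or any institution's code: a minimal Merkle inclusion proof over a constructed inventory, showing what a client or auditor can check against an independently attested root. The record encoding, function names and sample holdings are assumptions for illustration; a passing proof shows that a record is included under the root, not legal title or off-chain encumbrances.

```python
import hashlib

def _h(prefix: bytes, data: bytes) -> bytes:
    # Domain separation: 0x00 for leaves, 0x01 for interior nodes, so an
    # interior node can never be presented as an inventory record.
    return hashlib.sha256(prefix + data).digest()

def leaf_hash(account: str, asset: str, units: int) -> bytes:
    # Assumed record encoding; fields must not contain '|'.
    return _h(b"\x00", f"{account}|{asset}|{units}".encode())

def build_levels(leaves):
    """Return every tree level, leaves first, single-root level last."""
    if not leaves:
        raise ValueError("empty inventory")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            if i + 1 < len(cur):
                nxt.append(_h(b"\x01", cur[i] + cur[i + 1]))
            else:
                nxt.append(cur[i])  # odd node is promoted, never duplicated
        levels.append(nxt)
    return levels

def prove(levels, index):
    """Inclusion proof for one leaf: [(sibling_hash, sibling_is_left), ...]."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):  # a promoted node has no sibling at this level
            path.append((level[sib], sib < index))
        index //= 2
    return path

def verify(root, leaf, path):
    """Recompute the root from one record and its proof; True if it matches."""
    node = leaf
    for sibling, is_left in path:
        node = _h(b"\x01", sibling + node if is_left else node + sibling)
    return node == root

# Constructed sample inventory (account, asset, units); not real holdings.
INVENTORY = [("ACC-001", "XAU-bar", 12), ("ACC-002", "XAU-bar", 3),
             ("ACC-003", "BOND-A", 500), ("ACC-004", "BOND-A", 75),
             ("ACC-005", "XAG-bar", 40)]
LEVELS = build_levels([leaf_hash(*r) for r in INVENTORY])
ROOT = LEVELS[-1][0]  # the single value an independent auditor would attest to
```

Each client needs only their own record, the short sibling path and the attested root; changing a single unit count in a record makes `verify` fail against the same root.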

Regulation-by-number that matters
If you want concrete references, read these:
- Regulation (EU) No 575/2013 (CRR) - capital and prudential treatment for institutions.
- Regulation (EU) No 909/2014 (CSDR) - settlement finality and safekeeping where central securities depositories are involved.
- Regulation (EU) 2023/1114 (MiCA) - rules for crypto-asset service providers including custody duties and authorisation requirements.
- Regulation (EU) 2022/2554 (DORA) - ICT and operational resilience obligations that affect custody systems and third-party connections.
- Directive (EU) 2018/843 (AMLD5) - anti-money laundering and customer due diligence rules relevant to any asset custody that touches crypto.
In contrast to marketing papers, these regulations prescribe outcomes, not tech stacks. Smart institutions design systems to meet the outcomes and document how they do it.
Third-Party Custodians and Hybrid Models: Practical Trade-offs
All in-house custody sounds confident until the boards ask for cost estimates. The real answer for many institutions is hybrid - use specialists where they add clear value, internalise when regulatory certainty or client demand requires it.
When third-party custody still wins
- Low-margin retail custody where scale beats control - if you cannot amortise HSMs and vault staff across volumes, third parties are cheaper.
- Access to niche insurance markets - specialised custodians often have better cover for rare risks than mid-sized banks.
- Geographic coverage and local licences - sometimes you need a local licence or vault in another jurisdiction for legal or client reasons.
When hybrid makes sense
- Core assets in-house, peripheral assets outsourced - keep the critical ledger and proof functions internally, outsource back-office reconciliations and physical logistics.
- Use third parties as redundant failover - on a cold day your in-house systems might be down; a trusted custodian under contract provides continuity.
- Trusted attestation layers - maintain internal controls but accept certified third-party proofs that satisfy external auditors and regulators.
On the other hand, relying solely on a third party because it is cheaper can be false economy. I have seen firms compromise on governance to save costs and then pay far more when the vendor fails regulatory scrutiny.
Choosing the Right Custody Strategy for Your Institution
There is no single right answer. There are only answers that survive audit, align with the balance sheet, and keep clients from panicking when markets wobble. Here is a practical decision path that I use now - after learning the hard way.
- Map regulatory obligations to asset class - tokenized securities may fall under CSDR or MiFID II frameworks, crypto falls under MiCA, and fiat payments interact with PSD2 (Regulation (EU) No 2015/2366). Make a matrix showing licences, capital impacts, and reporting for each asset class.
- Assess verifiability needs - decide whether clients and auditors need independent, on-demand proof of holdings. If yes, require mechanisms such as Merkle proofs plus independent custodial attestations or physical audit protocols for commodities.
- Quantify concentration vs control - model the cost of a provider failure vs the incremental cost of internal control. Include capital charges under CRR where relevant and operational resilience investments under DORA.
- Use hybrid as default architecture - keep settlement-critical, legally-sensitive, and high-value assets under tighter control. Outsource standardised, commoditised functions that do not require client-facing transparency.
- Document proof and reconciliation processes - auditors and regulators want repeatable processes. Build reconciliation cadence, independent attestations, and end-to-end chain-of-custody documentation into contracts and systems.
- Stress-test assumptions - simulate a vendor outage, a key compromise, and a sudden regulatory change. See which model survives without emergency capital or client withdrawals.
In contrast to ideological positions, this approach accepts complexity and focuses on what regulators and clients will actually test during a crisis.
Contrarian viewpoints worth considering
- Tokenization is not a substitute for legal title - an on-chain token only works if the legal framework recognises it. Banks should test legal finality before treating a token as equivalent to ownership.
- Proof-of-reserves is necessary but not sufficient - on-chain snapshots can show balances but not commitments, liens, or rehypothecation. Always pair proofs with legal audits and reconciliation to firm books.
- Centralising custody increases systemic risk - if every bank internalises custody in the same way, you reduce third-party concentration but you may increase correlated failure modes across the system. Diversity of custody models has resilience value.
I used to assume that specialist providers would always be better at custody. Experience forced me to adjust that view. The correct answer depends on what you are safeguarding and what your clients need to verify in a pinch.
Final checklist before you commit
- Have you mapped regulatory obligations for every jurisdiction and asset class involved?
- Can clients and auditors get independent evidence of holdings without relying only on vendor-supplied attestations?
- Have you quantified capital and liquidity impacts under CRR and related prudential rules?
- Does your ICT strategy comply with DORA-level resilience expectations?
- Are AML and KYC processes aligned with Directive (EU) 2018/843 requirements for any crypto-related custody?
Ignore these and you'll still find buyers for your pitch. The regulators will not be as forgiving. Trust me - I learned that the hard way.
Summary: banks prefer custody models that give verifiable inventory and direct control when legal and economic conditions demand it. Tokenization and digital custody remain useful tools, but they are not magic. The next decade will separate platforms that promise speed from institutions that can demonstrate ownership with evidence auditors and clients respect. Be skeptical. Demand proof. Build processes that survive the audit, not just the pitch.