TL;DR
The custody-provider question is the load-bearing structural choice in any tokenisation programme, and most operators get it wrong by starting with brand and working backwards. The right starting point is the role: the same word "custody" covers four distinct legal and operational functions (sub-custody for tokenised securities, qualified custody for funds, key management for institutional crypto holdings, and settlement custody for the cash leg of a DvP trade), and the shortlist of credible providers differs sharply across them. This playbook walks through the role-first decision frame, the eight evaluation dimensions worth scoring, a worked example covering an APAC asset manager distributing a US-issued tokenised MMF (money-market fund) into Singapore and Hong Kong private-bank channels, and the red flags that show up in custody pitches but rarely get pushed back on. If you want the layer-level explainer rather than the playbook, see Custody layer (tokenisation stack).
Decision frame
Before you evaluate anything, define the role. Custody is not one product. Pick which of the following you are actually buying.
Sub-custody for tokenised securities. The legal record-keeping sits at the issuer or at the issuer's appointed transfer agent (in the US, an SEC-registered transfer agent under §17A; see the transfer-agent role). The custodian holds the tokens for the end investor and integrates with the transfer agent's whitelist. This is the role you are buying when an APAC private bank distributes BUIDL or FOBXX into a Singapore or Hong Kong client account. The relevant counterparty universe is local-licensed sub-custodians with the operational ability to hold and reconcile a whitelisted on-chain position.
Qualified custody for funds. For US-regulated funds and investment advisers, the SEC's investment-adviser custody rule (and Investment Company Act §17(f) for registered funds) requires the assets to sit with a qualified custodian. The qualified-custodian universe for cryptoassets in the US is now meaningfully larger than it was pre-2025, after SAB 121 rescission and the expansion of the OCC trust bank charter under Interpretive Letter 1184 and the April 2026 final rule. The shortlist runs through the federally chartered names (Anchorage as the only firm with a full charter, plus the conditionally approved cohort that includes Circle, Ripple, BitGo, Fidelity Digital Assets, Paxos), the GSIB digital-asset platforms (BNY Digital Assets, State Street Digital), and the bank-incubated specialists (Zodia).
Key management for institutional crypto. The treasury holdings of BTC, ETH, or stablecoins as a corporate asset. The custody product is closer to a bank vault than to a transfer-agency stack. Operational concerns are key generation, signer policies, withdrawal controls, and disaster-recovery posture rather than transfer-agent integration.
Settlement custody for tokenised cash. The cash leg of a DvP trade against a tokenised security or fund. The custodian is whichever entity holds the tokenised deposit or stablecoin balance at the moment of atomic settlement. Inside Project Guardian, inside HKMA's EnsembleTX pilot, or on a multi-bank network like Partior, this is the function the bank-money rail is performing.
The role determines the shortlist. Do not conflate. A custodian that is excellent at one of these functions can be unfit for another, and pitches that present a single AUC number across all four functions are usually obscuring the asymmetry.
Evaluation dimensions
Eight dimensions are worth scoring. Ranking varies by role; the dimensions do not.
Regulatory licensing and jurisdiction. The licence map is the first filter. For US qualified custody, the relevant credentials are an OCC national trust bank charter (the unrestricted version that only Anchorage holds today, or the conditional version that the rest of the cohort holds), an NYDFS limited-purpose trust charter (Coinbase Custody Trust, Gemini Trust, Paxos), or a state trust charter in a substantive jurisdiction (BitGo Trust in South Dakota, Anchorage's national charter substituting for the state route). For APAC, MAS digital-payment-token licensing for Singapore-domiciled custody, HKMA bank-supervised licensing or SFC VATP licensing for Hong Kong activity, FSA Japan trust-bank or registered-crypto-asset-exchange licensing for Japanese activity. For Europe, BaFin Crypto Custody Licence under §1 KWG or the equivalent national-CA route under MiCA. Ask which licence governs which activity in which jurisdiction; ask which entity in the corporate group holds each licence; ask whether the licence covers tokenised securities specifically or only cryptoassets. The third question is where most pitches fall apart.
Key management technology. HSM-backed cold storage was the institutional baseline through 2022. The current production architectures combine multi-party computation (MPC) and threshold-signature schemes for warm and hot tiers with HSM-backed cold storage for the long-tail balance. The right question is not which technology but how the technology maps to the operational policy. Who can authorise a withdrawal, under what threshold, with what time-lock, with what break-glass procedure. Cold-warm-hot tiering is conventional; the policy layered on top of it is what differentiates institutional from retail-grade custody.
Segregation model. Omnibus versus segregated. In an omnibus model, multiple clients' tokens sit in one on-chain wallet that the custodian operates, with internal books reflecting per-client beneficial ownership. In a segregated model, each client's tokens sit in a wallet associated with that client. Segregated wallets give cleaner bankruptcy-remoteness in a custodian failure scenario and cleaner on-chain attestation; omnibus wallets are operationally simpler but require trust in the custodian's internal recordkeeping. For tokenised securities, the transfer-agent integration usually pushes toward segregated or named-sub-account models because the on-chain record is the operative one. For institutional crypto, omnibus is more common. Ask for the bankruptcy-opinion documentation and read it.
Insurance coverage. The marketing line is "fully insured up to USD X billion." The reality is almost always narrower. Insurance for custodied digital assets typically covers crime (theft, fraud by employees) and not market loss, sub-limited to cold storage rather than the warm or hot tier where most operational activity happens, with carve-outs for specific event categories (network compromise, smart-contract exploit, third-party signer compromise). Ask for the policy-carrier identity (Lloyd's syndicates, the major specialty insurers), the specific policies in force, the sub-limits per tier, and the exclusions. The gap between "USD 1 billion insured" in marketing and what the policy actually covers in a realised loss scenario is usually large.
Asset-class coverage. Different licences cover different things. An OCC national trust bank charter covers crypto custody (cryptoassets and stablecoins) under the non-fiduciary activity authority confirmed by the April 2026 final rule; it does not cover tokenised securities held in a transfer-agency capacity, which sits under SEC §17A. A MAS DPT licence covers digital payment tokens; it does not cover tokenised securities, which require capital-markets-services licensing. The same provider can sometimes hold the asset (the on-chain token sits in the custodian's wallet) but be unable to service it (handle corporate actions, subscription and redemption, dividend distribution) under the licence in question. The asset-class-by-licence matrix is the right tool here. See asset-class regulatory treatment for the cross-jurisdictional view.
Integration patterns. The custody platform is a database with operational controls; the integration surface determines whether it can plug into your stack. API depth (REST, WebSocket, batch reconciliation), messaging support (FIX for order flow, SWIFT-style messaging for traditional asset servicing), smart-contract whitelist integration (the custodian's wallet has to clear the issuer's whitelist to receive transfers; the operational handshake between custodian KYC and issuer whitelist is the integration point that breaks most often), and transfer-agent tie-in for tokenised securities. For an APAC distribution-side custodian receiving a tokenised MMF position from a US transfer agent, the whitelist handshake is the dimension that gets glossed over in pitches and matters most in production.
Audit posture. SOC 2 Type II is the institutional baseline. SOC 1 alone is insufficient. Proof-of-reserves cadence is a separate question (monthly is the institutional norm, daily is achievable for some configurations, quarterly is below institutional grade) and the methodology matters more than the cadence. Cryptographic proof of reserves (Merkle-tree-based attestation linking on-chain balances to per-client claim) is a stronger discipline than auditor-attested reserves alone. Ask which auditor signs the SOC 2 (the major firms versus a less-named alternative is meaningful here), which auditor signs the proof-of-reserves attestation, and what a counterparty examining the audit reports under NDA actually sees.
Fee structure. Basis points on AUC is the headline. Transaction fees are the line item that dominates economics for active flow (frequent subscription and redemption, frequent rebalancing). Integration and onboarding fees are usually one-off and meaningful for first-mandate work. Minimum monthly fees catch small mandates and can make a custodian uneconomic for sub-scale programmes. The right comparison is total cost of custody for a realistic flow profile, not the AUC headline.
Worked example: APAC distribution of a US-issued tokenised MMF
An APAC asset manager evaluating distribution of BUIDL or FOBXX into Singapore and Hong Kong private-bank channels needs to map four custody roles onto the right counterparties.
The underlying fund custody (the T-bill, repo, and cash sleeve for BUIDL; the underlying government securities for FOBXX) sits with the issuer-side conventional custodian. For BUIDL this is BNY as fund administrator and custodian of the underlying (reference architecture details); for FOBXX, the equivalent function sits with the Franklin Templeton-side conventional custodian. The APAC distribution decision does not move this counterparty; the underlying custodian was set at fund formation.
The on-chain token-level handling is where the design choice opens. Three patterns are live. First, the issuer-side platform-with-custody pattern: Securitize as transfer agent, with custody of the on-chain tokens at one of the supported qualified custodians (Anchorage, BNY's expanding digital-asset franchise, or a self-custody arrangement for the most sophisticated institutional buyers). Second, the bank-incubated APAC pattern: Zodia Custody as a Singapore-licensed and FCA-registered counterparty with the bank-incubated credibility but structural separation from the parent-bank balance sheet. Third, the GSIB digital-asset platform pattern: BNY Digital Assets or State Street Digital as the on-chain custodian, leveraging the same brand the asset manager already uses for traditional custody. Pattern selection depends on whether the asset manager wants a single-counterparty stack or wants the on-chain custody to sit at a specialised provider.
The APAC distribution-side investor account custody is the role that sub-custodians like DBS, Standard Chartered, or HSBC perform. The private-bank client account holds a position in the tokenised MMF; the bank's custody operations team needs to reconcile the on-chain balance against the bank's internal client-account ledger. DBS has the deepest tokenisation perimeter of the Singapore local banks (DDEx is CMS and RMO-licensed, and the bank has issued its own tokenised securities). Standard Chartered's structural separation between the principal bank and Zodia means the principal bank can act as the distributing private bank while Zodia provides the regulated digital-asset custody venue. HSBC's plural posture means the bank can plug into multiple jurisdictional sandboxes but does not consolidate the activity under a single named programme.
The settlement-cash custody for any DvP trade against the tokenised position is the fourth role. For Singapore-side flows, this is increasingly running on the bank's own tokenised-deposit infrastructure (DBS Token Services, the DBS-Kinexys interoperability framework for cross-bank flows). For Hong Kong-side flows, the HKMA EnsembleTX pilot perimeter is where the cash-leg infrastructure is being staged.
Land at a shortlist. For an APAC private bank distributing BUIDL into qualified-investor accounts, a workable stack is BNY for the underlying fund custody (set at fund formation), Securitize for transfer agency and on-chain issuance, Anchorage or BNY Digital Assets for on-chain token custody at the issuer side, and either DBS plus DDEx or Standard Chartered plus Zodia for the APAC distribution-side investor account custody. The exact ratio is a function of the manager's existing custody relationships and the private bank's own custody infrastructure preference.
Red flags
Opaque insurance carve-outs. The "USD X billion fully insured" line is almost always crime-only coverage with sub-limits concentrated in cold storage, leaving the warm and hot tiers (where most operational activity happens) on a much smaller policy. Ask for the policy schedule. If the custodian is reluctant to share it under NDA, that is the answer.
Single-jurisdiction concentration without sub-custody arrangements. A custodian licensed in only one jurisdiction is exposed to jurisdiction-specific operational risk (regulatory action, licensing revocation, infrastructure disruption) that the custodian cannot diversify on the client's behalf. The mitigation is sub-custody arrangements with adjacent-jurisdiction counterparties; the absence of those arrangements is a red flag for any institutional mandate.
Lack of SOC 2 Type II or comparable independent attestation. SOC 1 alone, ISO 27001 alone, or auditor-attested controls without a Type II report indicates the custodian has not been examined under operating conditions. For an institutional mandate, SOC 2 Type II from a recognised auditor is the floor.
No transfer-agent integration when handling tokenised securities. If the custodian holds the on-chain token but does not have the operational tie-in to the issuer's transfer agent, the on-chain entry may not reflect the legal share register. The transfer agent and the custodian have to be in operational sync for the on-chain record to be reliable. Pitches that describe "we hold the token" without describing the transfer-agent handshake are missing a load-bearing piece.
Marketing materials that conflate "wallet" with "custody." A wallet is a key-management product; custody is a regulated trust relationship. The two have different counterparty profiles, different bankruptcy treatments, and different supervisory footprints. A pitch that uses the words interchangeably is a signal that the provider does not understand the distinction or is hoping the buyer does not.
Absent or vague proof-of-reserves methodology. "We attest to reserves quarterly" without disclosing the methodology, the auditor identity, or the cryptographic linkage between on-chain balances and per-client claim is below the institutional bar. Cryptographic proof of reserves with a Merkle-tree-based attestation is the current discipline; auditor sign-off without the cryptographic linkage is weaker.