The U.S. SEC's Office of Investor Education and Advocacy has issued this investor bulletin to help retail investors understand how to hold cryptocurrency assets. This bulletin outlines the types of cryptocurrency custody and provides tips and questions to help you decide the best way to hold your cryptocurrency assets.

I. What is cryptocurrency custody?

Cryptocurrency "custody" refers to how and where you store and access your cryptocurrency assets. You typically access cryptocurrency assets through a device or computer program known as a cryptocurrency wallet. The wallet itself does not store cryptocurrency assets; rather, it stores the "private keys" or passwords for your cryptocurrency assets.

Crypto assets. Crypto assets are assets generated, issued, and/or transferred using a blockchain or similar distributed ledger technology network, including assets referred to as 'tokens', 'digital assets', 'virtual currencies', and 'cryptocurrencies'. Investors should understand the characteristics and design of a crypto asset, as well as the distributed ledger or blockchain technology used to issue and/or transfer it, all of which may vary significantly. In other words, different crypto assets may carry different returns or risks.


When you create a crypto wallet, the following two keys or passwords are generated:

  1. Private key. The private key is a randomly generated alphanumeric password used to authorize transactions of crypto assets. The private key is like the password for your crypto wallet. Once created, the private key cannot be changed or replaced. If you lose the private key, you will permanently lose access to the crypto assets in the wallet.

  2. Public key. The public key is another code used to verify transactions and allow others to send crypto assets to your crypto wallet. The public key cannot access the private keys in the wallet and cannot be used to authorize transactions. The public key is like the email address for your crypto wallet.

These keys together prove your ownership of the crypto assets and grant you the right to send, receive, or use them.

II. Hot wallets vs. Cold wallets


There are many types of crypto wallets, and the ways retail investors hold them vary. Crypto wallets fall mainly into two categories: 'hot wallets' and 'cold wallets'. Hot wallets are crypto wallets connected to the internet; they can be desktop applications, mobile applications, or web applications. Hot wallets let you easily access crypto assets for transactions, but they also expose your crypto assets to online threats.


Cold wallets are generally physical devices that are not connected to the internet, such as USB drives, external hard drives, or even a piece of paper. For trading crypto assets, cold wallets are usually not as convenient as hot wallets. However, since cold wallets are not connected to the internet, they are generally more resistant to online threats than hot wallets. Nevertheless, the physical device holding a cold wallet can still be lost, damaged, or stolen, resulting in permanent loss of your crypto assets.


Protect your recovery phrases! Many crypto wallets generate a 'recovery phrase', also known as a mnemonic recovery phrase, backup recovery phrase, or mnemonic phrase. A recovery phrase is a string of random words that can help you recover your wallet if you lose your crypto wallet or private keys, or if the wallet's hardware or software is damaged. Keep your recovery phrases in a secure place and never share them with anyone.

III. Self-custody vs. Third-party custody


You also need to decide whether to hold your crypto assets yourself (self-custody) or to entrust a third party with managing them (third-party custody). Both self-custody and third-party custody offer hot wallet and cold wallet options.

Self-custody:

With self-custody, you have complete control over your crypto assets and are responsible for managing all the private keys of your crypto wallets. This means you have full control over access to the private keys of your crypto assets, and it also means you bear full responsibility for the security of those private keys. If your crypto wallet is lost, stolen, damaged, or hacked, you may permanently lose access to your crypto assets.


Key questions when choosing a self-custody solution for crypto assets


  • Are you able to easily set up and maintain your crypto wallet? Setting up and maintaining a crypto wallet may require some technical knowledge. Make sure you are capable of managing all the technical aspects of setting up and maintaining your crypto wallet.

  • Do you want to take full responsibility for your crypto assets? With self-custody, you have complete control over your crypto assets. You are fully responsible for safeguarding the private keys and recovery phrases of your crypto assets. If these keys or phrases are lost or stolen, you may lose access to your crypto assets.

  • What type of crypto wallet do you want to use? As mentioned above, you can use hot wallets or cold wallets to store your crypto assets. When choosing the type of crypto wallet that best suits you, carefully consider your convenience and security needs.

  • How much does a crypto wallet cost? Physical devices for cold wallets usually need to be purchased, while hot wallets may be free initially. However, using the wallet for transactions usually incurs fees. Be sure to understand these costs before choosing a crypto wallet or making transactions.

Third-party custody:

With third-party custody, you choose a professional custodian or service provider to hold your crypto assets. Third-party custodians include cryptocurrency exchanges and specialized crypto asset custody service providers. Third-party custodians are responsible for managing and controlling access to the private keys of your crypto assets. The accounts that third-party custodians use to hold those private keys may be cold wallets, hot wallets, or a combination of both. If a third-party custodian is hacked, goes out of business, or files for bankruptcy, you may lose access to your crypto assets.

Key questions when choosing a third-party custodian


  • Have you investigated the background of the custodian? Be sure to take the time to thoroughly research any third-party custodian. Search online for any complaints about the custodian. Find out how the custodian is regulated. Although the regulatory framework for the crypto asset industry is still in its early stages, some level of regulation already exists.

  • What types of crypto assets does the custodian allow me to hold? Different custodians allow different types of crypto assets to be held. Be sure to confirm that the custodian allows you to hold the types of crypto assets you wish to hold in your account.

  • What happens if the custodian goes out of business? Understand whether the custodian offers insurance for lost or stolen crypto assets, and ensure you understand its terms and conditions.

  • How does the custodian store and protect your crypto assets? Ask the custodian how they protect your crypto assets and private keys, and who has access to them. Does the custodian store your crypto assets in their own facilities, or do they outsource storage to a third party? Does the custodian use hot wallets, cold wallets, or other methods? What type of crypto wallet do they mainly use, and how do they determine where to store your crypto assets? Additionally, ask what types of physical and network security protocols and procedures the custodian uses to protect your crypto assets.

  • How do third-party custodians use your crypto assets? Some custodians may use the crypto assets you deposit as collateral for their own purposes (e.g., lending). This is sometimes referred to as 're-hypothecation'. To reduce costs, some custodians may also mix clients' crypto assets together instead of holding them separately for each client. Be sure to understand whether your custodian employs any of these practices and whether they require your consent if they do.

  • What privacy protection measures does the custodian provide? Look for custodians that can protect your sensitive personal information (such as your name, address, Social Security number, and the types of crypto assets you own or have traded). Ask the custodian if they will sell any client data to third parties, and if so, whether they require your consent.

  • What account fees does the custodian charge? Ask the custodian about annual asset management fees (charged annually based on the value of your crypto assets), transaction fees (the cost of using or trading crypto assets), asset transfer fees (the cost of transferring your crypto assets outside the custodian), and account opening and closing fees.

IV. General advice for protecting crypto assets


  1. Carefully research and choose any third-party custodian.

  2. Never disclose your private key or recovery phrase.

  3. Protect the privacy of your crypto assets. Do not share the quantity or type of crypto assets you own with anyone.

  4. Beware of phishing scams involving crypto assets.

  5. Use strong passwords and multi-factor authentication for all online crypto asset accounts.
