Wei Ming Tan, Managing Partner
Service · Custody · 2026

Crypto custody licensing across APAC

Qualified custody under SFC Hong Kong, DACS Malaysia, JFSA Japan, MAS Singapore and AFSA Kazakhstan. Cold/hot wallet split, HSM controls, insurance, proof-of-reserves and segregation built to the regulator's standard.


Where we work on custody

Custody is a separate authorisation in some APAC regimes and a sub-service of broader licences in others. The map for 2026:

What is a crypto custody licence

A crypto custody licence is a regulatory authorisation to safekeep client virtual assets, private keys, signing credentials and on-chain control on the customer's behalf. Across APAC the function sits under a dedicated category in some regimes and is a sub-activity inside broader licences in others. Hong Kong's SFC treats custody as a prerequisite function performed by a wholly-owned associated entity under the VATP Guidelines; MAS Notice PSN04 embeds custody rules inside the Major Payment Institution perimeter in Singapore; Japan's JFSA accepts a custody-only subset of the CAESP licence; SC Malaysia's Guidelines on Digital Assets create a standalone Digital Asset Custodian (DACS) category; and Australia's Digital Asset Platform regime introduces a licensed custody function under the Corporations Amendment (Digital Assets Framework) Bill 2025. The HKMA's February 2024 DAS custody guidance for authorised institutions set the cold-storage and insurance baseline that SFC then applied to licensed VATPs.

Capital and cold-storage thresholds at a glance

| Regime | Base capital | Cold storage | Insurance rule |
|---|---|---|---|
| Hong Kong: SFC VATP | HKD 5M paid-up (custodian sub) | ≥98% | ≥50% cold / 100% hot losses |
| Singapore: MAS MPI | SGD 250,000 | ≥90% (MAS guidance) | Statutory trust under PSN04 |
| Japan: JFSA CAESP | JPY 10M | ≥95% + equivalent own-balance | Trust-segregation at trust bank |
| Malaysia: SC DACS | MYR 500,000 minimum | Majority cold (SC guideline) | Insurance or trust ring-fence |
| Thailand: SEC Custodial Wallet | THB 50M + 20M equity fund | Majority cold (KorThor 28/2567) | Segregation + audit trail |
| Kazakhstan: AFSA | USD 500,000 | Cold-storage baseline | Express-trust drafting |
| Philippines: BSP VASP Type A | PHP 50M + risk-based add-on | Per BSP Circular 1108 | Segregation + audit |
| Australia: DAP (indicative) | 0.5% AUM (sub-custody) / AUD 5M NTA (direct) | Majority cold (guidance) | Compensation arrangement |

Operational requirements we cover

Build in-house or qualified sub-custodian

The decision is rarely binary. A direct custody stack gives full control over HSM residency, key-share topology and PoR cadence but demands ongoing SOC 2 cycles, insurance premiums at 1.5–2.5% of the insured limit, and regulator-facing incident reporting. Appointing a licensed sub-custodian (for example, a Hong Kong SFC-licensed custodian subsidiary, a Japanese trust bank or a Fireblocks-network qualified partner) shifts the operational burden but keeps the platform accountable for asset segregation on its books. Australia's indicative DAP rule (0.5% NTA via sub-custody vs AUD 5M direct) quantifies that trade-off explicitly; HK, Japan and Malaysia require the sub-custodian itself to be locally licensed.

Customer asset segregation: PSN05 Singapore, AMLO Hong Kong

Segregation is the single compliance theme that cuts across every APAC custody regime, and the drafting of the underlying rule determines whether client assets actually sit outside the custodian's insolvent estate. In Singapore, MAS Notice PSN04 (effective 4 October 2023, with the customer-asset safeguarding amendments carried through in Notice PSN05) requires every Major Payment Institution holding customer Digital Payment Tokens to: hold those DPTs on statutory trust for the customer; segregate them from the MPI's own DPTs and from other customers' DPTs on separate on-chain addresses; maintain an accurate book of beneficial ownership reconciled daily against the ledger; and refrain from lending, pledging or rehypothecating client DPTs to third parties without express prior written consent. The MPI must also appoint an independent external auditor to report annually on customer-asset compliance, and file a non-compliance report within five business days of any breach.

In Hong Kong, the segregation backbone sits inside the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615) as amended by the Anti-Money Laundering and Counter-Terrorist Financing (Amendment) Ordinance 2022, together with the SFC VATP Guidelines. Client VAs must be held on bare trust by a wholly-owned associated entity (the custodian subsidiary) incorporated in Hong Kong, with segregated wallets per client, per asset. Insurance must cover at least 50% of hot-storage VAs and 100% of losses traceable to internal or external theft.

Malaysia's SC DACS framework under the Guidelines on Digital Assets likewise requires separate ring-fenced trust accounts per client, with monthly internal reconciliations and an annual external compliance audit filed with the Securities Commission.

Independent audit cadence by country

Regulators want three distinct audit streams (financial statements, customer-asset safeguarding, and IT general controls) on different but predictable cadences. Planning them as a single compliance calendar rather than three separate exercises saves 20–30% of audit-firm fees and smooths out regulator-facing reporting.

| Regime | Financial audit | Customer-asset audit | IT controls / PoR |
|---|---|---|---|
| Hong Kong: SFC VATP | Annual HKFRS | Annual, para. 10 VATP Guidelines | Semi-annual PoR + SOC 2 Type II |
| Singapore: MAS MPI | Annual SFRS | Annual PSN04 auditor's report | Daily reconciliation, SOC 2 Type II |
| Japan: JFSA CAESP | Annual J-GAAP / IFRS | Annual customer-asset separation audit | Semi-annual PoR expected |
| Malaysia: SC DACS | Annual MFRS | Annual SC compliance audit | Semi-annual PoR, SOC 2 encouraged |
| Kazakhstan: AFSA | Annual IFRS | Annual AIFC rulebook audit | Annual IT-GC audit |

Practically, a December year-end combined with a June PoR snapshot lets the Big Four or BDO/RSM tier batch the engagements. JFSA and SFC both expect the customer-asset audit to be filed within four months of year-end; MAS PSN04 reports are due within three months.

Bankruptcy remoteness and trust structure

The objective of every custody structure is the same: if the custodian enters insolvency, client crypto must fall outside the general insolvent estate and return to customers without becoming a dividend claim. The legal route differs by jurisdiction. In Singapore, PSN04 paragraph 4 declares client DPTs to be held on statutory trust, which under the Trustees Act and Insolvency, Restructuring and Dissolution Act 2018 is sufficient to defeat set-off claims by unsecured creditors. In Japan, Article 63-11 of the Payment Services Act requires CAESPs to entrust customer cash to a domestic trust bank and to keep an amount of crypto-assets of equivalent market value in cold storage segregated from the CAESP's own holdings, with a priority-repayment right for customers on insolvency. In Hong Kong, client VAs are held on bare trust by the wholly-owned associated-entity custodian under the SFC VATP regime, with declarations of trust drafted under Hong Kong trust law; the VATP licensee itself cannot touch client wallets other than on signed customer instruction.

In Labuan and AFSA Kazakhstan, bankruptcy remoteness depends on express-trust drafting under the Labuan FSA digital-asset guidelines and the AFSA Rules on Digital Asset Activities respectively; a well-drafted declaration of trust will typically hold up, but there is less case-law comfort than in Singapore or Japan. Properly structured, all five regimes deliver the same commercial outcome: client assets ring-fenced, segregated, and returnable in full on a custodian insolvency.

Multi-asset coverage: BTC, ETH, SOL, staked tokens

Token-coverage rules diverge more than the capital or custody-tech rules. Hong Kong SFC operates a de-facto whitelist focused on large-cap, highly liquid tokens with at least two acceptable index providers recognising them: BTC, ETH and a narrow set of additions. Staking services for retail VATPs were conditionally permitted from 7 April 2024 under SFC circular guidance, subject to a maximum slashing risk-weight and quarterly disclosure. Japan's JVCEA publishes a green-list that includes BTC, ETH, SOL, ATOM, ADA, XRP, XLM and a set of staked derivatives; any token outside the green-list requires JVCEA screening and JFSA acknowledgement before listing or custody onboarding. Malaysia SC lists approved digital assets by ticker (BTC, ETH, XRP, LTC and a modest set of additions), with each addition published as a Prescribed Digital Asset order.

Singapore MAS does not operate a formal whitelist but expects each DPT held in custody to have undergone a token-onboarding due-diligence process documented in the MPI's Internal Control Manual, covering legal classification, market-abuse risk and on-chain traceability. Liquid staking tokens, wrapped assets and rehypothecated tokens are consistently flagged as higher-risk across all four regimes and typically require case-by-case regulator clearance. Memecoins, privacy coins (Monero, Zcash, Dash) and unregistered security tokens are functionally off-limits under every APAC custody regime in 2026.

Bank custodian vs non-bank custodian

A bank-custodian route (for example, an authorised institution licensed by the HKMA under the February 2024 DAS custody guidance, or a Japanese trust bank providing trust-segregation for CAESPs) brings three structural advantages: (1) a capital-adequacy framework already calibrated to Basel III crypto-asset rules (BCBS d545), (2) central-bank-grade operational-resilience and business-continuity expectations, and (3) a depositor-protection or trust-fund backstop that non-bank custodians cannot match. The cost is rigidity: bank custodians cannot easily support novel tokens, newer chains or high-frequency rebalancing.

A non-bank custodian (an SFC-licensed VATP associated entity, SC Malaysia DACS, AFSA-licensed custodian, or Labuan DFIA custodian) offers faster onboarding, broader token coverage and tighter integration with trading infrastructure, at the cost of building the capital, insurance and bankruptcy-remoteness machinery from scratch. Most institutional platforms running on APAC rails in 2026 adopt a hybrid model: a non-bank custodian for the operational hot and warm wallets and a bank-custodian or trust-bank relationship for the deep-cold reserve segment, with clear regulatory disclosure of the split.

Capital adequacy comparison: BSP, HKMA, SFC, JFSA

Ongoing capital adequacy, not just the entry-point threshold, is what keeps a custody licence in good standing year after year. The four most prescriptive regimes in 2026 are the Philippines BSP VASP Type A framework, the HKMA 2025 stablecoin-custody regime for authorised institutions, the SFC VATP regime for non-bank custodians, and the JFSA CAESP framework in Japan. Each layers a risk-based add-on on top of a headline minimum.

| Regime | Entry capital | Risk-weighted add-on | Source |
|---|---|---|---|
| BSP VASP Type A (PH) | PHP 50M paid-up | Risk-based add-on, USD 1B+ annual volume | BSP Circular 1108 |
| HKMA stablecoin custody (HK) | HKD 25M base | 2% risk-weighted buffer vs AUC | HKMA stablecoin regime |
| SFC VATP custodian sub (HK) | HKD 5M paid-up | HKD 3M liquid capital floor | SFC VATP Guidelines |
| JFSA CAESP (JP) | JPY 10M | 100% cold-storage equivalent-balance test | JFSA PSA |

The headline numbers understate the true cost. BSP's risk-based add-on for Type A licensees with over USD 1 billion annual volume typically doubles the paid-up requirement in practice. HKMA's 2% risk-weighted buffer on assets under custody means a USD 2 billion book carries an implicit HKD 300M+ capital cost. SFC VATP operators are required to keep liquid capital at least 12 times the average monthly operating expenditure for the preceding three-month period; this often becomes the binding constraint rather than the HKD 5M paid-up figure. JFSA's 100% equivalent-own-balance test for cold-storage segregation is the most demanding single rule in APAC: every unit of customer crypto must be matched by the CAESP's own holdings in segregated cold wallets, creating a structural doubling of the capital base.

FAQ

Is custody always a separate licence?

Not always. Singapore folds it into MPI; Hong Kong requires a wholly-owned subsidiary as the custodian under VATP; Malaysia DACS is a standalone licence; Japan supports custody-only CAESP; Thailand has a dedicated Custodial Wallet Provider category.

What capital is required?

Varies by regime: USD 500,000 (AFSA), THB 50M paid-up + 20M equity (Thailand), HKD 5M paid-up (HK VATP, custodian sub), SGD 250,000 MPI (Singapore). See country pages for the live figures.

Do I need both an exchange and a custody licence?

If your platform holds client crypto, yes in HK and MY. In SG and JP, exchange licensing already covers custody. The decision depends on the corporate structure and the regime, not just the activity.

Can a foreign custodian sub-custody for me?

Sometimes. Australia's indicative DAP rules permit outsourcing to a sub-custodian holding AUD 5M NTA, reducing the operator's NTA to 0.5% of assets held. Most other regimes require local licensing of the custodian itself.

Do regulators expect SOC 1 or SOC 2 reports?

SOC 2 Type II (Security, Availability, Confidentiality) is the de-facto baseline expected by the SFC, MAS and SC Malaysia during on-site inspections. SOC 1 is typically requested only where the custodian services a bank or fund administrator whose own financial-reporting controls depend on the custody systems. Plan for an annual cycle with no material exceptions before applying.

What do regulators require for HSM, MPC and multi-sig key management?

Hong Kong VATP guidelines mandate ≥98% of client VAs in cold storage with keys generated and stored in FIPS 140-2 Level 3 (or higher) HSMs, and private-key signing split across at least two geographically separated sites. Japan's JFSA expects ≥95% in cold storage with offline signing. MPC and multi-sig are both accepted substitutes for hardware cold storage in HK, SG and MY provided threshold schemes, key-share residency and quorum procedures are fully documented in the Internal Control Manual.

What insurance limits do Lloyd's syndicates typically offer crypto custodians?

For APAC custodians, Lloyd's syndicates (Atrium, Arch, Canopius) currently underwrite USD 100M–USD 500M specie and crime towers per custodian, with USD 1B achievable via quota-share. Commercial carriers (Munich Re, Marsh captives) top up excess layers. SFC requires cover for ≥50% of hot-wallet VAs and 100% of losses from internal theft, typically priced at 1.5%–2.5% of the insured limit per annum in 2026.

Are Proof-of-Reserves attestations required?

Yes, in practice. Hong Kong, Japan and Malaysia expect independent PoR attestations at least semi-annually, executed by a Big Four or equivalent firm using Merkle-tree methodology plus wallet-ownership signatures. MAS does not mandate PoR publicly but treats periodic customer-asset reconciliations under Notice PSN04 as functionally equivalent.

What are the customer-asset segregation rules?

All covered regimes prohibit commingling client crypto with proprietary assets. Hong Kong, Japan and Malaysia require named, ring-fenced client-asset wallets with on-chain addresses recorded on the regulator's file. Singapore MAS Notice PSN04 (effective 4 October 2023) mandates daily reconciliation, statutory trust and prohibition on lending client digital payment tokens without explicit written consent.

How is bankruptcy remoteness achieved?

Trust structures are the primary vehicle: in Singapore via a statutory trust under PSN04; in Japan via trust-segregation at a Japanese trust bank for fiat and cold-storage segregation for crypto; in Hong Kong via the wholly-owned associated-entity custodian holding assets on bare trust. Labuan and AFSA Kazakhstan rely on express-trust drafting under local trust statutes. Properly documented, client assets fall outside the custodian's insolvent estate.

Which assets beyond BTC/ETH can be held: SOL, ATOM, staked tokens?

Approved-token lists are regulator-specific. Hong Kong SFC maintains a whitelist focused on large-cap tokens; staking services for retail were conditionally allowed from April 2024. Japan JVCEA publishes a green-list that includes SOL, ATOM, ADA and certain staked derivatives. Malaysia SC lists approved digital assets by ticker, currently BTC, ETH, XRP, LTC and a small set of additions. Wrapped, rehypothecated or LSTs typically require case-by-case clearance.

How does renewal capital adequacy differ across regimes?

Philippines BSP VASP Type A renewal requires ongoing PHP 50M paid-up plus a risk-based capital add-on. Hong Kong's 2025 stablecoin-custody regime under HKMA imposes a 2% risk-weighted capital buffer against assets under custody, on top of the HKD 25M base. Singapore MPI renewals test SGD 250,000 minimum base capital plus operational-risk add-on. Japan CAESP renewals reassess the JPY 10M minimum and the 100% cold-storage segregation test annually.

Bank custodian or non-bank custodian, which should I choose?

A bank custodian (HKMA-authorised institution, Japanese trust bank) brings Basel III-calibrated capital, central-bank-grade operational resilience and a depositor-protection backstop, at the cost of slower onboarding and narrow token coverage. A non-bank custodian (SFC VATP subsidiary, SC Malaysia DACS, AFSA) offers broader token coverage and tighter trading integration but requires the operator to build capital, insurance and bankruptcy-remoteness machinery independently. Most institutional APAC platforms run a hybrid: non-bank custodian for hot/warm wallets, bank or trust-bank for deep-cold reserves.

How are liquid staking tokens and wrapped assets treated?

Liquid staking tokens, wrapped assets and rehypothecated tokens are flagged as higher-risk across every APAC custody regime and typically require case-by-case regulator clearance. Hong Kong SFC allowed retail staking from 7 April 2024 under circular guidance with slashing risk-weights and quarterly disclosure; Japan JVCEA green-lists a subset of staked derivatives; Malaysia SC adds tokens to its Prescribed Digital Asset list item-by-item. Privacy coins (Monero, Zcash, Dash), memecoins and unregistered security tokens are functionally off-limits in 2026.

Custody licensing

Build custody to the regulator's standard.

A 30-minute scoping call with the country lead. Map cold/hot architecture, insurance and segregation against the regime.
