How Should a Business Store Bitcoin?

Bitcoin offers the advantage of a wide variety of custody arrangements. By holding bitcoin, businesses can reduce counterparty risk to banks and third-party intermediaries.

The custody of bitcoin differs significantly from traditional financial assets, requiring a thorough understanding of its complexities. This article intends to serve as a starting point for businesses considering custody options for bitcoin as a treasury asset.

How Is Bitcoin Stored?

Ownership of bitcoin is secured by cryptographic keys, allowing for flexible custody arrangements but also imposing greater responsibility on the holder. We have a variety of educational resources available for bitcoin storage, including how bitcoin wallets work and information on seed phrases.

How Can Businesses Store Bitcoin?

Businesses have four primary options for bitcoin custody:

1. Institutional Custody: Many businesses and institutional investors prefer outsourcing custody to third parties. Numerous established firms provide institutional-grade bitcoin custody services, including River, which employs a 100% full-reserve custody model. While outsourcing bitcoin custody to an institutional provider is a relatively safe and established practice, it does come with counterparty risk. 
2. Self-Custody: By “self custody”, we mean that your business is responsible for managing the public/private key pairs associated with its bitcoin. Becoming comfortable with key management is crucial in Bitcoin, because whoever controls your keys, ultimately controls your bitcoin. Technically-savvy businesses may opt to self-custody their bitcoin holdings. The main risk inherent in self-custody is losing the keys, which can lead to the permanent loss of bitcoin. To mitigate this risk, businesses can employ strategies such as multi-signature setups and multi-party computation (MPC) to distribute key ownership and remove single points of failure.
3. Collaborative Custody: Multi-signature custody setups allow for the distribution of key ownership across various entities. In a collaborative custody arrangement, a business retains ownership of a controlling share of keys within a multisignature setup while outsourcing the remaining keys to a third party. Many institutional custodians offer collaborative custody services, mitigating the risks inherent in both fully outsourced and self-custody models. While offering benefits, collaborative custody setups are complex, requiring a high degree of technical sophistication and coordination of stakeholders.
4. Exchange-Traded Funds (ETFs): Bitcoin ETFs provide businesses with exposure to bitcoin’s price movement without the need to directly buy and store the asset. While ETFs may be a low-overhead option, they introduce counterparty risk, come with management fees, and prevent businesses from converting their holdings into real bitcoin without incurring trading costs and triggering a taxable event.

For a business just getting started with bitcoin as a treasury asset, a safe and easy option is to hold bitcoin with an institutional provider. Over time, as one’s understanding of Bitcoin improves and the size of one’s bitcoin holdings increases, exploring options such as self-custody or collaborative custody may be appropriate.

How to Self-Custody Bitcoin

We made a zero-to-one guide for self custody that provides an overview of getting started, how to use wallets, understanding seed phrases, and more. If you choose to self-custody as a business, here are some additional points you need to know:

• Avoid using a “hot” wallet: The term hot describes a device with external connections, especially to the internet. These wallets are more convenient for day-to-day spending, but are not as secure as cold storage options because they interact with the internet. Due to their vulnerabilities, we recommend that the value stored in a hot wallet should not exceed $300. As businesses typically handle larger amounts of bitcoin, hot wallets are not recommended.

   

• Governance: Make sure you clearly document who has access and authorization to manage your business’s keys. For a multi-signature setup, distributing access to stakeholders across multiple geographical locations is best practice. Additionally, implementing roles-based access controls can help ensure key management is limited only to those with appropriate experience.

   

• Have a backup plan: In a worst-case scenario, losing your keys can mean losing all of the bitcoin associated with those keys. To prevent this, make sure you always have a backup plan for the loss of a hardware device or documentation. One of the best practices is to make backups of your seed phrase in a secure location, which can be used to derive your private keys in the event of a lost hardware device. Going with a multisignature wallet setup also serves to remove single points of failure.

How to Choose an Institutional Custody Provider

Before choosing a custodian, it is crucial to thoroughly understand their custody model, security audits, and history of any security breaches or fund losses. Here are a few steps you can take to ensure you’ve made the right choice:

• Background Research: Compile a list of potential custodians in your jurisdiction and get a good sense of how long they’ve been in business, the experience of the management team, how many assets they currently manage, and their reputation. Any custodian that has had security breaches or losses of funds should be crossed off the list. Additionally, be aware of firms that outsource their custody services to third-party providers, and the additional risks that come with this model.
• Licenses and Regulatory Compliance: Bitcoin custodians may be required to register with regulators.
  • Custodians who take control of client funds will register with he Financial Crimes Enforcement Network (FinCEN) as a Money Services Business (MSB). MSBs are required to comply with anti-money laundering (AML) and counter-terrorist financing (CTF) laws and regulations, such as the Bank Secrecy Act (BSA).
  • Many states regulate custody of Bitcoin as well—most often as a “money transmission” activity. Custodians may be required to obtain a money transmitter license (MTL). The requirements vary by state, but typically include compliance with AML and CTF regulations, bonding requirements, and financial stability assessments. Certain states require specific “virtual currency” licneses; an example would be New York’s “BitLicense”.
  • If the custodian deals with cryptocurrencies outside of bitcoin, which may be deemed as securities, they may require registration with the SEC as a broker dealer and a qualified custodian under the Investment Advisers Act of 1940.
• Audits: Institutional custodians should regularly undergo several types of audits:
  • Financial audits include regular audits of the custodian’s financial statements by a third-party accounting firm. Additionally, some custodians offer a proof of reserves (PoR), which is a way to allow clients to verify that their funds were included in the audit and that corresponding assets are held by the custodian.
  • Security audits are conducted by third-party firms to identify and address issues in a custodian’s security model. In particular, meeting the System and Organization Controls 2 Audit (SOC-2) can be a good sign of a custodian’s trustworthiness.
• Private key management: An understanding of several critical aspects of key management is important to ensure the highest levels of security:
  • Key generation is a crucial aspect of cryptographic security. The process of generating private keys should be done in a secure environment that is completely isolated from unauthorized access. Additionally, generating a secure private key requires a high quality of entropy, meaning that the numbers used to derive the key are truly random.
  • Key storage is typically divided across various methods. Take into account the percentage of assets a custodian keeps in cold storage, whether they use multi-signature setups, and what controls are in place to limit the authorized access of keys. Some custodians maintain comprehensive logs and audit trails for all access and operations involving private keys.
• Segregation of assets: Proper segregation of client assets can prevent the commingling of funds, protect against fraud, and simplify auditing and compliance. Some custodians may offer bankruptcy-remote accounts that can be employed to protect client assets in the event of a custodian’s insolvency.
• Insurance: Some custodians may offer insurance against data breaches, internal and external theft, and personal liability. These offerings may come with a higher expense ratio and do not always offer full protection of funds under custody.

Once you’ve chosen a custodian, establishing formalized access controls for who can interface with the custodian is recommended. Only stakeholders with appropriate experience and understanding of bitcoin should have authorization to manage custodied funds.

Does River Offer Custody Services for Businesses?

Many businesses trust River to custody their bitcoin reserves. Why? River employs a 100% full reserve custody model, meaning we don’t use or lend your bitcoin. River is also thoroughly licensed, audited, and regulated in the U.S. We maintain our clients’ bitcoin offline in geographically-dispersed cold storage locations that require multiple signatures.

Our business page is a good resource to learn more about how we serve corporate clients. If you have any questions about River’s offerings, we offer live support whenever you need assistance.