The SEC’s Office of Investor Education and Assistance is issuing this Investor Bulletin to help educate retail investors about the ways investors can hold crypto assets. This Investor Bulletin provides an overview of types of crypto asset custody and provides tips and questions to help you decide how to best hold crypto assets.

What is crypto asset custody?

Crypto asset “custody” refers to how and where you store and access your crypto assets. You generally access crypto assets through a device or computer program referred to as a crypto wallet. Crypto wallets do not store crypto assets themselves; instead, they store the “private keys” or passcodes for your crypto assets.

Crypto Asset. A crypto asset is an asset that is generated, issued, and/or transferred using a blockchain or similar distributed ledger technology network, including assets known as “tokens,” “digital assets,” “virtual currencies,” and “coins.” Investors should know that the characteristics and design of crypto assets, and the distributed ledger or blockchain technology through which they are issued and/or transferred, can vary significantly. In other words, different crypto assets can present different benefits or risks.

When you create a crypto wallet, the following two keys or passcodes are created:

1. Private key. A private key is a randomly generated alpha numeric passcode that allows you to authorize transactions for the crypto asset. A private key is like a password to your crypto wallet. Once created, a private key cannot be changed or replaced. If you lose your private key, you permanently lose access to the crypto assets in your wallet.
    
2. Public key. The public key is another code that is used to verify transactions and allow someone else to send crypto assets to your crypto wallet. The public key does not allow access to the private key in the wallet and cannot be used to authorize transactions. A public key is like the e-mail address to your crypto wallet.

Together, these keys prove your ownership of the crypto asset and grant you the rights to send, receive, or spend your crypto assets.

Hot vs. Cold Wallets

There are different kinds of crypto wallets, and different ways for retail investors to hold these wallets. The two primary types of crypto wallets are “hot wallets” and “cold wallets.” A hot wallet is a crypto wallet connected to the internet. This may be a desktop, mobile, or web application. Hot wallets provide you with a convenient way to access your crypto assets for transactions, but they also expose your crypto assets to cyberthreats.

A cold wallet is typically a physical device that is not connected to the internet, such as a USB drive, external hard drive, or even a piece of paper. A cold wallet is generally less convenient than a hot wallet for crypto asset transactions. However, since they are not connected to the internet, cold wallets are generally more secure from cyberthreats than hot wallets. That said, the physical devices for cold wallets can be lost, damaged, or stolen, which may result in a permanent loss of your crypto assets.

Protect your Seed Phrase! Many crypto wallets generate a “seed phrase,” also known as a seed recovery phrase, backup seed phrase, or mnemonic phrase. A seed phrase is a random sequence of words that allows you to restore your crypto wallet if you lose it or your private key, or its hardware or software is damaged or corrupted. Store your seed phrase in a secure place and do not share it with anyone.

Self vs. Third-Party Custody

You also need to decide whether you want to manage your crypto assets on your own (self-custody) or if you prefer to have a third-party manage your crypto assets (third-party custody). Hot and cold crypto wallet options exist for both self and third-party custody.

Self-Custody: With self-custody, you control your crypto assets and are responsible for managing the private keys to any of your crypto wallets. With self-custody, you have sole control over the access to your crypto assets’ private keys. Self-custody also means that you have sole responsibility for the security of your crypto assets’ private keys. If your crypto wallets are lost, stolen, damaged, or hacked, you may permanently lose access to your crypto assets.

Key questions when selecting self-custody crypto asset options.

• Are you comfortable setting up and maintaining your crypto wallets? Setting up and maintaining a crypto wallet on your own may require some technical savvy. Make sure you are comfortable with any of the technical aspects you may need to set up and maintain your crypto wallet on your own.
   
• Do you want to have sole responsibility for your crypto assets? With self-custody, you are in complete control of your crypto assets. You have sole responsibility for keeping track of the private keys and seed phrases for your crypto assets. If these keys or phrases are lost or stolen, you may lose access to your crypto assets.
   
• What type of crypto wallet do you want to use? As discussed above, you may use hot or cold wallets to store your crypto assets. Carefully consider your convenience and security needs when selecting what type of crypto wallet would work best for you.
   
• How much does the crypto wallet cost? Physical devices for cold wallets typically cost money to purchase, while hot wallets may initially be free. However, making transactions using the wallets typically involve fees. Make sure you learn about these costs before selecting a crypto wallet or engaging in transactions.

Third-Party Custody: With third-party custody you select a professional custodian or service provider to hold your crypto assets. Third-party custodians include crypto exchanges and dedicated crypto asset custody providers. Third-party custodians manage and control access to your crypto assets’ private keys. The accounts that third-party custodians use to hold your crypto assets’ private keys may consist of cold wallets, hot wallets, or a combination of both. If the third-party custodian is hacked, shuts down, or goes bankrupt, you may lose access to your crypto assets.

Key questions when selecting third-party custodians.

• Have you researched the custodian’s background? Take time to carefully research any third-party custodian. Do an internet search for any complaints about the custodian. Find out how a custodian is regulated. While the crypto asset industry is still emerging from a regulatory standpoint, some level of regulation does exist.
   
• What types of crypto assets does the custodian allow me to hold? The types of crypto assets that you can hold at each custodian varies. Make sure the custodian will allow you to hold the types of crypto assets you want to hold in your account.
   
• What happens if the custodian fails? Find out if the custodian provides insurance for the loss or theft of crypto assets, and make sure you understand its terms and conditions.
   
• Where and how does the custodian store and safeguard your crypto assets? Ask the custodian how it safeguards your crypto assets and private keys, and who has access to them. Does the custodian store your crypto assets in its own facilities, or does it subcontract its crypto asset storage to a third-party? Does the custodian use hot wallets, cold wallets, or other methods? Which crypto wallet do they use more, and how do they determine where they keep your crypto assets? Also, ask about what types of physical and cyber security protocols and procedures the custodian uses to protect your crypto assets.
   
• How does the third-party custodian use your crypto assets? Some custodians use deposited crypto assets as collateral for their own purposes (i.e., lending). This is sometimes called “rehypothecation.” To reduce costs, some custodians also may commingle crypto assets, instead of holding them individually for customers. Find out whether your custodian engages in either of these practices and, if so, if they require your consent.
   
• What privacy protections does the custodian provide? Look for a custodian that protects your sensitive personal information, such as your name, address, social security number, and the types of crypto assets you own or have bought and sold. Ask whether the custodian sells any of its customer data to third-parties and, if so, whether it requires your consent.
   
• What account fees does the custodian charge? Ask the custodian about annual asset-based fees (annual fee based on the value of your crypto assets), transaction fees (the cost to spend or trade your crypto assets), asset transfer fees (the cost to move your crypto assets outside of the custodian), and fees to set up and close the account.

General tips for protecting crypto assets.

1. Carefully research and select any third-party custodians.
    
2. Never share your private keys, or seed phrases.
    
3. Keep your crypto assets private. Do not share the amount or types of crypto assets you have with anyone.
    
4. Watch out for crypto asset phishing scams.
    
5. Use strong passwords and multi-factor authentication for access to all your online crypto asset accounts.