Custody is the question that stops institutional blockchain conversations cold. Not compliance frameworks, not token standards, not legal structure — custody. The question takes different forms: "Who holds the private keys?" "What happens if the key is lost?" "Does this satisfy our qualified custodian requirement?" Each version is asking the same thing: can we hold on-chain assets without accepting a failure mode that traditional custody eliminated decades ago?
The answer is yes — but only with the right custody architecture. This primer covers how MPC-based custody works, why it solves the problems that single-key wallet custody cannot, and what institutional counterparty requirements it satisfies in practice.
The Single-Key Problem
Traditional blockchain wallet custody relies on a single private key — a 256-bit cryptographic secret that authorizes all transactions from a given address. Whoever possesses the private key controls the assets. This creates two failure modes that are incompatible with institutional standards.
First: key loss. If the private key is destroyed, access to the assets is permanently and irreversibly severed. Unlike a bank account, there is no recovery process, no regulatory pathway, no court order that can restore access. The assets exist on-chain; without the key, they are inaccessible forever. A fund that holds $25M in tokenized securities in a single-key wallet and loses the key has simply lost $25M.
Second: key compromise. If an attacker obtains a copy of the private key — through insider theft, malware, or compromised storage — they can drain the wallet in a single irreversible transaction. Blockchain transactions are final. There is no chargeback, no fraud reversal, no custodian recovery. The loss is permanent.
Neither failure mode is acceptable under institutional custody standards. Both are eliminated by MPC architecture.
How MPC Works
Multi-party computation (MPC) custody splits the cryptographic signing operation across multiple independent parties — typically three or more — such that no single party ever possesses or stores the complete private key. Instead, each party holds a "key share" — a fragment of the signing material that is mathematically useless alone.
When a transaction needs to be authorized, the parties execute a distributed signing protocol. Each party contributes its key share to the computation, and the protocol produces a valid cryptographic signature — but the complete private key is never assembled in any single location, not even transiently in memory. The result on-chain is identical to a single-key signature; blockchain validators cannot distinguish between a single-key authorization and an MPC authorization.
This architecture eliminates both failure modes. Key loss becomes a key share loss, which is recoverable through a defined recovery procedure involving the other key share holders. Key compromise is now a multi-party problem: an attacker who compromises one key share cannot sign transactions without also compromising the remaining shares, which are held in separate, independent environments — different cloud regions, different organizational controls, sometimes offline cold storage.
The practical effect of MPC: custody institutions can now set a policy threshold — for example, 2-of-3 key shares required to authorize a transaction — and distribute those shares across independent environments with independent access controls. A transaction cannot execute without meeting the threshold. This mirrors the dual-control principles that have governed institutional asset custody for decades.
Fireblocks Architecture Specifically
Fireblocks is a custody and key management infrastructure platform used by financial institutions, crypto-native exchanges, and tokenization platforms. It implements MPC-CMP (Multi-Party Computation with Commitment-Based Message Passing), which is one of the more recent and performant MPC protocols for distributed key signing.
In a Fireblocks deployment, key shares are distributed across: the institution's Fireblocks workspace environment, Fireblocks' own infrastructure (which serves as a co-signer), and an optional mobile-based key share held by a designated administrator. For a 2-of-3 threshold, any two of these three parties can authorize a transaction. Fireblocks' infrastructure is not the sole signing authority — it co-signs but cannot unilaterally transact without the institution's participation.
The Fireblocks platform also provides policy engine controls that sit above the cryptographic layer: transaction limits by asset type, whitelisted destination addresses, multi-approver workflows for large transactions, and API rate limiting. These controls are enforced before the MPC signing protocol executes, meaning unauthorized transactions are blocked at the application layer before they reach the cryptographic authorization step.
For security tokens issued under ERC-3643, the custody layer interacts with the token's compliance requirements. A transfer originating from a Fireblocks-managed wallet must still satisfy the ERC-3643 compliance checks: the destination address must hold valid compliance attestations. Custody architecture and token compliance architecture are independent layers that work in sequence.
Qualified Custodian Standards and Digital Assets
The Investment Advisers Act requires registered investment advisers to maintain client assets with a "qualified custodian" — typically a bank, broker-dealer, futures commission merchant, or foreign equivalent. For digital assets, this has been an evolving area of regulatory guidance.
The SEC's Staff Accounting Bulletin 121 (SAB 121), issued in 2022 and partially modified subsequently, required entities acting as custodians for digital assets to record a liability on their balance sheets equal to the fair value of those assets. This accounting treatment made it economically unattractive for traditional banks and broker-dealers to offer digital asset custody, which slowed adoption of qualified custodian arrangements for on-chain assets.
As of late 2025, qualified custodian availability for tokenized securities has improved, with several trust companies and regulated custodians formally supporting security token custody. The framework is not fully resolved — regulatory interpretation continues to evolve — but the barrier is lower than it was two years ago. Institutional investors exploring tokenized private credit allocations should verify the custody arrangement for any specific deal: Is the custodian regulated? What is their recovery procedure for key share loss? Does their custody arrangement satisfy the fund's existing counterparty approval process?
What Institutional Due Diligence Asks
In our conversations with LP compliance teams reviewing tokenized private credit structures, the custody questions that arise most consistently are:
- Key reconstruction: Under what conditions can the full private key be reconstructed? (The correct answer for MPC is: it cannot be reconstructed; that's the point.)
- Share independence: Are key shares stored in truly independent environments, or does a single administrator control multiple shares?
- Recovery procedure: What happens if one key share holder (including Fireblocks itself) becomes unavailable? Is there a documented recovery process?
- Insurance: Does the custody arrangement carry crime/cyber insurance covering key compromise or operational failure?
- Regulatory status: Is the custody entity regulated as a trust company, bank, or broker-dealer?
MPC architecture answers the technical questions cleanly. The regulatory and insurance questions vary by custody provider and deal structure — they require documentation review, not just an architecture diagram.
Custody Is Infrastructure, Not a Feature
The custody layer in a tokenized security structure is not a value-add. It's foundational infrastructure. Institutional participants — whether LPs investing in a tokenized fund, or fund administrators managing the cap table — require custody arrangements that satisfy counterparty risk requirements before they will engage with on-chain assets at any scale.
MPC-based custody via providers like Fireblocks has largely resolved the technical objection: the single-key failure mode is eliminated. What remains is the institutional framework work — regulatory recognition, insurance coverage, custodian counterparty approval processes — which varies by jurisdiction and institution type and continues to develop as the asset class matures.
For a fund manager evaluating a tokenized deal structure, the right question isn't whether MPC custody is secure enough. It is. The question is whether the specific custody arrangement — the provider, the key share distribution, the regulatory status, the recovery documentation — satisfies your LP base's specific compliance requirements. That due diligence is worth doing early in the deal structuring process, not after the subscription documents are drafted.