By RWA Radar Research · Published
Key Takeaways
When a real-world asset is tokenized, most attention goes to the issuance — the bond, the fund, the on-chain wrapper. But the layer where investor protection is actually won or lost is custody: who holds the private keys or the legal title to the asset, whether your holdings are ringfenced from the firm that holds them, and who pays if those assets are hacked, lost, or caught inside an insolvency.
The three regulators that matter most for an Asia-Pacific investor or builder — the US Securities and Exchange Commission (SEC), Hong Kong's Securities and Futures Commission (SFC), and the Monetary Authority of Singapore (MAS) — have taken visibly different routes to the same question. This page compares them using primary sources only. Where a regulator has not actually written a rule, we say so rather than imply one. A note on scope: the prescriptive custody standards below sit mostly in the virtual-asset / digital-payment-token perimeter, which is where the keys-and-cold-storage problem is most acute; we flag where that boundary matters.
The most common misreading of the US position is to treat the SEC's December 2025 investor bulletin as a custody rule. It is not. On 12 December 2025 the SEC's Office of Investor Education and Assistance published Crypto Asset Custody Basics for Retail Investors, which walks retail investors through self-custody versus third-party custody, hot versus cold wallets, and the risks of a third-party custodian engaging in rehypothecation (lending out deposited assets) or commingling (per the SEC, 2025). The document is explicit about its own weight:
This Investor Bulletin represents the views of the staff of the Office of Investor Education and Assistance. It is not a rule, regulation, or statement of the Securities and Exchange Commission … it does not alter or amend applicable law, and it creates no new or additional obligations for any person.
The binding requirement lives elsewhere. The Investment Advisers Act Custody Rule (17 CFR 275.206(4)-2) requires a registered investment adviser with custody of client funds or securities to keep them with a qualified custodian, in a separate account in the client's name or in an account holding only clients' assets under the adviser's name as agent or trustee (per 17 CFR 275.206(4)-2). A qualified custodian is defined narrowly: an FDIC-insured bank or savings association, a registered broker-dealer holding client assets in customer accounts, a registered futures commission merchant, or a foreign financial institution that segregates client assets from its own (per 17 CFR 275.206(4)-2(d)(6)). Critically, this rule binds advisers — it is not a general-purpose safeguarding regime for any platform that holds crypto for retail users.
One 2025 change did materially reshape who can custody crypto. On 23 January 2025 the SEC issued Staff Accounting Bulletin No. 122 (SAB 122), effective 30 January 2025, rescinding SAB 121 — the interpretive guidance that had pushed entities safeguarding crypto for users to recognise those holdings as a liability on their own balance sheets (per the SEC, 2025). Removing that accounting treatment lowered the deterrent that had kept many US banks out of crypto custody. The net picture: the US relies on a qualified-custodian framework plus disclosure, not a fixed safety formula written specifically for tokenized or crypto assets.
Hong Kong is the most prescriptive of the three. Under the SFC's Guidelines for Virtual Asset Trading Platform Operators, a licensed platform “should only hold client assets on trust for its clients through its Associated Entity” (per the SFC). That associated entity is not an accounting fiction: it must be a wholly-owned subsidiary of the platform, incorporated in Hong Kong, holding a trust-or-company-service-provider licence under the Anti-Money Laundering Ordinance, and it may do nothing other than receive and hold client assets (per the SFC). Client virtual assets must be segregated from the assets of both the platform and the associated entity, and the entity must hold the same virtual assets, in the same amount, that are owed to clients (per the SFC).
On the storage mechanics, the SFC writes a hard number: the platform and its associated entity “should store 98% of client virtual assets in cold storage” — such as hardware-security-module-based cold storage — except in limited circumstances the SFC permits case-by-case, and should minimise transactions out of the cold storage where the majority of client assets are held (per the SFC).
What sets Hong Kong apart most sharply is a mandated loss-coverage floor. The platform must have an SFC-approved compensation arrangement covering potential loss of 50% of client virtual assets in cold storage and 100% of client virtual assets in hot and other storage held by its associated entity, and must monitor on a daily basis whether that coverage still complies (per the SFC). In other words, the regulator does not merely require “adequate insurance” — it specifies the minimum proportion of client assets that must be made whole. This custody regime is the same licensing layer that underpins the broader Hong Kong framework traced in our Hong Kong RWA regulation timeline.
Singapore's approach is prescriptive on structure and conduct, though it expresses the safety bar through a statutory trust rather than a cold-storage percentage. On 3 July 2023 MAS announced that Digital Payment Token (DPT) service providers must safekeep customer assets under a statutory trust, to mitigate loss or misuse and to aid recovery of customer assets in an insolvency (per MAS, 2023). The same measures require DPT providers to: segregate customers' assets from their own and hold them in trust; conduct a daily reconciliation of customer assets and keep proper books and records; maintain access and operational controls to customers' tokens in Singapore; and ensure the custody function is operationally independent from other business units (per MAS, 2023).
MAS also went further than either the SEC or the SFC on one conduct point: it is restricting DPT service providers from facilitating lending and staking of retail customers' tokens, judging those activities “generally not suitable for retail public,” while still permitting them for institutional and accredited investors (per MAS, 2023). This is a direct answer to the rehypothecation risk that the SEC bulletin merely warns retail investors to ask about.
These were not aspirations. MAS confirmed on 2 April 2024 that providing custodial services for DPTs became a regulated activity, with the safeguarding-of-customer-assets provisions of the Payment Services Regulations taking effect six months from 4 April 2024 — that is, on 4 October 2024 — requiring segregation into a trust account for the benefit of customers, proper books and records, and effective systems and controls to protect the integrity and security of customer assets (per MAS, 2024).
Reading the three frameworks against each other, the divide is less about strictness in the abstract and more about prescriptive versus processual. Hong Kong and Singapore write the safeguards into the rulebook — a number, a trust, a coverage floor. The US relies on who is allowed to be a custodian and on disclosure, without a crypto-specific safety formula for retail.
For how RwaRadar maps these custody safeguards onto the assets we track — the legal wrapper, the on-chain structure, and who can actually access an asset — see our methodology. The headline takeaway is practical: in Hong Kong and Singapore you can read the floor of protection off a regulator's text; in the US you mostly read it off who the custodian is and what they disclose.
SEC (Office of Investor Education and Assistance)
U.S. Code of Federal Regulations (e-CFR)