FINMA Circular 2026/1: Custody of crypto assets means bearing responsibility

The focus is not on cryptographic mechanisms or blockchain architectures, but on the custody of crypto assets, clear responsibilities, robust organizational structures, and the management of operational risks. This moves crypto definitively into the core area of classic financial market supervision.

The circular is not a new law. Rather, it clarifies how existing legal and regulatory requirements – namely from FINMAG, FINIG and GwG, as well as from the relevant FINMA circulars on organisation, outsourcing and operational risks – are to be applied to crypto business models.

From a legal perspective, crypto assets have never been an independent special category. Since its early statements on blockchain and ICO topics, FINMA has always made it clear that crypto-based assets must be functionally qualified and are therefore subject to existing financial market law regulations.

In practice, however, the technological novelty led to different implementation approaches and a certain restraint in supervisory practice for years. Circular 2026/1 addresses this development and sharpens the application of existing organizational, governance, and risk principles for crypto business models.

It is therefore not a legal reassessment, but a concretization of supervisory expectations against the background of increased market volumes, complexity, and systemic relevance.

Circular 2026/1 addresses all constellations in which an institution:

• Holds crypto assets for clients
• Controls or technically influences private keys
• Initiates transactions on behalf of clients
• Uses third-party providers or sub-custodians

FINMA expects in particular:

• clear key governance (access rights, approvals, escalations),
• the separation of client and own holdings,
• dual control principles and robust control mechanisms,
• emergency, failure, and exit concepts,
• clear and enforceable contractual arrangements for outsourcing.

FINMA is responding to a number of structural features of crypto assets:

• Transactions are irreversible
• Errors lead directly to total losses
• Reversal or hedging mechanisms are lacking
• Governance errors have an immediate impact
• International custody structures increase legal and insolvency risks

From a supervisory perspective, these factors combine to create an increased operational risk that can only be managed through a clean organization, clear responsibility, and effective controls.

The circular does not contain a fixed deadline, but follows a clear logic of expectations:

Short term (0–3 months), until the end of March 2026:

• Acknowledgement by the Board of Directors and Executive Board
• Analysis of impact and gaps
• documented risk and model assessment

Medium term (3–9 months) March to September 2026:

• Adaptation of governance, policies, and directives
• Review of custody and outsourcing structures
• contractual and organizational refinements

Long term (9–18 months) September 2026 – June 2027:

• fully implemented and tested structures
• Integration into Risk, Compliance, AML, and Audit
• supervisory-proof overall architecture

In particular, banks, securities firms, asset managers, FinTechs, and other supervised institutions with crypto exposure are affected.

The following applies to these:

• Crypto business models must be justified and documented from a supervisory perspective
• Pilot or test projects are not automatically privileged
• Self-custody is generally not a realistic option for institutions
• Outsourcing increases the requirements for governance and control

Compliance becomes a central control function for crypto activities:

• Integration of crypto processes into existing compliance frameworks
• clear roles, responsibilities, and escalation paths
• full application of AML obligations
• increased requirements for documentation and traceability
• close integration of Compliance, Risk, Legal, and IT

Crypto compliance is therefore not an add-on, but part of the core organization.

The real challenge in connection with FINMA Circular 2026/1 lies not in reading or understanding the text, but in its consistent implementation in a manner that is proof against supervision and auditing. In practice, it is precisely here that many crypto initiatives fail, less because of the technology than because of unclear governance, inadequate organization, or a lack of regulatory integration.

VELAW has been advising financial institutions, FinTechs and crypto service providers for years at the interface of financial market law, compliance, governance and technology. Our strength lies in not interpreting regulatory requirements abstractly, but in translating them into practical, resilient and FINMA-compliant structures that work in day-to-day operations and stand up to supervisory dialogue.

We support our clients in particular with:

• the supervisory classification and positioning of crypto business models,
• the design of robust custody and key governance structures,
• the legal and organizational protection of outsourcing models,
• the preparation for audits, supervisory discussions, and regulatory developments.

VELAW supports financial service providers in classifying and implementing regulatory requirements at the interface of financial market law, compliance and technology.

Further information can be found at www.velaw.ch or contact us at info@velaw.ch.