The question I get asked most often by fund managers evaluating tokenization is not about smart contracts or token standards—it is about custody. Who actually holds these things? What happens if the custody provider fails? Are we covered by the SEC's custody rule? These are the right questions, and they are harder to answer than most vendors admit. Custody for tokenized fund interests involves two distinct but often conflated layers, and getting either one wrong creates regulatory exposure or, worse, irreversible asset loss.
Two Custody Layers, Two Distinct Problems
When a fund tokenizes its LP interests, two separate custody obligations arise. The first is custody of the underlying assets—the real estate portfolio, the private equity positions, the receivables—that back the fund. This is traditional custody, handled through established legal mechanisms: title registration, escrow accounts, book-entry registration with depositories. Tokenization does not change underlying asset custody; the blockchain token is a digital representation of the claim, not the claim itself.
The second is custody of the digital tokens that represent beneficial ownership in the fund. These tokens exist as cryptographic state on a blockchain, controlled by whoever holds the corresponding private key. If the private key is lost, access to the tokens is lost—permanently, with no recovery mechanism. If the private key is stolen, the tokens can be transferred to any address by whoever holds the key. This is fundamentally different from losing a paper certificate, which can be reissued through legal process.
Why the Distinction Matters for Compliance
The SEC's custody rule (Rule 206(4)-2 under the Investment Advisers Act) requires registered investment advisers to maintain client funds and securities with a "qualified custodian"—a bank, broker-dealer, futures commission merchant, or foreign financial institution meeting specific regulatory requirements. The SEC's 2023 proposed custody rule amendments explicitly addressed digital assets, proposing that tokenized securities must also be held with qualified custodians rather than in self-custody by the fund manager. Fund managers operating under Reg D exemptions must still understand how their custodial arrangements will withstand regulatory scrutiny if the SEC's position on digital asset custody hardens.
Qualified Custodian Options for Digital Fund Interests
The institutional digital asset custody market has matured significantly since 2022. Several established financial institutions now offer qualified custodian services for digital securities: BNY Mellon Digital Assets launched institutional digital custody in 2022; Fidelity Digital Assets has provided custody services to institutional clients since 2018; Coinbase Prime offers custody to institutional clients through a regulated trust company structure; Anchorage Digital holds a national bank charter from the OCC—the first crypto-native firm to receive one—giving it unambiguous qualified custodian status.
The choice between these providers involves several trade-offs: insurance coverage levels and what events are covered (hacks vs. operational losses vs. key management failures), fee structures for custody versus transaction services, jurisdiction of operation and which regulatory framework governs, and integration capabilities with the tokenization platform's smart contract infrastructure. A custody provider that cannot integrate with your token's transfer agent or sign transactions compatible with your ERC-3643 compliance modules creates operational friction that eliminates much of the automation value of tokenization.
Self-Custody and Its Limits
Some platforms offer self-custody options where the fund manager or the platform operator holds the private keys. For regulated fund structures with LP capital, self-custody is not a viable long-term arrangement. The operational risk (key loss or compromise) is not insured, the regulatory position is unclear under the SEC custody rule, and institutional LPs conducting diligence will identify self-custody as a risk factor. Self-custody is appropriate for development and testing environments, not for production fund operations.
MPC Wallet Architecture: How It Works and Why It Matters
Multi-party computation (MPC) has become the dominant key management architecture for institutional digital asset custody. The core insight is that a private key—the cryptographic secret that controls a blockchain address—does not need to exist as a complete object for it to be used for signing. MPC protocols allow the key generation and signing computation to be distributed across multiple parties such that no single party ever holds or sees the complete key, yet the combined computation produces a valid signature.
In a typical 2-of-3 MPC arrangement, three key shares are generated and distributed to three independent parties—perhaps the custody provider, the fund manager, and a neutral third party. Any two share holders can cooperate to sign a transaction; no single party can do so alone. The signing computation happens in a secure multi-party protocol—the parties exchange messages to compute the signature collaboratively without any party ever reconstructing the full key. Even if one party's systems are fully compromised, the attacker has a single key share that is useless for signing without one of the other parties' cooperation.
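The 2-of-3 signing flow described above, as an added example that is not from the original article or from any custody provider's code: a toy threshold Schnorr signature in which each party computes a partial from its own share and the full key is never reassembled. The group parameters, the dealer, and all function names are assumptions made for illustration; production protocols use distributed key generation, full-size curves, and nonce commitments that this version omits.

```python
import hashlib
import math
import secrets

# Toy Schnorr group (P = 2Q + 1, G of prime order Q): readable sizes, not secure.
P, Q, G = 2039, 1019, 4

def deal_shares(secret):
    """Shamir 2-of-3 on f(i) = secret + a*i mod Q (a dealer is used for brevity)."""
    a = 1 + secrets.randbelow(Q - 1)
    return {i: (secret + a * i) % Q for i in (1, 2, 3)}

def lagrange_at_zero(i, signers):
    """Weight of share i when the signer set interpolates f(0)."""
    lam = 1
    for j in signers:
        if j != i:
            lam = lam * j * pow((j - i) % Q, -1, Q) % Q
    return lam

def challenge(R, pub, msg):
    digest = hashlib.sha256(f"{R}|{pub}|".encode() + msg).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)  # never zero

def partial_sign(share, lam, nonce, e):
    """Runs on one party's machine; only the resulting scalar is sent."""
    return (nonce + e * lam * share) % Q

def threshold_sign(shares, signers, msg, pub):
    nonces = {i: secrets.randbelow(Q) for i in signers}
    R = math.prod(pow(G, k, P) for k in nonces.values()) % P  # round 1
    e = challenge(R, pub, msg)
    parts = [partial_sign(shares[i], lagrange_at_zero(i, signers), nonces[i], e)
             for i in signers]  # round 2: one partial per signer
    return R, sum(parts) % Q

def verify(pub, msg, R, s):
    return pow(G, s, P) == R * pow(pub, challenge(R, pub, msg), P) % P

def demo():
    x = 1 + secrets.randbelow(Q - 1)  # known here only because of the dealer
    pub, shares = pow(G, x, P), deal_shares(x)
    msg = b"transfer 100 fund tokens"  # constructed sample message
    pairs_ok = all(verify(pub, msg, *threshold_sign(shares, pair, msg, pub))
                   for pair in [(1, 2), (1, 3), (2, 3)])
    k = secrets.randbelow(Q)  # one stolen share, used as if it were the key
    R = pow(G, k, P)
    lone = partial_sign(shares[1], 1, k, challenge(R, pub, msg))
    return pairs_ok, verify(pub, msg, R, lone)
```

`demo()` returns `(True, False)`: every pair of share holders produces a signature that verifies against the single public key, while a signature built from one share alone does not.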
MPC vs. Hardware Security Modules
Traditional institutional key management uses hardware security modules (HSMs)—tamper-resistant hardware devices that store private keys and perform signing operations in a secure enclave. HSMs are widely used in traditional finance (for TLS certificates, code signing, and payment system keys) and can be certified to FIPS 140-2 Level 3. The limitation for blockchain custody is that an HSM holds a complete private key in a single hardware device—the security boundary is the physical tamper resistance of the device, not a distributed key architecture. MPC is considered more resilient against the specific threat model of blockchain custody because there is no single point of physical attack that yields a complete key.
Fireblocks, Copper, and Qredo are the leading MPC wallet infrastructure providers used by institutional digital asset custodians. Asking a potential custody provider which MPC library they use and whether it has been independently audited is a reasonable due diligence question—the quality of MPC implementations varies, and published audit reports are a meaningful signal of engineering rigor.
The On-Chain Transfer Agent and Cap Table Function
In traditional securities, the transfer agent maintains the cap table—the authoritative record of who owns how many shares—and processes transfers when instructed by the issuer or clearing house. Transfer agents are regulated entities (registered with the SEC under the Securities Exchange Act) who bear fiduciary responsibility for the accuracy of ownership records.
In a tokenized fund, the blockchain itself serves as the authoritative ownership registry. The token contract holds a mapping of wallet addresses to token balances—this is the on-chain cap table. Every transfer updates this mapping in a publicly verifiable, immutable record. The "transfer agent" function is partially automated by the smart contract itself (which enforces transfer restrictions and updates balances), but a legal entity must still bear responsibility for maintaining the integrity of the identity registry—the mapping between on-chain wallet addresses and verified investor identities.
Who Bears Transfer Agent Liability
This is an area where legal frameworks are still catching up to the technology. For the BENJI fund, Franklin Templeton's registered transfer agent maintains the official ownership records directly on-chain through its proprietary Benji blockchain-integrated system—taking direct regulatory responsibility for the accuracy of those records. Most tokenization platforms position themselves as technology vendors rather than registered transfer agents, placing the legal responsibility on the fund manager or their designated administrator. Fund managers should obtain explicit written clarity from their tokenization vendor about who bears transfer agent liability, what happens if the identity registry contains errors, and what the remediation process is for incorrectly recorded transfers.
The KYC/AML verification underlying the identity registry is a separate but related obligation. The ERC-3643 identity registry maps wallet addresses to verified investor claims, but the verification of those claims—accreditation status, identity documents, sanctions screening against 2,000+ watchlists—is performed by the platform's compliance validation infrastructure, not by the blockchain itself. The chain of custody from identity verification to on-chain claim issuance must be documented and auditable for regulatory purposes.
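The relationship between the balance mapping, the identity registry, and the cap table described in this section, as an added example that is not part of the original article: a simplified Python model, not the ERC-3643 contracts. The class names, claim topics, wallet addresses, and investor ids are hypothetical.

```python
from collections import defaultdict

REQUIRED_CLAIMS = {"KYC", "ACCREDITED"}  # hypothetical claim topics

class IdentityRegistry:
    """Wallet -> (investor id, claims); claims are verified off-chain."""
    def __init__(self):
        self.wallets = {}
    def register(self, wallet, investor_id, claims):
        self.wallets[wallet] = (investor_id, set(claims))
    def is_verified(self, wallet):
        entry = self.wallets.get(wallet)
        return entry is not None and REQUIRED_CLAIMS <= entry[1]

class FundToken:
    def __init__(self, registry):
        self.registry = registry
        self.balances = defaultdict(int)  # raw on-chain mapping: wallet -> units
    def _credit(self, to, amount):
        if not self.registry.is_verified(to):  # transfer restriction
            raise PermissionError(f"{to} is not a verified investor")
        self.balances[to] += amount
    def mint(self, to, amount):
        self._credit(to, amount)
    def transfer(self, sender, to, amount):
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            raise ValueError("invalid amount or insufficient balance")
        self._credit(to, amount)  # raises before any balance changes
        self.balances[sender] -= amount
    def cap_table(self):
        """Join balances with the registry: units per investor, not per wallet."""
        table = defaultdict(int)
        for wallet, units in self.balances.items():
            if units:
                table[self.registry.wallets[wallet][0]] += units
        return dict(table)

def demo():
    reg = IdentityRegistry()  # constructed sample investors and wallets
    reg.register("0xA1", "LP-001", REQUIRED_CLAIMS)
    reg.register("0xA2", "LP-001", REQUIRED_CLAIMS)
    reg.register("0xB1", "LP-002", {"KYC"})  # accreditation claim missing
    token = FundToken(reg)
    token.mint("0xA1", 1000)
    token.transfer("0xA1", "0xA2", 400)
    return token
```

The balances alone show two holders; only the join with the registry shows a single investor holding 1,000 units, which is why errors in the registry are cap table errors.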
Key Management Policy: What a Fund Manager Should Establish
Regardless of which custody provider a fund uses, the fund manager should establish and document a key management policy before deploying any tokenized structure. The policy should cover: which parties hold key shares or signing authority, under what conditions transactions can be authorized, what approval workflow governs large or unusual transactions, what the incident response procedure is for suspected key compromise, how key rotation works and on what schedule, and what the fund wind-down procedure is for ensuring token redemption without operational key continuity.
The wind-down question is frequently overlooked. A tokenized fund with a 10-year lifespan must ensure that 10 years from now, the custody arrangement is still operational and the keys are still accessible. Custody provider failure, key share holder departure, or MPC software deprecation must all be addressed in the policy. Some fund managers use on-chain time-lock mechanisms as a backstop: if no transaction is authorized within a defined period, a pre-configured recovery address can claim the tokens—providing a last-resort mechanism against custody provider failure.
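The time-lock backstop described above, as an added example that is not part of the original article: a Python model of the state machine such a mechanism implements, with `now` standing in for the block timestamp. The class, the party names, and the 180-day timeout are assumptions chosen for illustration.

```python
DAY = 86_400  # seconds

class TimeLockedCustody:
    """Model of an on-chain dead-man switch over a token position."""

    def __init__(self, operator, recovery, timeout, now):
        if operator == recovery:
            raise ValueError("recovery address must be independent of the operator")
        self.controller = operator
        self.recovery = recovery
        self.timeout = timeout
        self.last_authorized = now

    def deadline(self):
        return self.last_authorized + self.timeout

    def authorize(self, caller, now):
        """Any transaction signed by the current controller resets the clock."""
        if caller != self.controller:
            raise PermissionError("caller does not control the position")
        self.last_authorized = now

    def claim(self, caller, now):
        """Recovery path: only the pre-configured address, only after silence."""
        if caller != self.recovery:
            raise PermissionError("not the recovery address")
        if now < self.deadline():
            raise PermissionError("operator was active within the timeout")
        self.controller = self.recovery  # the operator's key stops working here
        self.last_authorized = now

def demo():
    # Constructed scenario: the custodian signs on day 60, then goes dark.
    vault = TimeLockedCustody("custodian", "recovery", timeout=180 * DAY, now=0)
    vault.authorize("custodian", now=60 * DAY)
    early = None
    try:
        vault.claim("recovery", now=200 * DAY)  # only 140 days of silence
    except PermissionError as exc:
        early = str(exc)
    vault.claim("recovery", now=240 * DAY)  # 180 days after the last activity
    return early, vault.controller
```

The recovery address is itself a key that can move the whole position, so it needs the same share distribution and rotation policy as the primary signing key, and the operator must keep authorizing within the window to retain control.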
Key Takeaways
- Tokenized fund custody involves two distinct layers: traditional custody of underlying assets (unchanged by tokenization) and digital custody of private keys representing on-chain token ownership. Both require institutional-grade arrangements; conflating them creates regulatory and operational gaps.
- Qualified custodians for digital fund interests include BNY Mellon Digital Assets, Fidelity Digital Assets, Coinbase Prime (regulated trust company), and Anchorage Digital (OCC national bank charter). The SEC's custody rule likely applies to tokenized securities held by registered advisers; self-custody is not a viable arrangement for regulated fund structures.
- MPC wallet architecture distributes key material such that no single party ever holds a complete private key, providing resilience against single-point-of-compromise attacks that HSM-based custody cannot fully address. Fireblocks, Copper, and Qredo are the primary MPC infrastructure providers for institutional custody.
- The on-chain identity registry (mapping wallet addresses to verified investor claims in ERC-3643) is the on-chain cap table; the legal entity bearing transfer agent liability for its accuracy should be explicitly identified in vendor contracts—most platform vendors do not register as transfer agents, placing that responsibility on the fund manager or administrator.
- A documented key management policy covering signing authority, transaction approval workflows, key rotation schedule, incident response, and fund wind-down procedures must be established before deploying any tokenized structure—the wind-down scenario is frequently overlooked and can create custody continuity risk over multi-year fund lifespans.