ARTICLE
16 February 2026

FINMA Guidance 01/2026: New Requirements For The Custody Of Cryptobased Assets

RUGGLE Partner

Contributor

RUGGLE Partner logo
Peter Ruggle is the founder of Ruggle Partner, a boutique law firm with offices in Zürich and Luzern. With over three decades of legal experience, he advises national and international clients on corporate and commercial law, M&A transactions, banking and capital markets, FinTech, and dispute resolution. A graduate of the University of St. Gallen with additional qualifications in FinTech (Oxford) and an MBA (Singapore), Peter began his career as a judge at the District Court of Meilen before joining private practice. He is a qualified mediator and publishes regularly in the fields of commercial law, financial services, and civil procedure. Peter is fluent in German, English, French, and Italian, enabling him to serve clients across multiple jurisdictions with a practical, solution-oriented approach.
Explore Firm Details
On 12 January 2026, the Swiss Financial Market Supervisory Authority (FINMA) published Guidance 01/2026 on the custody of cryptobased assets (the "Guidance").
Switzerland Technology
Peter Ruggle
Peter Ruggle’s articles from RUGGLE Partner are most popular:
  • within Technology topic(s)
  • in India
RUGGLE Partner are most popular:
  • within Technology topic(s)
  • with readers working within the Banking & Credit industries

1. Introduction and Background

On 12 January 2026, the Swiss Financial Market Supervisory Authority (FINMA) published Guidance 01/2026 on the custody of cryptobased assets (the "Guidance"). This Guidance addresses the growing importance of crypto custody services in the Swiss financial market and clarifies the regulatory requirements applicable to supervised institutions. It represents a significant development in the Swiss regulatory landscape for digital assets and warrants careful attention from all market participants.

The Guidance responds to increased market demand for trading, investment, and custody services relating to cryptobased assets. FINMA-supervised institutions, including banks, securities firms, managers of collective assets, and portfolio managers (collectively referred to as "institutions"), have demonstrably expanded their service offerings in this area. FINMA acknowledges this development while emphasizing the need for appropriate risk management and client protection measures.

The regulatory context has evolved significantly since the entry into force of the DLT blanket act (Bundesgesetz zur Anpassung des Bundesrechts an Entwicklungen der Technik verteilter elektronischer Register), which introduced comprehensive bankruptcy protection for cryptobased assets held in custody by third parties under Swiss law. The relevant provisions are found in Art. 37d in conjunction with Art. 16 para. 1bis of the Banking Act (BA; SR 952.0) and Art. 242a of the Federal Act on Debt Enforcement and Bankruptcy (SchKG; SR 281.1).

Concurrently, the regulatory environment in other jurisdictions has developed substantially. Most notably, the Markets in Crypto-Assets Regulation (MiCA) in the European Union has established a comprehensive framework for crypto-asset service providers, including custodians. FINMA explicitly acknowledges that these developments have created the basis for an appropriate custody environment for cryptobased assets abroad, resulting in a growing number of suitable foreign custodians offering bankruptcy protection.

ACTION REQUIRED: All institutions offering crypto custody services or including cryptobased assets in client portfolios should conduct a comprehensive review of their existing arrangements against the requirements set out in this Guidance. Non-compliant arrangements must be adjusted.

2. Key Risks Identified by FINMA

FINMA identifies several categories of risks associated with the custody of cryptobased assets that supervised institutions must address. Understanding these risks is essential for implementing appropriate mitigation measures and selecting suitable custodians.

2.1 Operational and Cyber Risks

Distributed ledger technology (DLT) offers innovative and technology-specific features, but also exposes assets stored "on the blockchain" to particular operational risks. FINMA highlights the following key concerns:

  • Cyber attacks: Cryptobased assets are attractive targets for sophisticated cyber criminals. The irreversible nature of blockchain transactions means that successful attacks can result in permanent loss of assets.
  • Private key protection: The security of cryptobased assets depends entirely on the protection of private keys. Inadequate key management—whether through poor security practices, insider threats, or technical failures—can lead to total loss of the assets.
  • Technical infrastructure requirements: From an operational perspective, it is necessary to establish and maintain a robust technical infrastructure and the associated expertise. This includes secure hardware and software systems, redundancy measures, and qualified personnel.

These risks must be adequately addressed when offering financial services in connection with cryptobased assets. Institutions that lack the necessary technical capabilities must either develop them internally or rely on qualified third-party custodians.

ACTION REQUIRED: Institutions should assess their own technical capabilities for crypto custody. Where services are provided in-house, a comprehensive cybersecurity framework must be implemented. Where third-party custodians are used, their technical infrastructure and security measures must be thoroughly evaluated as part of the due diligence process.

2.2 Counterparty and Insolvency Risks

Where custody is delegated to third parties, counterparty risks arise. FINMA emphasizes that these risks are particularly acute in the crypto context due to the following factors:

  • Segregability concerns: Counterparty risks exist insofar as the segregability of the cryptobased assets is not guaranteed in the event of the third party's insolvency. Unlike traditional securities held with established central securities depositories, the segregation of cryptobased assets requires specific technical and legal arrangements.
  • Absence of prudential supervision: The risk increases significantly if the third-party custodian is not subject to prudential supervision and does not have to comply with supervisory standards for custody. Unsupervised custodians may not maintain adequate capital buffers, risk management systems, or governance structures.
  • Dependency on third parties: There is a dependency on the respective third party, in particular on its technical infrastructure and continued operational viability. This necessitates careful selection of the third party and ongoing monitoring.

FINMA notes that findings from its supervision show that these risks were not always adequately taken into account by supervised institutions in the past. This observation underscores the importance of the Guidance and signals FINMA's intention to scrutinize custody arrangements more closely going forward.

2.3 Cross-border Custody Complexities

If the custodian is located abroad, complex legal issues may arise. FINMA identifies the following specific concerns:

  • Applicable insolvency regime: The treatment of cryptobased assets in the event of the foreign custodian's insolvency will be governed by foreign law. It must be ensured that customers' cryptobased assets do not form part of the custodian's bankruptcy estate under the applicable foreign law.
  • Regulatory equivalence: Questions arise as to which regulatory requirements foreign custodians must fulfil to be considered suitable for holding Swiss clients' assets. The Guidance provides clarification on this point.
  • Enforcement challenges: In the event of a dispute or the custodian's insolvency, Swiss institutions and their clients may face practical challenges in enforcing their rights in foreign jurisdictions.

ACTION REQUIRED: For cross-border custody arrangements, institutions should obtain legal opinions on (i) the applicable foreign insolvency regime and its treatment of cryptobased assets, (ii) the equivalence of foreign prudential supervision, and (iii) the enforceability of contractual arrangements with the foreign custodian.

3. Regulatory Framework for Swiss Banks

The Guidance clarifies the regulatory treatment of crypto custody services by Swiss banks, building on the framework established by the DLT blanket act and FINMA's earlier Guidance 08/2023 on Staking.

3.1 Bankruptcy Protection under Art. 37d BA and Art. 242a SchKG

Swiss financial institutions may offer their clients custody of and trading in cryptobased assets within a bankruptcy-proof framework. The treatment under bankruptcy law (Art. 242a para. 2 SchKG) depends on the custody model employed:

Individual custody: Where cryptobased assets are held separately for each client, and the obligation exists for these assets to be held in readiness for customers at all times, segregation in the event of the custodian's bankruptcy is guaranteed. The assets are excluded from the bankruptcy estate and must be returned to the client.

Collective custody with clear customer shares: Where cryptobased assets of multiple clients are held together (e.g., in omnibus wallets), but each client's share is clearly recorded and the obligation exists for assets to be held in readiness at all times, segregation is also guaranteed.

Collective custody without clear customer shares: Where no such obligation exists or customer shares are not clearly identifiable, no segregation occurs. In the event of the custodian's bankruptcy, the assets fall into the bankruptcy estate, and customers become unsecured creditors.

The distinction is critical: only custody arrangements that ensure segregation provide meaningful protection to clients. Institutions must ensure that their custody arrangements are structured to achieve segregation under Art. 242a SchKG.

3.2 Licensing Requirements under Banking Law

Under Art. 1a and 1b BA in conjunction with Art. 5 and 5a of the Banking Ordinance (BO), the licensing requirements depend on the custody arrangement and whether assets are held in readiness for customers:

  • Individual custody with assets held in readiness: No banking licence required, but the activity is subject to Anti-Money Laundering Act (AMLA) supervision.
  • Collective custody with clear customer shares and assets held in readiness: A FinTech licence under Art. 1b BA is required.
  • Collective custody without clear customer shares (or without assets held in readiness): A full banking licence is required, as the arrangement constitutes acceptance of public deposits.

3.3 Capital Treatment and Prudential Requirements

The accounting and prudential treatment of cryptobased custody assets follows from their segregability:

  • Segregable custody assets: If a Swiss bank holds cryptobased assets as segregable custody assets in accordance with Art. 37d in conjunction with Art. 16 no. 1bis BA, these assets are not held on the balance sheet and no capital requirements apply (subject to Art. 4sexies BA regarding operational risks).
  • Non-segregable custody: Where custody arrangements do not ensure segregation, the cryptobased assets must be recognized on the balance sheet and are subject to capital requirements.

3.4 Requirements for Foreign Sub-custodians

If custody is delegated to third parties abroad, the capital exemption for segregable custody assets applies by analogy, provided that equivalent conditions are met. FINMA specifies that equivalence requires:

  1. Prudential supervision: The foreign third-party custodian must be subject to prudential supervision in its home jurisdiction.
  2. Bankruptcy protection: The foreign law must guarantee bankruptcy protection for the cryptobased assets held in custody, such that the assets are excluded from the custodian's bankruptcy estate.

Both conditions must be satisfied. A foreign custodian that is prudentially supervised but operates in a jurisdiction without adequate bankruptcy protection for cryptobased assets does not meet the equivalence standard.

ACTION REQUIRED: Swiss banks using foreign sub-custodians for cryptobased assets should: (i) verify the prudential supervision status of each sub-custodian; (ii) obtain legal analysis of the applicable foreign bankruptcy regime; (iii) document the equivalence assessment; and (iv) maintain ongoing monitoring of regulatory developments in the relevant jurisdictions.

4. Requirements for Portfolio Managers

The Guidance provides detailed requirements for institutions active in individual portfolio management, reflecting the growing inclusion of cryptobased assets in client portfolios.

4.1 Custodian Selection under Art. 24 FinIO

In accordance with Art. 24 para. 1 of the Financial Institutions Ordinance (FinIO; SR 954.11), institutions active in individual portfolio management must ensure that assets entrusted to them for management are held in safekeeping, segregated per client, with one of the following types of institutions:

  • A bank pursuant to the Banking Act (BA)
  • A securities firm pursuant to the Financial Institutions Act (FinIA; SR 954.1)
  • A trading facility for distributed ledger technology securities (DLT trading facility) in accordance with the Financial Market Infrastructure Act (FinMIA)
  • Another institution that is subject to supervision equivalent to that in Switzerland

The appropriate safekeeping of managed cryptobased assets requires that they are held in custody by prudentially supervised institutions which, among other things:

  • Have an adequate technical infrastructure for the secure custody of cryptobased assets
  • Possess the necessary expertise in DLT and crypto asset management
  • Can ensure segregation of cryptobased assets in the event of the custodian's bankruptcy

4.2 Equivalence Assessment for Foreign Custodians

Where assets are held abroad, institutions must ensure that the custodian institution is subject to supervision equivalent to that in Switzerland. This requires a dual assessment:

First: Equivalence of prudential supervision

The foreign custodian must be subject to prudential supervision that is comparable to Swiss supervision in terms of scope, intensity, and supervisory standards. Relevant factors include: licensing requirements, capital and liquidity requirements, governance and risk management requirements, and ongoing supervisory monitoring.

Second: Equivalence of bankruptcy protection

Foreign law must provide for bankruptcy protection for cryptobased assets that is equivalent to Swiss law. This means that the foreign jurisdiction must recognize the client's property rights in the cryptobased assets and ensure their exclusion from the custodian's bankruptcy estate. The mere fact that a foreign custodian is supervised does not guarantee adequate bankruptcy protection.

FINMA explicitly acknowledges that regulatory developments such as MiCA in the EU have created the basis for an appropriate custody environment for cryptobased assets. Under MiCA, licensed crypto-asset service providers (CASPs) must segregate client assets and are subject to detailed custody requirements. As a result, a growing number of suitable custodians with bankruptcy protection already exist in EU Member States.

ACTION REQUIRED: Portfolio managers should conduct and document a formal equivalence assessment for each foreign custodian used for cryptobased assets. This assessment should cover: (i) the regulatory status and licensing of the custodian; (ii) the applicable prudential requirements; (iii) the bankruptcy law treatment of custodied crypto assets in the relevant jurisdiction; and (iv) any relevant legal opinions obtained.

4.3 Transitional Arrangements and Client Disclosure Obligations

As a general rule, custody arrangements that do not meet the regulatory requirements must be adjusted in the interests of client protection. However, FINMA permits existing arrangements to continue by way of exception in two specific scenarios:

Scenario (a): Foreign custodians that are subject to equivalent prudential supervision, but where no equivalent bankruptcy protection exists in the foreign jurisdiction.

Scenario (b): Swiss custodians under Self-Regulatory Organization (SRO) supervision where bankruptcy protection is ensured (Art. 242a SchKG), but prudential supervision (in the sense of FINMA supervision) is lacking.

These transitional arrangements are permissible only if the portfolio manager satisfies the following cumulative conditions:

  1. Comprehensive risk disclosure: The portfolio manager must be able to prove that it has provided comprehensive information to the clients about increased custody risks associated with the existing custody service provider, particularly in the event of bankruptcy.
  2. Information about alternatives: The portfolio manager must be able to prove that it has informed the clients about other suitable custodians for cryptobased assets in Switzerland and abroad.
  3. Documented written consent: The portfolio manager must have documented the client's written consent to the use or retention of a custodian that is not suitable in the above sense.

The burden of proof lies with the portfolio manager. Oral disclosures or implied consent are insufficient. Institutions should implement robust documentation processes to ensure compliance.

ACTION REQUIRED: Portfolio managers relying on the transitional arrangements must: (i) prepare a standardized risk disclosure document explaining the specific risks of the non-compliant custody arrangement; (ii) prepare information about alternative custodians that meet the full requirements; (iii) obtain and retain signed written consent from each affected client; and (iv) establish a timeline for transitioning to compliant custody arrangements where feasible.

4.4 Anti-Circumvention Rule

FINMA emphasizes that the guarantee of appropriate safekeeping of entrusted assets in accordance with Art. 24 para. 1 FinIO may not be circumvented by structures with foreign products. Client protection must be comprehensively guaranteed regardless of the legal structure employed.

Specifically, a Swiss institution that acts as a sponsor or manager of a foreign collective investment scheme that invests in cryptobased assets and places these in the portfolios of its clients remains responsible for compliance with the same custody principles. The interposition of a foreign fund structure does not relieve the Swiss institution of its obligations regarding the careful safekeeping of fund assets.

5. Collective Investment Schemes

5.1 Custody Requirements under CISA

The requirements for the safekeeping of fund assets of Swiss collective investment schemes are governed by the Collective Investment Schemes Act of 23 June 2006 (CISA; SR 951.31).

Pursuant to Art. 72 para. 1 CISA, fund assets must be held in safekeeping by a Swiss bank acting as custodian bank (Depotbank). This fundamental requirement also applies to cryptobased assets held as direct investments within Swiss collective investment schemes.

Consequently, direct investments in cryptobased assets as part of Swiss collective investment schemes must generally be held in custody at a Swiss custodian bank. This represents a significant constraint for fund managers seeking to include cryptobased assets in Swiss-domiciled funds.

5.2 Delegation to Third-Party Custodians

A custodian bank may delegate the safekeeping of fund assets to a third-party custodian or central securities depository in Switzerland or abroad where this is appropriate pursuant to Art. 73 para. 2 CISA.

For cryptobased assets, delegation to a third-party custodian is possible, provided that:

  • The third-party custodian is subject to equivalent prudential supervision
  • Equivalent bankruptcy protection rules for cryptobased assets exist in the relevant jurisdiction

The equivalence assessment must be conducted by the custodian bank and documented. The custodian bank remains responsible for the proper safekeeping of fund assets even where custody is delegated.

5.3 Investor Disclosure Requirements

Investors must be informed about the risks associated with delegation of custody. Specifically, disclosure must be provided:

  • In the prospectus of the collective investment scheme
  • In the basic information sheet (BIS) / Key Information Document (KID) in accordance with Title 3 of the Financial Services Act (FinSA; SR 950.1)

ACTION REQUIRED: Fund management companies and custodian banks should: (i) review custody arrangements for any Swiss collective investment schemes with direct crypto investments; (ii) verify that all third-party custodians meet the equivalence requirements; (iii) update prospectuses and basic information sheets to include appropriate risk disclosures regarding crypto custody; and (iv) establish monitoring processes for ongoing compliance.

6. Structured Products and Crypto ETPs

6.1 Regulatory Framework under FinSA

The offering of structured products to retail clients with whom there is no permanent portfolio management or investment advice relationship is governed by Art. 70 FinSA.

The issuing of structured products to retail clients by special purpose entities (SPVs) is permitted if the following conditions are met:

  • The products are offered by prudentially supervised institutions in accordance with Art. 70 para. 2 FinSA; and
  • Either a legally enforceable guarantee from a prudentially supervised financial intermediary exists for the obligations of the issuer (Art. 70 para. 1 FinSA), or legally enforceable real security is provided in favour of the investors (Art. 70 para. 2 FinSA; Art. 96 paras. 2 and 3 FinSO).

6.2 Requirements for Real Security

Risks arise when offering structured products in the crypto sector with regard to the custody of the underlying cryptobased assets pledged as security. FINMA has drawn attention to these risks in connection with crypto Exchange Traded Products (ETPs) in its 2022 and 2023 annual reports.

The Guidance clarifies that in the case of cryptobased assets, "real" security pursuant to Art. 96 FinSO requires legal protection in the event of the insolvency of the custodian of the security. This is a critical point: the collateralization only provides meaningful protection to investors if the cryptobased assets serving as collateral can be segregated from the custodian's bankruptcy estate.

If the custodian of the collateral becomes insolvent and the cryptobased assets fall into the bankruptcy estate, the "security" provides no protection to investors—they become unsecured creditors of the custodian in competition with other creditors.

6.3 Stock Exchange Requirements

Both Swiss stock exchanges have already issued specific rules in their regulations for the admission of crypto ETPs and their collateralization:

  • SIX Swiss Exchange AG: Additional Rules for the Listing of Exchange Traded Products, Arts. 12a-15
  • BX Swiss AG: Additional Rules for the Listing of Exchange Traded Products, Arts. 6-9

Issuers and offerors of crypto ETPs should ensure compliance with both the FINMA requirements and the applicable stock exchange regulations.

ACTION REQUIRED: Issuers and offerors of crypto structured products and ETPs should: (i) review custody arrangements for collateral to ensure segregation in custodian insolvency; (ii) verify compliance with applicable stock exchange requirements; (iii) update product documentation to reflect custody risks where relevant; and (iv) consider whether alternative collateralization arrangements may be required.

7. Practical Implications and Implementation Checklist

The Guidance has significant practical implications for Swiss financial institutions. The following checklist summarizes the key action items for different types of institutions:

7.1 For All Institutions Offering Crypto Services

  • Conduct a comprehensive inventory of all crypto custody arrangements
  • Assess each arrangement against the requirements in the Guidance
  • Develop a remediation plan for non-compliant arrangements
  • Update internal policies and procedures
  • Train relevant staff on the new requirements

7.2 For Institutions Using Foreign Custodians

  • Verify the regulatory status of each foreign custodian
  • Obtain and document legal analysis of foreign bankruptcy protection
  • Conduct and document formal equivalence assessments
  • Establish ongoing monitoring of foreign regulatory developments
  • Where transitional arrangements apply: implement disclosure and consent processes

7.3 For Portfolio Managers

  • Review all client portfolios containing cryptobased assets
  • Ensure custody arrangements meet Art. 24 FinIO requirements
  • Prepare standardized risk disclosure documents for transitional arrangements
  • Obtain and retain documented client consent where required
  • Review structures involving foreign collective investment schemes for anti-circumvention compliance

7.4 For Fund Management Companies and Custodian Banks

  • Review custody arrangements for Swiss collective investment schemes with crypto investments
  • Verify sub-custodian equivalence where delegation is used
  • Update prospectuses with appropriate risk disclosures
  • Update basic information sheets / KIDs

7.5 For Structured Product and ETP Issuers

  • Review custody arrangements for cryptobased collateral
  • Verify that collateral custody ensures segregation in insolvency
  • Ensure compliance with stock exchange requirements (SIX / BX Swiss)
  • Update product documentation as necessary

8. Investor Risk Notice

FINMA emphasizes that cryptobased assets, such as cryptocurrencies, are not per se safe investments, even if held in custody in accordance with the requirements set out in the Guidance.

Investors should be aware of the following risks before investing in cryptobased assets:

  • High volatility: Cryptobased assets are characterized by high price volatility. Significant losses can occur within short periods.
  • Speculative nature: These are often risky and highly speculative investments. The value may be based primarily on market sentiment rather than underlying fundamentals.
  • Total loss potential: Investors should be aware that high losses—including total loss of the investment—are possible.
  • Custody risks: Even compliant custody arrangements do not eliminate all risks. Technical failures, cyber attacks, or operational errors may result in loss of assets.

Financial institutions should ensure that clients are adequately informed about these risks before making investment decisions involving cryptobased assets.

9. Conclusion

FINMA Guidance 01/2026 provides important clarification on the regulatory requirements for crypto custody services in Switzerland. The Guidance reflects FINMA's balanced approach: it recognizes the legitimate expansion of crypto services by supervised institutions while emphasizing the need to ensure adequate client and investor protection through appropriate custody arrangements.

Key takeaways from the Guidance include:

  • Foreign custodians are permitted, but must meet equivalence standards for both prudential supervision and bankruptcy protection
  • MiCA-regulated custodians in the EU are likely to meet the equivalence standards
  • Transitional arrangements exist but require comprehensive client disclosure and documented consent
  • Anti-circumvention rules prevent structuring through foreign products to avoid custody requirements
  • Crypto ETP collateral must be held with custodians providing insolvency protection

Financial institutions should promptly review their existing custody arrangements and implement necessary adjustments to ensure compliance with the Guidance. Given FINMA's observation that supervised institutions have not always adequately addressed custody risks in the past, enhanced supervisory scrutiny in this area can be expected going forward.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Peter Ruggle
Peter Ruggle
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More