One of the most important issues in crypto-asset markets is the secure custody of users’ crypto-assets. Crypto-assets are not physical assets that can be held in a traditional sense. Access to them is usually provided through wallets and private keys.

This technical structure makes crypto-asset custody different from traditional custody relationships. Custody of crypto-assets does not only mean keeping an asset safe. It also includes the secure protection of the technical elements that provide access to that asset, especially private keys.

Under Turkish law, crypto-asset custody services were introduced into the Capital Markets Law through Law No. 7518. With this regulation, the custody of crypto-assets and private keys providing access to them became subject to the regulatory and supervisory authority of the Turkish Capital Markets Board.

What Are Crypto-Asset Custody Services?

Under Law No. 7518, crypto-asset custody services include the custody and management of platform clients’ crypto-assets or the private keys that provide the right to transfer such assets from wallets, as well as other custody services to be determined by the Capital Markets Board.

Two main elements are important in this definition. The first is the custody of crypto-assets belonging to clients. The second is the custody and management of private keys that enable access to and transfer of those assets.

Therefore, crypto-asset custody is not only about holding crypto-assets. It is also about protecting the technical control tools that make access to those assets possible.

Legal Importance of Private Keys

For crypto-assets, the private key is often the most important element that enables practical access and transfer. The person or entity controlling the private key may technically transfer the relevant crypto-asset.

For this reason, the custody of private keys lies at the center of crypto-asset custody services. Loss, theft or unauthorized access to a private key may cause serious and sometimes irreversible consequences for the client.

The fact that private keys are expressly included in the legal definition of custody services is therefore significant. The Turkish legislator has taken into account the technical structure of crypto-assets and has brought not only the assets themselves but also the private keys providing access to them within the scope of regulation.

Relationship Between Wallets and Custody Services

Crypto-asset custody services are closely connected with the concept of wallets. A wallet refers to software, hardware, systems or applications that allow crypto-assets to be transferred and that enable the online or offline storage of crypto-assets or their public and private keys.

However, not every use of a wallet necessarily constitutes a custody service. In structures where the private key is fully controlled by the user, the responsibility of the service provider may be assessed differently.

This distinction is important in practice. A structure in which the user controls the private key and a structure in which a platform or custody institution controls the private key do not create the same legal consequences.

Protection of Client Assets

The main purpose of crypto-asset custody services is the secure protection of client assets. Crypto-assets belonging to users should be segregated from the service provider’s own assets and protected against unauthorized access.

The following issues are particularly important for the protection of client assets:

Segregation of client assets from the service provider’s own assets,

Secure custody of private keys,

Cold wallet and hot wallet management,

Prevention of unauthorized transfers,

Cybersecurity measures,

Accurate transaction records,

Clear and understandable information to clients,

Written and auditable custody policies.

Clear regulation of these matters is important for investor protection and for increasing trust in the crypto-asset market.

Who May Provide Crypto-Asset Custody Services?

Crypto-asset custody services cannot be offered freely by any person or entity. This activity must be carried out within the regulatory and supervisory framework of the Turkish Capital Markets Board.

Secondary regulations issued by the Board set out the establishment and operating principles of crypto-asset service providers, as well as their working procedures and capital adequacy rules.

The custody function is particularly sensitive because it concerns direct control over client assets and private keys. For this reason, the service provider’s technical capacity, internal controls, organizational structure and legal compliance are essential.

Why Is a Custody Policy Important?

A clear custody policy is essential in crypto-asset custody services. The custody policy should explain how client crypto-assets are held, how private keys are protected, which types of wallets are used and how risks are managed.

A custody policy should address issues such as:

Where and how client assets are stored,

Who controls the private keys,

Cold wallet and hot wallet ratios,

Authorization and access controls,

Multi-signature or similar security mechanisms,

Cybersecurity measures,

Business continuity and disaster recovery plans,

Return or transfer procedures for client assets,

Rights of the client in relation to the custody service.

If these matters are left unclear, serious legal risks may arise for both users and service providers.

Cold Wallets and Hot Wallets

One of the most common distinctions in crypto-asset custody is the distinction between cold wallets and hot wallets.

Hot wallets operate through systems connected to the internet and allow faster transactions. They provide operational convenience but may be more exposed to cyber risks.

Cold wallets refer to storage methods that are not directly connected to the internet. They may provide stronger security but may create limitations in terms of speed and accessibility.

Custody service providers should manage these methods in a balanced way. Keeping all client assets in hot wallets may increase security risks. On the other hand, keeping all assets in cold wallets may create operational difficulties.

For this reason, wallet management should be clearly addressed in the custody policy.

Proof of Reserves and Asset Reconciliation

In crypto-asset custody services, it is important to verify whether client assets actually exist and whether they are properly held. For this reason, proof of reserves, asset reconciliation and independent audit mechanisms may become significant.

These mechanisms may help ensure that the service provider actually holds the assets shown in client accounts and that these assets are not improperly used or mixed with the provider’s own assets.

Proof of reserves and regular reconciliation may therefore support transparency, client protection and market confidence.

Custody Services Provided by Platforms

Crypto-asset platforms may, in some cases, provide custody services in addition to facilitating trading. Therefore, platforms may have responsibilities not only in relation to transaction infrastructure but also in relation to the protection of client assets.

For platforms, the following issues are important:

Segregation of client assets,

Who provides the custody service,

Who controls the private keys,

Relationship between the platform and the custody institution,

How unauthorized transfer risks are reduced,

Scope of information provided to clients,

How assets will be returned if the platform ceases operations.

These issues should be carefully addressed in user agreements, platform rules and regulatory compliance policies.

Liability in Crypto-Asset Custody Services

Liability is one of the most important issues in crypto-asset custody. If client assets are lost due to loss of private keys, unauthorized transfers, cyberattacks or system failures, it must be determined who is responsible.

In this assessment, the obligations of the custody service provider, user agreements, technical security measures, disclosure obligations and applicable regulations should be considered together.

The duty of care of custody service providers is particularly important. The service provider should maintain adequate technical infrastructure, implement controlled personnel authorization, take cybersecurity measures and prepare business continuity and emergency plans.

Points Users Should Consider

Users receiving crypto-asset custody services should also act carefully. They should understand where their assets are held, who controls the private keys and under what conditions the custody service is provided.

Users should pay attention to issues such as:

Regulatory status of the custody service provider,

Who controls the private keys,

Whether assets are held in cold or hot wallets,

The platform’s custody policy,

Return and transfer conditions for assets,

Fees and costs,

Risk disclosures,

Complaint and support mechanisms.

This assessment may help users reduce legal and economic risks.

Need for Further Regulation under Turkish Law

Crypto-asset custody services are one of the areas where Turkish law may require further detailed regulation. Law No. 7518 provides the basic definition and grants broad regulatory authority to the Capital Markets Board. However, technological developments and market practices may require further clarification over time.

Future regulation may be needed on issues such as:

Technical standards for private key custody,

Segregation of client assets,

Cold wallet and hot wallet ratios,

Proof of reserves and independent audit,

Liability of custody institutions,

Cybersecurity obligations,

Relationship between platforms and custody institutions,

Scope of information to be provided to users,

Return of assets in case of termination of activities.

Clear rules in these areas would contribute to trust and legal certainty in the crypto-asset market.

Conclusion

Crypto-asset custody services are one of the most important issues in Turkish crypto-asset law. Access to crypto-assets is usually provided through private keys and wallets. Therefore, custody services do not only involve keeping an asset safe; they also involve protecting the technical elements that provide access to that asset.

Law No. 7518 defines crypto-asset custody services as the custody and management of platform clients’ crypto-assets or the private keys relating to such assets. This is an important starting point for the protection of client assets and the supervision of service providers.

With secondary regulations of the Capital Markets Board, crypto-asset custody services are expected to become more detailed in terms of establishment, operation, technical infrastructure, proof of reserves and client asset protection.

For both users and service providers, private key security, wallet management, segregation of client assets and clear custody policies are of central importance.