Grafa logo

SEC warns retail investors to scrutinise crypto custody risks

Written by Mahathir BayenaPublished Dec. 14 2025Last Updated Dec. 14 2025

Share

The U.S. Securities and Exchange Commission has issued new guidance aimed at helping retail investors understand how custody choices can determine the safety of their crypto holdings.

The Investor Bulletin was released on December 12 by the SEC’s Office of Investor Education and Assistance as part of broader efforts to raise awareness of crypto-related risks.

The regulator stressed that how digital assets are stored can influence whether they survive hacks, bankruptcies, or the shutdown of service providers.

A central focus of the bulletin is the selection of third-party custodians, including crypto exchanges and specialised digital asset custody firms.

The SEC advised investors to thoroughly research custodians before depositing funds, including reviewing company backgrounds and regulatory standing.

Retail investors were encouraged to examine whether custodians have faced enforcement actions or accumulated customer complaints.

The guidance noted that custodians differ significantly in the range of crypto assets they support, making verification essential before transferring holdings.

The SEC highlighted the importance of understanding what happens to customer assets if a custodian is hacked, ceases operations, or enters bankruptcy.

Investors were urged to determine whether any insurance coverage applies in the event of theft, loss, or operational failure.

The bulletin explained that investors should ask where and how private keys are stored, including whether custodians use hot wallets, cold wallets, or a combination.

It also warned that some custodians outsource storage or key management to third parties, which may introduce additional layers of risk.

The SEC cautioned that certain custodians may lend or commingle customer crypto assets, potentially exposing investors to losses if firms fail.

Beyond third-party custody, the bulletin outlined general security practices applicable to all crypto holders.

The regulator stressed that private keys and recovery phrases should never be shared under any circumstances.

Investors were advised to store recovery information securely and offline to reduce exposure to theft or unauthorised access.

The guidance recommended keeping ownership details private, noting that public disclosure can attract criminals.

The SEC highlighted phishing scams as a persistent threat, particularly messages designed to steal login credentials or recovery phrases.

Retail investors were urged to treat unsolicited communications and links with caution.

Strong passwords and multi-factor authentication were recommended for all crypto-related accounts.

The SEC concluded that careful custodian selection combined with disciplined personal security practices can significantly reduce the risk of permanent asset loss.