Custody Methodology

How Pledge reviews Bitcoin custody control models.

Custody research starts with a harder question than brand rank: who can move the Bitcoin? This methodology explains how we review key control, recovery, legal boundaries, insurance claims, operating burden, and evidence depth before a provider is treated as comparable.

Review framework checked May 24, 2026. Custody profiles are scored on 8 factors under v3.2 with an estimated-confidence flag at launch; deeper verification refines each score over time.

Open custody workspace Review publishing rules

Review factors

Control, recovery, legal posture, insurance, fit, and concentration stay visible.

Current status

Scored

All 11 tracked providers scored on 8 factors at launch — each flagged verified or estimated (estimated = entity verified, some sub-factors inferred from public disclosure), refined over time. No custody provider is pending verification today.

First question

Who signs?

The methodology starts with movement authority, not marketing category.

Output

Fit first

The current workspace compares model fit and evidence depth rather than declaring a universal best custodian.

Review workflow

The review starts with control, then asks whether the evidence is strong enough to compare.

The old way to compare custodians is to rank brand names by insurance, audits, and fees. That misses the first-order risk: whether the product is outsourced custody, shared control, or user-operated self-custody support.

Classify the control model first

We separate self-custody support, collaborative multisig, and institutional qualified custody before discussing provider quality. They solve different jobs.

Map who can move the Bitcoin

The review asks who signs, who can block movement, who can recover, and which service or legal dependency becomes critical during stress.

Check evidence before status

Provider pages, custody agreements, security disclosures, insurance language, SOC reports, and source links determine whether a profile is ready for ranking.

Publish fit, not a fake universal winner

Until evidence is deep enough, custody profiles show status and fit rather than pretending one ranked table can choose for every user.

Factors checked

Eight custody questions decide whether a provider profile is useful.

These are not weighted scores yet. They are the evidence gates that prevent the custody page from implying false precision.

Control and key structure

We start with who can move coins, how signatures are distributed, and whether the user keeps meaningful control or is trusting a pure custodian.

Legal segregation and bankruptcy posture

Custody quality depends on whether assets appear clearly segregated, what the customer agreement says, and how the structure is meant to behave under stress.

Operational transparency

We care about what the provider publishes on setup, approvals, recovery, outages, personnel controls, and custody workflow rather than vague “secure by design” copy.

Insurance and loss handling

Insurance only matters if the policy scope, exclusions, and claims story are understandable. We will not treat the word “insured” as a complete answer.

Recovery and inheritance design

A custody product is not complete if the recovery path is brittle, obscure, or impossible to explain to a family office, executor, or successor.

Service fit and user profile

Some providers are built for institutions, some for high-net-worth households, and some for self-custody-first users. Fit matters as much as brand familiarity.

Jurisdiction and compliance posture

We look at where the provider operates, what oversight actually applies, and whether the compliance posture matches the user segment it serves.

Counterparty concentration

Even collaborative models can hide concentration in vendors, insurers, co-signers, or service dependencies. We want those dependencies visible.

Scoring weights

How the 8 factors roll up to a single overall score.

Each provider gets a 0–10 grade on each of these factors. The factors are weighted (sums to 100%) and combined into one overall score. The weighting reflects what we think actually matters in a custody decision — model and key structure first, marketing veneer last.

FactorWeightWhat it measuresTop score looks like

Custody model18%Whether keys sit with one party (custodial) or are distributed across multiple parties or the user themselves.Collaborative multisig where no single party — including the provider — can move client coins alone.

Key management16%The exact signing structure: single-sig, 2-of-3, 3-of-5, MPC, threshold schemes, and how keys are generated and stored.Institutional MPC or multi-of-many distributed signing with hardware-isolated key generation.

Insurance & recourse14%Whether the provider carries crime, theft, or key-loss coverage — and whether the policy scope is explicit enough to be useful.Named Lloyd's-syndicated policy with disclosed cover amount, key-loss inclusion, and a known claims process.

Regulatory status12%The legal envelope around the custody business: state trust company, qualified custodian, federally chartered bank, or no oversight at all.Federally chartered crypto bank (OCC) or NYDFS-licensed trust company with active supervisory examinations.

Recovery story12%What happens after a key loss, owner incapacitation, or death — including inheritance triggers, co-signer paths, and seed-phrase backup design.Explicit inheritance trigger with named co-signers and a documented recovery procedure.

Transparency & audits10%Public disclosure cadence — SOC-2 reports, proof-of-reserves, incident history publication, and customer-agreement legibility.SOC-2 Type-2 audited, periodic reserve attestation, and a public incident retro for any past event.

Track record10%Years operating under the current custody design, and the absence (or presence) of operational incidents during that time.8+ years operating with zero client-asset loss events and a published security-incident retrospective.

Loss history8%Whether any client-asset loss event has been disclosed or implicated against this provider specifically.No loss event in provider history; if one occurred, it was disclosed promptly with a clear corrective-action record.

Total100%Overall score = weighted sum across all 8 factors.

Launch scores ship with an 'estimated' confidence flag — they're best-effort grades from publicly disclosed information cited on each provider profile. As deeper provider-level verification completes (key-management diligence, recovery walkthroughs, insurance claim review, regulatory filing checks), scores flip to 'verified'.

Publishing discipline

What must be true before Pledge ranks a custody provider.

Custody pages should be honest about research maturity. If the source set cannot answer control and recovery questions, the page should say so instead of burying the uncertainty in a score.

Do not publish a custody review until the recovery model and key-control structure are clearly explained.

Do not rank collaborative custody, self-custody tooling, and institutional qualified custody as if they solve the same job.

Do not let brand familiarity substitute for legal clarity, operational transparency, or service fit.

Custody provider rows now carry concrete 8-factor scores under v3.2, but every score ships with an 'estimated' confidence flag at launch. The grades are best-effort from public disclosure; deeper provider-level verification (key-management diligence, recovery walkthroughs, insurance claim review) will tighten the numbers over time.

Use the methodology with the custody workspace, not instead of it.

The methodology explains the rules. The custody workspace applies them to current provider profiles and keeps the control-model question visible.

Decision page

Custody decision workspace

Start with the control-model map and provider comparison before opening individual profiles.

Deep dive

Control-model explainer

Plain-English custody model tradeoffs before a reader compares provider profiles.

Loans

Bitcoin loan comparison

Use this after you understand what happens to collateral custody during a loan.

Disclosure

Disclosure policy

Commercial relationships are disclosed separately and do not change custody research status.

Not custody advice. Pledge provides custody research for educational purposes only. It does not recommend any custodian, self-custody tool, collaborative setup, legal structure, or key-management design.

No guarantee of asset safety. Provider controls, agreements, insurance scope, withdrawal rules, and recovery assumptions can change after a page is reviewed.

Affiliate disclosure. Commercial relationships, if any, are disclosed separately and do not change methodology, review status, or provider ordering.