
Document TIB-FRM-CU-1.0
Issued 16 April 2026
Module of TIB-FRM-1.0
Verification Module — Custodians
Twenty-four binding criteria for verification engagements with traditional custodians, prime broker-dealer custody operations, and digital-asset custodians (qualified or otherwise).
© 2026 Stratinova LTD. All rights reserved.
About this module
This module (the CU Module) extends the universal TIB Integrity Standards with criteria specific to custodians — entities holding financial or digital assets on behalf of third parties. It applies to traditional custodians, prime broker-dealer custody operations, and digital-asset custodians (qualified or otherwise). The module is informed by CPMI-IOSCO Principles for Financial Market Infrastructures, ISO/IEC 27001, and NIST Cybersecurity Framework where structurally relevant.
The module adds twenty-four binding criteria (CU-1 through CU-24).
Twenty-four binding criteria with rationale, requirement, evidence rubric, illustrative cases, and cross-references.
Scope
This Module applies whenever the engagement covers a Firm whose activities include the custody of financial or digital assets on behalf of third parties.
Joint application
Where the custodian also operates an exchange or trading venue, the Exchanges Module (TIB-FRM-EX) is invoked jointly. Where custody is incidental to brokerage, the Brokers Module (TIB-FRM-BR) covers the custody arrangements.
Out of scope
TIB does not opine on regulatory licensing in any jurisdiction. For digital-asset custodians, TIB review covers operational controls and disclosed architecture, not cryptographic implementation correctness.
Definitions
- Asset Holder — the third party on whose behalf assets are held by the custodian.
- Sub-custodian — an entity to which the principal custodian delegates custody of specific assets.
- Tri-party — an arrangement involving the custodian, the asset holder, and one or more other regulated entities.
- Omnibus — an aggregated account holding assets of multiple holders.
- Cold Storage — (digital assets) keys stored offline, typically with hardware-security-module backing.
- Hot Wallet — (digital assets) keys accessible to online systems for operational throughput.
- MPC — multi-party computation; a cryptographic technique that allows key fragments to be held by multiple parties.
- PoR — proof of reserves; an attestation regime for demonstrating custody backing.
Theme map
| Theme | Criteria | Universal pillar | Section |
|---|---|---|---|
| Segregation depth | CU-1, CU-2, CU-3 | TIB-IS.2 Capital | § 4 |
| Tri-party arrangements | CU-4, CU-5 | TIB-IS.2 Capital / TIB-IS.6 | § 5 |
| Sub-custodian network | CU-6, CU-7, CU-8 | TIB-IS.2 / TIB-IS.5 | § 6 |
| Insolvency protections | CU-9, CU-10 | TIB-IS.2 / TIB-IS.6 | § 7 |
| Reconciliation | CU-11, CU-12, CU-13 | TIB-IS.5 Risk | § 8 |
| Key management (digital assets) | CU-14, CU-15, CU-16, CU-17 | TIB-IS.5 Risk | § 9 |
| Withdrawal authorisation | CU-18, CU-19, CU-20 | TIB-IS.5 Risk / TIB-IS.4 | § 10 |
| Insurance and proof of reserves | CU-21, CU-22, CU-23, CU-24 | TIB-IS.6 Disclosure | § 11 |
Segregation depth
Account-level segregation
Asset-holder positions must be recorded at the granularity disclosed; cross-pollution between holders is the worst-case custody failure.
Asset-holder positions are recorded at the level of granularity disclosed (omnibus, individually segregated, per-account). Cross-pollution between asset holders is prevented by documented controls.
Asset registration
The legal form in which assets are registered determines whose claim attaches in insolvency.
Registered assets are recorded in the name appropriate to the segregation arrangement (custodian as nominee, asset-holder direct, trust structure) and aligned with disclosure to the asset holder.
Asset-class scoping
Different asset classes (cash, securities, digital assets) may have materially different segregation regimes; clarity on which applies to what is essential.
Asset-class-specific segregation regimes are documented; mixed-asset accounts are explicitly addressed.
Tri-party arrangements
Tri-party contracts
Tri-party arrangements multiply the entities with claims on assets; clear allocation of asset-control, instruction-authority, and dispute-resolution provisions is essential.
Tri-party agreements identify asset-control, instruction-authority, and dispute-resolution provisions clearly.
Tri-party operational testing
Tri-party arrangements must be operationally tested, especially for dispute scenarios.
Tri-party arrangements are operationally tested at least annually; dispute-resolution scenarios are rehearsed.
Sub-custodian network
Sub-custodian selection diligence
Sub-custodian failure transmits to the principal custodian and ultimately to asset holders; selection diligence is foundational.
Sub-custodians are selected under documented diligence covering credit, segregation, regulatory standing, and operational capability. Diligence is refreshed at least annually.
Sub-custodian disclosure
Asset holders should know which entities hold their assets; sub-custodian network changes that affect their position should be notified.
Sub-custodian network in use is disclosable to asset holders on request. Material changes (additions, removals, downgrades) are notified.
Sub-custodian credit-risk monitoring
Sub-custodian credit conditions change; periodic monitoring after onboarding is essential.
Sub-custodian credit posture is monitored periodically; material changes trigger documented review.
Insolvency protections
Insolvency-protection mechanism
Asset-holder protection on custodian insolvency is the primary substantive protection custody arrangements offer; the mechanism must be documented and tested in legal opinion.
The mechanism by which asset-holder claims are protected on insolvency of the custodian (statutory trust, ring-fenced funds, dedicated entity, regulator-overseen wind-down) is documented and disclosed.
Wind-down plan
For systemically important custodians, a documented wind-down plan reduces the cost of failure on the broader system and on asset holders.
For material custodians, a wind-down plan exists with priority-of-restoration, asset-holder communication, and regulator engagement protocols.
Reconciliation
Internal-vs-external reconciliation
Daily reconciliation between internal records and external reality (sub-custodian, depositary, blockchain) is the primary control over asset existence.
Reconciliation between internal records and external (sub-custodian, depositary, blockchain) records is performed daily for liquid asset classes; the cadence is documented for less-liquid classes.
Break investigation SLA
Reconciliation breaks above defined thresholds must be investigated quickly to prevent accumulation.
Reconciliation breaks above defined thresholds are investigated within a documented SLA. Break register records issue, root cause, and resolution.
Reconciliation independence
Reconciliation must be performed by personnel separated from those who authorise transactions; otherwise the control is reduced to attestation by the controlled party.
Reconciliation is performed by personnel separated from transaction authorisation; results are reviewed by an independent function.
Key management (digital assets)
Key generation and storage architecture
For digital-asset custody, key management is the security perimeter; HSM, MPC, and multi-signature architectures with documented design are baseline.
Key generation, storage architecture (HSM, MPC, multi-signature), and key-segregation arrangements are documented and reviewed by an independent function.
Hot / cold storage allocation
Hot-wallet exposure is operational risk; cold-storage majority is the structural defence.
Hot / cold storage allocation policy is documented; cold-storage majority is the default; deviations require documented rationale.
Key rotation and ceremony
Periodic key rotation reduces exposure to compromised keys; the ceremony is a high-risk operation requiring documented procedure.
Key rotation occurs periodically per documented schedule; ceremonies follow procedure with multi-party participation and external observation where appropriate.
Key recovery and disaster scenarios
Key loss is a permanent custody failure; recovery procedures, including multi-jurisdictional fragments, are essential.
Key-recovery procedures address loss scenarios; multi-jurisdictional fragments or analogous resilience exists; recovery is rehearsed periodically.
Withdrawal authorisation
Multi-party authorisation
Withdrawals must require authorisation under documented controls; sole-key authorisation is structurally unacceptable for custody at scale.
Withdrawals require authorisation under documented controls (multi-party approval, withdrawal-address whitelisting, time-locks). Sole-key authorisation is prohibited.
Withdrawal address controls
Withdrawal-address whitelisting and cooling-off periods reduce social-engineering and account-takeover risk.
Whitelisting and cooling-off mechanisms operate; new addresses require time-delayed activation and additional confirmation.
Withdrawal monitoring and limits
Velocity limits and pattern monitoring detect abnormal withdrawal activity at the operational layer.
Withdrawal velocity limits and pattern monitoring operate; abnormal patterns trigger investigation per documented procedure.
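The three withdrawal authorisation criteria above can be read as one release gate. The following is an added illustration, not part of the module or any custodian's code; the thresholds, field names and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed policy values for illustration; the module does not set thresholds.
MIN_INDEPENDENT_APPROVERS = 2
ADDRESS_COOLING_OFF = timedelta(hours=24)
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = Decimal("100")

@dataclass(frozen=True)
class Withdrawal:
    account: str
    address: str
    amount: Decimal
    requested_at: datetime
    initiator: str
    approvers: frozenset = frozenset()

def evaluate(w, whitelist, history):
    """Return the failed controls for withdrawal w (empty list = may proceed).

    whitelist maps (account, address) -> time the address was added;
    history is the list of previously released withdrawals.
    """
    failures = []
    # Multi-party approval: the initiator never counts as an approver,
    # so a single operator cannot release funds alone.
    if len(w.approvers - {w.initiator}) < MIN_INDEPENDENT_APPROVERS:
        failures.append("multi_party_approval")
    # Whitelisting with time-delayed activation of new addresses.
    added_at = whitelist.get((w.account, w.address))
    if added_at is None:
        failures.append("address_not_whitelisted")
    elif w.requested_at - added_at < ADDRESS_COOLING_OFF:
        failures.append("address_in_cooling_off")
    # Velocity limit over a rolling window, including this request.
    start = w.requested_at - VELOCITY_WINDOW
    recent = sum((h.amount for h in history
                  if h.account == w.account and start < h.requested_at <= w.requested_at),
                 Decimal("0"))
    if recent + w.amount > VELOCITY_LIMIT:
        failures.append("velocity_limit")
    return failures

# Constructed sample data (not from the module).
NOW = datetime(2026, 4, 16, 12, 0)
WHITELIST = {("acct-1", "addr-old"): NOW - timedelta(days=30),
             ("acct-1", "addr-new"): NOW - timedelta(hours=2)}
HISTORY = [Withdrawal("acct-1", "addr-old", Decimal("80"),
                      NOW - timedelta(hours=3), "alice", frozenset({"bob", "carol"}))]
```

A verifier sampling recent withdrawals could replay each one through such a gate and compare the returned failures against the custodian's authorisation matrix and break register.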
Insurance and proof of reserves
Insurance disclosure
Insurance is a recoverability layer; its scope and exclusions must be transparent to asset holders.
Insurance arrangements covering custody (crime, cyber, errors and omissions) are summarised: insurer, coverage limit, exclusions, applicability to asset-holder claims. Where no insurance is maintained, the absence is disclosed.
Proof-of-reserves attestation methodology
Proof-of-reserves attestations have varying robustness; methodology disclosure prevents headline claims from masking weak attestation regimes.
Where the custodian publishes proof-of-reserves attestations, methodology, frequency, and limitations are disclosed.
Liabilities-side disclosure
Reserves alone do not guarantee solvency; the liabilities side of the balance sheet must be evidenced for proof-of-solvency claims.
Where the custodian asserts proof-of-solvency or full reserve backing, the liabilities-side disclosure (typically via Merkle tree or audited liabilities) accompanies the reserves attestation.
Withdrawal performance disclosure
Withdrawal performance is the empirical proof of custody integrity from the asset-holder perspective.
Withdrawal performance (request-to-disbursement) is monitored and disclosable on request. Material delays are explained.
Public Report sections
- Custody architecture summary — segregation level, sub-custodian count, jurisdictions;
- Insolvency-protection mechanism as plain-language summary;
- Asset-class coverage — which asset classes are within engagement scope;
- Insurance and PoR posture — high-level summary.
Evidence pathway
| Evidence | Source | Frequency |
|---|---|---|
| Sub-custodian register | Operations / treasury | Current state |
| Reconciliation log | Operations | 30-day sample |
| Key-management policy and review | Security / compliance | Most recent independent review (e.g. SOC 2 Type II) |
| Withdrawal authorisation matrix | Operations | Current state + sample of recent withdrawals |
| Insurance schedule | Risk / finance | Current policy |
| Proof-of-reserves methodology | Public attestation library | Trailing attestations |
| Wind-down plan | Treasury / risk | Current version + review evidence |
Limitations
- TIB does not opine on regulatory licensing of the custodian in any jurisdiction;
- For digital-asset custodians, TIB review covers operational controls and disclosed architecture, not cryptographic implementation correctness;
- Insurance coverage scope is summarised; asset holders should review the full policy for detailed exclusions.
Module changelog
| Version | Effective | Approved by | Notes |
|---|---|---|---|
| TIB-FRM-CU-1.0 | 16 April 2026 | TIB Standards Committee | Initial publication. 24 binding criteria across 8 themes. |
Normative annex.
| Universal pillar | Module criteria contributing |
|---|---|
| TIB-IS.1 Governance | CU-13 |
| TIB-IS.2 Capital & Safeguarding | CU-1, CU-2, CU-3, CU-4, CU-6, CU-9, CU-11, CU-12 |
| TIB-IS.3 Order Handling & Execution | (N/A) |
| TIB-IS.4 Payout Integrity | CU-24 |
| TIB-IS.5 Risk & Compliance | CU-5, CU-8, CU-10, CU-14, CU-15, CU-16, CU-17, CU-18, CU-19, CU-20 |
| TIB-IS.6 Disclosure & Conduct | CU-7, CU-21, CU-22, CU-23 |
Informative annex.
| Field | Value |
|---|---|
| Document code | TIB-FRM-CU-1.0 |
| Issuing authority | TIB Standards Committee |
| Effective date | 16 April 2026 |
Issuing entity
Stratinova LTD
Cyprus HE475207