Bitcoin in the boardroom: custody as governance

Bitcoin Custody Is Now a Board-Level Issue, Not an IT Problem

The debate about whether Bitcoin belongs in a Family Office portfolio is over. ETF approvals, institutional allocations from Morgan Stanley to Goldman Sachs, and a market cap that dwarfs most sovereign wealth funds settled that question by late 2024. The debate that matters now is quieter, more uncomfortable, and far more consequential: who holds the keys, and under what governance framework?

That question doesn’t belong in the IT department. It belongs in the boardroom.

How custody became a governance problem

For most of Bitcoin’s institutional history, custody was treated as plumbing. Something the technology team handled. A vendor decision buried in an operational budget line. The board didn’t discuss it because the board didn’t need to — allocations were small, experimental, easy to unwind.

That era is over.

In March 2026, ChainUp — one of the largest blockchain infrastructure providers — published an analysis describing institutional custody as a «board-level strategic pillar» rather than a backend technical requirement. The shift reflects a simple reality: when a Family Office holds $10 million or $50 million in Bitcoin, the custody model carries patrimony-level consequences. A technical failure isn’t a bug report. It’s a wealth event.

Yet many Family Offices are still operating under the old paradigm. The allocation grew. The governance didn’t.

$1.5 billion and a governance autopsy

The Bybit hack provided the case study nobody wanted. $1.5 billion lost in a single incident — not because of a novel cryptographic attack, but because of structural failures that any board should have caught:

  • Access concentrated among too few individuals
  • No meaningful multi-signature separation between initiation and authorization
  • No board-level oversight of custody procedures

The market called it a hack. Auditors and legal counsel read it differently: a governance failure that manifested as a security breach. The technology broke because the institutional framework governing it didn’t exist.

For Family Offices, the uncomfortable implication is direct. If your custody model depends on a single provider’s technical decisions, without independent oversight or structural controls, you’re replicating the architecture that failed at Bybit. Smaller scale. Same category of vulnerability.

The ETF custody illusion

Morgan Stanley custodies its Bitcoin ETF positions through Coinbase and BNY Mellon. Fidelity and Goldman Sachs have built dedicated custody infrastructure. The institutional narrative suggests the custody problem is solved.

It isn’t. It’s been outsourced.

CryptoSlate put it plainly: «Bitcoin ETF custody concentrates power in one place — a single operational failure causes dangerous ripples.» ETF custody funnels massive volumes through a small number of regulated custodians. That solves the compliance question. It doesn’t solve the concentration-of-risk question.

For a Family Office gaining Bitcoin exposure through ETFs, the custody chain is opaque by design. You don’t control the keys. You don’t verify reserves. You don’t choose the signing scheme. You trust that Coinbase or BNY Mellon will maintain flawless practices indefinitely. That may be acceptable for a tactical 1% allocation. It’s harder to justify as a long-term wealth strategy.

And if your Family Office holds Bitcoin directly — not through an ETF — the governance question is even more pressing. There’s no intermediary to blame. The custody framework is yours to build, or yours to neglect.

Multisig vs. MPC: an auditability gap the board should understand

Institutional custody has converged on two core technologies: MPC (Multi-Party Computation) and multisig (multi-signature).

MPC splits a private key into fragments distributed across multiple servers. Cryptographically elegant. But it has a fundamental limitation for governance purposes: verification happens off-chain. An independent auditor cannot look at the blockchain and confirm how an MPC transaction was authorized. They must trust the provider’s internal logs.

Multisig works differently. In a 2-of-3 scheme, three independent keys exist, and any transaction requires at least two signatures. Everything is recorded on-chain. An auditor can verify exactly which keys signed each transaction, independently, without relying on the custodian’s word.

Stripe’s recently published crypto custody guide highlighted multisig schemes — 2-of-3 and 3-of-5 — as institutional reference standards. Not because they’re the newest technology, but because they deliver what institutions require: independently verifiable transaction authorization.

For a board reporting to beneficiaries, this distinction isn’t technical trivia. It’s a governance differentiator.

The framework gap

The industry describes a clean transition: Family Offices moving from «Is Bitcoin worth considering?» to «What is the appropriate framework to manage it?» In practice, most are stuck in an uncomfortable middle ground.

They have exposure. Maybe they bought in 2024 when the institutional narrative was compelling. Maybe they accumulated through 2025. But the governance framework didn’t keep pace with the investment. There’s no board-approved custody policy. No reserve audit process. No clear definition of who can authorize movements and under what conditions.

A board-level custody framework should address, at minimum:

Role separation and authorization

Who can initiate a transaction? Who approves it? Are they different people with aligned but independent incentives? A scheme where the same person or entity controls both initiation and approval isn’t custody — it’s blind trust dressed up as process.

Independent verifiability

Can an external auditor verify that reserves exist and that authorization procedures are being followed? On-chain proof-of-reserves and auditable signing records are the minimum standard, not a premium feature.

Geographic and jurisdictional distribution

Where are the keys physically located? Under which jurisdiction do the custodians operate? A Family Office with all keys held in a single jurisdiction is carrying concentrated regulatory risk — something traditional wealth management learned to avoid decades ago.

Succession and continuity planning

What happens if the primary keyholder dies or becomes incapacitated? Is there a recovery protocol that doesn’t depend on a single person’s memory or a password in a safe deposit box? Traditional asset custody solved this generations ago. Many Family Offices haven’t solved it for their Bitcoin holdings.

Custodian governance

Who watches the custodian? How often are security practices, solvency, and operational performance reviewed? If the answer is «at contract renewal,» oversight is nominal.

Beyond delegation and self-custody

The custody spectrum runs from full delegation (a third party holds all your keys) to pure self-custody (you hold all your keys and are the sole point of failure).

Neither extreme works well for a Family Office.

Full delegation exposes you to counterparty risk without control. Pure self-custody exposes you to operational risk — key loss, no succession protocol, human error — without a safety net.

The model gaining traction among sophisticated wealth holders is collaborative custody: a multisig scheme where the principal retains majority control of the keys, while a specialized co-custodian participates in the signing structure. The principal maintains sovereignty. The co-custodian provides infrastructure, security protocols, and operational continuity.

In a 2-of-3 scheme, for example:

  • Key 1: under the principal’s direct control
  • Key 2: held by a specialized co-custodian
  • Key 3: backup stored in an independent secure location

The principal can transact using their key and the co-custodian’s key for routine operations. If the co-custodian disappears, the principal recovers full access using their key and the backup. If the principal suffers an incident, the co-custodian and the backup can execute a predefined succession protocol.

No single party has unilateral control. All signatures are recorded on-chain. The board can audit every movement.
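As an added illustration, not code from the original post or from Citadel B, the following Python models the 2-of-3 policy just described and the independently verifiable signing record argued for in the multisig vs. MPC section: the role names, the HMAC stand-in for real on-chain signatures, and the sample transaction are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the three keys of the 2-of-3 scheme. In a real
# deployment each role holds its own signing key and the chain enforces the
# policy in script; HMAC is used here only so the example runs offline.
KEYS = {
    "principal": b"constructed-secret-principal",
    "co_custodian": b"constructed-secret-co-custodian",
    "backup": b"constructed-secret-backup",
}
THRESHOLD = 2  # any two distinct keys authorise a movement


def tx_digest(tx):
    """Canonical digest of the fields every signature commits to."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()


def sign(role, tx):
    """One key holder signs the transaction; returns (role, signature)."""
    return role, hmac.new(KEYS[role], tx_digest(tx), "sha256").hexdigest()


def authorize(tx, signatures):
    """Apply the 2-of-3 policy and return an audit record of who signed.

    A role counts at most once, so one party presenting its key twice cannot
    reach the threshold, and a signature made over a different transaction
    (a tampered amount, for instance) does not verify.
    """
    digest = tx_digest(tx)
    signers = set()
    for role, sig in signatures:
        if role not in KEYS:
            continue  # unknown key: ignored, never counted
        expected = hmac.new(KEYS[role], digest, "sha256").hexdigest()
        if hmac.compare_digest(sig, expected):
            signers.add(role)
    return {"txid": digest.hex()[:16], "signed_by": sorted(signers),
            "authorized": len(signers) >= THRESHOLD}


# Constructed sample movement and the three signing paths described above.
TX = {"to": "bc1q-constructed-address", "amount_sat": 250_000_000, "nonce": 1}
ROUTINE = authorize(TX, [sign("principal", TX), sign("co_custodian", TX)])
RECOVERY = authorize(TX, [sign("principal", TX), sign("backup", TX)])
SUCCESSION = authorize(TX, [sign("co_custodian", TX), sign("backup", TX)])
SOLO = authorize(TX, [sign("principal", TX), sign("principal", TX)])
TAMPERED = authorize({**TX, "amount_sat": 1}, [sign("principal", TX), sign("co_custodian", TX)])
```

The `signed_by` field of each record is the auditable trace the text refers to: it names the roles that actually signed, without relying on a custodian's internal logs.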

Five questions for the next board meeting

If a Family Office holds Bitcoin — and in 2026, most do in some measure — these questions belong on the board agenda, not in a helpdesk ticket:

1. How many parties must coordinate to move our funds? If the answer is «one,» the risk profile is unacceptable for patrimony-level holdings.

2. Can we verify our reserves independently, without relying on the custodian’s self-reporting? If not, transparency is performative.

3. What happens if our current custodian ceases operations tomorrow? If there’s no documented plan, continuity is an assumption, not a strategy.

4. Does a succession protocol exist for our digital assets? If it involves «the password is in a safe,» the protocol is insufficient for institutional standards.

5. When did the board last formally review our custody policy? If the answer is «never,» governance doesn’t exist — regardless of what the investment policy says.

Custody as a wealth decision

Bitcoin doesn’t behave like any other asset in a Family Office portfolio. There’s no default central custodian. No regulator guaranteeing recovery in case of loss. No deposit insurance.

That doesn’t necessarily make it riskier. It makes it different. And different demands a different framework.

Bitcoin custody is a wealth decision. It involves governance, succession, jurisdiction, auditability, and sovereignty. Treating it as an IT problem fundamentally underestimates what’s at stake.

Family Offices that understand this are building board-level custody frameworks with role separation, on-chain verification, and continuity protocols. Those that don’t are betting that nothing goes wrong. Historically, that hasn’t been a sustainable wealth strategy.

At Citadel B, we work with Family Offices and wealth holders who want exactly this: a collaborative custody model where sovereignty stays with the principal, backed by professional multisig infrastructure and auditable governance protocols. Because the key is not being the only key.
