Who Holds Control? The Regulatory View on MPC Custody

Introduction: Why MPC Custody Challenges Old Notions of Control

In traditional finance, custody has been easy to explain: a custodian physically holds a client’s securities or cash and is legally responsible for protecting them. When digital assets emerged, this concept was translated into a simple rule of thumb: whoever holds the private key to a wallet is the custodian.

Multi‑Party Computation (MPC) custody breaks this equation. In an MPC wallet, no single party ever holds the full private key. Instead, signing power is split into cryptographic shares, and transactions are authorized collaboratively. That raises a fundamental regulatory question: if no entity can move funds alone, who actually has custody, and who is accountable?

From Single Private Keys to Distributed Control

The first generation of crypto custody mirrored hardware security patterns from other industries. Keys were generated in hardware wallets, Hardware Security Modules (HSMs), or cold‑storage devices, and then carefully stored and used only when necessary. This model worked, but it came with structural weaknesses:

• Single point of failure: a single compromised key or device could unlock an entire wallet or omnibus account.
• Operational fragility: recovery and rotation procedures were manual, slow and highly dependent on human discipline.
• Policy as an add‑on: multi‑signature approvals and limits were often bolted on at the application layer instead of being baked into the cryptography.

MPC custody replaces this model by removing the notion of a monolithic private key. Instead, the signing operation is run as a protocol among multiple participants, each holding only a share of the secret. A transaction is valid only when a threshold of shares participate, and no individual party can reconstruct the full key or act alone.

The Regulatory Puzzle: Who Really Has Custody Under MPC?

For regulators, the core concern is not mathematical elegance, but control, accountability, and investor protection. Many legal frameworks implicitly equate custody with having the ability to sign transactions because the custodian owns or controls the private key.

Under MPC, that link breaks down:

• No participant ever sees or stores the complete private key.
• A single compromised share cannot authorize a transfer on its own.
• Effective control becomes collective and is enforced by the protocol rather than by a single trusted key‑holder.

This raises several practical questions for supervisors and firms:

• Is distributed transaction authority still “custody”? If yes, which entities are recognized as the custodian of record?
• Where does accountability sit? In a bank–tech provider–sub‑custodian stack, which parties bear regulatory responsibility if assets are lost or mis‑routed?
• How should cross‑border MPC clusters be supervised? Shares may be located in multiple jurisdictions, each with separate reporting and licensing regimes.

Early regulatory debates show a clear trajectory. Instead of weakening oversight, MPC is increasingly viewed as a way to align technical design with regulatory intent: segregation of duties, independent checks, minimization of insider risk, and robust auditability are all easier to enforce cryptographically than through policy documents alone.

Security and Compliance Advantages of MPC Custody

MPC custody is not just a different way to sign transactions; it is a more robust security and governance model. Key benefits for regulated institutions include:

1. Threshold enforcement by design
   Transactions can be configured to require multiple independent approvals—across devices, teams or entities—before a signature is produced. This enforces four‑eyes or six‑eyes policies at the cryptographic layer.
2. No single point of catastrophic failure
   Because no single party holds the full private key, a compromised device or insider does not automatically translate into asset loss. Attackers must compromise a threshold of shares in a short time window, which is significantly harder.
3. Distributed Key Generation (DKG)
   In a well‑implemented MPC system, the key shares are generated collaboratively, so there is never a vulnerable “key‑at‑rest” moment. This removes one of the riskiest steps in traditional key ceremonies.
4. Embedded policy and governance
   Risk parameters such as transaction limits, whitelists, approval roles, and geographic separation can be encoded into the MPC protocol and orchestration logic, reducing the reliance on manual checks and out‑of‑band approvals.
5. Comprehensive audit trails
   Every signing attempt can be logged, signed, and correlated with identity and policy information. Supervisors and auditors can verify who participated in a transaction, which controls were enforced, and when exceptions occurred—without revealing key material.

From a regulatory perspective, these properties often make MPC custody more aligned with the underlying objectives of custody rules than legacy single‑key or purely hardware‑based solutions.

How MPC Technology Is Evolving

MPC itself is a fast‑moving research area. Over just a few years, production implementations have improved on several fronts that matter to regulators and risk managers.

1. Asynchronous, Scalable Protocols

Early MPC schemes assumed low latency and a small, fixed group of participants. Modern protocols increasingly support asynchronous communication and larger clusters without sacrificing security. This is essential for global institutions that distribute signing authority across regions, entities, or cloud environments.

2. Hardware‑Assisted MPC (TEEs and HSMs)

A growing number of architectures combine MPC with Trusted Execution Environments (TEEs) or HSMs. Hardware isolation can protect key shares in memory or provide tamper‑resistance, while MPC removes the single‑key failure mode. Even where specific TEEs have lifecycle issues, the broader idea—stacking independent security controls—is gaining adoption.

3. Preparing for Post‑Quantum Cryptography

Large‑scale quantum computers could, in the future, break classical public‑key algorithms such as ECDSA and EdDSA. Institutions and regulators are therefore demanding post‑quantum readiness. Research into lattice‑based and hash‑based threshold signatures is accelerating, and MPC engines are being designed so that they can swap out underlying algorithms once standards mature.

4. Formal Verification and Continuous Testing

Recently disclosed bugs in threshold signature libraries have underscored the need for formal verification and aggressive security testing. Mature MPC platforms are starting to use provable security properties, audited code bases, and structured bug bounty programs to reduce the chance of hidden protocol flaws.

5. Interoperability and Emerging Standards

Standardization bodies such as NIST and the IETF have begun work on threshold cryptography and key management frameworks. As reference standards emerge, it will become easier for regulators to benchmark MPC custody implementations and for institutions to compare providers on a like‑for‑like basis.

The Quantum Computing Angle: Future‑Proofing Custody

Quantum computing is frequently cited as an existential threat to current cryptography. While practical attacks are not imminent, long‑lived financial institutions must plan on multi‑decade horizons. Today’s MPC deployments typically rely on elliptic‑curve signatures, but the architecture itself is algorithm‑agnostic.

In practice, this means:

• MPC clusters can be upgraded to use post‑quantum threshold schemes once standards and implementations reach production readiness.
• The institution’s governance, workflow, and approval logic can remain intact even as the cryptographic primitives change beneath the surface.
• Regulators can focus on the control model and migration plans, rather than forcing costly re‑platforming every time algorithms evolve.

For boards and supervisors, MPC therefore offers a future‑proof custody architecture that can adapt to new cryptographic standards without redesigning how authority is distributed and monitored.

From Key Possession to Transaction Authority: The Regulatory Road Ahead

Regulators ultimately care about three outcomes: client assets are protected, unauthorized transactions are prevented, and systemic risk is contained. As custody models evolve, legal definitions will need to catch up with technical reality. Several shifts are already visible:

• Custody defined by control, not storage: Expect frameworks to focus increasingly on who can authorize movements and under what constraints rather than where a key is physically held.
• More emphasis on auditability: Cryptographic logs that prove which approvals were gathered, from which entities and locations, will become a standard regulatory expectation.
• New models for cross‑border governance: When MPC shares sit in different jurisdictions, supervisors will need coordination mechanisms for oversight, incident reporting, and resolution.

Viewed through this lens, MPC should not be treated as a loophole around custody rules. Properly implemented, it is a compliance enabler: a way to turn written risk policies into hard technical constraints that cannot be quietly bypassed.

Custody Redefined Through MPC

The key regulatory insight is that custody is no longer synonymous with holding a private key. In an MPC world, custody is about structured, provable control over transaction authority—how many independent approvals are required, which entities participate, and how those choices are logged and verified.

For institutions and supervisors, the implications are clear:

• MPC custody distributes power, making insider abuse and single‑device compromise far less likely.
• Approval policies, limits, and segregation of duties can be enforced by cryptography instead of only by internal checklists.
• The architecture is flexible enough to absorb future changes, such as post‑quantum algorithms and new governance requirements.

As a result, the central custody question is shifting from “Who holds the key?” to “Who holds the authority to act, and how is that authority constrained, monitored and provably enforced?” MPC custody provides a credible, regulator‑friendly answer to that question.

Key Facts at a Glance

• MPC custody replaces single private keys with threshold signatures across multiple parties.
• Regulators are moving toward definitions of custody based on transaction authority and governance.
• MPC improves compliance by making segregation of duties and multi‑approval policies technically mandatory.
• Post‑quantum threshold schemes will allow MPC platforms to remain secure against future cryptanalytic advances.
• Well‑designed MPC custody can reduce both operational risk and regulatory uncertainty for institutional crypto adoption.