CoinCover highlights recovery and resilience as key to building trust in digital assets

Written by CoinCover | Apr 21, 2026 10:19:15 AM

This article was originally published on Securities.io and is repurposed here with permission. Written by Anthony Yeung, Chief Commercial Officer at CoinCover.

You have spent more than a decade in payments, fraud prevention, AML, and crypto at firms like ACI Worldwide, Judopay, Elliptic, and now CoinCover. How has that background shaped your view of what it will take to build real trust in digital asset markets?

Spending over a decade across payments, fraud prevention, AML, and crypto has taught me one thing above all else: trust is never declared, it's earned — and it's earned through the guardrails that protect people when things go wrong.

Traditional finance built public confidence incrementally, through regulation, oversight, and a clear promise to consumers: if something goes wrong, someone has your back. Think about a fraudulent charge on your credit card. Most people don't think twice about it, because programmes like 3D Secure and strong consumer protection frameworks mean the bank will make you whole. That certainty took decades of regulatory scaffolding to create.

Digital asset markets are still building that same foundation. This industry was created by brilliant engineers solving genuinely hard problems at a pace that's almost impossible to keep up with — and that's a gift. But engineers optimise for elegance, speed, and innovation, not for compliance frameworks or consumer protection obligations. Sometimes the result is security architecture so sophisticated that only the people who built it understand it, which is fine until something goes wrong. Trust can't live inside a system only its creators can read. Technology alone doesn't create the guardrails that build trust — accountability does.

Regulatory frameworks emerging across the globe — from MiCA in Europe, to the evolving SEC and CFTC oversight landscape in the US, the MAS guidelines in Singapore, and VARA in Dubai — signal to the public that there are rules, there is oversight, and there are consequences for bad actors. The direction of travel is clear, and it's happening across every major financial centre. That's the foundation TradFi built its credibility on — and it's the same foundation crypto needs now. The firms that embrace that, rather than resist it, will define the next chapter of this industry.

The UK’s Cryptoassets Regulations 2026 and the FCA’s upcoming oversight represent a major turning point. What are the biggest operational changes institutions will need to make to meet the new expectations around custody, resilience, and accountability?

The UK’s Cryptoassets Regulations 2026 and the FCA’s direction of travel are forcing a much more disciplined approach to how institutions operate. The biggest change is that digital asset risk can no longer sit at the edges of the business, it must be built into institutions’ core infrastructure.

For custody, that means moving away from in-house approaches to operational resilience, and towards models that are structured, auditable and aligned with regulatory expectations. Institutions need to be clear not just about how assets are held, but how business continuity is ensured at every stage.

Regulators are increasingly focused on what happens when things fail, not just how they are protected, and this is setting higher standards for resilience. If access to assets is lost, firms need proven, tested ways to recover it. Without that, it’s very difficult to demonstrate true operational resilience.

There is also a clear shift towards providing evidence, as accountability becomes a central measure of how firms operate. It’s no longer enough to say controls exist. Firms need to be able to evidence they work in real scenarios and with the right level of oversight. Regulation is raising the bar, but done correctly, it also creates the conditions for institutions to scale with real confidence.

Irreversible asset loss remains one of the industry’s most damaging risks. How should institutions rethink key management, backup systems, and recovery processes to reduce that risk without undermining the core principles of digital assets?

Irreversible asset loss is still one of the biggest barriers to building trust in digital assets, and it largely comes down to how access is managed. Too many institutions still rely on self-managed backups, which creates a fragile system exposed to human error, lost credentials or operational failure. The challenge isn’t self-custody itself; it’s that self-custody at scale becomes an operational risk transfer.

The shift needs to be towards treating key management and recovery as core infrastructure, not an afterthought. That means moving away from manual processes and establishing controlled, verifiable recovery mechanisms that can restore access if something goes wrong.

This does not undermine the principles of digital assets, it strengthens them. You still have security and control, but with resilience built in.

From a technical and governance perspective, what does a regulator-ready recovery framework actually look like for a digital asset firm?

A regulator-ready recovery framework starts with recognising that loss of access is not a theoretical risk, it’s already happening at scale. Around $350bn worth of bitcoin has been lost, with lost credentials the primary cause. That simply is not acceptable in a regulated environment.

From a governance perspective, firms need clear ownership of key management and recovery, with defined controls and separation of duties. It must be auditable and accountable at every stage.

Technically, this means embedding recovery into core infrastructure – moving away from manual backups to controlled, verifiable mechanisms that can demonstrably restore access after failure, compromise or error.

Crucially, these processes must be proven to work in practice. At CoinCover, we have protected over 22 million wallets without a single failed recovery. That is the level of assurance institutions, regulators and customers increasingly need and expect.

Many institutions still approach digital asset protection as if it were just another branch of traditional cybersecurity. Why is that mindset insufficient, and what new threat models do crypto systems introduce?

Stablecoins and tokenisation have brought institutions into the market, but many firms are still applying a traditional cybersecurity mindset to digital assets. The challenge is that digital assets introduce a fundamentally different risk – loss of access. It’s not just about protecting systems, it’s about protecting access.

Even in the most stable use cases, if access to the wallet is lost, users can lose access permanently. That is not something traditional cybersecurity frameworks were designed to handle. It creates a new threat model centred on lost credentials, operational failure and human error, not just external attacks.

To address this, institutions need to move beyond prevention alone and build in recovery as a core control. Just as ‘forgot password’ transformed online logins, digital assets need that same safety net to give institutions and their customers reassurance.

As regulation becomes more defined, how do you see the balance evolving between self-custody, third-party custody, and hybrid custody models for institutions?

As regulation becomes more defined, the balance will shift away from ideology and towards practicality. The question is no longer just who holds the keys, but whether assets can be managed, protected and recovered in line with regulatory expectations.

Self-custody places a high burden on internal processes and people, and we still see many firms relying on in-house backups that do not always meet the standards that regulators are moving towards. That creates risk at scale.

Third-party custody brings structure, but it doesn’t remove the need for strong governance and clear recovery capabilities.

A more pragmatic, hybrid approach is emerging. Institutions retain appropriate control but embed specialist infrastructure to ensure access can be restored, controls are auditable and resilience is built in.

Trust is often described as the biggest barrier to wider adoption. Beyond regulation alone, what technologies, controls, or protection layers are most important for giving both institutions and consumers real confidence in digital asset products?

Trust in digital assets shouldn’t be framed as a question of regulation alone. The more practical issue is whether institutions and consumers can rely on systems that protect access and prevent permanent loss.

Even the most secure systems fall short if users cannot recover access when something goes wrong. Recoverability, therefore, needs to be a core layer of protection, with secure, controlled ways to restore access.

At the same time, strong governance, auditable controls and independent assurance are essential. The real test is not whether digital asset products can be built, but whether they can deliver the level of confidence people expect from banks and financial institutions.

CoinCover has focused heavily on recoverability and operational resilience. How do you see those capabilities evolving as banks and financial institutions begin offering digital asset products at greater scale?

As banks and financial institutions scale their digital asset offerings, recoverability and resilience will become expectations rather than added features. Customers will expect the same experience they are used to in traditional finance, where access can be restored and assets remain protected without added complexity.

What changes is how this is delivered. Manual processes and self-managed approaches simply do not hold up across large customer bases. Recovery needs to be built into the infrastructure itself, working seamlessly in the background rather than relying on user intervention.

This is where specialist providers play a critical role. It’s not about replacing institutions, it’s about giving them the infrastructure they need to manage digital asset risk at scale. Over time, these capabilities will become standard across the industry, helping institutions offer digital assets with the same level of confidence, consistency and trust that customers already expect elsewhere.

With such a large volume of crypto already lost through poor key management, scams, and human error, does the industry now need standardized recovery protocols? If so, who should take the lead in defining them?

Given the scale of losses we have already seen, the industry does need more standardised recovery protocols. The current approach is too inconsistent. Many firms still rely on in-house backups that may appear compliant but often lack the resilience, testing and independent assurance required in practice.

Regulators should take the lead in setting expectations around resilience, auditability and consumer protection. But standards need to be shaped in close collaboration with infrastructure providers who are solving these challenges day to day.

This is about moving from fragmented processes to verifiable, tested recovery frameworks that can stand up in real-world scenarios, and that are independently benchmarked against recognised standards. We have established a certification process precisely to address this lack of standardisation, and so that our customers can demonstrate their adherence to emerging standards.

Looking ahead to October 2027 and beyond, what milestones need to be reached for digital assets to move from a developing market into trusted financial infrastructure that banks can offer confidently to mainstream users?

To leverage increasing demand for digital assets, the industry needs to close the gap between innovation and operational certainty. Regulation is moving in the right direction, but there are still critical areas, like recovery, that remain underestimated.

Today, if access to a wallet is lost, the assets can be lost forever. With millions of bitcoin already inaccessible, that’s not a risk profile banks or their customers will accept.

By 2027 and beyond, we need to see recovery treated as a core requirement, not an optional feature. That means institutions having controlled, auditable ways to restore access, supported by tested processes and independent assurance. Alongside this, clearer standards around governance, custody and operational resilience will be essential.

Digital assets will only reach mainstream adoption when institutions can offer the same level of reliability and confidence people expect from traditional financial services.