In practice, this means DIY recovery backups often cannot demonstrate resilience against insider threats, operational failure or external compromise.
As the digital asset ecosystem matures, regulatory focus on operational resilience, client asset protection and ICT risk management is tightening across the UK, EU and US, and is therefore placing greater scrutiny on internal recovery processes and the ability to withstand disruption.
Regulators now expect clear evidence that crypto exchanges, firms and financial institutions can secure and recover client assets in the event of an internal systems failure, a cyberattack or a complete infrastructure compromise.
At the heart of these compliance demands lies a critical question:
Do in-house wallet backups satisfy regulatory expectations, or is third-party key storage required, recommended, or simply preferable?
In this article, we explore current UK, EU and US regulatory guidance and supervisory trends across major jurisdictions, highlighting why third-party wallet backup solutions are becoming clear best practice.
For many crypto firms, the default approach to safeguarding private keys and digital asset access has been to build and manage wallet backup infrastructure internally. This DIY strategy is often driven by a desire for tighter control, lower perceived costs and faster deployment.
However, as the regulatory environment makes clear, this approach has clear limitations. Regulators now expect demonstrable resilience, clear segregation and tested disaster recovery plans. Internally managed backups, no matter how sensible, frequently fall short when examined against regulatory standards for operational resilience and business continuity.
Crypto-asset service providers (CASPs) should now reassess whether internal backup strategies are truly fit for purpose, or whether they actually introduce regulatory risk.
In the UK, the Financial Conduct Authority (FCA) has laid out clear expectations as part of the new regulatory regime for cryptoassets, introduced by the government on 21 November 2024. This framework has established new regulated activities, including the operation of cryptoasset trading exchanges, market abuse enforcement and admission and disclosure regimes. These measures are designed to boost investor confidence and support innovation.
A core component of the FCA’s regulatory architecture is SYSC 4.1.1R, which requires regulated firms to implement robust governance arrangements. This includes systems that minimise the risk of data loss and maintain the integrity and security of information.
Internal wallet backups can, in principle, meet SYSC requirements, but only if they are encrypted, securely stored, regularly tested, and shielded from internal and external threats. However, FCA guidance on operational resilience goes further, placing strong emphasis on independence and redundancy. Internal-only solutions, no matter how technically sophisticated, are at risk of lacking the structural separation and external validation needed to satisfy these broader expectations.
Additionally, Principle 10 of the FCA’s Principles for Businesses requires firms to “arrange adequate protection for clients’ assets when it is responsible for them.” If wallet backups are exclusively managed within the firm’s infrastructure, concerns arise around data loss in the event of insolvency, internal sabotage, or ransomware. In contrast, third-party custody and backup services, especially those with geographic and operational separation, offer a more compelling solution when examined by the regulator.
The European Union’s (EU) regulatory framework presents a two-pronged approach through the Markets in Crypto-Assets Regulation (MiCA) and the Digital Operational Resilience Act (DORA).
These two regimes work together to bring clarity, structure, and long-term stability to the European digital asset ecosystem by addressing both financial conduct standards and technological risk management.
The Markets in Crypto-Assets Regulation (MiCA) is a landmark framework that sets the standard for crypto regulation across the European Union, bringing legal certainty to digital asset markets.
Article 70, titled ‘Safeguarding of clients’ crypto assets and funds’, sets out clear expectations for the implementation of secure and resilient recovery mechanisms, as well as comprehensive business continuity planning. It also imposes liability on service providers for losses resulting from a failure to safeguard client assets. This creates a strong incentive for firms to deploy encrypted wallet backups and robust recovery mechanisms.
MiCA is outcome oriented. It does not mandate third-party solutions but expects demonstrable operational resilience. An in-house solution could be compliant if, and only if, it is demonstrably resilient to threats such as internal corruption, infrastructure loss, or cyber incidents.
DORA is more explicit than MiCA in its expectations.
Under DORA’s mandate, which came into effect in 2022, financial institutions are required to follow stringent guidelines for safeguarding against cyber or ICT-related incidents, including measures for protection, detection, containment, recovery and repair. Article 8(3)(c) specifically requires that backup systems be logically or physically segregated from the core ICT infrastructure. This requirement goes beyond basic availability and demands clear structural separation of backup environments.
In practical terms, most internal backup solutions will fall short unless they are architected with full isolation, something that is rarely achieved without third-party involvement.
DORA’s requirements extend further, encompassing incident classification reporting, resilience testing and third-party risk management. This puts pressure on firms to adopt backup architectures that can stand up to regulatory scrutiny and demonstrate operational resilience under adverse conditions.
In the United States (US) the Securities and Exchange Commission (SEC) applies Regulation Systems Compliance and Integrity (SCI) to certain covered entities such as exchanges, ATSs, and clearing agencies. These firms must maintain systems that ensure availability, capacity, and integrity, supported by tested disaster recovery plans.
Under Regulation SCI, internal-only wallet backup plans may not satisfy compliance expectations unless they include complete redundancy, geographic separation, and demonstrable recovery testing. Moreover, examination priorities in the US are increasingly focused on third-party risk management and cyber resilience.
In addition to Regulation SCI, guidance from the SEC, OCC, and CFTC emphasises the need to evaluate third-party versus internal risk, maintain operational continuity, and avoid concentration risk. If a firm’s wallet backup strategy is entirely reliant on internal infrastructure without documented isolation, testing, and fallback capacity, regulators are likely to raise concerns.
While no regulator explicitly mandates the use of a third-party backup provider, the practical expectations of supervisory authorities are closely aligned with what providers are able to deliver.
The direction of travel and the spirit of regulatory expectations around the robustness of risk management controls make a compelling case for the adoption of independent third-party backup solutions. Across all three regions analysed (UK, EU and US), the prevailing regulatory expectations emphasise:
From an evidentiary standpoint, third-party solutions allow firms to demonstrate due diligence, preparedness, and credible mitigation strategies, all of which reduce both operational and compliance risk. Therefore, when faced with a regulatory review or a live incident, firms using independent, professional-grade recovery infrastructure are far better equipped to defend their position.
First, crypto platforms, firms and institutions that continue to rely on in-house wallet backups should ensure these systems are not only technically secure but also fully documented, rigorously tested, and independently auditable.
Secondly, business continuity and disaster recovery plans must be reviewed and validated regularly, with a particular focus on ensuring that backups are physically and logically separated from the operational environment to avoid single points of failure.
Finally, to align with evolving regulatory expectations, firms should also consider hybrid approaches, combining internal infrastructure with third-party recovery providers that specialise in cryptoasset protection. This layered strategy can enhance resilience, reduce regulatory risk, and provide the structural segregation and independent recoverability that regulators increasingly demand.
CoinCover supports crypto firms, exchanges and institutions in meeting and exceeding regulatory expectations, by offering fully segregated backup infrastructure and industry-leading recovery services, trusted by 550+ institutions worldwide.
Discover how CoinCover can enhance your wallet backup strategy and support your regulatory journey across the UK, EU and US jurisdictions. Contact our team today.