Digital Asset Custody
The safekeeping of private cryptographic keys that control ownership of digital asset securities on distributed ledgers — requiring CMA licensing, SAR 25M minimum capital, 95% cold storage, and quarterly proof-of-reserves attestation in Saudi Arabia.
Definition
Digital asset custody is the safekeeping of private cryptographic keys that control ownership of digital asset securities on distributed ledgers. In Saudi Arabia, digital asset custody requires CMA licensing (Digital Asset Custodian category), SAR 25M minimum capital, 95% cold storage of client assets, SAR 65M minimum professional indemnity insurance, and quarterly proof-of-reserves attestation.
Why Custody Matters for Tokenized Securities
Unlike conventional securities where ownership is recorded in a centralized register, tokenized securities ownership is controlled by private cryptographic keys on a distributed ledger. Whoever controls the private key controls the token — making key management the foundational security requirement for digital assets.
In Saudi Arabia’s tokenized securities ecosystem, custody encompasses:
- Private key generation and storage using hardware security modules (HSMs)
- Transaction signing for trades, transfers, and corporate actions on R3 Corda
- Asset segregation separating client assets from custodian proprietary holdings
- Backup and recovery ensuring key availability even if primary systems fail
- Access control managing multi-signature authorization for large transactions
Saudi Regulatory Framework
The CMA’s Digital Asset Custody Standards establish some of the most stringent custody requirements globally:
Cold Storage: A minimum of 95% of client digital asset value must be held in air-gapped cold storage — hardware devices physically disconnected from the internet. Only 5% may remain in hot wallets for operational liquidity. This exceeds the UAE VARA requirement of 70% and Bahrain CBB requirement of 80%.
Insurance: SAR 65M minimum professional indemnity insurance covering client asset loss through operational failure, cybersecurity breach, internal fraud, or key management failure. Insurance policies must be from CMA-approved insurers with A- or better ratings.
Proof-of-Reserves: Quarterly third-party attestation confirming that client asset balances on the Edaa DLT register match the custodian’s records. The attestation uses cryptographic proof — verifying on-chain balances without exposing client identity data, consistent with PDPL data protection requirements.
Custodian of Last Resort: Edaa serves as the custodian of last resort — if a licensed custodian fails, client tokens are transferred to Edaa’s custody or to an alternative CMA-licensed custodian designated by the client. This mechanism ensures that investor assets are never at risk of permanent loss due to custodian insolvency.
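The proof-of-reserves attestation described above can be illustrated with a salted Merkle sum tree, shown here as an added example that is not taken from the CMA standards or any custodian's code. The page does not say which cryptographic scheme is used, so the construction, the function names and the sample clients are all assumptions.

```python
import hashlib, hmac

def _h(*parts: bytes) -> bytes:
    # Length-prefix every field so concatenated inputs cannot be ambiguous.
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def leaf(client_id: str, balance: int, salt: bytes):
    # Salted commitment: the published hash does not reveal the client id.
    return (_h(b"leaf", salt, client_id.encode(), str(balance).encode()), balance)

def parent(left, right):
    # Each node commits to both children and carries the sum of their balances.
    total = left[1] + right[1]
    return (_h(b"node", left[0], str(left[1]).encode(),
               right[0], str(right[1]).encode()), total)

def build(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:                      # pad odd levels with a zero-balance node
            cur = cur + [(_h(b"pad"), 0)]
            levels[-1] = cur
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib], sib < index))  # (sibling node, sibling is on the left)
        index //= 2
    return path

def verify(root, leaf_node, path):
    node = leaf_node
    for sib, sib_is_left in path:
        if sib[1] < 0:                        # a negative sibling would hide liabilities
            return False
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return hmac.compare_digest(node[0], root[0]) and node[1] == root[1]

def matches_register(root, on_chain_total: int) -> bool:
    return root[1] == on_chain_total

# Constructed sample data; real salts would be random per client and per attestation.
CLIENTS = [("client-A", 500, b"salt-A"), ("client-B", 1200, b"salt-B"), ("client-C", 300, b"salt-C")]
LEVELS = build([leaf(*c) for c in CLIENTS])
ROOT = LEVELS[-1][0]
```

The attestor publishes only `ROOT`; each client recomputes their own leaf from their id, balance and salt and checks it against the path they are given, which contains hashes and subtotals but no other client's identity.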
Custody Architecture
Saudi CMA-licensed custodians operate a three-tier architecture:
| Tier | Function | Security Level |
|---|---|---|
| Cold storage | Long-term key storage in HSMs | Air-gapped, multi-signature, geographic distribution |
| Warm storage | Operational keys for daily trading | Network-connected HSMs with rate limiting |
| Hot wallets | Immediate liquidity | Software wallets with transaction caps |
Key management follows the Saudi Blockchain Lab’s recommendations for financial-grade HSM deployment, including FIPS 140-2 Level 3 certification and multi-party computation (MPC) for key generation.
Licensed Custodians
As of Q1 2026, 11 entities hold CMA Digital Asset Custodian licenses. These include:
- Saudi bank subsidiaries that added custody through ELDAP
- Dedicated digital asset custody firms that entered through the CMA sandbox
- International custodians with Saudi operational presence (4 entities connected to Tadawul’s platform for cross-border custody)
Self-Custody
Self-custody — where investors manage their own private keys — is permitted under Saudi regulation but carries specific implications:
- Self-custody investors lose the protection of Edaa’s custodian-of-last-resort mechanism
- Transfers between self-custody wallets and CMA-licensed entities require enhanced AML/CFT due diligence
- Lost private keys in self-custody cannot be recovered through any institutional mechanism
- Self-custody investors remain responsible for PDPL compliance for any personal data associated with their blockchain transactions
International Comparison
Saudi Arabia’s custody standards compare with international frameworks as follows:
- Cold storage: Saudi 95% vs. UAE VARA 70% vs. Switzerland FINMA 100% (qualified custodian)
- Insurance: Saudi SAR 65M (~$17M) mandatory vs. UAE case-by-case vs. Singapore MAS risk-based
- Proof-of-reserves: Saudi quarterly mandatory vs. UAE annual vs. most jurisdictions voluntary
- Custodian of last resort: Saudi Edaa — unique globally; most jurisdictions rely on asset segregation alone
The CMA’s custody regime reflects lessons from international digital asset failures where inadequate key management and commingled client funds led to catastrophic investor losses. Saudi Arabia’s mandatory asset segregation, independent proof-of-reserves, and the Edaa backstop collectively provide one of the most investor-protective custody frameworks in global digital asset markets.
Saudi Arabia’s FATF membership (since 2019) requires that custody operations include transaction monitoring, Travel Rule compliance for transfers above SAR 3,750, and suspicious transaction reporting to SAFIU within 24 hours.
With Tadawul’s $2.7 trillion market capitalization transitioning toward DLT-based settlement, the demand for CMA-licensed custody infrastructure is expected to grow substantially as traditional securities migrate to blockchain rails.