Introduction
In December 2024, the Australian Securities and Investments Commission (ASIC) updated Regulatory Guide 133 (RG 133), formally extending custodial standards to crypto-assets that are considered financial products. This revision marks a significant shift, moving the regulatory approach for digital asset custody from temporary guidance, such as Information Sheet 225 (INFO 225), into the core framework for Australian Financial Services (AFS) licensees.
For responsible entities and licensed custodians, this update establishes new good practice expectations that function as mandatory minimum standards for risk management and asset security. This guide provides essential information on these new obligations, focusing on the significant operational changes required for asset holders to ensure compliance with ASIC’s updated framework.
RG 133’s New Focus on Digital Assets
Moving Beyond Temporary Guidance to Core Frameworks
ASIC reissued RG 133 in December 2024, marking a significant update from the previous version released in June 2022.
This revision formally extends the guide’s scope to explicitly cover the custody of crypto-assets. As a result, the regulatory approach has shifted from general principles to specific, mandatory minimum standards for AFS licensees.
Previously, guidance on crypto custody was primarily found in supplementary documents like INFO 225. Now, the updated RG 133 integrates these expectations into the core AFS licence framework. This shift means:
- What was once considered “good practice” for a digital asset business is now part of the central obligations for any AFS licensee involved in holding crypto-assets that are deemed financial products.
- The requirements are no longer optional or supplementary but are embedded within the main regulatory framework.
Application to Responsible Entities & Custodians
The new crypto-asset guidance within RG 133 specifically applies to certain types of AFS licensees. The obligations and standards are directed at two key groups involved in funds management and custodial services:
| Entity Type | Description |
|---|---|
| Responsible entities | Of registered managed investment schemes where the scheme’s property includes or comprises crypto-assets. |
| Custodians | Who hold crypto-assets that are classified as financial products under Australian law. |
This clarification ensures that when a digital asset meets the definition of a financial product, any entity providing a custodial or depository service for that asset must comply with the updated standards. The rules apply whether the licensee is holding the assets directly or has engaged another service provider as a custodian.
Get Your Free Initial Consultation
Consult with one of our experienced ACL & AFSL Lawyers today.
Minimum Standards for Cold Storage & Geo-Redundancy
Mandatory Cold Storage on Isolated Hardware
Under the updated RG 133, the security of private keys is of critical importance for any AFS licensee. ASIC’s guidance specifies that private keys used to access crypto-assets must be generated and stored in a manner that minimises the risk of loss and unauthorised access. This establishes a mandatory minimum standard for what is commonly known as “cold storage.”
To comply with this standard, solutions protecting private key material must:
- Use hardware devices that are physically isolated from other computing systems.
- Ensure these devices have appropriately limited connectivity to prevent remote attacks.
According to RG 133, private key material should not be held on internet-connected systems, also known as “hot storage,” beyond what is strictly necessary for operational purposes.
Furthermore, any hardware devices used to hold these keys must be protected by robust physical security practices.
Geo-Redundancy Requirements for Key Backups
In addition to securing primary private keys, asset holders must implement effective systems and processes for backup and recovery. This is a critical component of business continuity and risk management, ensuring that assets remain accessible even if primary systems are compromised or fail.
ASIC’s good practice expectations outlined in RG 133 state a preference for maintaining backup sites that are geographically distributed. This practice, known as geo-redundancy, ensures that a localised disaster, such as a fire or flood at a single site, does not result in the permanent loss of access to the crypto-assets.
By storing backups in multiple, distinct, and highly protected locations, licensees can:
- Build resilience into their custodial operations.
- Ensure they can recover assets when needed.
Speak with an ACL & AFSL Lawyer Today
Request a Consultation to Get Started.
Mandatory On-Chain Asset Segregation
Using Unique Public & Private Keys for Clients
Under the updated RG 133, one of the most critical obligations for any AFS licensee is the on-chain segregation of crypto-assets. This standard is a non-negotiable good practice for responsible entities and custodians holding crypto-assets that are financial products.
To comply with this requirement, asset holders must ensure that client crypto-assets are kept separate from all other holdings directly on the blockchain. This is achieved through specific operational measures, including:
- Maintaining unique public keys for each client’s assets.
- Securing these assets with corresponding unique private keys.
By following these practices, client assets are never intermingled with the holder’s own proprietary crypto-assets or the assets of other clients in the same on-chain address.
Avoiding Commingling of Client & House Assets
The mandate for on-chain segregation means that relying on internal, off-chain bookkeeping to distinguish client funds is no longer sufficient. An AFS licensee cannot hold client crypto-assets in a large omnibus wallet and use an internal ledger to track individual ownership.
Instead, the separation must be verifiable on the blockchain itself. This absolute requirement is designed to protect client assets from the significant risks associated with commingling funds.
By keeping client and house assets separate on-chain, licensees are prevented from:
- Using a client’s crypto-assets to settle the licensee’s own obligations.
- Using a client’s crypto-assets to settle the obligations of another client.
This measure provides a clear, auditable record of ownership and is fundamental to maintaining trust and protecting client funds.
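One way a compliance or operations team can turn the segregation rule into a repeatable control is to reconcile the custody register against the chain. The following is an added illustration, not code from RG 133 or from any custodian; the register layout, the address strings and the balances are constructed sample data, and amounts are integers in the asset’s smallest unit (satoshi, wei). It flags the three conditions the section describes: one address behind several clients (an omnibus wallet), client assets sitting in a house address, and a ledger balance that the chain does not bear out.

```python
"""Added illustration of an on-chain segregation check (not from RG 133 or any
custodian's code). `register` lists (client_id, address, ledger_balance);
`house_addresses` is the licensee's own set of addresses; `chain_balances`
is what the node reports per address. Amounts are integers in the smallest
unit (e.g. satoshi) so that equality checks are exact."""
from collections import defaultdict


def find_segregation_breaches(register, house_addresses, chain_balances):
    """Return a list of (finding, address, detail) tuples; an empty list is clean."""
    owners = defaultdict(set)        # address -> set of client ids claiming it
    ledger_total = defaultdict(int)  # address -> sum of ledger balances booked to it
    for client_id, address, balance in register:
        owners[address].add(client_id)
        ledger_total[address] += balance

    findings = []
    for address in sorted(owners):
        clients = sorted(owners[address])
        if len(clients) > 1:
            # Several clients behind one address: the register, not the chain,
            # is the only thing separating them, which RG 133 does not accept.
            findings.append(("omnibus_address", address, clients))
        if address in house_addresses:
            # Client assets booked against one of the licensee's own addresses.
            findings.append(("client_house_commingling", address, clients))
        on_chain = chain_balances.get(address)
        if on_chain is None:
            findings.append(("address_not_on_chain", address, clients))
        elif on_chain != ledger_total[address]:
            findings.append(("balance_mismatch", address,
                             {"ledger": ledger_total[address], "chain": on_chain}))
    return findings


# Constructed sample data: one clean client, one client with two addresses
# (allowed), one omnibus address shared by two clients, one client booked to
# a house address, and one address whose chain balance disagrees with the ledger.
SAMPLE_REGISTER = [
    ("client-A", "addr_a1", 500),
    ("client-B", "addr_b1", 250),
    ("client-B", "addr_b2", 100),
    ("client-C", "addr_omni", 75),
    ("client-D", "addr_omni", 25),
    ("client-E", "addr_house", 10),
]
SAMPLE_HOUSE = {"addr_house"}
SAMPLE_CHAIN = {"addr_a1": 500, "addr_b1": 250, "addr_b2": 90,
                "addr_omni": 100, "addr_house": 10}


def sample_findings():
    """Run the check over the constructed data (three findings expected)."""
    return find_segregation_breaches(SAMPLE_REGISTER, SAMPLE_HOUSE, SAMPLE_CHAIN)


if __name__ == "__main__":
    for kind, address, detail in sample_findings():
        print(f"{kind:28} {address:12} {detail}")
```

Note that a single client holding several addresses (client-B above) is not a breach; the rule is that no address serves more than one owner, and that client and house addresses are disjoint sets. Running the reconciliation on every block-height snapshot, and keeping the output, gives the auditable record the section refers to.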
Managing Operational Friction Between Liquidity & Compliance
Balancing Liquidity Needs & Compliance Rules
A significant operational challenge for any AFS licensee holding crypto-assets is managing the tension between the need for instant liquidity and the security standards mandated by ASIC.
Low-latency execution of client trades often requires the use of “hot wallets,” where private keys are stored online for immediate access. However, RG 133 establishes a clear preference for “cold storage,” where private keys are held on physically isolated hardware devices with limited connectivity.
This approach is considered a good practice for minimising the risk of loss and unauthorised access. As a result, there is a direct conflict between the operational goal of providing liquidity and the compliance obligation of ensuring maximum asset security.
Creating a Risk-Based Hot Wallet Policy
To manage this friction, asset holders must develop a documented, risk-based policy for hot wallet allocations. The guidance in RG 133 permits the use of hot storage only for amounts that are “strictly necessary” for operational purposes. This means licensees should not hold more crypto-assets in hot wallets than required to meet immediate, daily liquidity needs.
A robust policy should be implemented to address this balance, which may include:
- Defining the minimum necessary balance of crypto-assets to be held in hot wallets.
- Establishing automated “sweeping” procedures to move any excess funds to a compliant cold storage solution at regular intervals.
- Documenting the justification for the hot wallet balance to demonstrate a systematic approach to risk management for compliance teams.
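The three bullets above are the parts of one policy, so here is an added example, written for this guide and not taken from RG 133 or any custodian, that sizes the hot float from observed daily outflows, sweeps the excess to cold storage and records the justification. The policy parameters (a 14-day lookback, a 1.25 buffer over the peak daily outflow, a top-up floor at half the ceiling) and the outflow figures are assumptions chosen for illustration; a licensee would set its own and document why.

```python
"""Risk-based hot wallet policy (added illustration, not from RG 133). The
float permitted online is derived from recent daily outflows, excess is swept
to cold storage, and every decision carries the justification the compliance
team needs. Amounts are in the asset's unit (e.g. BTC); the parameters are
assumptions for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HotWalletPolicy:
    lookback_days: int = 14      # window of daily outflows used to size the float
    buffer_factor: float = 1.25  # headroom over the peak daily outflow in the window
    floor_factor: float = 0.5    # below this share of the ceiling, request a top-up


def hot_ceiling(daily_outflows, policy):
    """Maximum balance the policy permits online: peak recent outflow plus buffer."""
    window = daily_outflows[-policy.lookback_days:]
    if not window:
        raise ValueError("need at least one day of outflow history")
    return max(window) * policy.buffer_factor


def plan_sweep(hot_balance, daily_outflows, policy=None):
    """Decide what to do with the current hot balance and record why.

    Returns a dict with the action ("sweep_to_cold", "request_top_up" or
    "hold"), the amount to move, the ceiling and floor applied, and a
    human-readable justification for the audit trail."""
    policy = policy or HotWalletPolicy()
    window = daily_outflows[-policy.lookback_days:]
    ceiling = hot_ceiling(daily_outflows, policy)
    floor = ceiling * policy.floor_factor
    if hot_balance > ceiling:
        # More online than "strictly necessary": move the surplus to cold storage.
        action, amount = "sweep_to_cold", hot_balance - ceiling
    elif hot_balance < floor:
        # Too little to meet expected outflows: a cold-to-hot top-up is needed,
        # which itself goes through the multi-party release procedure.
        action, amount = "request_top_up", ceiling - hot_balance
    else:
        action, amount = "hold", 0.0
    return {
        "action": action,
        "amount": amount,
        "ceiling": ceiling,
        "floor": floor,
        "justification": (
            f"peak daily outflow over last {len(window)} day(s) = {max(window)}; "
            f"ceiling = peak x {policy.buffer_factor}; floor = ceiling x {policy.floor_factor}"
        ),
    }


if __name__ == "__main__":
    # Constructed five-day outflow history and three hot balances to exercise each branch.
    history = [10, 12, 8, 15, 9]
    for balance in (30, 12, 5):
        print(balance, plan_sweep(balance, history))
```

The sweep itself would be executed by the signing process described later in this guide; what this block contributes is the documented, reproducible rule for how much is allowed to stay online, which is what a compliance review will ask for.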
Technical Requirements for Key Sharding & Multi-Party Computation
Using MPC to Eliminate Single Points of Failure
Under the updated RG 133, ASIC has established a good practice expectation for asset holders to adopt transaction-signing approaches that minimise “single point of failure risk.” This requirement represents a shift away from systems where a single private key or individual can unilaterally control and authorise the transfer of crypto-assets. The guidance now expresses a clear preference for distributed control mechanisms.
To meet this standard, AFS licensees are expected to implement more sophisticated signing solutions, such as:
| Signing Approach | Description |
|---|---|
| Multi-signature (Multi-sig) | This method requires two or more independent parties to approve a transaction before it can be executed, distributing trust and authority (e.g., requiring 3 of 5 signatories). |
| Sharding-based signing (MPC) | This technology involves breaking a single private key into multiple encrypted “shards” and distributing them. No single shard can sign a transaction, and the full key is never reconstructed in one place. |
Additionally, the process for validating and executing instructions must include appropriate permission controls to ensure that no single party has control over the entire transaction lifecycle. This mandate for multi-party control is a core technical requirement for any compliant digital asset custody operation.
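To make the two ideas above concrete, namely that no single shard is enough and that shards can be spread across the geographically separate sites the backup section calls for, here is an added, self-contained example of threshold key sharding (Shamir secret sharing over a prime field). It is illustrative code written for this guide, not from RG 133 or any vendor, and it is not a threshold-signature MPC scheme: a production MPC system signs without ever reassembling the key, whereas `recover_key` here does reassemble it, which is only appropriate inside a controlled recovery ceremony for backup shards. The 3-of-5 threshold and the site names are assumptions.

```python
"""Toy t-of-n key sharding (Shamir secret sharing) as an added illustration of
two RG 133 expectations: no single shard can act alone, and shards can be held
at geographically separate sites. NOT an MPC signing scheme: real threshold
signatures never reconstruct the key; this toy does, in recover_key()."""
import secrets

# Prime field modulus: the Curve25519 field prime, which is larger than any 255-bit key.
P = 2**255 - 19


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x, mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(secret, threshold, n_shares):
    """Split `secret` into n_shares points on a random degree-(threshold-1)
    polynomial whose constant term is the secret. Returns [(x, y), ...]."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element (0 <= secret < P)")
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_key(shares):
    """Lagrange-interpolate the shared polynomial at x = 0.

    Correct only when at least `threshold` distinct shares are supplied;
    with fewer, the result is an unrelated field element, which is exactly
    the property that makes a lost or stolen single shard harmless."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # den^-1 via Fermat
    return total


def assign_to_sites(shares, sites):
    """Round-robin the shards across named sites (geo-redundancy plan)."""
    plan = {site: [] for site in sites}
    for idx, share in enumerate(shares):
        plan[sites[idx % len(sites)]].append(share)
    return plan


def survives_site_loss(plan, threshold):
    """True if losing any single site still leaves at least `threshold` shards."""
    total = sum(len(held) for held in plan.values())
    return all(total - len(held) >= threshold for held in plan.values())


if __name__ == "__main__":
    key = secrets.randbelow(P)                      # stand-in for a private key
    shares = split_key(key, threshold=3, n_shares=5)
    plan = assign_to_sites(shares, ["site-A", "site-B", "site-C"])  # assumed site names
    print("3 of 5 recovers:", recover_key(shares[:3]) == key)
    print("2 of 5 recovers:", recover_key(shares[:2]) == key)
    print("survives loss of any one site:", survives_site_loss(plan, 3))
```

The `survives_site_loss` check is the planning question behind geo-redundancy: with 3-of-5 shards spread over three sites (2, 2, 1), a fire at any one site leaves at least three shards elsewhere, whereas the same shards over two sites (3, 2) do not survive losing the larger one.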
Why Single Private Keys on Hardware Wallets Are Insufficient
The new standards outlined in RG 133 mean that traditional methods of securing crypto-assets are likely no longer sufficient for a licensed custodian. Specifically, storing a single private key on a standard hardware wallet, such as a Ledger or Trezor device kept in a safe, is unlikely to meet the mandatory “no single point of failure” standard.
While physically secure, this setup concentrates all control into one key. This approach is considered insufficient because it creates a significant single point of failure. If the hardware device is lost, stolen, or damaged, or if the individual with access to it becomes unavailable, the crypto-assets could be permanently lost or compromised.
The updated guidance requires a system that can withstand such an event by distributing control. Consequently, asset holders must move towards Multi-sig or sharding-based signing approaches that eliminate reliance on any single key, device, or person.
Due Diligence for Service Providers & Jurisdictional Accessibility
Assessing Regulatory Status & Controls of Custodians
When engaging third-party custodians, AFS licensees must conduct reasonable due diligence, similar to an AFSL compliance health check, to ensure the service provider is both compliant and secure. This obligation requires verifying the regulatory status and operational controls of any custodian, such as Coinbase Custody or BitGo, before entrusting them with client crypto-assets.
Under RG 133, an asset holder should be satisfied that any service provider it uses to buy or sell crypto-assets meets specific standards. Key verification steps include confirming that the provider is:
- Registered with the Australian Transaction Reports and Analysis Centre (AUSTRAC) as a digital currency exchange provider.
- Alternatively, regulated by foreign laws that implement the Financial Action Task Force (FATF) recommendations on customer due diligence and record-keeping.
- Equipped with risk-based systems and controls for Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) that are monitored by a relevant supervisory body.
Furthermore, ASIC’s good practice expectations require that the custodian’s cybersecurity practices and control environment are independently verified to an appropriate industry standard. This involves:
- Obtaining and reviewing independent audit reports, such as a System and Organisation Controls (SOC) report.
- Reviewing certifications like ISO 27001 to assess the effectiveness of their security controls and risk management processes.
Ensuring Asset Accessibility & Protection in Australia
While AFS licensees can engage overseas-based custodians, they must navigate a significant due diligence burden to ensure client assets are protected. The licensee remains ultimately responsible for the assets and must ensure they are accessible from Australia, even if held by a foreign entity.
RG 133 clarifies that the assets, meaning the private keys, must be accessible in a manner consistent with the licensee’s obligations. This is particularly critical in scenarios involving the foreign custodian’s insolvency or operational failure.
The due diligence process, as outlined in RG 133.60, is substantial and requires careful assessment of the foreign provider’s legal and operational frameworks. Licensees must ensure that:
- Legally enforceable agreements are in place that provide reasonably effective protection for the assets.
- If a trust structure is not recognised under foreign law, the licensee must be satisfied that the assets are held in a way that safeguards them in case of the custodian’s insolvency, and this basis must be documented.
Conclusion
The December 2024 update to ASIC’s RG 133 establishes mandatory minimum standards for AFS licensees holding crypto-assets, transforming previous good practice into firm obligations. These new requirements demand significant operational changes, particularly in cold storage, on-chain asset segregation, key management, and the due diligence of service providers.
To ensure your operations align with these updated standards, contact the AFSL compliance lawyers at AFSL House for tailored support. Our team provides expert guidance to help your financial services business navigate the new RG 133 framework and turn regulatory challenges into strategic opportunities.
Frequently Asked Questions (FAQ)
The new guidance applies to responsible entities of registered managed investment schemes and licensed custodians who hold crypto-assets that are considered financial products. This ensures that any AFS licensee providing a custodial or depository service for these assets must comply with the updated standards.
The new minimum standards require private keys to be generated and stored in “cold storage” on hardware devices that are physically isolated from other computing systems to minimise loss and unauthorised access. These devices must also be protected by robust physical security practices to prevent tampering or theft.
No, a single private key on a hardware wallet is unlikely to be sufficient under the new standards. ASIC’s guidance expresses a clear preference for Multi-sig or sharding-based signing approaches to minimise the “single point of failure risk” associated with a single key.
Yes, hot wallets can be used for instant liquidity, but only for amounts that are strictly necessary for operational purposes. Asset holders must have a documented, risk-based policy to justify the hot wallet balance and ensure any excess funds are regularly moved to a compliant cold storage solution.
The requirement for on-chain asset segregation mandates that client crypto-assets are held using unique public and private keys on the blockchain. This ensures client assets are kept separate from the holder’s own assets and the assets of other clients, preventing commingling in a single on-chain address.
Yes, you can use a third-party custodian based overseas, but doing so involves a significant due diligence burden. The AFS licensee remains responsible for the assets and must ensure they are accessible from Australia and protected under legally enforceable agreements.
Due diligence requires verifying that the third-party custodian is registered with AUSTRAC as a digital currency exchange provider or is regulated by foreign laws that implement FATF recommendations. You must also ensure the custodian has independently verified cybersecurity practices and robust risk-based controls for AML/CTF.
Yes, ASIC’s good practice expectations state that cybersecurity practices and the control environment, often scrutinised during AFSL audits and investigations, should be independently verified to an appropriate industry standard. This can be demonstrated through certifications like ISO 27001 or independent audit reports, such as a SOC report.
ASIC has provided a sector-wide no-action position until 30 June 2026 to allow firms time to adapt their systems and processes. This transition period gives entities the opportunity to establish the required controls and ensure compliance with the new expectations.