SEC officials are stepping up their warnings to everyday investors who are venturing into digital assets, focusing in particular on how those assets are stored and who ultimately controls them. In a new investor bulletin, the agency’s Office of Investor Education and Assistance outlines in plain terms the risks surrounding crypto custody, loss of private keys, and reliance on third‑party custodians.
Unlike traditional brokerage accounts, where a regulated intermediary holds securities on your behalf, crypto assets are accessed through wallets that store cryptographic keys rather than the assets themselves. The bulletin stresses that understanding how these wallets work — and what can go wrong — is essential before putting any money into digital coins or tokens.
The SEC distinguishes between two broad categories of wallets. “Hot” wallets are connected to the internet, making them convenient for frequent trading or spending but more vulnerable to hacks, malware, and phishing. “Cold” wallets, by contrast, are kept offline on physical devices or even on paper, reducing exposure to cyberattacks but increasing the risk of physical loss or damage. Investors are urged to weigh convenience against security, rather than assuming that any wallet solution is inherently safe.
A central focus of the guidance is the concept of cryptographic keys. Crypto wallets generate two types of keys: private and public. Private keys act like randomly generated, highly sensitive passcodes that authorize outgoing transactions. Once created, they are fixed — there is no “reset” button. According to the SEC, if you misplace or destroy your private key, you permanently lose access to the crypto tied to that wallet. No customer support line, court order, or regulator can restore it.
Public keys, by contrast, are used to receive assets and verify that a transaction is going to the correct address. The bulletin likens a public key to an email address: you can share it freely so others can send you crypto, but it does not grant the ability to spend your funds. That authority rests entirely with the private key. This asymmetric design underpins much of the security of blockchain systems but also means that user mistakes can be catastrophic.
To mitigate the risk of losing a private key, many wallet providers generate a “seed phrase” — a sequence of words that can recreate the keys and restore access to funds if the device fails or is lost. The SEC underscores that this seed phrase is effectively as powerful as the private key itself. If someone else obtains it, they can take control of the wallet and its contents. The bulletin urges investors to store seed phrases in a secure, offline location and never share them with anyone, including people claiming to be support staff.
Beyond self‑custody, the guidance devotes substantial attention to third‑party custodians such as crypto exchanges, specialized custody firms, or financial platforms that hold crypto on behalf of customers. These arrangements have a completely different risk profile from self‑managed wallets, and the SEC warns that many investors incorrectly assume that such services function like traditional banks or broker‑dealers.
Before entrusting assets to any custodian, investors are encouraged to conduct their own due diligence. That includes looking into the company’s regulatory status, searching for complaints or enforcement actions, and understanding where the custodian is located and which legal jurisdiction governs it. The SEC also suggests verifying which specific crypto assets the custodian will hold and whether those assets are treated differently under the firm’s internal policies.
Insurance is another point of confusion highlighted in the bulletin. Some custodians advertise insurance coverage, but that protection may be limited in scope, apply only to certain types of incidents, or cover the custodian rather than the individual client. Investors are advised to ask directly what types of losses are insured, up to what limits, and who is actually the beneficiary of any policy.
The regulator also flags the practice of rehypothecation, where custodians use client assets as collateral for loans or other financial activities. In some cases, customer holdings may be commingled in a single pool instead of being held in separate, clearly identified accounts. While such practices may allow custodians to offer yield or lower fees, they can also increase the risk that clients lose access to their assets if the custodian faces liquidity stress, credit problems, or legal claims.
The bulletin is blunt about worst‑case scenarios: if a third‑party custodian is hacked, suddenly halts operations, or enters bankruptcy, customers may find themselves locked out of their accounts with little recourse. The ranking of customer claims in insolvency proceedings, and the legal status of the held crypto, can be complex and uncertain, particularly given the rapidly evolving regulatory landscape around digital assets.
In light of these risks, the SEC encourages investors to ask custodians direct questions about both physical and cyber security measures. This could include how private keys are generated and stored, whether multi‑signature schemes are used, what protections exist against insider threats, and how access is logged and monitored. The bulletin also suggests asking whether customer data — not just assets — is shared or sold to third parties, raising separate concerns about privacy and identity theft.
Fees are another area where the agency sees potential for confusion or hidden costs. Crypto custody arrangements can involve annual asset‑based fees, trading commissions, transfer or withdrawal charges, and sometimes fees for opening or closing accounts. The SEC’s message is that these costs can significantly erode returns, particularly for smaller investors, and should be clearly understood before choosing where and how to hold crypto.
The timing of the guidance is not accidental. In recent years, several high‑profile crypto exchanges and custody providers have collapsed or frozen user withdrawals, leaving customers unable to access their holdings for extended periods or losing them altogether. These episodes have illustrated, in real terms, the difference between owning crypto in theory and being able to actually control or transfer it in practice.
For retail investors, the bulletin implicitly raises a broader question: whether they are prepared to take on the responsibilities that come with true self‑custody, or whether they are more comfortable outsourcing that responsibility — and accepting the associated counterparty risk — to an institution. Neither choice is risk‑free; the crucial point is that the risks are different, and investors must understand which ones they are accepting.
In practical terms, the guidance suggests that new investors start by mapping out their priorities: Are they planning to trade actively, or hold assets for the long term? How much technical complexity are they comfortable with? Do they have a safe way to store seed phrases and backup information offline? These questions can help determine whether a hot wallet, a hardware wallet, a third‑party custodian, or some combination of solutions makes the most sense.
The SEC’s bulletin also implicitly underscores the importance of diversification, not only across assets but across custody arrangements. Keeping all holdings in a single exchange account or relying on one device can concentrate risk. Some investors may choose to keep a small amount in a hot wallet for day‑to‑day use, while storing the bulk of their holdings in more secure cold storage, whether self‑managed or via a reputable custodian.
Another theme threaded through the guidance is the need for ongoing vigilance. Crypto platforms, legal frameworks, and security threats are evolving quickly. What appears safe today may be exposed tomorrow by a newly discovered vulnerability, regulatory change, or business failure. The agency’s message is that custody decisions should be reviewed periodically, not set once and forgotten.
Finally, the bulletin serves as a reminder that the promise of digital assets — speed, decentralization, and global accessibility — comes with a corresponding responsibility on the part of the user. With greater control come fewer safety nets. The SEC is not telling investors to avoid crypto altogether, but it is clearly signaling that a basic understanding of wallets, keys, and custodians is no longer optional for anyone considering exposure to this asset class.

