What is bitcoin custody?

Bitcoin custody is the secure storage and management of private keys that control access to Bitcoin. Options range from self-custody hardware wallets to institutional solutions like Onramp's multi-institution custody model.

What is multi-institution custody?

Multi-institution custody distributes Bitcoin private keys across multiple independent, regulated entities using 2-of-3 multisig. No single institution can access your funds alone, eliminating single points of failure.

Why is multi-institution custody safer?

Unlike single-custodian models, multi-institution custody ensures no single entity controls your Bitcoin. Onramp's model uses 2-of-3 multisig with Lloyd's of London insurance and manages over $1B in assets under custody.

What is Multi-Institution Custody?

Multi-Institution Custody is Onramp's proprietary model where a client's Bitcoin holdings are distributed across multiple regulated custodians simultaneously, rather than concentrated at a single institution. Each custodian holds a portion of the client's total Bitcoin, so no single breach, insolvency, or operational failure can compromise the entire allocation. Onramp pioneered this model and now holds $1B+ in Bitcoin across 4 regulated custodians globally.

How is Multi-Institution Custody different from single-custodian storage?

Single-custodian storage creates a concentrated risk: if that custodian is hacked, becomes insolvent, or faces regulatory seizure, all client assets are at risk simultaneously — as seen in the FTX and Celsius collapses. Multi-Institution Custody eliminates this single point of failure by distributing assets across multiple independent institutions operating under different regulatory regimes. Onramp adds a $100M Lloyd's of London insurance facility as an additional layer of protection.

Why did Onramp develop Multi-Institution Custody?

Onramp developed Multi-Institution Custody in response to the systemic risks exposed by high-profile crypto custodian failures, where clients lost billions because all assets were held at a single institution. The model applies the same risk diversification principles that traditional finance uses for bank deposits — no single exposure that can wipe out everything. Onramp holds $1B+ under this model across 4 regulated custodians with a $100M Lloyd's of London insurance facility.

Multi-Institution Custody Explained

Brian Cubellis | Chief Strategy Officer

Feb 12, 2025

Read the full report here

Multi-Institution Custody Explained: Key Generation, Management, and the Path to Unparalleled Bitcoin Security

Multi-Institution Custody (MIC) is the institutional standard for Bitcoin security, combining cryptographic sharding, distributed control, and quorum-based approval to deliver a level of resilience that no single-custodian model can match. To understand why MIC represents such a significant advance, it helps to examine how it actually works at each stage of the key lifecycle: from the moment a private key is generated to the moment a transaction is broadcast to the Bitcoin network.

Each private key in an MIC arrangement is divided into multiple cryptographic shards. Access and control are distributed across different individuals and institutions, ensuring that no single institution, and not even a single individual within an institution, can control or reconstruct a key unilaterally. The process begins with client authorization, proceeds through video-verified coordination between institutions, secure key reconstruction from shards in offline environments, and quorum-based signing requiring approval from at least two of the three institutions. What follows is a detailed explanation of how these practices collectively set the standard for institutional Bitcoin custody.

The Foundation: Institutional Key Generation

The security of Bitcoin custody begins with how private keys are generated. A compromised key generation process can undermine every security measure that follows, which is why institutional-grade key generation is designed to eliminate vulnerabilities from the very first step.

Air-Gapped Environments and Cryptographic Rigor

Institutional-grade key generation begins in secure, air-gapped environments that are completely isolated from internet-based threats. This eliminates the risk of key exposure to external attacks during creation. High entropy and cryptographic rigor are employed to ensure that keys are truly random and resistant to compromise. These processes adhere to strict security protocols, ensuring that every key is generated with the highest level of randomness and integrity.

Importantly, institutional-grade key generation does not rely on traditional seed phrase generation. Unlike individual wallets that produce a 12- or 24-word seed phrase as a single recovery mechanism, institutional custody solutions use advanced cryptographic sharding. The difference matters: a seed phrase is a single centralized recovery mechanism that becomes a vulnerability if exposed or lost. Sharding eliminates that centralization entirely.

Sharding for Redundancy

Sharding is the process of dividing a private key into multiple cryptographic components, distributing those components across various parties, and requiring a minimum number of shards to reconstruct the full key. Each of the private keys required in the MIC quorum is split into multiple shards, distributed across parties in ways that ensure separation of responsibilities and mitigate the risk of compromise.

The effect is significant: no single individual can reconstruct a full private key from their shard alone. Even if a single shard is compromised, the key remains secure, because reconstruction requires combining a sufficient number of shards held by separate parties. By removing the need for a centralized recovery mechanism, sharding inherently increases security and resilience and significantly reduces single points of failure at the individual level before the institutional level of security even comes into play.

Avoiding HSM Vulnerabilities

While Hardware Security Modules (HSMs) are traditionally used for secure key generation, storage, and access, some MIC arrangements, including Onramp's core product, intentionally forgo HSMs to avoid potential weaknesses associated with their use in hot signing scenarios. Instead, these solutions leverage cryptographically verified offline processes to ensure tamper-resistant environments for key management. By combining air-gapped environments, sharding, and institutional-grade cryptographic rigor, MIC establishes a key generation foundation that is resilient against both physical and digital threats.

The Quorum of Quorums: Multi-Institution Key Management

Key management is where MIC's security architecture becomes most sophisticated. The framework uses what can be described as a "quorum of quorums" approach: security is distributed both across and within multiple independent institutions, creating a dual-layer structure that makes unauthorized access extraordinarily difficult to achieve.

How the Dual-Layer Quorum Works

Three independent institutions each hold a private key. Each private key is further divided into cryptographic shards held by distinct individuals within that institution. To execute a transaction, a 2-of-3 quorum approval is required among the three institutions. But before any institution can contribute its signature, it must first reconstruct its private key from its own m-of-n shards held by multiple individuals internally. This means a successful transaction requires not just two institutions cooperating at the top level, but sufficient individuals within each institution cooperating internally to reconstruct that institution's key.

The result is a structure where collusion would require coordinating across multiple individuals within multiple independent institutions simultaneously, a practical impossibility under any realistic threat model. No single entity can unilaterally access or approve a transaction.

Distributed Security Architecture

The distributed nature of MIC reinforces security at every level. Cryptographic shards of each private key are stored across multiple parties rather than concentrated in one location, eliminating the vulnerabilities of centralized custody. These keys are never exposed to external networks during reconstruction and signing. Each institution operates independently with no overlapping dependencies, eliminating the risk of collusion or insider threats. Key holding institutions are carefully selected based on distinct expertise: Onramp's partnership with CoinCover, for instance, leverages CoinCover's specialized focus on disaster recovery and real-time transaction monitoring. The distributed approach also provides geographic redundancy, ensuring that natural disasters or localized failures cannot compromise the overall custody arrangement.

"The quorum of quorums structure means that authorizing a transaction requires sufficient individuals within each institution to reconstruct that institution's key, then sufficient institutions across the quorum to sign. This dual-layer structure makes collusion practically impossible."

The Transaction Approval Process

The process for authorizing a Bitcoin withdrawal under MIC reflects its layered security design at every step.

• Video Verification: Before any key reconstruction begins, each institution in the MIC quorum must complete its own video verification process to confirm the transaction request is legitimate. A minimum of two of the three institutions must complete their verification procedures before fund movement can proceed. This ensures operational transparency and serves as a safeguard against unauthorized access at the human level.

• Shard Reconstruction: Once video verification is complete, each institution reconstructs its private key from its shards in a secure, offline environment. The private key never touches an internet-connected device during this process, ensuring it is never exposed to external threats.

• Quorum-Based Signing: The reconstructed private key is used to sign the transaction in a controlled, air-gapped environment. At least two of the three institutions must approve and sign the transaction before it proceeds, as required by the 2-of-3 multisig structure.

• PSBT Workflow: Transactions are constructed using the Partially Signed Bitcoin Transaction format (PSBT; BIP-174), which allows each key-holding institution to independently add its signature to the transaction before the signatures are combined and the transaction is broadcast to the Bitcoin network.

This multi-layered process ensures that every transaction is executed securely and only with the explicit approval of multiple individuals within each institution as well as across multiple independent institutions.

Qualified Custodians and SOC 2 Compliance

The technical architecture of MIC is reinforced by the regulatory and operational standards of the institutions that participate in it.

Qualified Custodians

Qualified Custodians are legally recognized entities with specific fiduciary duties to their clients. These duties require them to maintain strict controls over the segregation and protection of client assets, insulating those assets from potential claims associated with the custodian's own business operations. Key safeguards include asset segregation from the custodian's balance sheet, fiduciary obligations to act in the client's best interest, and insurance coverage providing additional protection against theft, loss, or operational failure.

SOC 2 Compliance

SOC 2 compliance is a rigorous certification ensuring custodians adhere to the highest standards across security, availability, processing integrity, confidentiality, and privacy. It requires independent third-party audits that assess whether custodians maintain industry-leading standards, implementation of advanced cybersecurity measures protecting key management systems, procedures ensuring availability and continuity even under disruptions, and strict controls over data handling and storage. Through Qualified Custodian status and SOC 2 compliance, MIC provides a custody solution that is secure, dependable, and transparent, meeting and exceeding the regulatory requirements that institutional capital demands.

The Institutional Key Holders

The institutions that participate in Onramp's MIC architecture bring proven capabilities and track records in institutional Bitcoin custody.

BitGo

BitGo is a pioneer in multisignature technology and a leader in institutional-grade custody solutions, managing over $100 billion in digital assets for financial institutions, cryptocurrency exchanges, and large enterprises worldwide. Their advanced multisignature systems distribute signing authority across multiple independent parties, and their Qualified Custodian status means adherence to SOC 2 compliance and stringent regulatory standards.

CoinCover

CoinCover is renowned for disaster recovery and secure key management solutions, serving clients from cryptocurrency startups to large financial institutions. Their specialized focus on recovery means that clients benefit from a partner explicitly designed to ensure continuity of access. CoinCover employs real-time monitoring and alerts to detect and prevent unauthorized transactions, and advanced cryptographic tools to protect private keys.

Tetra Trust

Tetra Trust is Canada's first regulated digital asset custodian, providing custody services for institutions and high-net-worth individuals across financial institutions, asset managers, and corporate treasuries. Their distributed storage approach uses geographically dispersed vaults to store private key shards, providing resilience against physical threats or localized failures, backed by regular audits and updates maintaining the highest levels of security and reliability.

"BitGo, CoinCover, and Tetra Trust represent the institutional best practice for key generation, distributed key management, and disaster recovery. Each contributes distinct expertise to a custody framework designed to eliminate single points of failure at every level."

Addressing Common Misconceptions

The Collusion Concern

A common misconception about MIC is that it requires only two individuals, one at each of at least two participating institutions, to collude for the system to be compromised. This oversimplification ignores the sophisticated structure of sharding and quorum-based management that makes such collusion practically impossible.

Collusion at the institutional level would require obtaining sufficient shards from multiple individuals within at least two institutions simultaneously, in an environment where those individuals operate under strict security protocols, are subject to regular audits, and have no awareness of each other's shard holdings. MIC's distributed nature and cryptographic protections ensure that even in the unlikely event of attempted collusion, client assets remain secure.

Continuous Improvement

MIC is not a static architecture. Regular audits, compliance checks, and updates to cryptographic standards ensure that the framework remains at the cutting edge of security practices. The architecture allows for adjustments and expansions as client needs grow, ensuring the system remains robust and resilient against emerging threats.

Why MIC Is the New Standard

The combination of institutional-grade key generation, cryptographic sharding, and distributed key management addresses vulnerabilities at every stage of the key lifecycle while delivering a level of operational robustness that meets the needs of institutions and high-net-worth individuals managing significant Bitcoin holdings.

Institutional-grade key generation creates private keys in offline, air-gapped environments using high-entropy processes. Sharding splits those keys into cryptographic components stored in separate, geographically distributed, secure facilities. Quorum-based management requires 2-of-3 approval across independent institutions, with each institution reconstructing its key shards offline before signing. Together, these practices minimize risks from external attacks and operational failures simultaneously, providing a level of security and redundancy that no single-custodian model can replicate.

Bitcoin is here to stay. The custody model designed to serve the needs of institutional capital allocators and high-net-worth investors must provide security, inheritance planning, and seamless financial services integration without introducing the centralized counterparty risk that defeats the purpose of holding Bitcoin in the first place. Multi-Institution Custody is that model. Onramp's implementation of MIC, with keys held across Onramp, BitGo, and CoinCover, SOC 2 compliant controls, Lloyd's of London insurance coverage, and an integrated platform for estate planning, lending, and portfolio management, represents the institutional standard that Bitcoin's role in the global financial system demands.