Regulators warn: the choice between self-custody and third parties defines your crypto risk
The U.S. Securities and Exchange Commission has released a new educational guide that clarifies one of the fundamental dilemmas of cryptocurrency investing: controlling your own keys or delegating that responsibility to third parties. The SEC bulletin emphasizes a principle that industry veterans already know well — “not your keys, not your coins” — but which deserves to be understood in detail by novice investors.
The key mechanism: understanding the difference between public and private
Every crypto wallet operates with a two-key system. The private key is the critical element: a randomly generated alphanumeric code that functions as the master password to authorize any movement of assets. Unlike traditional bank accounts, this key cannot be recovered, reset, or changed after creation. “If you lose your private key, you permanently lose access to the crypto assets stored in that wallet,” warns the SEC guide.
The public key, in turn, plays a complementary but entirely different role: it allows others to identify your wallet and send you funds, but never authorizes spending. It’s the equivalent of an email address — everyone can know it, but no one can access your mailbox without the password.
Many platforms generate a seed phrase that functions as a backup to restore access if the device is lost or damaged. However, the responsibility to keep this phrase in a secure location falls entirely on the user.
Hot wallets versus cold wallets: the choice shapes security
The SEC distinguishes two main storage approaches. Hot wallets remain connected to the internet, enabling quick transactions but exposing them to cyberattacks. Cold wallets store keys on disconnected physical devices, offering a higher layer of protection but with slower access.
For those who choose to manage their own keys — the self-custody scenario — security depends solely on personal practices: secure storage of the seed phrase, protection against malware, redundant backups.
When to trust third parties: the implicit risks of delegated custody
Custody through third parties (exchanges, specialized platforms, or asset management services) transfers responsibility for the keys to an external entity. The SEC warns that investors in this situation face distinct risks. If the custodian is hit by a hacking attack, ceases operations, or declares bankruptcy, access to funds can be blocked or permanently lost.
The regulator recommends that investors conduct diligent research: which assets each custodian accepts, whether they offer insurance coverage against theft, what security protocols they implement, and whether they sell customer data. Some institutions practice rehypothecation — using deposited assets as collateral for loans — which increases exposure risk in case of bankruptcy.
Cost structure and losses: beyond the apparent fee
The SEC emphasizes that delegated custody involves multiple layers of costs: annual fees calculated on assets under management, transaction commissions, charges for transferring assets, and account opening and closing fees. The total cost often exceeds what an investor would assume when managing their own wallet.
The underlying principle: “not your keys, not your coins”
This guide reinforces a well-established truth: those who do not control private keys do not truly control the assets. Whether due to losing a private key in a self-custody scenario or the collapse of the custodian in a third-party arrangement, the risk of permanent loss is real in both scenarios. The choice is not between perfect security and risk, but between different risk profiles and responsibilities.