Operational Due Diligence Assessment of Custody Providers

Context

A global multi-billion-dollar hedge fund preparing to expand its digital asset capabilities required an independent operational due diligence assessment of prospective tier-one custody providers to support internal decision-making and operational risk evaluation, as part of demonstrating a full risk process to its investors.

The client sought a structured due diligence process capable of assessing not only technical security controls, but also the broader operational maturity, governance standards, resilience measures, and infrastructure robustness of custodians operating in the digital asset sector. Given the evolving nature of the market, the exercise required distinguishing between technical capability and institutional readiness.

Appold was engaged to lead due diligence across multiple global custody providers and to provide independent analysis to support the client’s evaluation framework.

The client required a detailed assessment framework capable of evaluating:

  • Security architecture and key management controls

  • Operational resilience and incident response maturity

  • Governance structures and oversight mechanisms

  • Wallet infrastructure and transaction controls

  • Regulatory positioning and compliance frameworks

  • Third-party dependencies and concentration risks

  • Disaster recovery and business continuity capabilities

  • Audit readiness and external assurance processes

A further challenge was the lack of standardisation in disclosure practices across custody providers, with material differences in the depth, clarity, and technical specificity of information shared, necessitating additional validation and structured follow-up analysis.

Appold addressed this by designing and executing a bespoke custodian due diligence programme aligned with the client’s institutional risk framework. This included distributing detailed questionnaires to shortlisted providers; structuring assessments of security controls, wallet architecture, and operational processes; and reviewing governance arrangements, escalation pathways, and organisational controls. This was complemented by analysis of infrastructure resilience, redundancy, and dependency structures, alongside evaluation of audit processes, certifications, and assurance reporting.

Appold also identified concentration risks and control gaps, benchmarked providers against institutional governance expectations, and consolidated all findings into structured, decision-ready reporting for senior stakeholders, acting throughout as an independent analytical layer translating technical custody design considerations into clear operational and commercial risk insights.

Appold’s analysis enabled the client to:

  • Identify material differences in security implementation and governance maturity between providers

  • Assess the degree of alignment between vendor controls and institutional operational requirements

  • Evaluate resilience assumptions underpinning custody and transaction workflows

  • Strengthen internal understanding of digital asset custody risk considerations

  • Support internal governance and procurement decision-making with independently structured analysis

The process also highlighted broader market observations regarding the variability of disclosure standards and infrastructure maturity across the digital asset custody landscape. Following the engagement, the client advanced its evaluation process with a more robust understanding of the technical, operational, and governance implications of institutional digital asset custody.

Services

Project requirements:

  • Research & Analysis

  • Operational Due Diligence

Given the irreversible loss of funds that often results from the compromise of a private key, utilising a digital asset custodian without fully understanding their system and control environment is fraught with risks.

Institutions rightly expect digital asset custodians to demonstrate robust trust frameworks, stringent operational controls, effective technical safeguards, and resilient infrastructure comparable to those found in traditional banking models.

However, the technical complexities and nascent nature of the digital asset industry, with immature regulatory oversight and often opaque operational practices, mean that layered due diligence, such as that undertaken in this project, is essential to uncover the underlying realities behind commercial narratives and marketing claims, and allow for an informed choice when selecting a digital asset custodian.

Andy Price
Senior Associate
