The four operating themes
VARA's Version 2.0 Custody Rulebook is a long document, but the post-release supervisory commentary has surfaced four operating themes that explain most of the remediation work we see in the market:
- Key management as a documented architecture, not a vendor claim. The era of "we use a Tier-1 custody platform, here's their whitepaper" has closed. The custodian is expected to evidence the architecture as it operates — quorum policy, threshold signing, hot/warm/cold separation — under its own governance, not the vendor's.
- Segregation that survives a real reconciliation. Client asset segregation has always been a Custody-Rulebook fundamental. Version 2.0 raised the bar on the daily reconciliation discipline behind it, and on the second-line challenge of the reconciliation output.
- Withdrawal controls that defend against insider as well as external threat. The threat model has been broadened — both in the rulebook text and in supervisory commentary — to cover the insider-collusion and social-engineering scenarios that have driven most material incidents in recent years.
- Proof of reserves that is independently auditable, not vendor-asserted. The defensible posture today is a documented attestation framework with a named external attesting party, not a vendor-issued report posted to a public page.
1. Key management — the documented architecture standard
The Version 2.0 expectation on key management is that the custodian operates a documented separation between hot, warm and cold key environments, with explicit threshold and quorum policy on the cold tier. The architecture must be expressed in writing, owned by a named function inside the firm, and subject to independent challenge — not delegated to the vendor.
What good looks like in practice:
- A written Key Management Policy that names the cryptographic primitives in use, the threshold and quorum settings on each tier, and the rotation and re-keying cadence.
- A documented role-and-responsibility matrix for key holders, with conflicts management around dual-role concentration.
- A defined exception path for emergency access and break-glass procedures, with second-line review of every invocation after the fact.
- Annual independent assurance of the architecture — not just a SOC 2 report on the vendor, but a tailored review against the Custody Rulebook expectations as the supervisor reads them.
The recurring inspection finding in custody is not "the policy is missing." It is "the policy is not what the firm actually does."
2. Segregation — daily reconciliation under second-line challenge
Client asset segregation is the heart of the Custody Rulebook. Version 2.0 sharpened the operational discipline expected behind it: a daily reconciliation between on-chain holdings, internal ledger balances and client-statement balances; documented break-investigation; second-line challenge of the reconciliation output; and an escalation path that runs to the board for material breaks.
Most custodians we see have a reconciliation. Fewer have an evidenced second-line challenge of it. Inspection findings increasingly target the absence of evidenced challenge as a control failure in its own right — the equivalent posture you would expect from a regulated bank's CASS reconciliation under FCA expectations.
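An added illustration (not CASA's own tooling and not text from the rulebook) of the three-way daily reconciliation and the second-line sign-off described above: on-chain holdings, the internal ledger and the sum of client statements are compared per asset, every mismatch is a break, and breaks at or above a materiality threshold are routed to the board. All balances, thresholds and user ids are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Break:
    asset: str
    on_chain: Decimal
    ledger: Decimal
    client_total: Decimal
    largest_gap: Decimal
    route: str  # "board" for material breaks, otherwise "second_line"


def reconcile(on_chain, ledger, client_statements, materiality):
    """Compare on-chain, internal-ledger and client-statement balances per asset.

    Any mismatch between the three figures is a break. A break whose largest gap
    meets the asset's materiality threshold is routed to the board; every other
    break goes to second-line challenge.
    """
    breaks = []
    for asset in sorted(set(on_chain) | set(ledger) | set(client_statements)):
        chain = on_chain.get(asset, Decimal("0"))
        book = ledger.get(asset, Decimal("0"))
        clients = sum(client_statements.get(asset, {}).values(), Decimal("0"))
        if chain == book == clients:
            continue
        gap = max(abs(chain - book), abs(book - clients), abs(chain - clients))
        route = "board" if gap >= materiality.get(asset, Decimal("0")) else "second_line"
        breaks.append(Break(asset, chain, book, clients, gap, route))
    return breaks


def sign_off(breaks, preparer, reviewer):
    """Second-line challenge record: the reviewer must not be the first-line preparer."""
    if reviewer == preparer:
        raise ValueError("second-line reviewer must be independent of the preparer")
    return {"preparer": preparer, "reviewer": reviewer, "breaks": len(breaks),
            "board_items": [b.asset for b in breaks if b.route == "board"]}


# Constructed sample balances (assumptions for illustration, not real holdings)
ON_CHAIN = {"BTC": Decimal("10.5"), "ETH": Decimal("100"), "USDT": Decimal("1000000")}
LEDGER = {"BTC": Decimal("10.5"), "ETH": Decimal("100.3"), "USDT": Decimal("1000000")}
CLIENTS = {"BTC": {"A": Decimal("6"), "B": Decimal("4.5")},
           "ETH": {"A": Decimal("100")},
           "USDT": {"A": Decimal("600000"), "B": Decimal("402000")}}
MATERIALITY = {"BTC": Decimal("0.01"), "ETH": Decimal("1"), "USDT": Decimal("500")}

if __name__ == "__main__":
    found = reconcile(ON_CHAIN, LEDGER, CLIENTS, MATERIALITY)
    print(sign_off(found, preparer="ops-1", reviewer="risk-2"))
```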
3. Withdrawal controls — the post-incident threat model
The withdrawal-control expectations in Version 2.0 reflect the lessons of the past three years of industry incidents. Pure technical controls on a withdrawal request are no longer sufficient. The expectation now is a layered model:
- Pre-trade: customer instruction validated, address whitelisted, counterparty risk-assessed, sanctions and Travel Rule checks completed.
- In-flight: threshold-based human review on material withdrawals, with documented evidence of who reviewed and on what basis.
- Post-trade: reconciliation of intended vs effected, with a second-line review of pattern anomalies (geographic, behavioural, counterparty) on a defined cadence.
- Insider-threat: documented controls on dual-control invocation, segregation of duties between request approval and operational execution, and a defined response posture for social-engineering and credential-compromise scenarios.
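An added illustration (not CASA's own tooling and not text from the rulebook) of the layered withdrawal model above as a policy check: the pre-trade layer requires a whitelisted destination and completed screening, the in-flight layer requires threshold-based independent approval with execution staff barred from approving, and the post-trade layer compares intended against effected transfers. Thresholds, role names and addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy parameters (assumptions for illustration, not rulebook figures)
REVIEW_THRESHOLD_USD = 50_000          # one independent human reviewer at or above this
DUAL_CONTROL_THRESHOLD_USD = 250_000   # two independent reviewers at or above this
WHITELIST = {("client-A", "addr-constructed-1")}  # approved (client, destination) pairs
OPERATORS = {"ops-1", "ops-2"}         # execution role: may move funds, may not approve


@dataclass
class Withdrawal:
    client: str
    address: str
    amount_usd: int
    requested_by: str
    screening_done: bool               # sanctions and Travel Rule checks completed upstream
    approvals: list = field(default_factory=list)


def evaluate(w: Withdrawal):
    """Apply the pre-trade and in-flight layers; return ('release' or 'hold', reasons)."""
    reasons = []
    # Pre-trade: instruction must target a whitelisted address with screening complete
    if (w.client, w.address) not in WHITELIST:
        reasons.append("destination address not whitelisted for this client")
    if not w.screening_done:
        reasons.append("sanctions / Travel Rule checks not completed")
    # In-flight: threshold-based human review with segregation of duties
    if w.amount_usd >= DUAL_CONTROL_THRESHOLD_USD:
        required = 2
    elif w.amount_usd >= REVIEW_THRESHOLD_USD:
        required = 1
    else:
        required = 0
    # The requester cannot approve their own request, and operators cannot approve at all
    independent = {a for a in w.approvals if a != w.requested_by and a not in OPERATORS}
    if len(independent) < required:
        reasons.append(f"needs {required} independent approval(s), has {len(independent)}")
    return ("release" if not reasons else "hold", reasons)


def post_trade_breaks(intended: dict, effected: dict):
    """Post-trade: compare intended (ref -> (address, amount)) with what was effected."""
    return sorted(ref for ref in intended if intended[ref] != effected.get(ref))
```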
4. Proof of reserves — from vendor report to attestation framework
The Version 2.0 era is closing the window for "we use a vendor PoR tool, here's a public link" as a sufficient posture. The defensible position today is a documented attestation framework: a defined methodology, a named external attesting party with relevant expertise, a defined cadence, and a clear scope statement that the attestation can be measured against.
Practical implications:
- The methodology should be documented in writing, owned by the firm (not the attesting party), and reviewed at least annually by the second line.
- The scope of the attestation should match what is communicated externally — over-claiming is a marketing-and-communications violation as well as a custody one.
- The attesting party should be independent, suitably qualified, and named in the published attestation. "Anonymous" PoR is not a defensible posture.
- Material exceptions, qualifications and scope-limitations should be disclosed alongside the attestation, not buried in a footnote.
The five remediation items most custodians still owe their boards
- A refreshed Key Management Policy that names primitives, thresholds, quorums, rotation cadence and the exception path — owned by a named function and reviewed annually.
- A documented daily reconciliation pack with second-line challenge evidence, an escalation matrix and a board-reporting cadence on material breaks.
- A withdrawal-control architecture document that maps controls to threat model — including the insider-threat and social-engineering scenarios — with evidence of operation, not just policy.
- A Proof-of-Reserves Attestation Framework with a defined methodology, named external party, scope statement and disclosure standard.
- An annual Custody Rulebook self-assessment against the Version 2.0 evidence bar, run by the second line and challenged by internal audit, with the output presented to the board.
How CASA helps
We deliver post-Version 2.0 Custody Rulebook readiness in three productised forms:
- Custody Rulebook Diagnostic — a fixed-fee assessment against the Version 2.0 evidence bar, with a board-ready remediation plan.
- Compliance Framework Attestation — independent attestation of the firm's custody framework, suitable for board, regulator and counterparty distribution.
- Proof-of-Reserves Attestation Framework build — methodology, scope statement, attesting-party selection support, and disclosure-standard design.
Want a 30-minute call on where your custody framework sits against the Version 2.0 bar?
References: VARA Custody Rulebook (Version 2.0, May 2025); VARA Compliance and Risk Management Rulebook; FATF Recommendation 16; UAE PDPL.
This briefing is general commentary by CASA and does not constitute regulated legal, financial or investment advice. Firms should confirm specific positions with retained counsel and the relevant supervisory authority.