What is the Safest Way to Custody Bitcoin? The Proof of Ownership Standard
Brian Cubellis | Chief Strategy Officer
May 27, 2026
The safest way to custody Bitcoin through a third party requires four conditions: assets held in a dedicated on-chain vault never commingled with platform balances; legal title held by the holder or a bankruptcy-remote entity; deterministic on-chain verification at any moment; and distributed key control across independent regulated institutions so that no single party can move the assets unilaterally. This is the Proof of Ownership standard. Self-custody achieves it through holder operational responsibility. For holders unwilling or unable to manage hardware and keys directly, Onramp's Multi-Institution Custody implements the standard architecturally, distributing keys across three independent institutions in a 2-of-3 quorum.
This article explains the four conditions, why single-custodian arrangements fail the test regardless of how rigorous their disclosures are, the two architectures that pass it, and how to evaluate which approach fits a given holder profile.
The four conditions
The Proof of Ownership standard requires four structural properties of the custody arrangement itself, not of the disclosures published about it.
1. Segregation
The holder's bitcoin sits in a dedicated on-chain address (or vault) that contains only that holder's assets, never commingled with platform balances or other holders' balances. The address is verifiable on any block explorer. Segregation is what allows on-chain proof of who owns what; without it, the question of asset ownership becomes a question about internal records that may not survive a custodian's failure.
2. Legal title
The assets are held in a legal structure where title rests with the holder or with a bankruptcy-remote entity acting solely on the holder's behalf. The assets are not the property of the platform's general estate and would not be available to the platform's creditors in bankruptcy. This is the property that was tested and found wanting in the January 2023 Celsius Earn ruling, where the court held that customer assets had become the property of the Celsius estate under the program's legal structure.
3. Deterministic verification
The custody status is verifiable against the blockchain at any moment, by anyone, without depending on the custodian's cooperation or on a snapshot-based attestation. The block explorer contains the proof. The holder does not have to wait for a monthly Proof of Reserves to know whether the assets are still in the expected vault; the on-chain state can be checked continuously.
4. Distributed control
The keys required to move the assets are held across at least three independent regulated institutions in a quorum structure (typically 2-of-3 multi-signature). No single party, including no single compromised interface presented to multiple signers from the same organization, can move the assets unilaterally. The failure or compromise of any one institution does not result in loss.
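One way to check conditions 3 and 4 independently, as an added example (not Onramp's code or tooling): parse a vault's spending script, confirm it is a 2-of-3 over the three keyholders' published public keys, and confirm it hashes to the output script seen on-chain. It assumes a P2WSH vault with a bare OP_CHECKMULTISIG witness script, which the page does not specify; the function names and sample keys are constructed for illustration.

```python
import hashlib

OP_CHECKMULTISIG = 0xAE

def build_multisig(m, keys):
    """Serialize `m <key1>..<keyn> n OP_CHECKMULTISIG` (33-byte compressed keys)."""
    pushes = b"".join(b"\x21" + k for k in keys)
    return bytes([0x50 + m]) + pushes + bytes([0x50 + len(keys), OP_CHECKMULTISIG])

def parse_multisig(script):
    """Return (m, keys) for a bare multisig script, or raise ValueError."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG script")
    m, n = script[0] - 0x50, script[-2] - 0x50  # OP_1..OP_16 encode as 0x51..0x60
    if not 1 <= m <= n <= 16:
        raise ValueError("invalid m-of-n threshold")
    keys, i = [], 1
    while i < len(script) - 2:
        if script[i] != 0x21 or script[i + 1] not in (2, 3):
            raise ValueError("expected a 33-byte compressed public key push")
        keys.append(script[i + 1:i + 34])
        i += 34
    if i != len(script) - 2 or len(keys) != n:
        raise ValueError("key count does not match n")
    return m, keys

def check_vault(witness_script, expected_keys, script_pubkey_hex):
    """List the reasons the vault is not a 2-of-3 over exactly expected_keys."""
    m, keys = parse_multisig(witness_script)
    problems = []
    if (m, len(keys)) != (2, 3):
        problems.append(f"quorum is {m}-of-{len(keys)}, not 2-of-3")
    if len(set(keys)) != len(keys):
        problems.append("duplicate key: one signer fills two slots")
    if set(keys) != set(expected_keys):
        problems.append("keys differ from the keyholders' published keys")
    # P2WSH output script: OP_0, then a 32-byte push of SHA-256(witness script)
    spk = b"\x00\x20" + hashlib.sha256(witness_script).digest()
    if spk.hex() != script_pubkey_hex.lower():
        problems.append("script does not hash to the on-chain scriptPubKey")
    return problems

# Constructed placeholder keys (not real keyholder keys, not valid curve points)
KEYS = [bytes([2]) + bytes([i]) * 32 for i in (0x11, 0x22, 0x33)]
VAULT_SCRIPT = build_multisig(2, KEYS)
VAULT_SPK = "0020" + hashlib.sha256(VAULT_SCRIPT).hexdigest()

if __name__ == "__main__":
    print(check_vault(VAULT_SCRIPT, KEYS, VAULT_SPK))
    print(check_vault(build_multisig(1, KEYS), KEYS, VAULT_SPK))
```

In a real check the scriptPubKey would come from the holder's own node or a block explorer, and the public keys from each keyholder through a separate channel.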
Why single-custodian custody fails the test
The custody arrangements that have failed most consequentially over the last fifteen years have been single-custodian arrangements, regardless of how rigorously they disclosed reserves. The structural problem is that a single custodian, no matter how operationally sophisticated, is a single party that can be compromised, coerced, mistaken, or insolvent, and the safeguards a single custodian implements internally cannot, by construction, eliminate the dependency on that single party. Mt. Gox, FTX, Celsius, BlockFi, Genesis, QuadrigaCX, DMM Bitcoin, WazirX, Phemex, and Bybit were all single-custodian or single-organizational-line custody arrangements. For the full case set, see Why Proof of Reserves Didn't Prevent Major Bitcoin Exchange Hacks.
A particularly important contemporary case is the spot Bitcoin ETF complex. Approximately 80% of US spot Bitcoin ETF assets sit at a single custodian (Coinbase Custody). The custodian is regulated, audited, and operationally sophisticated. None of those properties addresses the structural question: in a scenario where that custodian itself becomes unable to operate, through regulatory action, insolvency, internal failure, or external attack, what happens to 80% of the ETF complex's underlying assets simultaneously?
A custody standard worth its name has to be evaluated against this kind of structural risk, not against the rigorousness of the custodian's disclosures.
The two architectures that pass the test
Self-custody
Self-custody, in which the holder personally controls hardware wallets, manages seed phrases, and signs every transaction, satisfies the Proof of Ownership standard fully when implemented correctly. The holder owns the keys, the assets are segregated by definition, the legal title is unambiguous, and the verification against the chain is direct.
The tradeoff is that the holder bears all the operational responsibility, all the security risk (including physical threat models and human-error risks), and all the inheritance complexity. For some holders (those with the technical inclination, time, and operational discipline), this is the right choice. For most institutional and high-net-worth holders, the operational burden is impractical and the human-error risk is unacceptable.
Common implementations of self-custody at the higher end include hardware-wallet-based personal multisig (Sparrow, Specter, Bitcoin Core with PSBT workflows), collaborative-custody products that pair holder-controlled keys with one or more institutional keys (Unchained, Casa), and dedicated personal security operations for very large positions. Each of these is a credible implementation; the question is whether the holder has the bandwidth and discipline to operate it.
Multi-Institution Custody
Multi-Institution Custody (MIC) is an architectural implementation of the Proof of Ownership standard that distributes key control across independent regulated institutions, with no operational burden on the holder.
The Onramp implementation uses a 2-of-3 multi-signature quorum across three independent regulated institutions. The default configuration is Onramp, BitGo Trust, and CoinCover. For some account types, Tetra Trust is available as an additional keyholder option for further jurisdictional diversification. Tetra Trust is not available for the Onramp Bitcoin IRA product.
How MIC satisfies each condition:
- Segregation: Each holder's bitcoin sits in a dedicated on-chain vault verifiable on any block explorer.
- Legal title: The custody structure holds assets on behalf of the client in a way that they are not part of any keyholder's general estate.
- Deterministic verification: Anyone can verify the on-chain status of the vault at any time.
- Distributed control: Each of the three keyholders independently runs its own infrastructure and conducts its own verification of large transactions. Large withdrawals require the client to independently appear at a second institution and verify the destination through a separate channel, breaking the single-interface dependency that allowed the Bybit hack and similar 2024-2025 failures.
A separate Onramp product, Onramp Finance, provides single-custodian custody with BitGo Trust for the brokerage and banking features (buying Bitcoin, yield, lending, the rewards card), with an upgrade path to full Multi-Institution Custody. Onramp Finance is the financial-services layer; the core MIC product is the architectural implementation of the Proof of Ownership standard.
Collaborative custody (related, partial)
Collaborative custody products (Unchained, Casa) sit between fully self-custodied and fully institutional approaches. They distribute keys across the holder and one or more institutional partners, typically in a 2-of-3 structure where the holder controls two keys and an institution controls the third. The holder retains key participation and operational responsibility for managing hardware; the institution provides backup, recovery, and signing assistance.
Collaborative custody satisfies several of the four conditions (segregation, legal title, deterministic verification) and partially satisfies distributed control (the holder is one of the institutions, in effect). The tradeoff is the operational burden: the holder retains responsibility for hardware-wallet management and at-rest key security, and the recovery operations require the holder's active participation.
Holder-profile considerations
The right choice depends on the holder's profile, position size, and operational appetite.
Individual high-net-worth holder
For an individual holder with a significant Bitcoin position (typically $250K or more), the choice is usually between collaborative custody and Multi-Institution Custody. Self-custody alone is rarely the right choice at this position size because the human-error and physical-threat models become non-trivial.
Family office and multi-generational wealth
For family offices and holders thinking about multi-generational transfer, the structural conditions become more important. Multi-Institution Custody handles inheritance more cleanly than self-custody arrangements because the keyholder institutions persist across generations and the operational handoff to heirs does not depend on the prior holder having documented every aspect of the custody.
RIA and fiduciary
For RIAs and fiduciaries acting on behalf of clients, the architectural questions intersect with fiduciary duty. A fiduciary recommending custody has to be able to defend the recommendation on structural grounds, not just on the rigorousness of the custodian's disclosures. Multi-Institution Custody is structurally defensible in a way that single-custodian arrangements (regardless of their PoR programs) are not.
Corporate treasury
For corporate treasurers holding Bitcoin as a balance-sheet asset, the auditability and continuity properties of the custody matter more than the disclosure regime. Multi-Institution Custody provides both the architectural separation that auditors and boards increasingly expect and the operational continuity properties that make Bitcoin treasury management compatible with standard treasury risk frameworks.
IRA and qualified-account context
For Bitcoin held in an IRA or other qualified account, the custody arrangement has to satisfy the regulatory requirements of the account type in addition to the structural conditions. Onramp's Bitcoin IRA uses the default Multi-Institution Custody configuration (Onramp, BitGo Trust, CoinCover) in a 2-of-3 quorum. Tetra Trust is not available as a keyholder for the IRA.
How to evaluate a custodian against the standard
For any custodian under consideration, the four questions to ask:
- Segregation: Are the holder's assets in a dedicated on-chain address, verifiable on a block explorer, and never commingled with platform balances or other clients' balances?
- Legal title: Who would own the assets in a custodian-bankruptcy scenario: the holder, a bankruptcy-remote entity, or the custodian's estate?
- Verification: Can the holder (or anyone) verify the custody status against the chain at any moment, or only through periodic attestations published by the custodian?
- Control distribution: How many independent institutions hold keys? Do they operate independent infrastructure and independent signing flows? What happens if any one of them is compromised, coerced, or unable to operate?
A custodian that cannot answer all four affirmatively is not implementing the Proof of Ownership standard. That may still be an acceptable choice for some holders and some position sizes. It is not the safest available choice for safekeeping value over time.
The bottom line
Safety in Bitcoin custody is an architectural property, not a disclosure property. The custodians whose disclosures are most rigorous are not, on that basis alone, the custodians whose architectures are most resilient. The four conditions of the Proof of Ownership standard (segregation, legal title, deterministic verification, distributed control) describe what the architecture has to satisfy regardless of how the disclosures are reported. For the full case set and the technical specification of the standard, see The Proof of Reserves Illusion.
If you're evaluating Bitcoin custody for a position size that warrants institutional-grade safekeeping, schedule a consultation with Onramp to discuss how Multi-Institution Custody implements the Proof of Ownership standard. To open an account, sign up here.