What makes RWA custody different from standard crypto custody?

Standard crypto custody treats all assets of the same contract address as equivalent. RWA custody must track individual asset identities (CUSIP/ISIN), maintain the link between on-chain token state and off-chain legal instruments, and enforce asset-specific compliance restrictions at the token level — not just the wallet level.

What are the three layers of RWA custody infrastructure?

The on-chain custody layer (wallet, key management, smart contract signing), the compliance and registry layer (investor identity, KYC/AML enforcement, transfer restriction logging, regulatory reporting), and the exchange and liquidity layer (secondary market connectivity, compliance metadata preservation across wallets).

Why is the compliance and registry layer where most RWA programs have gaps?

Most issuers focus on the token mechanics and underinvest in the registry infrastructure. When a non-compliant secondary market transfer occurs, discovering it requires tracing back through the registry state at the time of transfer. If that data was not captured, the program cannot prove compliance during regulatory examination.

What regulatory requirements apply to RWA custody in 2026?

MiCA (Europe) requires authorized custody arrangements with qualified custodians — crypto-native wallets do not qualify. The SEC requires qualified custodian status for investment advisors holding tokenized securities. FATF Travel Rule applies to RWA transfers above threshold, requiring originator and beneficiary data capture and transmission.

What should issuers evaluate in a custody partner for tokenized assets?

Asset type coverage (specific to your asset class, not generic), smart contract governance (who controls upgrade keys and via what process), off-chain data integration (NAV updates, corporate actions, interest accrual bridging), and audit trail support (point-in-time state reconstruction for regulatory examinations).

RWA Custody Solutions: What Tokenized Asset Issuers Need to Know in 2026

Tokenized real world assets (RWA) are moving from experiment to infrastructure. Treasuries, private credit, real estate, and commodities are being put on-chain at scale — and the institutions behind them are discovering that custody is the hardest part.

This guide covers what RWA issuers actually need from a custody solution in 2026: the structural requirements, the compliance implications, and the infrastructure gaps that are still catching teams off guard.

Why Standard Crypto Custody Falls Short for RWA

Most crypto custody solutions were built for fungible assets — BTC, ETH, stablecoins. RWAs break those assumptions in three critical ways:

Asset identity matters. A tokenized bond isn't interchangeable with another tokenized bond in the same wallet. Standard custody treats all assets of the same contract address as equivalent. RWA custody needs to track individual asset identities, CUSIP or ISIN links, and off-chain legal instrument references.
The off-chain paper still exists. Tokenization doesn't eliminate the underlying legal document — the prospectus, the deed of trust, the credit agreement. Custody for RWAs requires maintaining the link between on-chain token state and off-chain legal validity. When those get out of sync, you have a legal problem, not a technical one.
Compliance is asset-specific. An institutional investor holding tokenized private credit may have different transfer restrictions than one holding tokenized T-bills. Custody infrastructure needs to enforce those restrictions at the token level, not just at the wallet level.

The Three Layers of RWA Custody Infrastructure

Mature RWA custody operates across three distinct layers, each with its own requirements:

1. On-Chain Custody Layer

This is the wallet and key management infrastructure — multisig schemes, MPC wallets, HSM integration. The requirements here look similar to traditional crypto custody with one addition: the custody solution must support smart contract interaction, not just asset holding. RWA tokens frequently have onchain compliance logic (transfer restrictions, whitelists, lock-up enforcement) that requires the custodian to sign contract calls, not just send tokens.

Key questions to ask any on-chain custody provider for RWA:

Can they sign arbitrary contract calls on your behalf, or only native token transfers?
What's the key ceremony process for adding or removing authorized signers?
How do they handle upgradeable token contracts — do they re-review security on each upgrade?

2. Compliance and Registry Layer

This is where most RWA issuers have infrastructure gaps. The compliance layer sits between the on-chain custody and the off-chain legal reality. It needs to:

Maintain an investor registry that maps wallet addresses to verified KYC/AML identities
Enforce transfer restrictions (accredited investor status, jurisdiction eligibility, lock-up periods)
Log every transfer with the compliance context at the time of transfer — who approved it, what verification was current, what restriction category applied
Generate regulatory reports: 1099s, CAR (Consolidated Asset Report), FATF Travel Rule compliance

This is exactly what AndxOS compliance tracking addresses — giving issuers a real-time view of their investor registry state, transfer eligibility, and compliance event log without having to build a custom reporting stack.

3. Exchange and Liquidity Layer

Secondary market liquidity is what makes tokenized assets valuable beyond operational efficiency. But connecting RWAs to exchange infrastructure creates its own custody requirements:

Assets sent to exchange hot wallets need to maintain compliance metadata — a token that's locked up can't be traded even if it's sitting in an exchange wallet
Settlement timelines need to match the off-chain redemption or settlement process for the underlying asset
Exchange analytics need to track not just price and volume but compliance-relevant events: who bought, at what verification level, from which jurisdiction

The exchange analytics dashboard in AndxOS gives issuers visibility into secondary market activity with the compliance context attached — so you're not reconciling exchange data against your compliance registry manually.

Regulatory Positioning in 2026

The regulatory picture for RWA custody has clarified significantly over the past 18 months:

MiCA (Europe): Asset-referenced tokens and e-money tokens require authorized custody arrangements with qualified custodians. Issuers targeting European distribution need a MiCA-compliant custody partner — crypto-native wallets don't qualify.
SEC guidance (US): The "qualified custodian" requirement for investment advisors now clearly applies to tokenized securities. Self-custody of client assets by the issuer is not a viable structure for regulated issuers.
FATF Travel Rule: Global VASP compliance now includes RWA transfers above threshold. Your custody infrastructure needs to capture and transmit originator and beneficiary information for covered transfers.

The compliance burden isn't going away — it's shifting from paper to infrastructure. Issuers who build the right data capture now will spend less on retroactive remediation later.

What to Evaluate in a Custody Partner

When evaluating custody solutions for a tokenized asset program, these are the criteria that actually differentiate providers:

Asset Type Coverage

Does the custodian have experience with your specific asset class? Tokenized Treasuries and tokenized real estate have completely different operational profiles. Custody infrastructure built for one doesn't automatically work for the other. Ask for live customer references in your asset class.

Smart Contract Governance

Who controls the upgrade keys on your token contract? If the custodian controls them jointly with the issuer (common in institutional arrangements), what's the governance process for upgrades? This is a security and operational risk that's often underdiscussed.

Off-Chain Data Integration

Can the custody platform ingest off-chain data (NAV updates, corporate actions, interest accrual) and reflect those in on-chain token state? For debt instruments especially, the token needs to reflect the current economic value of the underlying — that requires custody infrastructure that bridges on-chain and off-chain data sources.

Reporting and Auditability

Your auditors will need to reconcile on-chain positions against off-chain legal records at a specific point in time. The custody platform needs to support point-in-time state reconstruction, not just current-state queries. Ask specifically whether they support historical position snapshots.

Common Infrastructure Mistakes

These are the patterns we see most often in RWA programs that run into operational problems:

Building compliance as a layer on top of custody instead of into it. If your custody infrastructure doesn't natively track compliance metadata, you'll be maintaining a separate compliance database and reconciling constantly. The reconciliation always breaks eventually.
Underestimating the investor registry problem. Most issuers focus on the token mechanics and underinvest in the registry infrastructure. When a secondary market transfer happens that's non-compliant, discovering it requires tracing back through the registry state at the time of transfer. If that data wasn't captured, you can't prove compliance.
Treating custody as a one-time setup. Token contracts get upgraded. Regulatory requirements change. Investor eligibility changes (a qualified investor may no longer be eligible). Custody infrastructure needs to be maintained actively, not installed and forgotten.
No process for key holder offboarding. Personnel turnover at custodians is real. Make sure you understand the key ceremony process for removing a compromised or departed signer — before you need it.

Building Your RWA Custody Stack

Most institutional RWA programs end up with a three-party custody arrangement:

Qualified custodian — holds assets and meets regulatory requirements (Anchorage, BitGo, Fireblocks with qualified custody licenses, or a traditional custodian with digital asset capabilities)
Compliance and registry layer — maintains investor eligibility, transfer restriction enforcement, and compliance event logging
Issuer operational platform — the interface for managing the token program, monitoring secondary market activity, and generating regulatory reports

The integration between these three layers is where operational risk concentrates. Data that lives in one layer needs to be accessible (in the right format, at the right time) to the other two. That's an infrastructure problem, not just a vendor selection problem.

AndxOS was built to be the operational layer in this stack — the platform where issuers manage their compliance state, track exchange activity, and generate the reports their legal and regulatory teams need, without building a custom data pipeline from scratch.

The Bottom Line

RWA custody in 2026 is not a solved problem. The on-chain custody piece has matured significantly — qualified custodians with MPC infrastructure and institutional-grade security are now available. The compliance layer and the exchange analytics layer are still where most programs have gaps.

If you're launching or scaling a tokenized asset program, the custody evaluation needs to start with the compliance and registry requirements, not the wallet technology. The wallet is the easy part. The audit trail that proves your investors were eligible at the time of every transfer — that's what determines whether your program survives its first regulatory examination.