
Bitcoin Custody Policy Template for Corporate Treasuries
An editable custody policy template covering custodian selection, key-management, segregation of duties, insurance, and incident response.
Custody is the single most-scrutinized section in any external audit of a Bitcoin treasury program. This template structures the policy the way an auditor reads it: counterparty, controls, contingency.
Scope and definitions
Defines 'Digital Asset', 'Qualified Custodian', 'Authorized Signer', and 'Material Event' for purposes of this policy. Applies to all Bitcoin held on the Company's balance sheet, regardless of acquiring entity within the corporate group.
Custodian selection criteria
- Regulated as a trust company, qualified custodian, or equivalent in its home jurisdiction
- Current SOC-2 Type II report covering the asset-custody control environment
- Segregated, on-chain-attestable holdings (no commingled omnibus structures)
- Documented disaster-recovery and key-ceremony procedures
- Independent insurance coverage with minimum thresholds defined by risk
Key management
All withdrawals require a quorum of named Authorized Signers under a multi-signature scheme. No single Authorized Signer may unilaterally initiate, approve, and execute a withdrawal. Signer changes require Audit Committee notification within five business days.
Segregation of duties
Initiation, approval, and reconciliation responsibilities are split across three functional roles. The same individual may not perform more than one role in any single transaction lifecycle.
Transaction authorization
- Transactions ≤ Tier 1 threshold: CFO or Treasurer approval
- Transactions ≤ Tier 2 threshold: CFO and one additional officer
- Transactions > Tier 2 threshold: prior Audit Committee approval
Reconciliation
On-chain holdings reconciled to the sub-ledger no less than weekly. Variances investigated and resolved within two business days; unresolved variances escalated to the CFO and internal audit.
Incident response
Defined escalation path for suspected key compromise, custodian outage, or unauthorized transaction. Material events reported to the Audit Committee within 24 hours and disclosed per the Company's existing materiality framework.
An auditor will not test whether the policy reads well — they will test whether the controls described in it actually fired the last time someone touched a key.
Continue the playbook
CFO Pitch Deck Outline for a Bitcoin Treasury Strategy
A 12-slide deck CFOs sign off on. Fiduciary framing, sized allocation band, stress survivability, and audit-ready disclosure — in that order.
Read articleBoard Resolution Template for a Bitcoin Treasury Allocation
Editable board resolution language defining thresholds, authorities, custody, and reporting for a governed Bitcoin treasury allocation.
Read articleBitcoin Treasury Governance Checklist for the Audit Committee
A 24-point pre-allocation governance checklist covering mandate, custody, accounting, stress response, disclosure, and reporting cadence.
Read article