Satoshi Institute page hero background
Policy Template · Treasury v2

Bitcoin Custody Policy Template for Corporate Treasuries

An editable custody policy template covering custodian selection, key-management, segregation of duties, insurance, and incident response.

Back to the pillar

Custody is the single most-scrutinized section in any external audit of a Bitcoin treasury program. This template structures the policy the way an auditor reads it: counterparty, controls, contingency.

Scope and definitions

Defines 'Digital Asset', 'Qualified Custodian', 'Authorized Signer', and 'Material Event' for purposes of this policy. Applies to all Bitcoin held on the Company's balance sheet, regardless of acquiring entity within the corporate group.

Custodian selection criteria

  • Regulated as a trust company, qualified custodian, or equivalent in its home jurisdiction
  • Current SOC-2 Type II report covering the asset-custody control environment
  • Segregated, on-chain-attestable holdings (no commingled omnibus structures)
  • Documented disaster-recovery and key-ceremony procedures
  • Independent insurance coverage with minimum thresholds defined by risk

Key management

All withdrawals require a quorum of named Authorized Signers under a multi-signature scheme. No single Authorized Signer may unilaterally initiate, approve, and execute a withdrawal. Signer changes require Audit Committee notification within five business days.

Segregation of duties

Initiation, approval, and reconciliation responsibilities are split across three functional roles. The same individual may not perform more than one role in any single transaction lifecycle.

Transaction authorization

  • Transactions ≤ Tier 1 threshold: CFO or Treasurer approval
  • Transactions ≤ Tier 2 threshold: CFO and one additional officer
  • Transactions > Tier 2 threshold: prior Audit Committee approval

Reconciliation

On-chain holdings reconciled to the sub-ledger no less than weekly. Variances investigated and resolved within two business days; unresolved variances escalated to the CFO and internal audit.

Incident response

Defined escalation path for suspected key compromise, custodian outage, or unauthorized transaction. Material events reported to the Audit Committee within 24 hours and disclosed per the Company's existing materiality framework.

Takeaway

An auditor will not test whether the policy reads well — they will test whether the controls described in it actually fired the last time someone touched a key.

Related articles

Continue the playbook

Pitch Deck

CFO Pitch Deck Outline for a Bitcoin Treasury Strategy

A 12-slide deck CFOs sign off on. Fiduciary framing, sized allocation band, stress survivability, and audit-ready disclosure — in that order.

Read article
Board Document

Board Resolution Template for a Bitcoin Treasury Allocation

Editable board resolution language defining thresholds, authorities, custody, and reporting for a governed Bitcoin treasury allocation.

Read article
Checklist

Bitcoin Treasury Governance Checklist for the Audit Committee

A 24-point pre-allocation governance checklist covering mandate, custody, accounting, stress response, disclosure, and reporting cadence.

Read article