As unclaimed property laws expand to cover digital assets, enterprises managing crypto wallets face a new category of compliance risk: dormant wallet exposure. A dormant wallet is any wallet address that holds a balance but has seen no owner-initiated activity for a defined period. Depending on jurisdiction, that inactivity can trigger legal obligations to attempt owner outreach, report the balance to state or regulatory authorities, and ultimately transfer the asset if the owner cannot be located. Enterprises that lack formal policies for inactive addresses are not just operationally exposed; they are increasingly legally exposed as well.
TL;DR
- Dormant wallet exposure is a growing compliance risk as unclaimed property laws formally extend to digital assets [sd13.senate.ca.gov][wipfli.com].
- Enterprises need written policies covering dormancy triggers, owner outreach, internal reporting, and custody continuity.
- The dormancy period varies by jurisdiction, but a three-year inactivity window is emerging as a common benchmark [fintechweekly.com][wipfli.com].
- Custody infrastructure matters: the ability to segregate, freeze, audit, and transfer dormant balances depends on how wallets are architected from day one.
- Institutions that treat dormancy policy as part of custody design rather than a compliance afterthought are better positioned for audits and regulatory scrutiny [broadridge.com].
About the Author: Cregis has operated enterprise-grade crypto custody infrastructure for nine years, serving 3,500+ businesses across 50+ countries and securing over $300 billion in transactions annually. This article draws on that operational depth and direct experience supporting institutional clients navigating compliance across multiple regulatory jurisdictions.
What Does "Dormant Wallet Exposure" Actually Mean for Enterprises?
Dormant wallet exposure is the operational and legal risk that arises when an enterprise holds digital assets in wallet addresses that have gone inactive, without a defined process for what happens next. For a payments provider, exchange, or corporate treasury, this is not a hypothetical: every unclaimed refund, failed withdrawal, or abandoned user balance is a potential liability.
The challenge is threefold:
- Identification: Most wallet infrastructure is not built to flag inactivity over time. Without proactive monitoring, dormant balances accumulate invisibly.
- Obligation: Unclaimed property law requires holders, not just owners, to act. The obligation sits with the enterprise [salestaxinstitute.com].
- Custody continuity: If the original wallet architecture cannot segregate or transfer dormant assets, compliance becomes structurally impossible.
Why Is This Becoming Urgent Right Now?
Regulatory momentum is the direct driver. Unclaimed property frameworks were built for bank accounts and securities. Regulators are now catching up with digital assets, and the pace has accelerated sharply.
Key developments:
- California passed legislation in 2025 allowing seizure of dormant crypto wallets after three years of inactivity, drawing significant attention from the industry [fintechweekly.com].
- SB 822 in California formally established that abandoned virtual currencies are handled equivalently to stocks, with unclaimed assets safeguarded by the State Controller's Office [sd13.senate.ca.gov].
- As of late April 2025, at least one additional state formally began recognizing virtual currency as reportable property, with a three-year dormancy period [wipfli.com].
- Multi-state audits of financial institutions for unclaimed property compliance are increasing, with material penalties for non-compliance [broadridge.com].
Enterprises that assumed digital assets sat outside unclaimed property law now need to revisit that assumption, jurisdiction by jurisdiction.
What Is the Standard Dormancy Period for Crypto Wallets?
Dormancy periods are set by jurisdiction, and they vary. However, a three-year inactivity window is emerging as the benchmark for digital assets across the jurisdictions that have acted so far [fintechweekly.com][wipfli.com]. This mirrors the approach taken for securities, which is deliberate: regulators are applying existing unclaimed property logic to a new asset class rather than building an entirely separate framework [sd13.senate.ca.gov].
The implication for enterprises is practical: any wallet that has not had owner-initiated activity within three years may be reportable, depending on where the enterprise operates and where the account holder is domiciled.
Key dormancy concepts every enterprise policy should define:
- What counts as "activity" (owner-initiated transactions only, or does system-generated activity count?)
- When the dormancy clock starts (last transaction date, last login, last owner communication)
- How dormancy is tracked across multi-chain or multi-token wallet architectures
- Whether different asset types within the same wallet trigger separate dormancy clocks
What Does a Sound Enterprise Policy for Dormant Wallets Look Like?
Building on the regulatory context above, the harder question is what an internal policy actually needs to contain. The following components reflect best practice for unclaimed property compliance programs in financial institutions [cuwebtraining.com][broadridge.com][bakertilly.com].
1. Dormancy Identification and Monitoring
- Automated flags for wallet addresses that exceed defined inactivity thresholds
- Periodic review cycles (quarterly or annual) to identify newly dormant balances
- Separate tracking for different asset types, since dormancy rules may vary by asset class
2. Owner Outreach (Due Diligence)
Before any balance is reported or transferred, enterprises must attempt to contact the owner [salestaxinstitute.com]. This typically includes:
- Written notice to the last known contact address
- A defined response window before the balance is reclassified
- Documentation of every outreach attempt for audit purposes
3. Internal Reporting and Escalation
- A designated compliance owner for unclaimed property
- Internal reporting cadence aligned to state filing deadlines
- Escalation paths for high-value dormant balances or balances in multiple jurisdictions
4. Escheatment Execution
Escheatment is the legal process of transferring unclaimed or abandoned property to the state after the dormancy period and due diligence requirements are met [witheisen.com]. For digital assets, this process is still being operationalized in most jurisdictions, but enterprises should be ready to:
- Convert digital assets to fiat at the point of transfer, if required by the receiving authority
- Maintain records of the original wallet address, asset type, and balance at time of transfer
- Retain audit trails for a minimum period as required by applicable law
5. Custody Continuity
This is the component most enterprises underestimate. Custody continuity means the infrastructure can still access, segregate, and transfer a dormant balance years after the wallet was created, even if the original user no longer exists in the system, even if the platform has been upgraded, and even if the relevant network has undergone changes.
How Does Wallet Architecture Affect Dormancy Compliance?
Stepping back from the policy detail, a separate concern is whether the underlying wallet infrastructure can actually support these obligations. Policy without architecture is a document without teeth.
The relevant questions for any custody platform:
| Capability | Why It Matters for Dormancy |
|---|---|
| Address-level balance visibility | You cannot report what you cannot see |
| Inactivity monitoring at scale | Manual review fails at volume |
| Granular access controls | Segregating dormant balances requires role-based controls |
| Key continuity | Dormant assets must remain accessible even after key rotations or platform migrations |
| Audit-ready transaction logs | Regulators require a full history, not just current state |
| Multi-jurisdiction reporting | Dormancy rules differ by state and country |
This is where infrastructure choices made years earlier either support or constrain compliance today. Enterprises that built on platforms with rigid, account-level wallet structures often find they cannot isolate dormant addresses without manual intervention at scale.
Cregis's Wallet-as-a-Service platform delivers three core capabilities that dormancy compliance requires: Secure custody through MPC key management and HSM-based controls. Efficient monitoring across 40+ networks and 100 million+ managed wallets. Compliant reporting through granular access controls, segregation tools, and audit-ready transaction logs built into the core architecture, not layered on afterward.
Frequently Asked Questions
What triggers dormancy in a crypto wallet? Dormancy is typically triggered by a defined period of owner inactivity, most commonly three years in jurisdictions that have formalized rules for digital assets [fintechweekly.com][wipfli.com]. What counts as activity varies: some frameworks require owner-initiated transactions; others accept any interaction.
Is crypto subject to unclaimed property laws? Increasingly, yes. Multiple U.S. states now formally recognize virtual currency as reportable property under unclaimed property statutes [sd13.senate.ca.gov][wipfli.com]. The legal trend is toward treating digital assets equivalently to securities.
Who is responsible for dormant crypto balances? The holder, meaning the enterprise or platform that controls or manages the wallet, bears the compliance obligation, not the absent owner [salestaxinstitute.com].
What happens if an enterprise does not report dormant crypto? Non-compliance can result in financial penalties, interest charges, and multi-state audits [broadridge.com]. Regulatory enforcement in unclaimed property is increasing.
Does escheatment mean the asset is permanently lost? No. Escheatment transfers custody to the state, which typically holds the asset (or its cash equivalent) until the rightful owner comes forward to claim it [witheisen.com][sd13.senate.ca.gov].
How should enterprises handle dormant wallets that span multiple jurisdictions? The holder's state of incorporation often serves as the default jurisdiction when the owner's address is unknown. Enterprises should map their exposure by jurisdiction and align reporting to each state's filing deadlines.
Can wallet architecture be retrofitted for dormancy compliance? Some capabilities can be added, but key continuity and address-level monitoring are significantly harder to retrofit than to build in from the start. Enterprises evaluating new custody platforms should treat dormancy compliance as a first-order architecture requirement.
About Cregis
Cregis is an enterprise-grade crypto financial infrastructure company that operates as the Trust Layer for the digital asset economy, serving 3,500+ businesses in 50+ countries. Its platform spans Wallet-as-a-Service, a stablecoin payment engine, and a programmable policy engine, all built on MPC key management, HSM-based security, and a Trust Vault Security Framework certified to SOC 2 Type II, ISO 27001, and PCI DSS standards. For institutions navigating dormancy compliance, Cregis provides the infrastructure foundation that makes policy enforceable at scale: address-level visibility across networks, granular access controls, audit-ready logs, and key continuity. As unclaimed property law continues to evolve around digital assets, having the right custody foundation is not optional.
Ready to assess whether your wallet infrastructure can support dormancy compliance at scale? Learn more at cregis.com.
