Jul 14, 2026

How to Evaluate a Wallet-as-a-Service and Custody Infrastructure Provider (2026)

Cregis

Marketing

3 min. read

Choosing the right Wallet-as-a-Service (WaaS) and custody infrastructure provider is one of the most consequential decisions a financial institution makes when entering the digital asset economy. The provider you choose becomes the foundation of your operations: it handles how assets move, how keys are protected, and how your platform stays compliant as regulations tighten. The wrong choice leaves you exposed to inherited security gaps and compliance failures. This guide gives institutions a structured, practical framework for making that evaluation in 2026.

TL;DR

  • Regulatory scrutiny of digital asset custody is accelerating in 2026, making compliance architecture a primary evaluation criterion, not a secondary one [statestreet.com].
  • Security architecture (MPC, HSM, TEE) matters more than marketing claims. Demand verifiable certifications and an auditable track record.
  • WaaS and custody serve different operational needs. Understand which deployment model fits your compliance environment before comparing vendors.
  • Evaluate providers on integration depth, multi-chain coverage, and settlement speed, not just headline security features.
  • The right provider functions as infrastructure, not a product vendor. It should reduce your operational burden while meeting your regulatory obligations.

About the Author: Cregis has operated as enterprise-grade crypto financial infrastructure for nine years across 50+ countries, serving 3,500+ institutions including banks, payment service providers, and exchanges, with zero security incidents and $300B+ in yearly transactions secured.

Why Does the Regulatory Context Matter Before You Even Look at Vendors?

The evaluation process must start with the regulatory environment, not product features. In 2026, digital asset regulation is no longer a future concern [statestreet.com]. Regulators across major jurisdictions are actively defining what qualified custody means, which entities must hold licenses, and how client assets must be segregated and protected [sifma.org] [law.upenn.edu].

Before shortlisting any provider, your institution should answer three questions:

  • Which jurisdictions will your platform operate in, and what custody rules apply in each?
  • Does your regulatory obligation require you to maintain direct control of private keys, or can you delegate custody?
  • Will your auditors, regulators, or banking partners require specific certifications from your infrastructure provider?

The answers determine which deployment models and which certification standards are non-negotiable. Skipping this step leads to expensive retrofits later.

What Security Architecture Should You Actually Require?

Security is where most vendor evaluations go wrong. Institutions compare headline claims rather than the underlying architecture that produces those claims.

A credible institutional crypto custody provider should be able to demonstrate:

  • MPC key management: Multi-Party Computation distributes private key shards so that no single party or server ever holds a complete key. This eliminates single points of failure without sacrificing transaction speed [sumsub.com] [stripe.com].
  • HSM and TEE integration: Hardware Security Modules (FIPS 140-compatible) and Trusted Execution Environments add hardware-level isolation that software alone cannot replicate.
  • Zero Trust Architecture: Every transaction, user, and system component is verified independently. No implicit trust is granted based on network position.
  • Hot and cold storage separation: Operational liquidity needs hot wallet access. Long-term or reserve holdings need cold storage with air-gapped signing.
  • Independent certifications: SOC 2 Type II, ISO 27001, and PCI DSS are the baseline. Smart contract audits from firms like CertiK add a further layer of verifiable assurance.

A nine-year operational record with zero security incidents is a more reliable signal than any single certification. Ask every vendor for their incident history, not just their current certifications.

How Do WaaS and Custody Infrastructure Differ, and Why Does It Matter?

These two terms are often used interchangeably, but they describe different layers of the stack [dfns.co] [privy.io].

DimensionWallet-as-a-Service (WaaS)Custody Infrastructure
Primary functionCreate and manage wallets at scale for end users or business workflowsSafeguard institutional asset holdings under defined custody rules
Key controlTypically self-custodial (business retains key shards via MPC)Varies: qualified custodian, self-custody, or shared custody models
DeploymentCloud-native API or SDK integrationCloud-based or on-premise based on compliance requirements
Regulatory framingPlatform infrastructure for digital asset operationsSubject to qualified custody, trust, and licensing requirements [law.upenn.edu]
Typical use casePSPs, exchanges, fintech apps embedding wallet functionalityBanks, funds, and institutions safeguarding client or treasury assets

A business launching a payment product needs a strong digital asset management platform with WaaS capabilities. A bank holding client assets in a regulated jurisdiction needs qualified custody architecture. Many institutions need both, integrated under a single provider.

What Operational Capabilities Separate Infrastructure from a Basic Wallet Provider?

Stepping back from security architecture, a separate and equally important question is whether the provider can support your business operations at scale [stripe.com] [privy.io].

Key operational requirements to evaluate:

  • Multi-chain coverage: A provider supporting 40+ networks and 80+ tokens means you are not forced to stitch together multiple providers as your asset coverage grows.
  • Settlement speed: T+0 real-time settlement matters for payment flows and treasury operations. Delayed settlement creates float risk and reconciliation complexity.
  • Policy and compliance automation: Built-in AML screening (Know Your Transaction), programmable risk rules, and automated controls reduce manual compliance overhead.
  • Integration depth: Developer APIs, SDKs, and no-code business suites determine how quickly your team can deploy and how much custom engineering is required.
  • Onboarding speed: A provider that takes months to integrate creates operational drag. Enterprise WaaS deployment should be measurable in days, not quarters.

Ask vendors for documented integration timelines with clients at a similar scale to your own. A ten-minute deployment claim is only meaningful if it is validated by institutional clients, not just developers running proof-of-concept tests.

How Should You Assess a Provider's Compliance Posture?

Building on the operational criteria above, the harder question is how deeply compliance is embedded in the provider's architecture versus bolted on as a feature layer.

Compliance-native infrastructure means:

  • AML/KYT screening runs at the transaction level in real time, not as a batch process after funds have moved.
  • The provider holds relevant licenses: Treasury licenses, Trust or Company Service Provider (TCSP) licenses, and jurisdiction-specific approvals.
  • Audit trails are complete, exportable, and compatible with your internal compliance and reporting workflows.
  • The provider actively participates in regulatory dialogue and industry standard-setting, rather than reacting to rules after they are finalized.

Compliance is not a constraint on good infrastructure. It is what makes that infrastructure usable for regulated institutions.

Frequently Asked Questions

What is the difference between custodial and non-custodial wallet infrastructure? In custodial models, the provider holds private keys on behalf of clients. In non-custodial or self-custodial models, the client retains key control, often through MPC, while the provider supplies the infrastructure layer [sumsub.com].

What certifications should an institutional custody provider hold? At minimum: SOC 2 Type II, ISO 27001, and PCI DSS. Smart contract audits and additional jurisdictional licenses are important depending on your operating environment.

Is cloud-native custody appropriate for regulated institutions? Yes. Cloud-native and on-premise deployment are both viable models for regulated institutions, each suited to different compliance and control requirements [stripe.com].

How do I verify a provider's security track record? Request their incident history, third-party audit reports, and client references at institutional scale. Certifications confirm current standards; an operational record confirms sustained performance.

What is Know Your Transaction (KYT) and why does it matter? KYT is real-time AML screening applied at the transaction level. It identifies high-risk counterparties and flagged addresses before funds settle, which is a regulatory requirement in a growing number of jurisdictions.

How many blockchain networks should a provider support? There is no universal answer, but coverage of 40+ networks is a reasonable baseline for institutions with diversified digital asset operations. Prioritize depth of integration over breadth of names on a feature list.

What is the right question to ask about pricing? Ask for total cost of ownership across integration, ongoing support, compliance tooling, and scaling fees, not just the headline API rate.

About Cregis

Cregis is enterprise-grade crypto financial infrastructure built for banks, payment service providers, exchanges, and institutions operating at scale. Its platform covers Wallet-as-a-Service, a stablecoin payment engine, and custody infrastructure secured by MPC, HSM, and TEE architecture, all certified to SOC 2 Type II, ISO 27001, and PCI DSS standards. With nine years of operation, zero security incidents, and $300B+ in yearly transactions secured across 50+ countries, Cregis is positioned as the trust layer of the digital asset economy. Its first-tier security standard gives regulated institutions the foundation they need to operate confidently in an environment where compliance and security are not optional.

If your institution is evaluating WaaS or digital asset custody solution providers for 2026, Cregis offers the infrastructure, compliance architecture, and operational track record to support that decision. Visit cregis.com to learn more or speak with the team directly.

References

  1. Non-Custodial Wallet Providers and Broker-Dealer Regulation - SIFMA (sifma.org)
  2. Digital asset regulation accelerates in 2026 | State Street (statestreet.com)
  3. Custodial vs Non-Custodial Wallets: Key Differences | The Sumsuber (sumsub.com)
  4. Wallet-as-a-service explained for modern businesses (stripe.com)
  5. The Wallet Service Guide - DFNS (dfns.co)
  6. Crypto Custody • Faculty • Penn Carey Law (law.upenn.edu)
  7. Wallet-as-a-service (WaaS): Simplifying digital wallet management (privy.io)