Non-Custodial WaaS Explained: How Banks and Fintechs Maintain Asset Control Without Building From Scratch
Banks and fintechs entering the digital asset space face a fundamental choice: build custody infrastructure from the ground up, or rely on a third party to hold client assets. Non-custodial Wallet-as-a-Service (WaaS) offers a third path. It gives institutions the technical infrastructure they need to launch wallets, manage transactions, and serve clients, while retaining full control over private keys and assets at all times. This model delivers what institutional clients require: infrastructure that is compliant, secure, and proven at scale.
TL;DR
- Non-custodial WaaS separates infrastructure provision from asset control, so institutions keep custody while outsourcing the build.
- Multi-party computation (MPC) eliminates single points of failure in key management without requiring institutions to manage complex cryptographic engineering.
- Compliance, scalability, and security can be built into the infrastructure layer, not bolted on after launch.
- The model works for banks, payment service providers, fintechs, and any institution that needs to manage digital assets at scale.
- Cregis delivers non-custodial WaaS with nine years of operation and infrastructure supporting over $300 billion in yearly transactions.
About the Author: Cregis is an enterprise-grade crypto financial infrastructure provider with nine years of operational experience and over 3,500 institutional clients across 50+ countries. Cregis specializes in MPC-based self-custodial wallets, Wallet-as-a-Service, and crypto payment infrastructure for banks, exchanges, and financial institutions globally.
What Is Non-Custodial WaaS, and Why Does It Matter Now?
Non-custodial WaaS is infrastructure delivered as a managed service, where the vendor provides the technical stack but the institution retains exclusive control over private keys and client assets [bleap.finance]. The vendor never holds, accesses, or manages the keys. Custody stays with the institution.
This distinction matters more in 2026 than it did even two years ago. Regulators across major markets are tightening requirements around digital asset custody, obligating institutions to demonstrate clear control over client funds and documented risk management processes [bitgo.com]. At the same time, institutional demand for digital asset services is accelerating. Banks and fintechs that cannot show clean custody arrangements are finding it harder to satisfy compliance teams, auditors, and regulators simultaneously.
The traditional build-versus-buy debate misses a third option: deploy infrastructure that is already compliant, already secure, and already proven, while keeping asset control entirely in-house.
How Does the Custodial Model Differ From Non-Custodial at the Institutional Level?
The practical difference between custodial and non-custodial arrangements comes down to who holds the private key [sumsub.com].
| Dimension | Custodial Model | Non-Custodial WaaS |
|---|---|---|
| Key control | Third-party provider | Institution retains full control |
| Regulatory exposure | Provider's compliance posture affects institution | Institution owns its compliance posture |
| Counterparty risk | Present | Eliminated |
| Operational flexibility | Provider-defined | Institution-defined |
| Time to launch | Faster, but less control | Fast, with full control |
Custodial solutions offer convenience, but they introduce counterparty risk and create compliance dependencies [cobo.com]. If the custodian faces regulatory action, insolvency, or a security incident, the institution's clients are exposed. Non-custodial WaaS removes that dependency entirely. The institution deploys wallets, manages transactions, and controls assets, while the WaaS provider maintains the underlying technical layer [scalablesolutions.io].
For banks and regulated fintechs, this architecture is not just operationally preferable. It is increasingly what regulators expect [statestreet.com].
Why Is Multi-Party Computation Central to Non-Custodial WaaS?
Building on the custody distinction above, the harder technical question is how an institution retains secure key control without requiring a dedicated cryptography team to manage it.
A multi-party computation wallet solves this. MPC splits the private key into encrypted shards distributed across multiple parties or devices. No single shard can reconstruct the key alone. Transactions are signed collaboratively, without any party ever holding the complete key [fireblocks.com].
For institutions, this approach delivers several concrete benefits:
- No single point of failure. Even if one shard is compromised, the key cannot be reconstructed.
- No single person can approve a transaction unilaterally. This satisfies dual-control requirements common in banking and financial regulation [statestreet.com].
- Key shards can be distributed across on-premise hardware, cloud environments, and institutional hardware security modules (HSMs). This supports flexible deployment without sacrificing security.
- The institution never has to share key material with the WaaS provider. The vendor provides the protocol; the institution controls the outcome.
This architecture is what separates genuine non-custodial WaaS from arrangements where the vendor still holds backup keys "for recovery purposes," which reintroduce custodial risk under a different label.
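The collaborative-signing property described above, as an added example that is not Cregis code and is not the GG18 protocol: a simplified n-of-n Schnorr-style scheme with additive key shares over a deliberately tiny toy group. All names (`Party`, `joint_sign`, `verify`) and parameters are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy Schnorr group (assumption, far too small for real use):
# P = 2Q + 1 with P, Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(R, msg):
    data = R.to_bytes(2, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Party:
    """One shard holder. self.x is the key share and never leaves the object."""
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1
        self.pub = pow(G, self.x, P)        # public share, safe to publish
        self.k = None

    def commit(self):
        self.k = secrets.randbelow(Q - 1) + 1   # fresh nonce per signature
        return pow(G, self.k, P)

    def respond(self, e):
        s = (self.k + e * self.x) % Q
        self.k = None                       # reusing a nonce would leak self.x
        return s

def joint_pubkey(parties):
    y = 1
    for p in parties:
        y = y * p.pub % P                   # equals G^(x1+...+xn), no x_i revealed
    return y

def joint_sign(parties, msg):
    # The coordinator only ever sees public commitments and partial signatures.
    R = 1
    for p in parties:
        R = R * p.commit() % P
    e = challenge(R, msg)
    s = sum(p.respond(e) for p in parties) % Q
    return R, s

def verify(y, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(y, challenge(R, msg), P) % P

if __name__ == "__main__":
    shards = [Party(), Party(), Party()]    # e.g. on-premise, cloud, HSM
    sig = joint_sign(shards, b"withdraw 10 USDC")
    print(verify(joint_pubkey(shards), b"withdraw 10 USDC", sig))
```

The verifier sees one ordinary signature under one public key. Production protocols add threshold (t-of-n) sharing, nonce commit-reveal rounds, and rogue-key defenses that this sketch leaves out.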
What Does a Compliant, Scalable WaaS Deployment Actually Look Like?
Stepping back from the technical detail, a separate concern for most institutions is operational: how long does deployment take, and what does the compliance layer look like in practice?
A well-designed WaaS platform should address these elements:
Wallet infrastructure:
- Support for multiple blockchain networks and token standards from a single integration
- API and SDK access for developers, alongside no-code interfaces for operations teams
- Scalability to manage millions of wallet addresses without degradation
Compliance integration:
- Real-time transaction monitoring with AML screening built into the transaction flow
- Automated policy rules that respond to risk signals across deposits, withdrawals, and fund management
- Audit trails and reporting tools that satisfy regulatory review
Security architecture:
- MPC key management with HSM and trusted execution environment (TEE) integration
- Hot and cold storage tiers with programmable controls
- Certifications including SOC 2 Type II, ISO 27001, and PCI DSS
Stablecoin payment infrastructure:
- Settlement across USDT, USDC, and major assets with cross-chain capability
- Built-in checkout and payment routing for institutions serving merchants or end clients
When these elements are integrated into a single platform rather than assembled from separate vendors, the institution reduces operational overhead significantly and avoids the compliance gaps that appear at integration points between systems.
How Does Cregis Deliver Non-Custodial WaaS for Institutions?
The infrastructure context above describes what institutions need. Cregis is built to provide exactly that, without requiring institutions to assemble it themselves.
Cregis operates as the trust layer for institutional digital asset management. Its WaaS platform supports 40+ blockchain networks and 85+ tokens, manages over 100 million wallet addresses, and processes over $100 million in average daily transactions. The platform can be deployed in approximately 10 minutes via API, with no-code tooling available for non-technical teams.
Top-tier industry security standards underpin every deployment. Cregis combines MPC using the GG18 protocol, FIPS 140-compatible HSMs, and TEE into a unified Trust Vault Security Framework. Private keys are never held by Cregis. Institutions retain full custody. Real-time AML monitoring through partnerships with Elliptic and Regtank is embedded at the transaction level, not appended as an afterthought.
With nine years of operation and infrastructure supporting $300 billion in yearly transactions, Cregis provides the proven foundation institutions need to manage digital assets securely and at scale.
Frequently Asked Questions
What is the difference between custodial and non-custodial WaaS? In a custodial arrangement, the provider holds private keys on behalf of the institution. In non-custodial WaaS, the provider supplies the infrastructure but never accesses or holds keys. The institution retains full asset control [bleap.finance].
Is non-custodial WaaS suitable for regulated banks? Yes. Non-custodial WaaS aligns with regulatory expectations around custody control, dual authorization, and audit transparency. Institutions retain documented control over client assets, which is increasingly required by regulators [bitgo.com].
What makes MPC more suitable for institutions than multi-signature wallets? MPC signing happens off-chain and produces a single standard signature, so it does not require multiple on-chain signatures, which reduces transaction costs and avoids exposing key structure publicly. It also supports flexible signing policies without changing the wallet address [fireblocks.com].
How long does it take to deploy a WaaS platform? With a well-designed API and SDK, integration can begin within hours. Cregis offers approximately 10-minute WaaS deployment for institutions with developer resources, alongside no-code tools for faster operational setup.
What certifications should a WaaS provider hold for institutional use? Look for SOC 2 Type II, ISO 27001, and PCI DSS as a baseline. These certifications confirm that security controls, data handling, and operational processes have been independently audited.
Can non-custodial WaaS support stablecoin payment infrastructure? Yes. Modern WaaS platforms integrate stablecoin payment infrastructure natively, supporting settlement in USDT, USDC, and other assets across multiple chains with built-in compliance monitoring.
Does using a WaaS provider mean giving up control of compliance policy? No. A properly designed platform lets the institution configure its own compliance rules, risk thresholds, and automated controls. The provider supplies the engine; the institution sets the policy.
About Cregis
Cregis is an enterprise-grade crypto financial infrastructure company serving 3,500+ businesses across 50+ countries, with offices in Hong Kong, Singapore, Dubai, Kuala Lumpur, and São Paulo. Built on MPC-based self-custodial wallet technology and a compliance-first architecture certified under SOC 2 Type II, ISO 27001, and PCI DSS, Cregis provides the infrastructure banks, payment service providers, and financial institutions need to manage digital assets securely and at scale. With nine years of operation and $300 billion in yearly transactions secured, Cregis functions as the trust layer that connects traditional financial institutions to the digital asset economy without complexity, risk, or compromise.

