When Passport Scans Went Offshore: A Compliance Tale from the New MiCA Era

When a Crypto Custodian Tried to Outsource Trust: Javier's Night Shift

Javier ran a mid-sized crypto custodian based in Madrid. He had started the company in 2019, back when compliance felt like a paperwork headache rather than a nightly adrenaline rush. By 2023 he was fielding calls from big institutional money managers: they wanted regulated custody, easy onboarding for EU clients, and the ability to move capital quickly across borders. The problem was simple and familiar - onboarding required passport scans, proof of address, and transaction histories that regulators had come to expect.

So Javier did what a lot of smart, tired people do: he hired a low-cost vendor outside the EU to store and validate identity documents. It cut costs and sped up on-ramps. His customers were happy, the internal dashboards looked healthy, and the servers hummed in an anonymous data center somewhere that refused to answer questions at 3 a.m.

Meanwhile, the EU ratified Regulation (EU) 2023/1114 - the Markets in Crypto-Assets regulation, better known as MiCA. It introduced clearer rules for crypto-asset issuers and service providers, and importantly, it made cross-border provision of regulated services under a single member-state license easier to do. That passporting clarity attracted capital like moths to a porch light. As it turned out, the very clarity that invited large funds to enter the EU market also shone a bright regulatory flashlight on Javier's offshore passport repository.

The Hidden Cost of Thinking Data Could Live Anywhere

What happens when a passport scan is both the key to a trading account and the most sensitive personal data a company holds? It becomes a liability that courts, regulators, and angry counterparties will notice. MiCA did not invent KYC or data protection rules, but it changed the economics. Suddenly, compliance was not a cost center you could quietly optimize away - it was a competitive moat for service providers that could demonstrate robust controls.

Why did firms like Javier's think outsourcing passport storage to offshore vendors was safe? Several erroneous assumptions drove that choice:

- That cross-border vendors were neutral service providers rather than legal nodes in compliance chains.
- That the risk of enforcement was low because regulators were still learning about crypto.
- That a single box labelled "GDPR" in vendor contracts was a sufficient shield.

These assumptions collapsed under scrutiny. GDPR is not a decorative sticker - it imposes obligations on data controllers and carries heavy fines where processing of special categories of data is mishandled. MiCA's passporting and licensing regime meant more eyes on market participants. Firms attracting institutional capital suddenly had auditors, trustees, and AML supervisors examining data flows that used to be invisible. This led to regulatory inquiries, reputational damage, and for some, the high cost of emergency data migrations.

Why "Just Move the Server" Doesn't Solve the Problem

You might think the solution is straightforward: move the passport scans back to the EU, sign a few templates, and sleep easy. If only it were that simple.

Here are reasons that simple fixes fail:

- Data residency alone is not compliance. Where data is stored matters, but so do who can access it, how it is processed, and the legal basis for that processing. A Swiss box with no access controls remains a risk.
- SCCs and contractual safeguards are necessary, but they do not eliminate supervisory scrutiny. Regulators ask for evidence of technical measures, logs, and incident response - not just signed contracts.
- Legacy operational choices create migration friction. Large datasets of verified documents accumulate in heterogeneous formats. Migrating them securely without introducing new exposures is costly and time-consuming.
- Risk of vendor concentration. Many firms choose the same global KYC providers. That makes a single vendor incident a systemic problem, and shows trustees and counterparties that an entire market relies on one choke point.

What about privacy-preserving technologies? Promises abound - zero-knowledge proofs, verifiable credentials, self-sovereign identity. They are promising, but most are not yet mature enough to replace current KYC operations at scale. That means firms face a hard trade-off: adopt bleeding-edge tech (and risk integration failures), or harden existing processes and accept the cost.

How One Compliance Lead Turned Risk into an Onboarding Advantage

I used to believe the obvious route was cheapest. I was wrong. I remember sitting across from a compliance lead at a continental bank-turned-custodian who had seen the crash-and-burn approach first-hand. She made a different choice.

Instead of mass-moving all data back to an in-house archive, she designed a layered solution:

- Segmented data by criticality. Scans used only for verification were replaced with attestations whenever possible. The original scans were either deleted or put into hardened, access-controlled vaults.
- Adopted verifiable credentials (VCs) for recurring clients. The first onboarding used conventional checks; subsequent logins referenced cryptographic attestations issued by trusted third parties. That removed the need to store raw scans in many cases.
- Contracted KYC vendors with EU-licensed entities and audited their security posture. She insisted on data processing addendums, breach notification clauses, and technical evidence such as encryption-at-rest and key management policies. She ran tabletop exercises to ensure the vendor would behave under regulatory stress.
- Deployed a parallel architecture for institutional clients: custodial services that kept identity data in dedicated HSM-backed storage with strict role-based access and immutable audit trails.

As it turned out, these measures reduced the attack surface and eased regulatory arms-length checks. The custodian could present a clean narrative to auditors: we do onboarding; we keep verifiable claims, not raw scans; we can revoke attestations; we use EU-hosted vaults for any retained sensitive data. That narrative mattered more than a checklist of controls.

From Offshore Panic to Orderly Capital Entry: What Changed

Once the custodian cleaned up operations, the results were obvious and instructive. Institutional clients who had been sitting on the fence started moving capital. Why?

- Regulatory clarity under MiCA meant funds could rely on consistent cross-border service provision - provided the custodian could show clean data governance.
- Auditors and trustees liked the verifiable credentials approach because it reduced chain-of-custody issues. They could audit attestations rather than raw documents.
- Operational uptime improved when fewer people had access to raw identity materials, lowering the risk of human error and insider threats.

That said, the transformation was not free. It required negotiation with vendors, investment in cryptographic tooling, and a willingness to accept slower onboarding in a narrow band where proofing could not be attested. But the cost of not doing it - regulatory fines, frozen assets, or reputational damage - would have been orders of magnitude higher.

So what does a firm that faces a similar choice do today? Here are practical, skeptical recommendations based on hard-won experience:

- Audit your data lifecycle. Where are passport scans created, stored, transmitted, and destroyed? Map the flows and assign responsibility at each node.
- Prioritize attestation over storage. Use third-party attestations or verifiable credentials when possible. Keep raw sensitive documents only when legally necessary and for the shortest time needed.
- Choose KYC vendors with EU legal entities and inspect their technical controls, not just their marketing decks. Ask for penetration test results and SOC reports.
- Implement layered access and immutable logging. If a regulator asks who accessed a passport scan, you should be able to answer with timestamps and justification, not guesswork.
- Plan for audits and data subject requests. MiCA brought capital, and with that came custodians who demand due diligence. Be prepared to produce evidence quickly.
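The two technical pieces of the layered design described earlier and of these recommendations - attestations in place of raw scans, and an immutable access log - as an added Python sketch that is not code from this page or from any vendor named in it. A signed attestation records that the checks passed and keeps only a digest of the scan; it can expire or be revoked; and a hash-chained audit log answers who touched an artifact, when and why, and detects after-the-fact edits. The issuer name and the HMAC key are constructed placeholders; a real deployment would sign with an HSM-held asymmetric key.

```python
import hashlib
import hmac
import json

# Constructed demo key: in production it lives in an HSM/KMS and the attestation
# carries an asymmetric signature (e.g. a W3C VC proof). HMAC is an offline stand-in.
ISSUER_KEY = b"constructed-demo-issuer-key"
GENESIS = "0" * 64

def _canon(obj):  # canonical bytes so signatures and hashes are reproducible
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def issue_attestation(scan_bytes, subject_id, checks_passed, issued_at, ttl_days=365):
    """Sign a claim that the checks passed; only a digest of the scan is retained."""
    claim = {"subject": subject_id, "issuer": "hypothetical-eu-kyc-vendor",
             "doc_digest": hashlib.sha256(scan_bytes).hexdigest(),
             "checks": sorted(checks_passed),
             "issued_at": issued_at, "expires_at": issued_at + ttl_days * 86400}
    payload = _canon(claim)
    return {"id": hashlib.sha256(payload).hexdigest(), "claim": claim,
            "sig": hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()}

def verify_attestation(att, now, revoked_ids):
    """Return 'valid' or the first reason the attestation must not be relied on."""
    expected = hmac.new(ISSUER_KEY, _canon(att["claim"]), hashlib.sha256).hexdigest()
    problems = [(not hmac.compare_digest(expected, att["sig"]), "bad_signature"),
                (att["id"] in revoked_ids, "revoked"),
                (now >= att["claim"]["expires_at"], "expired")]
    return next((why for bad, why in problems if bad), "valid")

class AuditLog:
    """Append-only, hash-chained record of who touched which artifact, when and why."""
    def __init__(self):
        self.entries = []

    def record(self, actor, artifact, action, justification, ts):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"actor": actor, "artifact": artifact, "action": action,
                "justification": justification, "ts": ts, "prev": prev}
        self.entries.append(dict(body, hash=hashlib.sha256(_canon(body)).hexdigest()))
        return self.entries[-1]["hash"]

    def verify_chain(self):  # False if any entry was edited, removed or reordered
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(_canon(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```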

Tools and Resources That Actually Help

Here are tools and references that can be used immediately. I list them with skepticism - no vendor is a silver bullet.

- Regulatory texts: Read Regulation (EU) 2023/1114 (MiCA) and the consolidated GDPR text. Knowing the law beats believing sales slides.
- Data transfer guidance: Consult the European Data Protection Board (EDPB) notes on transfers and the European Commission's standard contractual clauses when moving data out of the EEA.
- KYC providers: Consider providers with primary operations in the EU - examples include IDnow, Onfido (with EU entities), and local banking-grade identity services. Verify their EU legal entity and audit reports.
- Privacy-preserving identity: Explore W3C Verifiable Credentials and Decentralized Identifiers (DIDs). Pilot projects are useful; don't bet the farm on unproven cryptography.
- Encryption and key management: Use HSM-backed key management and ensure your cloud provider supports customer-managed keys in-country.
- Incident response playbooks: Draft and rehearse breach response for identity data. Exercise the steps with vendors and legal counsel.

Questions You Should Be Asking Today

- Do we actually need to store the passport, or can we store a cryptographic attestation that identity checks passed?
- Who is the data controller and who is the processor under GDPR, and how does that map onto our vendor contracts?
- What happens if our KYC vendor gets a lawful order in their jurisdiction - can they be forced to hand over EU citizens' data without our knowledge?
- How will MiCA's passporting regime affect our obligations when we onboard clients from another member state under our license?
- Are our trustees and auditors comfortable with our identity architecture, or will they demand changes that disrupt service?

If you are not asking those questions, you are probably outsourcing risk and calling it optimization. That optimistic view is expensive when regulators start asking for the logs.


Final Notes from Someone Who Burned a Few Bridges

I admit it: I once proposed "cheap offshore storage" as a way to reduce onboarding friction. It worked for a while until a data subject exercised rights and the team realized no one could explain where the copies lived. We paid for the oversight, and the cleaning operation was surprisingly expensive - both in money and time.

MiCA changed the incentives. It didn't magically make firms safer, but it made unsafe practices visible. Large capital entry into EU crypto markets revealed weak links across the ecosystem. Firms that embraced verification-first approaches, hardened access to sensitive material, and chose partners with accountable legal presence in the EEA found themselves in a stronger position.


So what's the unconventional angle? Treat personal identity data the same way you treat custody of assets. If a passport scan unlocks capital, then protect it with the same rigor you use for private keys. Don't pretend a vendor agreement or a faraway server is a substitute for defensible controls. Regulators, auditors, and institutional clients will demand proof, not promises.

Want a quick starter plan?

- Map every identity artifact and justify its retention.
- Replace raw storage with attestations where legally acceptable.
- Move any required retained data to EU-hosted, HSM-backed storage with strict access controls.
- Run vendor audits and tabletop breach drills every six months.
- Document everything - narrative beats checkboxes when you need to explain to regulators or custodians.

Questions? Which part of your onboarding pipeline has the highest friction and the least documentation? How confident are you that a regulator could ask for access logs and you'd have them ready in 24 hours? If the answer is anything less than "confident," you probably have an offshore passport somewhere that deserves a proper audit.

Regulatory clarity brought capital into the market. That rarely happens without a price. The good news is the price buys something useful: predictable rules, clearer audits, and a chance to make onboarding both safer and, eventually, faster. The skeptical advice I give now is the one I wish I'd followed earlier - stop hiding passports in cheap vaults and start treating identity as the asset it is.