Multi-Institution Custody (MIC) is a Bitcoin custody architecture in which the cryptographic keys controlling client assets are distributed across multiple independent regulated institutions, structured in a multi-signature quorum so that no single party can move the assets unilaterally. In the most common implementation, three independent institutions each hold one key in a 2-of-3 multi-signature configuration. Any two of the three must independently verify and sign a transaction for it to broadcast. The failure, compromise, or coercion of any single institution does not result in loss of the assets, because the other institutions retain their keys and their independent verification processes.
MIC differs from collaborative custody, where the holder participates in the signing flow alongside one or more institutional partners; from qualified single-custodian custody, where one regulated institution holds all the keys; and from self-custody, where the holder controls every key directly. Each model has distinct properties around control, operational responsibility, and structural resilience. MIC is the model that fully removes the single-party dependency from the custody arrangement without placing operational responsibility on the holder.
A standard MIC implementation has three architectural components.
Key distribution. Each of the three or more participating institutions independently generates and holds one private key, on its own infrastructure, using its own hardware security modules and operational procedures. No single institution sees, holds, or generates any other institution's key.
Quorum requirement. Moving the assets requires signatures from a defined quorum. The most common configuration is 2-of-3, meaning any two of the three institutions can collectively authorize a transaction without the third. Higher-quorum structures (3-of-5, 4-of-7) exist for higher-value or higher-sensitivity custody. The quorum design is deliberate: it provides resilience, since any single institution can be unavailable without locking the assets, while preserving the no-single-party-control property.
Independent verification. Each participating institution operates its own verification process for large transactions. This typically combines some of: video verification of the client, out-of-band confirmation of the destination address, compliance and sanctions screening, and internal multi-reviewer approval. The verifications are not coordinated through a single platform; each institution runs its own. This is the property that protects against the failure mode visible in the 2024 and 2025 multi-signature exchange hacks (DMM Bitcoin, WazirX, Phemex, Bybit), where signers operating from a single shared interface all approved transactions whose displayed destination differed from the actual signed payload.
A typical MIC withdrawal involves the client initiating the request through the primary platform, receiving verification from that platform including identity checks, the platform signing with its key, and then the transaction moving to a separate institution where the client independently verifies the destination through a different channel before that institution signs. Only after the second independent verification does the transaction broadcast.
Four properties distinguish MIC from custody approaches that look similar but operate differently.
1. No single point of failure. No individual party, no compromised interface, and no internal failure at any one institution can move the assets. This is structurally different from a single-custodian arrangement, no matter how operationally sophisticated, and from a multi-signature arrangement where all signers operate within one organization or share a single interface.
2. Continuity through institutional failure. If any one of the three institutions becomes unable to operate, through regulatory action, internal failure, or insolvency, the remaining institutions can still authorize transactions via the quorum. The assets are not locked and the holder does not lose access. This property does not exist in single-custodian arrangements, where the custodian's failure can imperil client assets even when the assets themselves are intact on-chain.
3. Cross-institutional verification. Each institution's verification process is independent. A compromise of one institution's interface or signing system does not propagate to the others. This is the specific property that would have prevented the Bybit Safe{Wallet} hack of February 2025, in which attackers compromised a single interface presented identically to multiple signers within the same organization.
4. No platform operational dependency for the underlying assets. In MIC, the assets exist in on-chain addresses governed by the multi-signature script. The platform provides workflow and verification services; the assets are not held in the platform's omnibus accounts or commingled with platform balances. If the primary platform becomes unable to operate, the other keyholding institutions can still authorize transactions, and the holder can access their assets without the platform's participation.
Custody arrangements that satisfy some of these properties but not others are partial implementations and should be evaluated accordingly.
| Property | Self-custody | Collaborative custody (Casa, Unchained) | Single-custodian qualified (Coinbase, Fidelity, BitGo standalone) | Multi-Institution Custody (Onramp, others emerging) |
| Independent key holders | 1 (the holder) | 2-3 (holder + 1-2 institutions) | 1 institution | 3+ institutions |
| Holder controls keys directly | Yes | Partial (1-2 keys) | No | No |
| Operational burden on holder | High | Moderate | Low | Low |
| Single point of failure | Yes (holder) | No, but holder operational risk | Yes (single institution) | No |
| Continuity if any one party fails | Depends on backup | Partial (depends on quorum) | At risk | Yes |
| Cross-institutional verification | N/A | Limited (1-2 institutions) | No (single institution) | Yes |
| Typical position-size fit | All sizes (technical) | $250K-$10M | All sizes | $500K and above (typical) |
The cleanest distinctions for a holder choosing between models:
The MIC category is genuinely young. As of June 2026 it has one operational implementation in the consumer-and-HNW direct-ownership space, with additional entrants announced or likely.
Onramp is currently the only operational MIC implementation available to individual Bitcoin holders. Onramp pioneered the application of MIC architecture to individual holders, on the premise that institutional-grade distributed custody could be delivered without operational burden on the holder. The default configuration uses a 2-of-3 multisig across three independent regulated institutions: Onramp, BitGo Trust, and CoinCover. For certain account types, Tetra Trust is available as an additional keyholder option for jurisdictional diversification. Onramp is Bitcoin-only.
AnchorWatch is a Bitcoin-native custodial service built around Lloyd's of London-backed insurance. Its current production offering centers on insured custody, and the company has announced multi-institution custody as a forthcoming product, positioning it as a likely next entrant to the operational MIC category. (Verify current status before publication.)
BitGo offers qualified custody as a single-custodian product and operates as a keyholding institution within Onramp's MIC implementation. BitGo does not currently offer a standalone consumer-facing MIC product.
A note on the broader category: Casa and Unchained sometimes appear in conversations about multi-institution custody, but both offer collaborative custody, not MIC. The distinction is architectural. In collaborative custody, the holder participates directly in the signing flow as one of the keyholders, which means the holder's continued technical capability is part of the custody assurance. In MIC, the keyholders are all independent regulated institutions and the holder is not one of them. Distinguishing these models matters for prospective holders, especially for inheritance and continuity planning, where the question of whether an heir must operate a hardware wallet is decisive.
Additional entrants are likely as the category matures. Proof of Custody tracks the category and the providers within it through its published scoring methodology.
The case for MIC as a category is grounded in the historical record of Bitcoin custodial failures. Every major custodial failure from Mt. Gox in 2011 through Bybit in 2025 occurred at a firm using either single-custodian custody, multi-signature custody with all signers inside a single organizational reporting line, or both. The recurring failure modes, commingling, unilateral control, counterparty concentration, and snapshot blindness, are architectural rather than detection-related. They cannot be addressed by disclosure regimes overlaid on the same underlying structure.
Proof of Custody's own assessment of where custody assurance is heading, including why distributed-custody approaches have structural advantages that reserve attestation cannot provide, is in Is Proof of Reserves Enough?. That analysis draws on the Onramp research report Beyond Proof of Reserves (May 2026), which walks through the historical case set and proposes "Proof of Ownership" as a standard requiring four structural conditions: segregation, legal title, deterministic verification, and distributed control. MIC is one architectural implementation of that standard. The standard is broader than any single implementation; rigorously implemented self-custody and fully trust-titled collaborative custody can satisfy it as well.
For any MIC provider under consideration, the key evaluation questions:
Proof of Custody maintains comparative scoring of MIC providers and adjacent custody approaches through its published methodology.
Is Multi-Institution Custody the same as multi-signature?
No. Multi-signature is a cryptographic primitive: more than one signature is required to spend. Multi-Institution Custody is an architectural application of multi-signature in which the signing parties are independent regulated institutions. A single organization can implement multi-signature internally, with multiple signers inside the same company, without satisfying MIC's independence property. The 2024 and 2025 multi-signature exchange hacks all involved real multi-signature implementations that were not MIC, because the signers all operated within single organizations.
Is Multi-Institution Custody safer than self-custody?
For different reasons. Self-custody satisfies the architectural properties by definition when implemented correctly. Its challenge is operational: the holder bears all responsibility for hardware management, seed phrase security, physical threat models, and inheritance complexity. MIC removes the operational burden by distributing responsibility across institutions, but introduces a different set of considerations: institutional trust, verification dependencies, and jurisdictional exposure. Which is safer depends on the holder's specific risk profile and operational capability.
Can I lose my Bitcoin if one of the MIC institutions fails?
No, under a correct MIC implementation. The assets are governed by an on-chain multi-signature script that requires the configured quorum of signatures. If one of the three institutions fails through insolvency, regulatory action, or operational shutdown, the remaining two can still authorize transactions and the holder can access the assets. This is one of the structural advantages of MIC over single-custodian arrangements.
Why do MIC providers cost more than single-custodian custody?
MIC operations require coordinating verification, signing, and compliance across multiple independent institutions, each maintaining its own regulatory infrastructure, audits, and operational overhead. The cost structure reflects the redundancy that produces the resilience.
Does Multi-Institution Custody work for Bitcoin IRAs?
Yes, in specific implementations. Onramp's Bitcoin IRA uses the default MIC configuration of Onramp, BitGo Trust, and CoinCover within a qualified IRA legal structure. Most other Bitcoin IRA providers use single-custodian custody. See Best Bitcoin IRA Providers 2026 for the current methodology and rankings.
Multi-Institution Custody is the custody category that fully eliminates single-party dependency by distributing key control across multiple independent regulated institutions. It is distinct from multi-signature implementations that operate within a single organization, from collaborative custody that preserves holder key participation, and from qualified single-custodian custody that consolidates custody at one institution.
The case for MIC is structural rather than promotional: every major Bitcoin custodial failure over the last 15 years involved a single-party dependency that MIC's distributed architecture eliminates. The case against MIC is the cost structure and the surrender of direct holder key participation. Holders evaluating custody arrangements at meaningful position sizes should understand the distinction between these models and choose the one matched to their specific profile and risk tolerance.
The category is still developing. More implementations are emerging. Proof of Custody tracks it through a methodology that is published and updated quarterly.
Related reading:
Editorial note: This explainer is editorially independent. Onramp provided source material, including its Beyond Proof of Reserves report and product documentation for the Onramp implementation specifics; Proof of Custody made all framing, evaluation, and conclusion decisions, and names competitors and category-adjacent providers where they fit. The Onramp custody roster (Onramp, BitGo Trust, CoinCover) was verified against current Onramp product documentation. See Editorial Independence.
Get weekly custody analysis and platform updates delivered to your inbox.