
Fraud Risk in Digital Assets: The Impact of MiCA in Reducing Fraud Risk for Digital Asset Firms

Sun, 22 Mar 2026

Andrew Vorster, Head of Growth, The Banking Scene

Tokenised assets and digital currencies are hot topics in the banking and financial services world right now and that also makes them hot topics in the world of fraud and scams.

I sat down with Sophie Bowler, Chief Risk and Compliance Officer at Zodia Custody, to find out how an institutional custodian thinks about fraud risk in crypto and tokenised assets as MiCA comes into force across the EU.

For readers unfamiliar with Zodia Custody, in Europe and beyond, Sophie has a simple way of describing the firm: it is a “native digital asset custodian” focused on safeguarding private keys for institutional and professional clients, built on a banking heritage through Standard Chartered Ventures. Her role is to ensure that Zodia, and specifically its European entity, serves EU clients safely, resiliently and in compliance with Luxembourg and EU regulations.

That combination of institutional clients and a bank-style approach is important context for what she says next: “the fraud risks in digital assets are often the same as in traditional finance, linked to people, process and technology layers, but the way the industry responds to them is changing rapidly - bringing expectations in line with TradFi - and regulation is accelerating that shift”.

“Institutional-grade” custody is a different proposition

I opened with a basic question: what is the difference between “institutional-grade” custody and what most people experience as retail crypto?

Sophie’s answer was grounded in trade-offs. Institutional clients often have their own end clients, are regulated in their own right with high regulatory expectations and oversight, and hold large values. As a result, they require resilient infrastructure, security aligned with the standards expected in traditional financial markets, and compliance controls that meet rigorous standards. In the retail context, by contrast, values are often lower, and retail customers, whilst still expecting asset safety and resilience, want low storage and transaction fees, a convenient and usable application, and access to multiple services.

She gave a practical example of what that means at Zodia: assets are held in cold storage rather than the hot storage commonly used by exchanges serving retail clients. In the cold storage model, private keys are kept on air-gapped systems that are not directly connected to the internet, held in geographically dispersed data centres under national-grade security protocols, which significantly reduces exposure to cyber risk. Additionally, client assets held with Zodia are fully segregated: they are not commingled with those of other clients or with Zodia's own assets, and they remain protected in the event of Zodia's insolvency, whereas retail-focused exchanges commonly use omnibus wallets in which client assets are commingled.

This could create the perception that institutional-grade security comes at the expense of usability, but that is not the case in practice: Zodia's clients can transact 24/7 at their own discretion. Additionally, via Zodia's Interchange offering, clients can still trade through arrangements with their chosen MiCA-licensed crypto exchange without needing to hold assets directly on the exchange (which increases their risk exposure): assets are held safely in cold storage until settlement.

For a banking audience, the key takeaway is that custody design choices can dramatically reduce exposure to certain technical risks. That is what Zodia set out to achieve from inception, and it is how their custody and security infrastructure is designed. However, as with any technical design, it cannot remove people, process and technology risks entirely, and fraudsters will always attempt to exploit what remains. Rigour must therefore extend to governance, control implementation and assurance, which MiCA has now brought to the fore.

Fraud typologies look familiar — but MiCA raises standards significantly for digital asset firms

When asked how MiCA has changed the fraud and scam threat model for institutions, Sophie is clear that the underlying tactics are not unique to digital assets. She lists impersonation fraud, “pig butchering”, social engineering and account takeover as examples that also exist in traditional finance, and which have come up repeatedly in my previous interviews. She also notes that AI is becoming an increasingly prominent component of fraud risk.

Where she sees MiCA making a difference is in reducing what she calls the “vulnerability” of the digital asset industry to fraud, particularly given its previously unregulated environment. Her argument is that MiCA requires market participants to mature, to implement controls and processes that meet rigorous standards, and to submit to close oversight by regulatory authorities. Many of these controls are new to crypto firms and significantly raise the bar for obtaining a licence; many firms have had to strengthen their security posture and control environment substantially, and build out their technology, operational and compliance teams, in order to do so. While crypto-asset service providers already operated under national VASP regimes for anti-money laundering and counter-terrorist financing (AML/CTF), MiCA replaces those with a single EU regulation, extends the regulatory requirements well beyond AML/CTF, and establishes a high minimum bar across the EU.

That matters for institutions because it improves predictability. If you are a bank or regulated financial firm working with EU-based digital asset service providers, a common rulebook reduces uncertainty about governance standards and control expectations.

There is also a displacement effect. Sophie suggests that tighter regulation pushes scams and bad actors towards less regulated environments, including providers in jurisdictions with lower licensing standards or reduced regulatory oversight, or with no regulation at all.

In other words, the EU’s regulated perimeter, with its higher security and control standards, is likely matched by a riskier fringe of digital asset firms operating from other countries, where fraud risks may be higher and attempts more likely to succeed. When institutions choose a digital asset custodian, the regulatory environment it operates in should therefore be a key factor in the decision.

What MiCA demands in practice: governance, custody controls and operational resilience

From Sophie’s perspective, MiCA’s practical requirements go well beyond documenting policies and procedures. She highlights several areas that affect how a crypto-asset service provider operates day to day:

  • governance, oversight and accountability obligations covering shareholders, boards, senior management and all control and process owners
  • custody-specific expectations around segregation of client assets, record-keeping and reconciliation of customer positions
  • the need to maintain a MiCA-compliant register of client positions and provide position statements
  • and crucially, the link to DORA, which is compulsory for EU crypto-asset service providers to implement, bringing digital operational resilience and rigorous oversight of third-party vendors into scope.

Her emphasis on DORA is particularly relevant to fraud, because operational resilience is where many organisations expose themselves through third parties. Sophie notes that digital asset firms are not in a position to build everything themselves, and nor should they: specialist vendors supply parts of the technology and software infrastructure needed to operate at a high standard. That dependence can, however, create vulnerabilities where fraud is concerned, so firms need robust third-party risk management, rigorous oversight of vendors, and ongoing operation of controls so that fraud risks do not materialise along the supply chain.

For banks in Benelux considering digital asset services, the message is straightforward: regulatory readiness goes hand in hand with operational readiness. If your provider’s third-party risk management is not effectively implemented or is lacking, your fraud and incident risk increases even if the underlying crypto technology is strong.

Custody fraud risk: Account takeover, social engineering, phishing and the rise of AI impersonation

In custody, and especially institutional custody, fraud risk shares a common underlying theme: a bad actor attempting to gain control of some or all of a client’s assets through account takeover, social engineering or phishing. Fake investment schemes also appear in the retail context, but Sophie does not observe them in institutional custody.

This is where her most concrete warning appears: the rise of highly convincing AI-enabled impersonation fraud. She describes seeing an increase in sophisticated AI-enabled impersonations in the digital asset industry that attempt to gain access to information or encourage staff to take certain actions, such as clicking on a malicious link. These increasingly sophisticated methods can be challenging for staff members to spot, so ensuring heightened vigilance, training and tailored controls are in place is vital.

Her response emphasises the importance of robust, consistently applied controls, as well as the segregation of duties. In practice, this means adhering to established authentication and approval processes without exception, even in the face of urgency or external pressure, and critically, integrating segregation of duties so no one person can enable critical actions or changes. The pressure tactics criminals apply are familiar to anyone in banking fraud: creating urgency, presenting plausible scenarios, and attempting to bypass checks and controls “just this once” because the client relationship is at risk. As digital asset markets mature, the expectation is that firms apply the same discipline and control standards seen in traditional financial services.

Sophie’s view is that culture and peer support matter. Rather than relying on one person to police everyone, the focus should be on building a shared, risk-aware mindset, with compliance embedded into everyday behaviour and culture.

Financial crime controls: Critical in mitigating fraud risk

As Zodia’s client base is institutional only, custody solutions are often tailored on a client-by-client basis. Depending on the type of client, they may have different arrangements with their own underlying clients. This requires close collaboration between Zodia’s internal teams and the client during onboarding to ensure that the purpose of the custody account is fully understood, the wallet set-up is correct, the individuals operating the account are known, and it is clear where the funds destined for custody originate. Where fraud is concerned, the origin of funds and the individuals operating the account are the key focal areas. Zodia needs to ensure that the proceeds of fraud are not entering custody, which requires integrated blockchain analytics, and that those operating the account are authorised to act on behalf of the client. A common weak link in many financial crime cases is not whether someone has passed identity verification, but whether they are actually authorised to represent the client and give instructions on its behalf.

Dual control and the overlooked risk of staff turnover

To mitigate the risk of single-person abuse, Sophie explains that at Zodia no individual has the authority to access client accounts or initiate transfers independently. Instead, robust controls are embedded throughout every process, particularly in key management, with strict segregation of duties at each stage. This design significantly reduces the effectiveness of phishing or impersonation attacks, because no single individual can regenerate keys or execute material actions in isolation.

Importantly, the same principle extends to the client side. Transactions require approval from multiple authorised individuals, typically governed by mandates approved at the Board level. This ensures that only properly appointed and permissioned parties can access the custody account and authorise transfers, providing an additional layer of protection against fraud and unauthorised activity.

She also flags a risk that banks will recognise immediately: people change. Client organisations have turnover, and a new client representative cannot be treated with any less rigour simply because the client is longstanding. In her view, you cannot become more flexible in these moments; the new person must be subject to the required authentication controls without exception.

In other words, the highest risk point in a relationship might be when it feels routine, and the client is long-standing.

Liability is important, but trust matters more

Asked where liability sits when something goes wrong, Sophie points to MiCA’s framework around responsibility. Where assets are lost through a fault of the custodian, liability turns on whether the custodian can demonstrate that appropriate and robust safeguarding arrangements and controls were in place. Where those standards are not met, firms may be held liable for the losses; liability does not apply automatically in every case.

As she says, this is more than a legal question. For Sophie, custody is fundamentally about trust. She makes a distinction that is useful for any discussion of fraud in digital assets: on a blockchain, assets do not simply vanish; what is often “lost” is access. The assets can still be seen on-chain, but the rightful owner can no longer access and control them.

That practical reality shapes the responsibility of custodians: preventing loss of access to private keys due to process failures, compromised credentials, or social engineering is at the centre of risk management in digital assets.

In conclusion

I asked Sophie: “if you could fix one thing in the industry by waving a magic wand, what would it be?”

Her response was not a new tool or a clever technical control. If she could design one cross-industry mechanism to reduce investment fraud losses, it would be “accelerating maturity”.

She describes an industry with mixed maturity levels, including many start-ups and scale-ups where rapid growth, combined with the implementation of new regulatory regimes, places pressure on internal teams, firm leadership and boards. Whilst that is not unexpected given the relatively nascent state of the industry, it is important that focus now turns to regulatory compliance, and that developing and operating controls is not treated as a “side of desk” task without the required investment. That is how fraud, security and other risks materialise.

MiCA, in her view, is pushing the industry towards a minimum standard of maturity, and effective regulatory supervision and enforcement will be essential to accelerate that shift further.

She also challenged the notion that digital assets are inherently high-risk. Her argument is that risk sits less in the product and more in how it is managed; crypto, after all, is just another asset class. She points to blockchain transparency and notes that, from a financial crime perspective, transparency and immutability improve the ability of financial crime officers to identify and investigate risks, because every wallet the assets have ever passed through is visible on-chain. In her view this greatly increases the effectiveness of financial crime risk identification, whereas cash in traditional finance cannot be traced between banks as effectively. It is for digital asset firms to implement adequate controls to capitalise on the transparency that blockchain enables.
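As an added illustration, not Zodia's tooling and a deliberate simplification of what a blockchain analytics provider does, the Python below walks a constructed transfer graph backwards from a deposit address to find watchlisted sources within a hop limit, and computes a value-weighted exposure by proportional taint. It serves both the point above about seeing every wallet an asset has passed through and the earlier point that the proceeds of fraud must be screened before funds enter custody. The ledger, addresses, amounts and watchlist are constructed. Caveat: on a real chain this needs address clustering, and mixers, cross-chain bridges and exchange omnibus wallets break naive hop tracing, so a result of "no flagged upstream" is evidence, not proof.

```python
from collections import deque

# Constructed sample ledger, not real chain data: (sender, receiver, amount).
TRANSFERS = [
    ("scam-wallet-A", "hop-1", 50),
    ("hop-1", "hop-2", 40),
    ("exchange-X", "hop-2", 60),
    ("hop-2", "client-deposit", 90),
    ("miner-payout", "clean-source", 30),
    ("clean-source", "client-deposit-2", 30),
]
# Constructed watchlist, e.g. fed from victim reports or an analytics provider.
FLAGGED = {"scam-wallet-A": "reported investment scam"}


def upstream(transfers, address, max_hops):
    """Addresses that funded `address` within `max_hops` transfers, mapped to their hop distance."""
    incoming = {}
    for sender, receiver, _ in transfers:
        incoming.setdefault(receiver, set()).add(sender)
    hops = {address: 0}
    queue = deque([address])
    while queue:
        current = queue.popleft()
        if hops[current] >= max_hops:
            continue
        for sender in incoming.get(current, ()):
            if sender not in hops:          # also stops on cycles (funds bounced back and forth)
                hops[sender] = hops[current] + 1
                queue.append(sender)
    del hops[address]
    return hops


def exposure(transfers, flagged, address, _stack=frozenset()):
    """Value-weighted share of `address`'s inflows that trace back to a flagged source (proportional taint)."""
    if address in flagged:
        return 1.0
    inflows = [(s, amt) for s, r, amt in transfers if r == address and s not in _stack]
    total = sum(amt for _, amt in inflows)
    if total == 0:                           # no known inflows, e.g. a mining payout or an unflagged origin
        return 0.0
    return sum(exposure(transfers, flagged, s, _stack | {address}) * amt for s, amt in inflows) / total


def screen_deposit(transfers, flagged, address, max_hops=5):
    """Flagged sources reachable upstream, plus value-weighted exposure, as input to an onboarding decision."""
    hits = {a: (h, flagged[a]) for a, h in upstream(transfers, address, max_hops).items() if a in flagged}
    return {"flagged_upstream": hits, "exposure": exposure(transfers, flagged, address)}
```

For the constructed ledger, `client-deposit` has the scam wallet three hops upstream and 40% of its value traces back to it (the other 60% came through `exchange-X`), while `client-deposit-2` is clean. Hop distance and exposure answer different questions: a flagged source one hop away at 1% exposure and one five hops away at 90% exposure both deserve a look, for different reasons.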

For banks, the conclusion is practical: the fraud conversation with respect to digital assets should focus less on the technology infrastructure and more on governance, operational discipline, risk management, and the consistency of controls across the ecosystem, especially at the boundaries where regulated institutions interact with less-regulated services.


Tokenisation, digital assets, stablecoins and more are topics we will continue to discuss at The Banking Scene Conference Amsterdam on March 24, where you can meet a few of the Zodia Custody team, including their Chief Products Officer, Anoosh Arevshatian, who will be sharing her insights in the session "Rethinking Relevance in a World of Tokenised Assets and Digital Currencies".

© Copyright 2026 The Banking Scene - All rights Reserved.