Founder voice · 14 May 2026
MPC custody and the UK perimeter — where is your safeguarding "place of supply"?
On 14 May 2026 we submitted Finray's response to FCA CP26/13 on the proposed Cryptoasset Perimeter Guidance. Of the substantive points we raised, one question goes unaddressed in the draft PERG 19 in a way that affects almost every institutional-grade custody architecture in 2026: where is the territorial "place of supply" of safeguarding when private keys are held under threshold MPC?
The proposed framework lives in two sections. PERG 19.3.2 sets the territoriality test — a firm is providing a UK cryptoasset service when the "place of supply" is the United Kingdom, and the FCA proposes to read place of supply through the location of the operations that actually deliver the service. PERG 19.6.2 then defines safeguarding by reference to control: holding the means by which a cryptoasset can be transferred, exercised typically through possession of private keys or of a sufficient share of them under a key-sharing arrangement. The draft is explicit that threshold and multi-signature schemes meet the control test. It does not address what happens to the territoriality test when that control is, by design, distributed across jurisdictions.
That gap is not academic. In 2026, the default institutional cryptoasset custody architecture is threshold MPC — typically 2-of-3 or 3-of-5 schemes, in which the private key is never reconstructed in cleartext. Each shard is a secret share; no single shard, and no single shard holder, has the authority to move assets. The shards are deliberately placed in separate jurisdictions for operational resilience and to harden against compromise of any one site. The orchestrator — the firm running the signing protocol that initiates a transfer and coordinates the shard holders — may itself sit in a fourth jurisdiction, distinct from any of the shard sites. A regulator that asks "where is the safeguarding done" is asking a question the architecture does not answer cleanly.
There are four readings of PERG 19.3.2 available on the current text, and the draft does not choose between them. The "place of supply" could be (a) any jurisdiction in which a key shard is held, (b) the jurisdiction of the orchestrator that coordinates the signing ceremony, (c) the jurisdiction from which the resulting signed transaction is broadcast to the network, or (d) some weighted combination that varies by architecture. Each reading produces a different UK perimeter footprint, a different set of authorisation triggers, and a different exposure for foreign-domiciled custodians servicing UK consumers. Procurement teams cannot price that ambiguity. Boards cannot underwrite it. It needs to be resolved.
Our submission proposes the orchestrator. The locus of control over the signing process — the firm that initiates the protocol, decides which transactions to sign, and assembles the partial signatures into a valid transaction — is the entity exercising the requisite degree of control over the means of transfer in any operationally meaningful sense. Shards held under sufficiently constrained arrangements (HSM-backed, single-purpose, bound to a specific protocol) are infrastructure: they enable the signing operation but do not authorise it. Reading PERG 19.3.2 against the orchestrator is the only reading that aligns the territoriality test with where the firm-level decision to safeguard a particular asset is actually taken, and it is the only reading that produces a stable UK perimeter as custody architectures continue to fragment.
The UK is not alone in needing to answer this. MiCA Article 75 frames CASP custody around "custody and administration of cryptoassets on behalf of clients" and inherits the same control-based logic without addressing distributed control. Neither the European Banking Authority nor ESMA has produced a worked example for threshold-signature territoriality under the Level 2 measures. The Swiss perimeter under FINMA's FinIA/FinSA framework sits in an analogous position. Whoever resolves the question first — the FCA via PERG 19, or one of the EU authorities via MiCA L2 — will, in practice, shape the institutional custody architecture that the rest of the decade is built on. Vendors and regulated firms will reorganise around the first credible answer.
Our full CP26/13 response is at finray.tech/regulatory/cp26-13-response/, published with consent. The CP26/13 consultation closes on 3 June 2026, so other vendors and regulated firms have approximately three weeks to file. Anyone operating threshold-signature custody for UK consumers — or selling custody infrastructure to firms that do — has a direct interest in PERG 19.3.2 receiving a worked example before the final guidance is published. The architectural question is not going away; the only question is which regulator answers it first, and on whose preferred reading.