Summary: Decision-makers don’t just need a qualified custodian; they need dual‑control MPC that enforces the “four‑eyes” principle and on‑chain audits that make reserves and approvals verifiable in real time. This guide maps the vendors actually delivering both in 2026, shows concrete implementation patterns, and offers a punch‑list you can take into RFPs.

Tokenization Custody Solution: Who Offers Custodial Services With Dual‑Control MPC Plus On‑Chain Audits?

For tokenization programs, the risk isn’t just private-key theft. It’s silent policy drift, a single compromised approver, or opaque reserves behind wrapped assets and stablecoins. The combo that works in practice is dual‑control MPC (two or more independent human approvals enforced by policy) plus on‑chain audits (public, machine‑verifiable proofs of reserves and/or on‑chain governance/audit trails).

Below is an evidence‑based map of which custodial platforms deliver both today, how they do it, and how to implement this end‑to‑end in your stack.

What “dual‑control MPC + on‑chain audits” really means in 2026

Dual‑control MPC: Threshold signing (often called MPC/TSS) that enforces at least two independent approvals for sensitive ops (transfers, policy edits), ideally with hardware‑bound factors and a policy engine (limits, whitelists, velocity). BitGo, Coinbase Prime and others expose APIs to codify this “four‑eyes” rule across wallets and portfolios. (developers.bitgo.com)
On‑chain audits: Public, programmatically verifiable proofs for either:
- Reserves (e.g., Chainlink Proof of Reserve feeds, direct address disclosures, or Merkle‑tree solvency proofs), often wired into token mint/burn logic so issuance halts if backing drops. (chain.link)
- On‑chain governance/audit trails (e.g., policy updates and approvals recorded on a chain or Layer‑2, or Safe modules that log role changes and function‑level permissions). (qredo.com)

Who actually offers both today?

Below are custodians and custody platforms that pair dual‑control MPC (or equivalent) with on‑chain auditability—either reserves transparency or on‑chain governance logs—with concrete examples you can verify.

1) Coinbase (Prime/Custody): Dual‑control MPC and live on‑chain Proof of Reserves for cbBTC

Dual‑control MPC and policy engine: Prime’s Onchain Wallet uses MPC with configurable consensus rules per portfolio, address groups, transaction types, and video approvals. Approvals can enforce the four‑eyes principle, with YubiKey + biometrics and mobile signers holding MPC shards. (help.coinbase.com)
On‑chain reserves: Coinbase publishes a cbBTC Proof‑of‑Reserves page with live BTC reserve addresses and network‑level cbBTC supply. As of January 5, 2026, the page showed 76,163.86 BTC in reserve vs 76,153.04 cbBTC outstanding across Ethereum, Base, Solana, and Arbitrum; the page is updated continuously. (coinbase.com)
Best fit: Enterprise wrappers/bridges and tokenized products that must demonstrate 1:1 backing to external counterparties and DeFi protocols. The PoR page is the authoritative reference, and policies/approvals live in Prime for dual‑control operations. (coinbase.com)

2) BitGo Bank & Trust, N.A.: Policy‑driven MPC plus PoR tooling and WBTC‑style on‑chain transparency

Regulated status: In December 2025 BitGo secured OCC approval to convert its South Dakota trust into a federally chartered national trust bank (BitGo Bank & Trust, N.A.). This puts custody under uniform federal supervision—useful for tokenization projects with bank‑grade requirements. (bitgo.com)
Dual‑control MPC and policy engine: BitGo wallets use threshold signatures (now labeled MPC in docs) with a policy engine that can require two+ admin approvals for withdrawals and lock changes; pending approvals are enforced via API. (developers.bitgo.com)
On‑chain audits: BitGo provides a Proof‑of‑Reserves framework that encourages public address disclosure and third‑party validation. For wrapped assets like WBTC (custodian BitGo), backing is inherently on‑chain via disclosed BTC addresses and on‑chain supply. (developers.bitgo.com)
Best fit: Institutions needing bank‑supervised custody plus PoR patterns (public address sets or oracle‑based PoR) for tokenized/bridged assets. (bitgo.com)

3) Crypto Finance (Deutsche Börse Group): Custodian with live Chainlink PoR for ETP reserves

What’s new: In September 2025, Crypto Finance went live with Chainlink Proof of Reserve for nxtAssets’ physically‑backed BTC and ETH ETPs, publishing reserve verification on Arbitrum via the Chainlink Runtime Environment. This lets investors independently verify that custodied assets back outstanding ETP shares. (disruptionbanking.com)
Why it matters: It’s a production example of a regulated custodian pushing reserves on‑chain for a traditional security wrapper—useful precedent for tokenized funds needing verifiable backing and exchange‑listed products. (disruptionbanking.com)

4) Backed Finance (Tokenization issuer working with custodians): On‑chain PoR with third‑party auditor data

The model: Backed’s tokens (e.g., tokenized treasuries and funds) publish Chainlink PoR updated about every 24 hours, with The Network Firm accessing custody bank accounts and pushing reserve data on‑chain via Chainlink. This “auditor‑to‑oracle” flow avoids issuer self‑attestation risk. (docs.backed.fi)
Where it fits: If your tokenization program wants mint/burn wired to a PoR feed with independent auditor data—not just a blog post—this blueprint is battle‑tested. (docs.backed.fi)

5) Wenia (Bancolombia Group): Stablecoin with PoR‑gated minting, live today

COPW’s reserves are published on‑chain via Chainlink PoR, integrated into the mint function to prevent “infinite mint” incidents; audits by Harris & Trotter add an off‑chain layer. It’s a concrete, live PoR‑secure‑mint pattern suitable for banks launching fiat‑backed tokens. (prnewswire.com)

6) Qredo (decentralized custody network): On‑chain governance and audit logs with dMPC

Governance and auditability: Qredo records governance policies, whitelists, and alterations immutably on the QredoChain, enabling on‑chain audit trails for approvals and role changes. It’s dMPC (consensus‑coordinated MPC) designed to remove single‑vendor single points of failure, with exportable logs for compliance. (qredo.com)
Fit: Teams that need on‑chain operational auditability and granular, codified approvals across portfolios—e.g., managers operating across CeFi/DeFi and multiple chains with institutional governance. (qredo.com)

7) Cobo Custody + Cobo Argus: MPC custody plus on‑chain RBAC and Safe‑based audit trails

Custody + policy engine: Cobo offers licensed custodial and MPC wallets with a risk/policy engine (limits, whitelists, multi‑user approvals). (cobo.com)
On‑chain auditability: Cobo Argus builds on Safe{Wallet} with on‑chain role‑based access controls and parameter‑level permissions; every permission change and DeFi interaction is recorded on‑chain via Safe modules—creating an auditable trail of who could do what, when. (docs.cobo.com)
Fit: Tokenized products that must interact with DeFi treasuries under strict, on‑chain governance (e.g., function‑scoped roles for AMM deposits, borrow limits), while assets remain under MPC custody with dual‑control off‑chain policies. (cobo.com)

8) Anchorage Digital (federally chartered crypto bank): Dual‑control governance; reserves transparency for issued products

Dual control and governance: Anchorage adds quorum‑based internal approvals for governance participation and staking from secure custody—useful for protocol votes without moving assets to hot wallets. (anchorage.com)
Reserves reporting: As issuer of USDtb with Ethena Labs, Anchorage publishes monthly reserve attestations by Deloitte (off‑chain), complementing on‑chain supply visibility. Good for bank‑grade programs where audited reports plus on‑chain transparency are required. (anchorage.com)

9) Zodia Custody (Standard Chartered‑backed): MPC via Dfns + exchange‑mirror Interchange; PoR‑friendly workflows

Key tech: Zodia integrates Dfns MPC with policy‑driven entitlements and governance quorums; Interchange keeps assets at the custodian while mirroring balances on exchanges—compatible with PoR workflows where exchanges and custodians reconcile live. (dfns.co)

Practical architectures you can deploy now

Below are three repeatable patterns we implement for clients; each enforces dual‑control MPC and surfaces on‑chain evidence.

Pattern A — Wrapped/bridged asset with live PoR and dual‑control approvals

Custody: Coinbase Prime or BitGo Bank & Trust for underlying reserves; dual‑control MPC enforced via policy engine. (help.coinbase.com)
On‑chain audits:
- Option 1: Direct address disclosure + live PoR page (cbBTC model). Mint/burn contract references a public registry of reserve addresses and checks a Chainlink PoR feed or reads Coinbase’s PoR endpoint through an oracle. (coinbase.com)
- Option 2: Auditor‑to‑oracle PoR (Backed model). Independent auditor reads custodian accounts and publishes to Chainlink; minting halts if reserves < supply or deviation > threshold. (docs.backed.fi)
Governance: Require two or more human approvers to initiate and sign any rebalancing transfer from reserve wallets; put emergency pause under a distinct quorum. (developers.bitgo.com)

Pattern B — Tokenized fund/ETP with regulated custody and on‑chain reserve proofs

Custody: Crypto Finance (Deutsche Börse Group) holds BTC/ETH; the issuer (e.g., nxtAssets) publishes on‑chain PoR via Chainlink CRE on Arbitrum; investors verify ETP backing in real time. Pair with dual‑control MPC workflows for any creation/redemption action. (disruptionbanking.com)
Bonus: For cross‑chain distribution, add CCIP or native bridges only after PoR gating to avoid minting on unsupported chains. (chain.link)

Pattern C — DeFi‑active treasury with on‑chain operational audit trail

Custody: Cobo Custody MPC for asset safekeeping and policy rules (velocity, whitelists, approver groups). (cobo.com)
On‑chain governance: Cobo Argus + Safe module to encode roles at function/parameter level (e.g., “role X can add liquidity up to N, only to allow‑listed pools”), with all role grants and policy changes logged on‑chain. Dual‑control MPC gates transfers back to custody or to exchanges. (docs.cobo.com)

12 best emerging practices we’re seeing from leading tokenization teams

Tie mint/burn to PoR in code. Use Chainlink PoR feeds to gate minting; don’t just “publish a dashboard.” This is now live in production for stablecoins (Wenia’s COPW) and wrapped assets. (prnewswire.com)
Prefer auditor‑sourced PoR data. Backed routes reserve checks from an independent auditor to Chainlink oracles, reducing self‑attestation risk called out by third‑party analyses. (docs.backed.fi)
Dual‑control at two layers. Enforce four‑eyes in the custodian’s policy engine (BitGo/Coinbase) and in the smart‑contract layer (multi‑sig governor or Safe module) so one compromised identity cannot unilaterally mint/redeem. (developers.bitgo.com)
Publish addresses or feeds—not PDFs. For wrapped BTC, Coinbase’s cbBTC page discloses addresses and supply by network for live reconciliation. Prefer feeds with update thresholds (e.g., 1–10% deviation triggers) to avoid stale data. (coinbase.com)
Encode role‑based permissions on‑chain. Safe‑based RBAC (Cobo Argus) provides an immutable audit trail of who could call what function when—audit gold for internal controls testing. (docs.cobo.com)
Use dMPC where independence matters. Qredo’s consensus‑driven MPC eliminates single‑vendor key custody and records governance changes on‑chain; helpful for multi‑manager arrangements. (support.qredo.com)
Prefer bank‑supervised custody when your board asks. BitGo’s OCC‑chartered national trust bank status (and Anchorage’s federal charter) de‑risks regulator conversations for large issuers. (bitgo.com)
Show daily collateral composition for fiat‑like tokens. Under MiCA, SG‑Forge discloses collateral for EURCV/USDCV; combine with oracle‑published feeds as markets mature. (sgforge.com)
Bake emergency “kill‑switches” into policy and code. Use PoR thresholds to auto‑pause minting; in wallets, impose video approvals or extended quorum for “break‑glass” actions. (chain.link)
Choose modern TSS. Libraries like FROST (for EdDSA) and newer Schnorr TSS like Arctic reduce rounds and improve signer UX—especially valuable for high‑frequency operations. Ask vendors which protocols they’ve implemented. (dfns.co)
Plan for post‑quantum. Threshold ML‑DSA research from JPMorgan et al. shows how MPC can scale to PQ signatures; future‑proof long‑dated RWAs. (eprint.iacr.org)
Demand exportable logs. Whether from Qredo’s L2, Coinbase Prime activity, or Safe module events, insist on machine‑readable exports for SOC/ISO audits and internal control testing. (qredo.com)

2026 buyer’s short‑list: who to pilot for which job

Need a public PoR page today for a wrapped/bridged token? Start with Coinbase cbBTC’s model and Prime’s consensus rules; alternatively implement Backed’s auditor‑driven PoR design with your chosen custodian. (coinbase.com)
Tokenizing an ETP or fund for public markets? Copy Crypto Finance + nxtAssets’ setup: regulated custody, Chainlink PoR on Arbitrum, and dual‑control policies for creations/redemptions. (disruptionbanking.com)
DeFi‑active treasury with in‑contract controls? Use Cobo Custody + Argus to encode role scopes on‑chain, with MPC and policy engines off‑chain for cash‑management rails. (docs.cobo.com)
Bank‑grade custody requirement with MPC and policy engine? Short‑list BitGo Bank & Trust, N.A. and Anchorage; add Zodia (MPC via Dfns) where a bank‑backed model is desired and Interchange workflows are relevant. (bitgo.com)

Implementation checklist (drop into your RFP)

Security and approvals

Mandate dual‑control (two human approvers minimum) for: policy edits, withdrawals above X, mint/burn, key shard rotations. Require hardware‑bound factors. (developers.bitgo.com)
Ask which MPC/TSS protocol is used (e.g., FROST for EdDSA chains), how many rounds per signature, and device binding method. (dfns.co)

On‑chain auditability

Require a production PoR mechanism:
- Direct address disclosure with a real‑time dashboard, or
- Oracle‑based PoR with auditor‑sourced data and mint gating (“secure mint”). (coinbase.com)
If treasury interacts with DeFi, demand Safe‑based modules (or equivalent) with on‑chain RBAC and event logs export. (docs.cobo.com)

Regulatory/operational

Confirm charter and jurisdiction (e.g., OCC‑chartered national trust bank; federal/FINMA/NYDFS). Align with your auditor’s “qualified custodian” interpretation. (bitgo.com)
Ask for SOC 2 Type II, ISO 27001, plus how change‑management and incident response are tied to on‑chain logs. (cobo.com)

Tokenization lifecycle

Require mint/burn hooks to PoR feeds and emergency pause conditions.
Define creation/redemption SLAs and how dual‑control approvals are executed via API (bulk approvals, time‑locks). (help.coinbase.com)

Reporting

Exportable approval logs and PoR history (chain links, block numbers) fit for external audit workpapers. (qredo.com)

Common pitfalls and how to avoid them

“We do audits”—but nothing’s on‑chain. Demand feeds/contracts you can integrate into protocols, not just PDFs or marketing pages. Use Coinbase’s cbBTC page or Backed’s PoR documentation as the bar. (coinbase.com)
Self‑attested PoR. Some PoR feeds still rely on issuer APIs; prefer auditor‑sourced or custodian‑verified data. If you must start with self‑attestation, set a timeline to graduate to third‑party sourced feeds. (coindesk.com)
Single‑layer approvals. One compromised admin should never be able to mint, move, or rewrite policies—enforce dual‑control in both wallet policy engine and on‑chain governance. (developers.bitgo.com)

Roadmap watch

Banks moving in: OCC trust charters for digital‑asset custodians (e.g., BitGo) advance bank‑grade tokenization routes in the U.S. Expect more issuers to demand bank‑supervised custody plus on‑chain PoR. (bitgo.com)
PoR “secure‑mint” becoming table stakes: Expect more stablecoins, wrappers, and tokenized funds to make minting contingent on oracle‑verified reserves—COPW and cbBTC set the tone. (prnewswire.com)
Faster threshold signatures and PQ‑readiness: Adoption of FROST/Arctic TSS and research on threshold ML‑DSA indicates lower latency MPC and long‑horizon cryptographic resilience for RWAs. (dfns.co)

How 7Block Labs can help

We design and implement these architectures end‑to‑end: MPC wallet policy models, PoR‑gated token contracts, Safe modules for on‑chain RBAC, and integration with custodians’ APIs for creations/redemptions. If you want a rapid vendor bake‑off, we’ll stand up a sandbox that pushes reserves on‑chain, enforces dual‑control in both layers, and surfaces audit‑ready logs in under four weeks.

If you need a head start, we can help you pilot with:

Coinbase Prime (policy engine + cbBTC PoR pattern), BitGo Bank & Trust (bank‑grade MPC + PoR), or Crypto Finance (regulated custody + on‑chain PoR for ETPs). (help.coinbase.com)

References you can check right now

Coinbase cbBTC Proof‑of‑Reserves (live addresses/supply by network). (coinbase.com)
BitGo: OCC‑chartered BitGo Bank & Trust N.A.; MPC/TSS policy engine; PoR developer docs. (bitgo.com)
Crypto Finance x nxtAssets: Chainlink PoR for ETP reserves on Arbitrum. (disruptionbanking.com)
Backed Finance: Auditor‑to‑oracle PoR architecture and update cadence. (docs.backed.fi)
Wenia (Bancolombia): PoR‑gated mint for COPW with third‑party audits. (prnewswire.com)
Qredo: On‑chain governance/audit logs for dMPC. (qredo.com)
Cobo Argus: Safe‑based on‑chain RBAC and auditability; Cobo custody policy engine. (docs.cobo.com)
Anchorage Digital: Quorum‑based approvals for governance and staking; USDtb monthly reserve attestations by Deloitte. (anchorage.com)

Need a working PoR‑gated tokenization pilot with dual‑control MPC? We can get you from requirements to a live, auditable prototype in one sprint.