Cryptographic Control Is Fiduciary Power, Not Title
Why custody, escrow, and exchange “gatekeeping” belongs inside orthodox trust law, fiduciary duty, and judicial supervision
Keywords: fiduciary power; cryptoasset custody; escrow; exchanges; omnibus wallets; multi-signature; threshold signatures; MPC; trust intention; discretion; equitable supervision; tracing; remedies
Control over an asset is not the same thing as owning it. That sentence should be banal. Yet in disputes involving digital assets it is treated as controversial, as though a technical capacity to authorise a transfer must either (i) be collapsed into title, or (ii) be regarded as a purely technical fact that places the arrangement beyond law. Both moves are doctrinal mistakes, and both produce the same practical consequence: they allow gatekeepers to present discretionary power as either “ownership” or “mere mechanics”, and thereby evade the vocabulary that equity has always used to constrain entrusted power.
The core phenomenon is simple. Modern custody and exchange arrangements frequently place another person’s proprietary position behind a gate. The gate may be a private key held by a custodian. It may be a multi-signature threshold that requires an intermediary’s co-signature. It may be an internal approval process inside an institution using threshold signing or multi-party computation. It may be a smart contract that appears automatic but contains an administrator key with pausing, upgrade, or emergency withdrawal functions. It may be an exchange’s withdrawal queue and “compliance hold” process sitting in front of pooled assets held in omnibus wallets. In all these cases, the customer’s practical ability to deal with what is described as “their” asset is contingent on another person’s decision.
The law is not unfamiliar with this structure. Equity has spent centuries dealing with it. Trusts, fiduciary obligations, and the supervision of discretion exist precisely because control can be used opportunistically when it is exercised for another or for a defined purpose. Once one stops treating cryptography as metaphysics and treats it as power over disposition, the doctrinal frame becomes surprisingly straightforward: the arrangement is either a form of holding for another (trust-like) or a promise to deliver an equivalent (debt-like), and in both cases discretionary gatekeeping powers—where assumed for another’s benefit or for a defined purpose—attract fiduciary constraints and are subject to judicial supervision.
I. Control is a power-structure, not a label
The first step is methodological. Many of the hardest disputes in this area are created by language that is meant to be reassuring rather than true. Terms of service commonly say “you remain the owner” while reserving broad rights to delay, freeze, substitute, rehypothecate, net internally, and refuse withdrawals. Conversely, some escrow arrangements are drafted in blunt commercial language that resembles debt, while the structure gives the intermediary a narrow, purpose-bound authority to release only on specified conditions. If analysis begins with labels—“custody”, “ownership”, “trustless”, “escrow”—it will be captured by marketing.
A better starting point is a power map. A power map asks: who can sign; who can delay; who can impose conditions; who can redirect; who can commingle; who controls recovery; and where, precisely, discretion sits. It deliberately ignores the superficial form of the transaction and focuses on veto points. That is not a technological fetish. It is the only way to see the arrangement as a legally relevant delegation of power.
Once one does this, the common architectures fall into a small set of recurring patterns.
In single-key custody, the customer cannot independently authorise a transfer. The custodian controls the signing capacity, and the customer’s position is mediated by an internal entitlement recorded on the custodian’s books. The legally significant facts are not the cryptography but the dependency: the custodian can delay, refuse, or condition release; can substitute assets internally; can commingle; and controls recovery. If the custodian undertakes to hold for the customer, the structure looks like classic entrusted control. If the custodian undertakes only to deliver an equivalent amount, subject to conditions, the structure looks like debt. Either way, the power is real and the question becomes how it is constrained.
In multi-signature escrow, control is divided. A typical 2-of-3 escrow creates a built-in gatekeeper: the escrow agent may not be able to move assets alone, but holds a veto and, in combination, an effective capacity to decide outcomes. The legally significant facts are the threshold, the allocation of keys, the release conditions, the dispute resolution mechanism, and the possibility of collusion. Multi-signature arrangements are valuable precisely because they make visible what is otherwise obscured: control is not a binary. Partial control—especially veto control—can be the most legally important form because it is the place where discretion lives.
Threshold signature and MPC custody complicate appearances while often preserving the same underlying power structure. On-chain, a threshold/MPC system may look like a single signature. In reality, it can be a committee decision embedded in a technical procedure: a risk team can impose a hold; an approval workflow can require multiple actors; a compliance unit can veto; an internal exception process can override. The legal facts are therefore governance facts: who can initiate signing, who can block it, what standards are said to apply, what audit trail exists, and who can rotate or reconstitute the key shares. The technical design can conceal discretion, but it cannot abolish it.
Smart-contract escrow with administrative controls presents a particularly sharp version of the same problem. The rhetoric is that the contract is automatic. The reality is that many systems contain privileged functions: pause, upgrade, emergency withdrawal, parameter change, oracle control. The contract therefore has two layers: the release logic and the meta-control. The moment a small set of controllers can intervene, the system is no longer meaningfully “beyond discretion”. It is discretion in a more concentrated, less visible form.
Exchange custody, finally, is the hard case because it combines pooling, internal ledgers, discretionary withdrawal gates, and insolvency-facing risk. Exchanges typically use omnibus wallets and internal account balances; most “transfers” are internal book entries. There is often hot/cold partitioning, withdrawal queues, risk scoring, manual review, and discretionary holds. The legally significant facts are the exchange’s capacity to commingle customer and house assets, to use or rehypothecate, to substitute, to net, to delay, and to privilege some customers over others through processing choices. These are not peripheral operational details. They are the infrastructure of discretion.
II. When custody is trust, and when it is not
Trust law is not a museum of physical possession. It is a system for imposing obligations of a particular type: obligations that require the holder of control to deal with property for another or for a defined purpose. The orthodox “three certainties” remain the frame: intention, subject matter, and constitution. The difficulty in modern custody is not that these concepts fail; it is that they are often discussed in the wrong language.
Intention is objective. It asks whether the words and conduct show an intention to impose trust-like obligations rather than to create only personal rights. A platform can say “you remain the owner” and still structure a relationship that, in substance, is debt: the platform undertakes only to deliver an equivalent amount, reserves wide rights of use, and places the customer squarely within counterparty risk. Conversely, a platform can avoid the word “trust” and still create trust-like obligations by undertaking segregation or purpose-limited holding.
Subject matter is not defeated by the absence of physical earmarking. Modern commerce is built on intangible rights and pooled funds. Trusts can subsist over bank balances, dematerialised securities, and pooled client money. What matters is identifiability. In intermediated systems, identifiability is supplied by records, reconciliation, and defined pool boundaries. If a custodian says “this is a client pool” and maintains accounting that makes each customer’s entitlement ascertainable, subject matter can be sufficiently certain even if individual units are substituted within the pool. If, however, the “pool” is not a client pool at all but an undifferentiated treasury of the platform, subject matter problems often reflect a deeper truth: the platform never intended to hold for customers; it intended to use.
Constitution is often misunderstood because people imagine it requires physical delivery. In truth, constitution requires that the rights be placed under the trust obligations: by transferring the relevant rights to the trustee, or by declaring a trust over rights already held. In custody, constitution can occur by placing the asset under the custodian’s control architecture (single-key, multi-signature, threshold governance) with acceptance of the undertaking. The legal point is not mystical: the asset becomes subject to an obligation of administration for another.
These principles produce a disciplined way to handle the exchange problem. Many exchange terms contain custody language while operations involve commingling, substitution, use, and withdrawal discretion. The correct analysis separates two questions that are too often conflated: whether a trust was created at all, and whether later conduct is a breach of that trust. Commingling does not automatically mean “no trust”; it can be evidence that the platform never intended segregation, or it can be a breach of a prior undertaking to segregate. That distinction matters because it changes remedies and priorities, especially in insolvency.
There is a further boundary: trust versus debt. The debt model is not inherently illegitimate. A platform can say, candidly, that customers have only a personal claim for an equivalent, and that the platform may use assets. What is illegitimate is the hybrid: marketing custody while reserving free use and discretionary control that allows the platform to monetise customer dependence without admitting it is asking for permission to run conflicts.
III. Fiduciary duty arises from gatekeeping power
Even where trust classification is contested or fails, fiduciary analysis often remains central because the wrong that matters is frequently the misuse of power, not merely the misdescription of title. Fiduciary obligation is not a general duty of care. It is a loyalty constraint triggered by a position: one party is entrusted with discretionary power that can be exercised to affect another’s interests, and the entrusted party can exploit that position unless constrained.
That framing fits cryptographic control with uncomfortable precision. The most valuable powers in custody and exchange settings are often veto powers: the ability to delay, freeze, refuse, condition, or release. Those are precisely the powers that can be used as leverage, preference, or profit devices. The law’s response is orthodox. Where a person holds such powers for another’s benefit or for a defined purpose, equity demands: no conflict unless properly authorised; no unauthorised profit; proper purposes; and, where the power affects multiple entitled parties, even-handed administration.
The conflict patterns in custody are not exotic. They are the standard loyalty problems in modern dress.
Undisclosed use or rehypothecation is the cleanest case. If assets held under custody rhetoric are used for the platform’s own profit—lending, internal financing, liquidity deployment—the platform has placed itself in a conflict between profit and the customer’s entitlement to availability and risk-limited holding. The legal question becomes authorisation: was the use permitted, and was consent informed and specific? Broad boilerplate is not the same as informed consent where the economic substance of the relationship is marketed as safekeeping.
Profit through delay is a subtler but structurally similar problem. Withdrawal delay can be used to manage liquidity shortfalls, to keep assets on platform longer, to preserve internal positions, or to extract fees and spreads. Even if some delay is justifiable for security or legal compliance, the discretion is vulnerable to collateral purposes. Fiduciary analysis is designed for precisely this: it does not require that the customer prove what would have happened in a counterfactual world of immediate withdrawal, and it refuses to treat the platform’s informational advantage as a shield.
Selective processing and internal preference arise where platforms decide whose withdrawals are accelerated, whose are slowed, whose accounts are “risk reviewed”, and whose are waved through. In pooled custody systems, discretionary processing becomes a distributive decision. The platform’s power resembles administration of a common fund, and equity’s insistence on even-handedness becomes the right vocabulary for constraining preference disguised as “operations”.
“Compliance holds” deserve separate attention because they are rhetorically protected. The point is not to deny that legal obligations exist. The point is that invoking compliance does not create unreviewable dominion. A hold genuinely imposed for lawful purposes, applied by disclosed criteria, and lifted when satisfied is one thing. A hold used to manage liquidity, retaliate, extract concessions, or impose new terms retrospectively is another. The distinction between proper purpose and collateral purpose is an old one. The novelty is only the setting.
Mixed-control governance does not dissolve fiduciary constraint. An escrow agent who cannot move assets alone can still be a fiduciary because it holds a decisive veto or release power. A committee that must approve signing can still be constrained because the committee holds power for others. A recovery agent who can reassign access can still be constrained because recovery authority can be functionally equivalent to dispositive authority. Partial powers can be the most dangerous because they are easier to deny: “we cannot move anything unilaterally” is a convenient phrase for someone who can still block everyone else.
IV. Judicial supervision is the missing doctrinal bridge
Many crypto-exceptional arguments rely, quietly, on a claim about impotence: that because the chain will accept a valid signature, and because the court cannot “force a key to sign”, equitable supervision is either irrelevant or empty. That claim misunderstands what equity supervises. Equity supervises persons who hold powers for others and the purposes for which those powers are exercised. Its jurisdiction is characteristically in personam. It does not need to operate the asset. It needs to control the controller.
The orthodox supervision of discretionary powers supplies the doctrinal bridge. Equity distinguishes between controlling a discretion by substituting the court’s own decision and supervising whether the discretion has been properly exercised. Supervision is not a merits appeal. It asks whether the power was exercised in good faith, for proper purposes, by reference to relevant considerations, without caprice or irrationality, and without disloyal self-interest.
That grammar maps directly onto custody governance. Risk committees, exception processes, freeze/release rules, manual overrides, emergency admin keys, and recovery processes are discretions in functional form. They are not “technical details”; they are the locations where human judgment determines whether another’s proprietary position may be altered.
This is also where the phrase “uncontrollable authority” becomes revealing. A wide discretionary power can be drafted in broad language, even language suggesting it is unfettered. Yet breadth does not immunise the power from supervision. If anything, breadth enlarges the space in which collateral motives can operate, and thereby increases the importance of proper-purpose policing. A platform cannot draft itself into a private sovereign position and then insist that the law must treat the resulting power as a mere fact.
Practical enforceability follows from the same orthodox starting point. Courts do not need to reverse protocol. They restrain and compel persons: injunctions, mandatory orders, disclosure orders, accounting, and—crucially—coercive enforcement through contempt. If a custodian or exchange sits within the court’s reach, the court can require segregation, require processing, restrain disposal, compel disclosure, require an account of profits, and order structural remedies. Where power is institutional rather than individual, equity’s remedies have always included institutional re-ordering: substitution of trustees, appointment of receivers, supervised administration, and conditions imposed on the exercise of power.
There is a further virtue in the supervision frame. It does not require courts to become technologists. It requires them to do what they already do: insist on legible purposes, relevant reasons, and accountable processes. A custody platform that interferes with access to assets should be able to articulate criteria, apply them consistently, record decisions proportionately to stakes, and exclude collateral motives. That is not regulatory preaching. It is the minimum content of lawful discretion where one party is empowered to constrain another’s proprietary position.
V. Remedies respond to power without pretending to rewrite code
Once the arrangement is seen as a power structure, remedies become less mysterious. The remedial task is not to achieve protocol reversal. It is to respond to misuse of entrusted control through orthodox categories: proprietary responses where a proprietary base exists; fiduciary accountability where disloyal power has produced profit or structural abuse; and personal remedies where proprietary claims fail.
Interim relief matters because control disputes are vulnerable to being converted into faits accomplis. Preservation through injunctions and freezing orders is often the only way to prevent the gatekeeper from moving assets while the dispute is litigated. Information orders matter because the crucial evidence is frequently not the chain but the intermediary’s internal mapping between external addresses and internal ledgers, between withdrawal decisions and authorising personnel, between “holds” and reasons. In intermediated systems, records are not a convenience; they are the factual substrate of rights.
Proprietary remedies, where available, proceed by tracing into substitutes and recovering identifiable proceeds. Tracing is not a cause of action; it is a method of identifying what has become of property. Commingling changes allocation and priority; it does not abolish principle. Mixed funds and pooled entitlements are a familiar problem in equity, and the law’s techniques—allocation rules, equitable accounting, charges—exist precisely to address the consequences of mixing.
Fiduciary remedies remain crucial even when trust classification is difficult, because the core wrong in many custody and exchange scandals is not “you failed to give me title”; it is “you used the gate you were entrusted with to profit, preference, or coerce”. Accounting for profits is the paradigmatic response. It is directed to the fiduciary’s gain and the integrity of the office, not to whether a claimant can point to a specific unit and say “that one is mine”. That matters in omnibus systems where the platform’s gain may be generated by structural exploitation rather than by a single misapplied asset.
Enforcement, finally, should be described in blunt terms. Equity orders persons. It compels and restrains. It polices refusal through contempt. It can also reorder governance where discretion is abused: requiring independent control, imposing supervision, transferring custody, appointing receivers, conditioning the exercise of emergency powers, mandating records and criteria. None of this requires fantasy. It requires courts to treat gatekeeping as responsibility, not as “technology”.
VI. The non-exceptionalist conclusion
The most damaging move in this field is the insistence that digital assets sit outside equitable control. It is sometimes dressed up as technical realism. In truth, it is a category error. Equity’s control has never depended on operating the thing. It depends on controlling those who hold power over it.
The question for courts and market participants is therefore not whether the law must invent a special category for cryptography. The question is whether intermediaries who choose to intermediate control will be allowed to pretend that their discretion is either ownership or mere mechanics. The answer should be no. The law already has a vocabulary for entrusted gatekeeping: trust analysis where holding is for another; fiduciary loyalty where power creates conflicts and temptation; supervision of discretions where breadth and opacity invite collateral motives; and remedies that respond to power without claiming to reverse protocol.
In that frame, the practical demand on institutions is also orthodox. Choose the model and make it legible. If the platform holds for customers, then non-use, purpose limitation, record integrity, and constrained discretion are not optional extras; they are the legal content of custody. If the platform owes an equivalent and intends to use assets, then candour is the price: admit the debt model and disclose counterparty risk. What must not be tolerated is the comforting fiction of custody paired with the quiet reality of discretionary dominion.
Cryptographic control, properly understood, is not a new kind of title. It is a new surface on which an old problem appears: power over another’s property. Equity exists because such power is never merely technical. It is always moral in the only sense the law needs: it is a position that must be constrained.