7Block Labs
Blockchain Solutions

By AUJay

Custody-as-a-Service is totally within reach for regional banks, and you can get it up and running in just a quarter by combining threshold-signing MPC with FIPS 140-3 HSMs, ISO 20022-native screening, and robust third-party risk controls that align with bank standards. With SAB 121 now off the table and clearer OCC guidance, it’s easier than ever to make a solid business case for a compliant, low-capex, white-label deployment. (sec.gov)

Custody‑as‑a‑Service: White‑Label Solutions for Regional Banks

Keywords that Matter to Us (and We’re All In)

  • Jack Henry Banno API
  • FIS Code Connect
  • Fiserv Signature Developer Studio
  • ISO 20022 CBPR+ (just a heads up, the end of coexistence is hitting in Nov 2025)
  • FIPS 140‑3 Level 3 HSM
  • FROST threshold signatures
  • PQC (think FIPS 203 ML‑KEM / FIPS 204 ML‑DSA / FIPS 205)
  • FFIEC third‑party risk
  • OCC IL 1183/1184
  • SAB 122
  • FATF/EBA “Travel Rule”
  • NYDFS sub‑custodian guidance
  • Basel cryptoasset disclosure (mark your calendars for Jan 2026)

If you want to dive deeper, head over to swift.com for all the details.

The technical headache blocking your board’s 2026 roadmap

Your board is really eager for a concrete date on digital-asset custody, but it feels like you're trying to juggle too many balls at once. Your core system still has some work to do, InfoSec is pushing for those HSMs, risk management is all about having those reliable FFIEC-grade third-party controls, compliance is on your case about the Travel Rule and ISO 20022 mapping, and finance is looking for some straightforward answers regarding capital and GAAP. And just to throw in another layer:

  • Swift is gearing up to wrap up the MT/ISO 20022 coexistence phase for cross-border payment instructions by November 2025. This means you’ll need to ensure your sanctions and KYC data are ISO-native. Check it out here: (swift.com)
  • The Basel Committee is rolling out its cryptoasset disclosure framework along with some standard amendments starting January 1, 2026. You’ll want to prepare your reporting stack to break down exposures, handle stablecoins correctly, and keep an eye on liquidity metrics. More details here: (bis.org)
  • Good news! OCC Interpretive Letters 1183/1184 have given banks the green light to dive into crypto custody. You can even use sub-custodians or outsource without waiting for a supervisory non-objection--just make sure your controls are up to snuff with bank standards. Get the scoop here: (occ.gov)
  • And here’s a major update: SAB 121 is no more, thanks to SAB 122, which kicks in on January 30, 2025. This means SEC registrants can finally breathe a sigh of relief and won't have to deal with that pesky “custody liability” cloud hanging over them. Find out more here: (sec.gov)

The cost of waiting: missed deadlines, stranded revenue, and avoidable rework

  • If you miss the ISO 20022 deadline, you’ll have to redo your transaction screening twice--first for the old MT format and then again for CBPR+. And guess what? This could lead to some data loss along the way. Total unnecessary hassle. (swift.com)
  • Starting January 2026, Basel is rolling out standardized tables for crypto exposures. If you try to retrofit this after launching, you’ll be scrambling to re-map those custody ledger fields and wallet policies to capital buckets--no pressure, right? That’s a reporting mess waiting to happen. (bis.org)
  • DORA is officially in effect in the EU as of January 17, 2025. If you have branches in the EU or clients in the EEA, your contracts with crypto sub-custodians and cloud providers are about to get a lot more attention, especially regarding their “critical ICT” dependencies and resilience. Get ready for some serious scrutiny if you don’t have a solid plan in place. (enisa.europa.eu)
  • The FATF and EBA are expecting real enforcement of the Travel Rule--meaning info-complete transfers--starting December 30, 2024 in the EU. With many jurisdictions still behind the curve, you’ll need a solid, policy-driven approach for data collection and rejection handling right from the start. Ignore this, and you could easily walk into a sanctions/tipping-off trap later on. (eba.europa.eu)
  • FIPS 140-2 modules will be a thing of the past after September 21, 2026. Trying to rebuild HSM integrations post-launch to comply with 140-3 won’t just drain your budget; it’ll likely send auditors into a frenzy. That’s a compliance cliff you definitely want to avoid. (csrc.nist.rip)

7Block Labs’ white‑label custody blueprint (technical but pragmatic)

We’ve got a custody stack that everyone's on board with--your risk, audit, and core teams alike. So why’s that? Well, it fits right in with banking controls, works seamlessly with your core systems, and is built to stand the test of time for PQC and ISO 20022.

1) Key and signing architecture (security‑first, auditor‑ready)

  • Threshold Signatures: We’re implementing a FROST-style setup with a two-round Schnorr approach for the chains we support. Where we need ECDSA/EdDSA curves, we use TSS. What’s really awesome about this? No single Hardware Security Module (HSM) holds the entire private key, our signer sets stay crypto-agile, and all our policies are enforced right at the threshold layer.
  • Dual-Control Co-Signing: One share is securely stored in a FIPS 140-3 Level 3 HSM (you know, like the Luna 7), while the other shares are kept in isolated signers that are either rate-limited in execution or backed by enclaves. This approach helps us steer clear of any hot-key monocultures.
  • PQC-Ready Backups: We encrypt shard escrow and recovery payloads using ML-KEM (FIPS 203) and sign escrow manifests with ML-DSA (FIPS 204) in hybrid mode. Plus, we’ve got LMS (FIPS 205) ready to roll for any hardware-constrained situations. It’s all about creating a strong migration path for PQC right from the start.
  • Roadmap Compliance: We’re keeping the September 21, 2026, 140-2 sunset date front and center as we design everything, and we’re currently following the CMVP processes. This approach helps us avoid any revalidation hassles down the line.

What you’ll get:

  • A clear separation of duties using M-of-N setups, policy quorums, and a mix of signers.
  • Fast disaster recovery with RTO/RPO of under 60/15 minutes, thanks to escrowed, PQC-wrapped shards and geo-redundant attestations.
  • Change control with proof: each policy update generates an immutable config hash along with signatures from reviewers.

2) Policy engine + compliance automation (Travel Rule, sanctions, ISO 20022)

  • Pre-send controls:
    • We’re mapping ISO 20022 messages to cover all payment party fields. If a transaction is missing the originator or beneficiary identifiers, we’ll either reject it or hold it until we’re sure it’s compliant with the CBPR+ end-of-coexistence and the Travel Rule's data requirements.
    • We’re rolling with both on-chain allow/blocklists and off-chain KYC lookups. On top of that, we’ll set up a case routing system that keeps a close eye on the whole process with “detection → cure → re-screen” stages, plus time-stamped logs for audits.
  • EU/UK coverage: We’re getting ready to implement the EBA’s 2024 Travel Rule Guidelines, which cover all the essential data fields and remediation workflows. We're also tuning into FATF’s updates on cross-border enforcement and stablecoin risks that are on the agenda for 2024/2025.
  • U.S. alignment: We’re keeping in line with the OCC IL 1183/1184 guidelines, which clearly support sub-custody and outsourcing backed by bank-grade third-party risk management. Our controls will be in sync with the 2023 Interagency TPRM guidance and the 2024 Fed CA 24-2 memo.
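
One way to implement the pre-send gate and the “detection → cure → re-screen” loop described above, as an added example (not 7Block Labs’ code). The party field names, decision labels and addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical field names: a real deployment maps them from its ISO 20022 party data.
REQUIRED = ("name", "account_id", "country")
ROLES = ("originator", "beneficiary")

@dataclass
class Transfer:
    tx_id: str
    destination: str
    originator: dict
    beneficiary: dict
    audit_log: list = field(default_factory=list)

def _log(t, stage, decision, detail):
    # Every decision is time-stamped and kept with the transfer for audit.
    t.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                        "tx_id": t.tx_id, "stage": stage,
                        "decision": decision, "detail": detail})
    return decision

def missing_fields(t):
    # Empty and whitespace-only values count as missing.
    return [f"{role}.{f}" for role in ROLES for f in REQUIRED
            if not str(getattr(t, role).get(f) or "").strip()]

def screen(t, blocklist, stage="detection"):
    # The list check runs first so a data-gap hold can never mask a hit.
    if t.destination.strip().lower() in blocklist:
        return _log(t, stage, "REJECT", "destination on blocklist")
    gaps = missing_fields(t)
    if gaps:
        return _log(t, stage, "HOLD", "missing " + ", ".join(gaps))
    return _log(t, stage, "RELEASE", "party data complete, no list hit")

def cure_and_rescreen(t, role, updates, blocklist):
    if role not in ROLES:
        raise ValueError(f"unknown party role: {role}")
    getattr(t, role).update(updates)
    _log(t, "cure", "HOLD", f"{role} fields supplied: {sorted(updates)}")
    # A cure never releases on its own: the full screen runs again
    # against the blocklist as it stands now.
    return screen(t, blocklist, stage="re-screen")

def demo():
    # Constructed sample data; the addresses are placeholders, not real wallets.
    bad, ok = "0x" + "bd" * 20, "0x" + "a1" * 20
    blocklist = {bad}
    full = {"name": "Example Corp", "account_id": "ACC-001", "country": "US"}
    gap = {"name": " ", "account_id": "ACC-002", "country": "LU"}
    results = {}

    t1 = Transfer("tx-1", ok, dict(full), dict(full))
    results["complete"] = screen(t1, blocklist)

    t2 = Transfer("tx-2", ok, dict(full), dict(gap))
    results["gap_then_cured"] = [
        screen(t2, blocklist),
        cure_and_rescreen(t2, "beneficiary", {"name": "Example SA"}, blocklist)]

    t3 = Transfer("tx-3", bad, dict(full), dict(gap))
    results["listed_with_gap"] = screen(t3, blocklist)

    other = "0x" + "c2" * 20
    t4 = Transfer("tx-4", other, dict(full), dict(gap))
    first = screen(t4, blocklist)
    blocklist.add(other)  # list updated while the case was on hold
    results["listed_during_hold"] = [
        first,
        cure_and_rescreen(t4, "beneficiary", {"name": "Example SA"}, blocklist)]
    return results
```

The last case is the one worth testing for: a transfer that was only held for missing data is rejected at re-screen because the list changed while the case was open.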

3) Core banking integration (Jack Henry, FIS, Fiserv) without rip‑and‑replace

  • Jack Henry Banno: We’re simplifying the way you handle custody UX in digital banking with our OAuth2/OIDC SSO, Admin/Consumer APIs, and the Banno Plugin framework. No more hassles with data duplication--now you can enjoy a single customer identity!
  • FIS Code Connect: We take care of custody events--like deposits, withdrawals, and fee captures--by transforming them into solid ledger entries. And with more than 700 APIs available for things like KYC/KYB and treasury workflows, you can expect a nice return on investment that really boosts your business case.
  • Fiserv (Signature/Developer Studio): We're aligned with the Banking Hub and Signature connectors, working on account posting, syncing customer profiles, and managing statements. Plus, we’re all set to ensure a seamless transition for your Developer Studio workspaces.

4) Reporting and attestations (Basel 2026 + board communications)

  • Basel cryptoasset disclosures: We’ve sorted wallet classes into Group 1 and 2 and stuck to the stablecoin criteria. This way, when 2026 rolls around, you can easily fill in the Committee’s standardized tables with just a few clicks. (bis.org)
  • “Trust without leaking PII”: We've got optional Merkle-tree proofs and ZK attestations that show 1:1 reserves to both auditors and clients, and the best part? We do it all without revealing any addresses. We've taken inspiration from the top PoR leaders out there. (blog.kraken.com)
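
A sketch of the Merkle-tree side of such a proof, added here as an example and not taken from 7Block Labs or Kraken. It goes one step beyond a plain inclusion tree by using a Merkle sum tree, so each client can check that their own balance is counted in the published liabilities total without seeing anyone else's leaf. Client IDs, salts and balances are constructed; matching the total against on-chain reserves and any ZK layer are out of scope.

```python
import hashlib
import hmac

def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def _u(n):
    # Fixed-width unsigned encoding; raises OverflowError for negative values.
    return n.to_bytes(16, "big")

def make_leaf(salt, client_id, balance):
    # 0x00 separates leaves from inner nodes; the salted hash hides the client ID.
    return (_h(b"\x00", _h(salt, client_id.encode()), _u(balance)), balance)

def parent(left, right):
    # The inner hash commits to both child sums, so a sum cannot be changed later.
    return (_h(b"\x01", left[0], _u(left[1]), right[0], _u(right[1])),
            left[1] + right[1])

def build_levels(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        # An unpaired last node is promoted unchanged rather than duplicated.
        levels.append([parent(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    # Returns the sibling (side, hash, sum) at each level where one exists.
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            path.append(("L" if sibling < index else "R", *level[sibling]))
        index //= 2
    return path

def verify(leaf, path, root):
    # Run by the client: recompute the root from their own leaf and the path.
    node = leaf
    for side, sib_hash, sib_sum in path:
        if sib_sum < 0:  # a negative sibling would hide liabilities
            return False
        sibling = (sib_hash, sib_sum)
        node = parent(sibling, node) if side == "L" else parent(node, sibling)
    return hmac.compare_digest(node[0], root[0]) and node[1] == root[1]

# Constructed sample book: (client ID, per-client salt, balance in smallest units)
BOOK = [("client-a", b"salt-a", 150), ("client-b", b"salt-b", 0),
        ("client-c", b"salt-c", 2500), ("client-d", b"salt-d", 42),
        ("client-e", b"salt-e", 7)]

def publish(book):
    # The custodian publishes only the root: (root hash, total liabilities).
    leaves = [make_leaf(salt, cid, bal) for cid, salt, bal in book]
    levels = build_levels(leaves)
    return leaves, levels, levels[-1][0]
```

Each client receives only their own salt and path; the auditor compares the root's sum with the reserves the custodian demonstrates control of.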

5) Procurement‑ready deliverables (what your committees will ask for)

  • FFIEC Third-Party Risk Artifacts: This covers a service description, a dependency map that includes cloud and HSM CSPs, a control library that lines up with the Interagency TPRM, incident playbooks that align with DORA, and a structured alignment for sub-custodians per NYDFS.
  • Crypto Policy Pack: Check it out! We’ve put together a wallet policy matrix, standard operating procedures (SOPs) for the Travel Rule, guidelines for sanctions re-screening, and even ISO 20022 field mapping. We’ve also included some handy compensating controls for unhosted wallets. Oh, and don’t forget about the annual testing calendar to help you stay organized and on schedule!
  • Technical Runbooks: This dives into the entire HSM lifecycle--everything from firmware and FIPS updates to shard rotation ceremonies, changes in signer quorum, and even the emergency pause procedure.

Check out these awesome offerings from 7Block Labs that you might find interesting:

  • Take a look at their smart contract development services. They’re ideal for creating custody workflows, like setting up scheduled payouts and escrow deals.
  • If you're looking to securely transfer assets between L2s or sidechains, their cross‑chain solutions development might be exactly what you need.
  • And once your legal team gives you the thumbs-up, don’t forget to check out their asset tokenization services. They’re perfect for kicking off deposit-like token pilots.

1) U.S. Regional Bank on Jack Henry Banno with EU Wealth Clients

  • The Challenge: We’ve got to implement BTC/ETH custody for our high-net-worth clients, making sure our Luxembourg branch sticks to DORA and the EU Travel Rule. On top of that, the board wants to see sanctions logs that align with ISO 20022, and the finance team is curious if SAB 121 is still a thing.
  • The Game Plan:

    • Threshold Policy: We’re rolling out a 2-of-3 policy that combines Ops HSM, Risk HSM, and an automated policy signer. For that extra layer of security, we’ll be using FIPS 140‑3 Level 3 HSMs and making sure our signers are diverse. On top of that, we’ll back up our shards, encrypting them with ML‑KEM, and we’re committed to running test restores every three months. (data-protection-updates.gemalto.com)
    • Banno Integration: We’re planning to tap into Admin/Consumer APIs for single sign-on (SSO) and role assignments. We’ll also make sure users can check the Travel Rule completeness before clicking “Send.” (jackhenry.dev)
    • Compliance: We’re looking at OCC IL 1183/1184 to clear up what’s okay when it comes to outsourcing and sub-custodians. We’ll also double-check that SAB 122 has officially replaced SAB 121, keeping us in line with GAAP presentation. Oh, and we can’t forget to add EBA Travel Rule checks for our EU transfers! (occ.gov)
    • The Result: We’re putting together a board-ready package that includes ISO 20022-mapped screening logs, making it easy for us to switch to CBPR+ in November 2025. Plus, we’ll have a Basel-ready exposure export lined up for 2026. (swift.com)

2) U.S. Bank on FIS Code Connect Targeting Treasury Clients Using USDC Settlement

  • Problem: We really need a fast way to connect our ERP to custody posting while ensuring we're sticking to OFAC/Travel Rule requirements. And we’d love to do all this without having to completely overhaul our core system.
  • Solution:

    • Let's tap into Code Connect's posting and KYC APIs to whip up some unified ledger entries. On top of that, our custody policy has got us covered--we always check the pre-send transaction data and sanctions, and we'll hit the brakes with an "execution hold" if any ISO fields are missing.
    • We've got some impressive stats from an independent TEI study showing a 193% ROI for API enablement via Code Connect. This kind of data could really help sway your CFO to approve the pilot. (fisglobal.com)

3) NYDFS-Supervised Trust Sub-Custodian Model

  • Problem: We've got some confusion to clear up regarding beneficial interest, segregation, and controls with sub-custodians.
  • Solution: Let’s get our contracts and runbooks aligned with the NYDFS’s updated 2025 guidance on insolvency, sub-custodians, and disclosures. We’ll also outline our segregation model, checking out both omnibus and segregated addresses to ensure everything’s in line with that guidance.

Best emerging practices we implement now (so you don’t re‑platform in 2026)

  • PQC-hybrid from day one: Don’t forget to encrypt all your long-term key backups with ML-KEM and sign your recovery manifests using ML-DSA. It’s also a good idea to keep LMS handy as a hardware-friendly backup. This approach will help you avoid a crypto-agility retrofit down the line in 2026/27. (csrc.nist.gov)
  • Threshold-first signing: Choose FROST/TSS over depending on single-HSM keys. This approach boosts your signer diversity and enhances operational resilience. Also, make sure to align your business policies with factors like quorum limits (amounts, velocities, counterparties). (rfc-editor.org)
  • ISO 20022-native screening: Instead of just adding on the Travel Rule, go ahead and collect those essential originator and beneficiary fields before signing. And don't forget to store those CBPR+ fields in your case management system. (swift.com)
  • Outsourcing with Evidence: When you’re putting together those sub-custodian contracts and chatting with cloud or HSM vendors, make sure to stick to the Interagency TPRM and OCC IL 1184 guidelines. It’s super important to include resilience SLAs, the right to run penetration tests, and solid exit plans that meet the DORA “critical ICT” standards, especially if you’re linked to the EU.
  • Basel-ready data model: Organize your wallets based on Basel groupings, stablecoin criteria, and liquidity buckets. This will help ensure that your disclosures are quick extracts rather than drawn-out projects come January 2026. (bis.org)

Implementation plan -- 12 weeks to “board demo” and compliance sign‑off

  • Weeks 1-2: We're jumping right into the target-state design and control mapping (OCC IL 1183/1184; Interagency TPRM). We'll also be setting up those PQC/key ceremonies and getting to grips with the ISO 20022/Travel Rule data model. What we’ll deliver: architecture, RACI, and a test plan. You can check it out here: (occ.gov).
  • Weeks 3-4: It’s time to get the HSM ready (FIPS 140‑3), establish signer diversity (FROST/TSS), and secure everything with vault and escrow encrypted under ML‑KEM. Our main deliverables during this phase will be the ceremony records. For more info, head over to (data-protection-updates.gemalto.com).
  • Weeks 5-8: We'll dive into core integration, whether it's Banno, Code Connect, or Fiserv. We’re also setting up those sanctions/Travel Rule pre-send gates and taking care of ISO 20022 export, while making sure we align with NYDFS sub-custodian if necessary. The aim here is to deliver a solid UAT build. You can find more details at (jackhenry.dev).
  • Weeks 9-10: Get ready for some serious DR/BCP tests, a red-team exercise focused on policy bypass, and an auditor dry-run for Basel/board reporting.
  • Weeks 11-12: We’ll cap things off with a limited-scope launch that involves our internal treasury and 10 pilot clients. After that, we’ll assess the metrics and make the call on whether we’re ready to go or not.

Here’s the awesome crew we have on board:

  • We’ve got a team of core integration engineers and ZK/Solidity specialists who are ready to jump in and assist you with our awesome web3 development services.
  • Our compliance engineers are on hand to help you get a grip on the Travel Rule and ISO 20022 policies, making sure you have all the right documentation to keep those regulators satisfied. For more info, check out our security audit services.
  • Looking to package custody for your mobile or web app? No worries! Our product and GTM enablement team has got you covered with our dApp development accelerators.

Prove -- GTM metrics that matter to regional banks

We bridge the gap between engineering and actual business outcomes:

  • Time-to-market: We're shooting for a smooth ≤ 90 days to kick off a limited pilot with real clients on platforms like Jack Henry/FIS/Fiserv.
  • Cost to integrate: By using vendor APIs, we’re cutting down on the need for custom core development. Research shows that API-driven integrations can lead to impressive triple-digit ROI--just check out the FIS Code Connect TEI, which boasts an incredible 193% NPV over three years. That’s definitely something to highlight when you talk to the board. (fisglobal.com)
  • Operational risk: We keep zero single-point key risk in mind (yep, that includes threshold + HSM), with an RTO of ≤ 60 minutes and RPO of ≤ 15 minutes for shard recovery. Plus, we make sure that every policy change gets the thumbs-up with clear reviewer provenance.
  • Compliance SLA: We promise 100% Travel Rule field completeness on outbound transactions. Our ISO 20022 logs will be ready to go well before the Nov 2025 cutover, and we’ll whip up Basel 2026 disclosures straight from tagged exposure data--no last-minute scrambles here! (swift.com)
  • Revenue enablement: We’ve successfully brought on board treasury and wealth segments with custodial support for BTC/ETH/USDC, setting the stage for cross-selling opportunities like escrow, settlement, and custody fees. And of course, we keep the reporting clear and transparent for the board.
  • Vendor risk posture: Our contracts are in line with Interagency TPRM, OCC IL 1184 outsourcing, DORA oversight (when needed), and NYDFS sub-custodian expectations. This strategy really helps smooth out any bumps during examiner reviews. (fdic.gov)

Brief in‑depth details (why this works technically and with regulators)

  • Good news! The SAB 121 overhang is finally behind us, thanks to the rescission of SAB 122 on January 23, 2025. This change makes GAAP and capital optics for custody services way easier for SEC registrants. Now, finance teams can focus on fee income and managing operational risk without getting stuck dealing with a synthetic liability. (sec.gov)
  • Big changes are coming with OCC IL 1183--bye-bye to the “non‑objection” hurdle from IL 1179! Plus, IL 1184 clarifies that banks can manage custody and execution while also outsourcing to sub‑custodians, as long as they keep solid risk management in place. This really opens up the legal pathway for white‑labeling. (occ.gov)
  • Don’t forget to mark your calendars for November 2025! That’s when the ISO 20022 CBPR+ coexistence wraps up, giving you access to clean, structured compliance data. Our custody stack is built to capture and store these fields, along with your Travel Rule evidence, making audits a breeze during and after the transition. (swift.com)
  • Basel’s 2026 disclosure framework is stirring things up by requiring both qualitative and quantitative templates for crypto exposures. Don’t worry, though; we’ve got your back! We're linking wallet policies to the categories that drive those templates, so you can automate risk reporting instead of scrambling at the last minute. (bis.org)
  • DORA is officially live! EU regulators are gearing up to take a close look at “critical ICT” providers and their contracts. Our vendor pack--complete with runbooks, SLAs, and exit plans--is all set for this scrutiny, so your EU operations won’t slow down your launch in the U.S. (enisa.europa.eu)

If you want a strong engineering strategy combined with a story that will wow the board, we’re here to help get your pilot project rolling with:


If you're the CIO/CTO or Head of Digital at a regional bank in the U.S. that's working with Jack Henry, FIS, or Fiserv, and your board is itching to kick off a custody pilot before the ISO 20022 cutover in November 2025 and Basel's disclosures in January 2026, why not grab a quick 45-minute readiness review with us at 7Block Labs this week? We’ll put together a solid game plan for you--complete with architecture, a control map, core integration scope, and pilot KPI targets--everything packaged nicely for your board in just 10 business days. And just so you know, if we don't hit that timeline, the whole engagement’s on us.
