Continuous Safeguarding Verification for MiCA Custody CASPs

Cryptographically verifiable evidence that your Article 70 and 75 obligations are being met — continuously, not quarterly.

For MiCA-licensed custody CASPs across Europe

THE REGULATORY GAP

MiCA tells you what to prove. Not how to prove it.

Articles 70 and 75 of MiCA require custody CASPs to segregate client crypto-assets, maintain an accurate register of positions per client, and prevent use of client assets for the CASP's own account.

But the regulation prescribes no verification methodology. No attestation standard. No technical framework for demonstrating continuous adherence to these obligations.

The result: quarterly self-reports that satisfy no one — not your NCA, not your auditors, not your board.

1

Asset segregation

Self-reported quarterly
2

Register of positions

Excel reconciliation
3

Own-account prohibition

No verification method

HOW IT WORKS

Four stages. Cryptographic certainty at every step.

01

Ingest

Custodian submits client liability snapshot via secure API. Schema-validated, rejection on any anomaly.

02

Verify

On-chain asset balances verified against declared wallet sets. Dual-provider confirmation. No single point of trust.

03

Attest

Merkle sum tree binds every client position. Dual-signed attestation — custodian and Bastion. Tamper-evident.

04

Anchor

Attestation hash anchored on Ethereum mainnet. Immutable, publicly verifiable, timestamped.

Every attestation produces an audit-grade evidence pack your NCA can verify independently.

FOR COMPLIANCE TEAMS

Built for the people who face the regulator.

Audit-Grade Evidence

Every attestation cycle produces structured evidence packs — compliance reports in PDF and JSON, signed attestation envelopes, wallet manifests, and tree metadata. Designed for NCA supervisory reviews, not marketing dashboards.

Supplements, Never Replaces

Bastion strengthens your existing controls and audit processes. We don't replace statutory audits or Big 4 oversight. We make the evidence they rely on cryptographically verifiable. Bastion does not provide real-time monitoring, connect to NCA data sources, or replace statutory audit obligations. We produce the cryptographic evidence that makes those audits faster and more defensible.

NCA-Ready from Day One

Built for European NCA supervisory expectations — BaFin, AFM, AMF, MFSA, and beyond. Configurable evidence packs per jurisdiction. DORA-ready operational documentation included.

SECURITY & ARCHITECTURE

Infrastructure-grade. Not startup-grade.

AWS eu-central-1 (Frankfurt). All production data is processed and stored exclusively within the EU.

AWS KMS for all cryptographic operations. No key material in application memory.

Dual-signature attestations. Custodian and Bastion must both sign.

Deterministic attestation pipeline. Same inputs, same outputs, every time.

Full audit trail. Every action logged, timestamped, attributed.

DORA-compliant operational resilience documentation.

attestation:
  cycle_id:     "cyc_2026-03-30_001"
  status:       COMPLETED
  assets:       ✓ Verified (2 providers)
  liabilities:  ✓ Committed (Merkle root)
  signatures:   ✓ Dual-signed
  anchor:       ✓ Finalized (block 21847392)
  evidence:     12 artefacts generated

Ready to close the Article 75 gap?

Bastion works with a small number of custody CASPs in a structured 90-day pilot. If your organisation holds MiCA Article 75 authorisation and wants to move beyond quarterly self-reporting, let's talk.

Currently accepting pilots from MiCA-licensed custody CASPs.

Start the conversation

No sales automation. No drip campaigns. A human responds.