“Where is your key?”
Asked in everyday life, the question might sound like a small inconvenience. When asked inside a financial institution handling digital assets, it becomes a test of whether the organisation truly knows how assets can be moved and protected.
Ray Law, Senior Security Solution Architect at Thales, placed that question at the centre of any serious discussion on institutional digital assets, especially as banks and financial institutions move from experimentation into more operational use cases.
As stablecoins, tokenised money and digital assets move closer to institutional workflows, private key control becomes central to how institutions move assets, protect them, audit activity and respond when something goes wrong.
Much of the institutional conversation around blockchain and tokenised finance used to carry a cautious tone, with banks and regulators trying to understand where the technology could fit without weakening the trust that underpins the financial system.
The conversation has since moved into more practical territory.
Stablecoins are being considered for payments and treasury use, while banks are looking at tokenised forms of money and assets as part of a broader shift in how value could move through the financial system.
As these use cases move closer to day-to-day financial operations, security becomes much more than a technical consideration. It becomes part of the business model.
During the webinar, The Blueprint for Institutional Digital Asset Security at Scale, speakers from Visa, UOB Group, Rakkar Digital and Thales discussed how institutional adoption is changing, what risks are becoming more urgent, and why the next phase of digital asset growth will depend on more than technical controls alone.
Stablecoins Are Moving Beyond the Crypto Conversation
Sanchit Mall, Director of Digital Currencies, Asia Pacific at Visa, said the company has seen strong demand for stablecoin-related payments across both consumer and institutional use cases.
“We have been seeing tremendous growth in the demand for stablecoin-related payments,” he mentioned.
Consumers holding digital assets can link them to cards and spend through Visa’s acceptance network, while institutions are looking at stablecoins for money movement and treasury use.
“Stablecoins can let you move money seven days a week instead of five days a week,” Sanchit said, adding that Visa’s stablecoin settlement activity had reached a run rate of almost US$7 billion this year.
Stablecoin adoption is pushing the discussion beyond crypto as an investment product. Treasury use cases, especially those involving money movement outside traditional banking hours, make security harder to treat as a back-end technical issue.
Institutions now have to show that they can control and monitor these use cases safely as digital assets become more embedded in financial operations.
Sanchit framed it clearly.
“It is no longer that the technology needs to be safe. It is also the governance. The technology and the governance should merge and tackle together.”
Digital Assets Are Becoming Part of the Financial System
Yip Kah Kit, Head of Blockchain and Digital Assets at UOB Group, made a similar point from the banking side, describing digital assets as having moved closer to the core of the financial system.
UOB is looking at digital assets as part of a broader shift in how value moves, including tokenised money and investment products.
Kah Kit was careful, however, not to frame this only as a technology build. Institutions also need to rethink the operating model around digital asset activity, especially how existing risk frameworks and internal processes cope with new forms of value movement.
“We look at it from three perspectives. One is the infrastructure layer. Secondly, the processes and policies would need to be augmented. Last but not least would be the culture of the people,” he stated.
His emphasis on culture carried through the wider discussion, especially as several speakers returned to the same underlying concern.
Even with cryptographic controls and secure wallet infrastructure, the weakest point often remains human behaviour.
The Weakest Link Is Still Often Human
Arthit Sriumporn, Founder of Rakkar Digital, spoke from the perspective of a custodian who had held significant client assets.
The company was founded in 2022, headquartered in Singapore, licensed in Hong Kong and Thailand, and at its peak had around US$700 million under custody.
Holding that level of client assets made security much broader than technology, he explained.
“It was not just technology in terms of security. In fact, most of the time technology is not compromised. People [are the ones who] compromise [it],” said Arthit.
Rakkar responded by building multiple layers of control around its custody operations.
Private key shards were kept on offline, air-gapped devices, while access to signing processes involved secure facilities and biometric checks. Client-side governance controls also determined transaction limits and approval requirements.
Arthit also highlighted that a single transaction could require multiple people from both the client and custodian side before it could move forward.
Layered controls also help institutions deal with attacks that begin away from the core system, such as a compromised employee device or a social engineering attempt.
Rakkar’s founder shared one incident where one of the company’s developer devices was compromised around Token2049.
The bad actor remained in the network for some time, but luckily, he said:
“No asset got stolen. That is the real benefit of having multiple safeguards in place.”
Private Keys Are Now Institutional Infrastructure
Ray’s earlier question about where an institution keeps its key comes back into focus here.
“The first question every institution needs to answer is, where is your key? How is it generated, stored and used?” Ray remarked.
The question goes straight to the heart of digital asset security because private keys control the movement of assets.
Once institutions start handling digital assets at scale, key protection becomes one of the most important parts of the institutional blueprint.
Ray said insecure key storage and private key compromise remain among the root causes of major losses.
Some institutions, he noted, still manage keys in software, databases or configuration files, which can create serious exposure.
“Software keys can be copied and stolen silently,” said Ray. “By the time you know a key is compromised, the damage is already done.”
Thales sees the answer in hardware-backed protection, policy-based access controls and a lifecycle view that covers how keys are generated, stored, used and recovered.
Ray also stressed the need for multi-party authorisation, where no single person or compromised credential can move assets alone.
“Beyond prevention, audit trail matters,” he added.
A strong audit trail matters because institutions need to prove what happened, who approved an action, where it came from and whether controls operated as intended.
Security Has to Move Beyond Perimeter Defence
Kah Kit pushed the discussion beyond perimeter defence, arguing that institutions should not rely only on building higher walls around their systems as attack surfaces widen.
Instead, they should consider an “assumed breach” approach.
Institutions still need to secure their perimeter, but they also need visibility into activity inside their ecosystem.
“In addition to securing your perimeter, we should also look at how we use transaction analytics or even AI to monitor what is happening within our ecosystem,” Kah Kit stated.
Digital asset security also cannot just depend on one perfect wall.
Institutions must be alert and need to always assume that something, somewhere, could fail, and design controls that can contain the damage before it reaches the assets they are trying to protect.
AI Is Becoming Both the Threat and the Defence
AI brings its own complications. Like blockchain, it can strengthen both attackers and defenders.
Bad actors can use it to make fraud and social engineering move faster, while institutions can use AI-driven analytics to review activity at a scale that would be difficult for human teams to manage on their own.
“The timeless truth is that we should always use technology to fight technology,” said Kah Kit.
Yet he also warned against relying on automation alone. In his view, human oversight remains critical, especially when AI agents begin operating inside financial workflows.
Kah Kit also raised the need for “cognitive brakes.”
If AI agents are given authority to act within financial operations, institutions need clear boundaries and circuit-breaker-style checks before any mistake scales too quickly.
Ray then brought the discussion back to the security of AI systems themselves.
Institutions offering AI-powered tools must also protect those systems from manipulation, including attacks that try to trick models into exposing sensitive data.
AI security, in other words, has to cover both sides of the equation: how institutions use AI to monitor threats, and how they protect the AI tools they deploy.
Compliance Is Only the Starting Point
Regulation is also evolving, but the panel made clear that compliance alone cannot be the ceiling.
Ray said regulatory frameworks often mandate outcomes, such as securing private keys, without always specifying the exact technical model.
“Do not just wait for regulations to tell you the answer,” he told.
Institutions still need to treat regulation as a baseline and think carefully about whether their controls can withstand real scrutiny. After a breach, the harder question will be whether the institution did enough.
Kah Kit, who previously worked with the Bank for International Settlements, offered a more regional perspective.
He responded by saying that regulators in this part of the world have generally done a good job balancing trust, resilience, innovation and market development.
But he also observed a shift in regulatory scrutiny.
Previously, having the right policy and process may have been enough. Now, quoting Kah Kit:
“It is not just enough that you have a nice policy that you file in the cabinet. [Regulators would want to know] How well do you implement them?”
Digital Asset Risk Does Not Stop at Borders
Effectiveness becomes harder to prove when digital assets cut across sectors and borders because criminal networks do not operate neatly within one jurisdiction, but financial institutions and regulators often still do.
Kah Kit said the industry needs stronger collaboration models, including public-private mechanisms and cross-border intelligence sharing.
He pointed to examples such as Singapore’s COSMIC platform and Malaysia’s national fraud portal in the traditional finance space, but said similar mechanisms need to develop in the tokenised world.
“Criminals operate in networks, and as financial institutions, we cannot operate in silos,” he said.
Sanchit also noted that regional consistency matters. In fragmented markets, bad actors can exploit weaker jurisdictions or regulatory gaps.
“Inter-regional, inter-country collaboration is very important,” he said.
Interoperability also becomes important once digital assets move beyond isolated use cases. Sanchit gave his thoughts that institutions will need ways to work across different networks and digital asset ecosystems if they want these models to scale.
Security Should Be the Reason Digital Assets Can Scale
Taken together, the discussion showed that institutional digital asset security cannot be reduced to a single tool, control or compliance checklist.
Private key protection, hardware-backed security and multi-party approvals all matter, but they need to sit within a broader operating model that also accounts for governance, people and real-time monitoring.
The institutions that move ahead will be the ones that design security into the operating model from the start, rather than adding it after the product is built.
Arthit summed up the opportunity well.
“Do not let security be the barrier,” he said.
His point lands neatly at the end of the discussion.
Security should not slow institutional adoption by sitting outside the business. Done properly, it becomes the reason digital assets can move into the financial system with trust and scale.
Watch the full webinar, The Blueprint for Institutional Digital Asset Security at Scale, right down below.
Featured image: Edited by Fintech News Singapore based on an image by user4894991 via Magnific.