When the SEC staff rescinded the crypto safeguarding liability in 2025, a reasonable reader might have concluded that custody obligations had dropped out of public filings. They did not. Staff Accounting Bulletin No. 122 removed the balance-sheet recognition that SAB 121 had required, but it was explicit that the duty to explain custody risk to investors survives-and it pointed to where: the disclosure rules in Regulation S-K and two FASB Codification topics. The obligation moved from a recognized liability to narrative disclosure, not out of the filing entirely.

SAB 122 states the continuing requirement directly, listing the specific provisions that still apply to a company holding crypto for others.

"These requirements include, but are not limited to, Items 101, 105, and 303 of Regulation S-K; FASB ASC Subtopic 450-20; and FASB ASC Topic 275, Risks and Uncertainties."- SEC, Staff Accounting Bulletin No. 122, source

Where custody risk lives in a filing

Each cited Regulation S-K item maps to a part of the document. Item 101 (Description of Business) calls for a narrative description of the business, so a custodian or exchange describes here that it safeguards crypto-assets for users, how that service works, and its general scale-the qualitative picture of the custody operation. Item 105 (Risk Factors) requires disclosure of the material factors that make an investment in the company speculative or risky; for a crypto custodian, that is where the risks of holding cryptographic keys, loss or theft of customer assets, technological vulnerabilities, and legal and regulatory uncertainty are spelled out. Item 303 (Management's Discussion and Analysis) requires discussion of known trends, events, and uncertainties reasonably likely to have a material effect; a material custody exposure or a developing loss event would be discussed here.

The two FASB references add the financial-statement side. ASC Subtopic 450-20 (Loss Contingencies) is the framework SAB 122 directs entities to for deciding whether to recognize or disclose a liability for the risk of loss-an actual accrual only when a loss is probable and estimable, with disclosure of reasonably possible losses otherwise. ASC Topic 275 (Risks and Uncertainties) requires disclosures about significant concentrations and risks inherent in operations. Together, these mean that even without a recognized safeguarding liability, a material custody risk surfaces in the notes through contingency and risk-and-uncertainty disclosures.

Why narrative disclosure carries the weight now

The shift changes the texture of what investors get. Under SAB 121, the safeguarding obligation appeared as a large, quantified liability-and-asset pair on the face of the balance sheet, giving a single dollar figure for customer assets held. Under the post-SAB 122 regime, that figure is no longer recognized as a liability unless a probable loss exists; instead, the scale and risk of the custody business are conveyed through the business description, risk factors, MD&A, and contingency notes. The information is arguably more contextual-it explains the nature of the risk rather than booking the gross value-but it requires reading across several parts of the filing rather than glancing at one balance-sheet line.

For anyone evaluating a crypto custodian or exchange, the practical takeaway is to read the whole document. The custody operation's description sits in the business section, its hazards in risk factors, its developing pressures in MD&A, and any probable loss in the contingency footnote-with concentration risk under Topic 275. SAB 122 ties these together as the continuing disclosure expectation for safeguarding obligations.

How the contingency framework changes what gets recognized

The pointer to ASC Subtopic 450-20 is the hinge of the new regime, because it sets a probability threshold that the old model did not. Under SAB 121, the safeguarding obligation produced a recognized liability automatically, equal to the fair value of all customer crypto, regardless of whether any loss was likely. Under ASC 450-20, a loss contingency is accrued as a liability only when a loss is both probable and reasonably estimable; when a loss is reasonably possible but not probable, the entity discloses the nature of the contingency and, where practicable, an estimate or range, rather than recording a liability. Applied to crypto custody, that means a custodian generally carries no safeguarding liability on its balance sheet in the ordinary course, recognizing one only when a specific loss-a breach, theft, or asserted claim-rises to the probable-and-estimable level. The risk of holding customer crypto does not vanish; it moves from an automatic recognized figure to a contingency assessed under the same standard that governs other operational risks.

That is why the Regulation S-K narrative carries more of the informational load after SAB 122. With no standing liability to quantify the custody pool, the size and nature of the custody business and its attendant risks are communicated through Item 101's business description and Item 105's risk factors, while Item 303's MD&A is the place a developing pressure-rising loss frequency, a regulatory inquiry, a concentration of customer assets-would be surfaced as a known trend or uncertainty. ASC Topic 275 reinforces this by requiring disclosure of significant concentrations and the risks inherent in operations, which for a custodian can include concentration in particular tokens, customers, or custody arrangements. The net effect is a disclosure package that explains the obligation qualitatively and flags material exposures, in place of a single grossed-up balance-sheet number.

One caveat applies. SAB 122 is staff interpretive guidance, and the Regulation S-K items it cites are existing, generally applicable disclosure rules, not crypto-specific mandates; the bulletin reminds filers that those general rules reach custody obligations. What changed is the locus of disclosure-from a recognized liability to narrative and contingency disclosure-not the underlying expectation that investors be told about the obligation to safeguard crypto-assets held for others.