11 Questions You Should Ask Your Bitcoin Exchange

Whether you’re an individual investor, business owner, or institution, you must ensure your Bitcoin exchange is a partner you can trust with your money and information, even if you self-custody your bitcoin after purchasing.

To help you do your due diligence on security and custody, we share 11 questions you should be asking your bitcoin exchange.

  1. How is my bitcoin secured?
  2. How do you help me protect my account?
  3. Do you use third parties for your custody?
  4. Do you lend out client deposits?
  5. Do you have Proof of Reserves?
  6. Has your data or custody ever been compromised?
  7. How do you protect my information?
  8. How are dollar deposits secured?
  9. What happens to my funds if you go bankrupt?
  10. Do you have insurance?
  11. Are you audited, licensed, and regulated?

How Does River Answer These Questions?

River is a client-first Bitcoin-only financial institution that empowers the long-term investor. While we actively encourage self-custody, we recognize that some clients prefer to entrust River with their bitcoin. For these clients, security will always be our number one priority. We give you a clear understanding of River’s security by sharing our own answers to the 11 questions you should ask your bitcoin exchange.

1. How Is My Bitcoin Secured?

100% of client bitcoin deposits are kept in cold storage after being purchased. River has full control over its custody infrastructure to minimize dependencies on third parties. Cold storage vaults are set up using Bitcoin’s multi-signature capabilities, which provide three primary benefits:

  1. Redundancy to eliminate single points of failure. Cold storage keys are generated in separate locations, each having a physical and digital backup. The backups are then stored in different physical locations.
  2. Geographic redundancy: Key generation and distribution across the United States provides resiliency against local threats and natural disasters.
  3. Added protection against external threats: an attacker would need to compromise three of five keys to cause a loss.

Keeping all client deposits in cold storage is made possible by having some of River’s own bitcoin in hot wallets for operations such as transfers, purchases, sales, and withdrawals.  

2. How Do You Help Me Protect My Account?

River offers intelligent features to help clients protect their funds and personal information. 

  • Two-Factor Authentication: River accounts use mandatory multi-factor authentication, via one-time passcodes (specifically TOTP) or SMS.
  • Device Verification: Any device signed into River must be verified by email. This protects you in the event that your login information is stolen.
  • Account Notifications: Clients receive real-time notifications when security-critical actions are taken, such as a bitcoin purchase, sale, withdrawal, or deposit.
  • Inheritance: The inheritance feature allows clients to ensure their funds are passed down to their beneficiaries in the case of an untimely death. To maximize account security, this feature ensures that no login information needs to be shared to access your bitcoin.

We’re committed to ensuring clients always remain ahead of threats and will continue to add more tools as new threats emerge.

3. Do You Use Third Parties For Your Custody Infrastructure?

River maintains its own cold storage custody; no third parties have access to private keys.

Since its founding, River’s core infrastructure has been built to minimize dependencies on third parties. Relying on a third party to operate your core business creates a dependency, which inherently introduces risk to its security. Such dependencies should be avoided whenever possible. We can provide a higher level of security for our clients because we have full control over our custody infrastructure.

4. Do You Lend Out Client Deposits?

No. All client bitcoin deposits at River are held in full reserve, which means that bitcoin is never lent out. Our clients can verify that we hold their bitcoin deposits through our monthly proof of reserves.

Operating on anything less than a 100% full reserve model introduces significant risks to a Bitcoin business and its clients. By using a full reserve model, River significantly reduces the risk of liquidity crises, insolvency, and mismatches between our assets and liabilities.

5. Do You Have Proof of Reserves?

Yes. River provides Proof of Reserves to clients and the general public. Our Proof of Reserves is published monthly and proves that we hold 100% of bitcoin deposits in full reserve.

To learn more about our Proof of Reserves, we have a variety of resources available:

  • Our reserves page includes our historical proofs and FAQs.
  • A video tutorial from our CEO, Alex Leishman, shows how to verify your deposits.
  • Our Learn article describes what a Proof of Reserves is, and why it’s important.

6. Has Your Database or Custody Ever Been Compromised?

No. Neither River’s internal database of client information nor our custody systems have ever been compromised by a breach, social engineering scam, or physical attack.

7. How Do You Protect My Personal Information?

Client information is protected through strict data controls. Client data is encrypted in transit and in storage. Strong encryption ensures that if data is intercepted, it cannot be recovered without associated key material held by River. Internal controls follow the principle of least privilege to ensure that personally identifiable information is only accessible to specific employees performing roles related to client service and compliance. Additionally, all River employees use modern, phishing-resistant two-factor authentication to access our internal systems. These safeguards minimize the risk of unauthorized access to our client databases.

Lastly, River’s compliance with SOC 2 requires extensive data privacy and internal controls.

8. How Are Dollar Deposits Secured?

US dollars deposited on River are held in an interest-bearing account at our partner, Lead Bank, which provides FDIC insurance up to $250,000. This means that in the event of a bank failure, River would work with the FDIC to ensure that each client receives their insured funds back in full. Interest accrues daily and is paid out by Lead Bank monthly. It can be paid out in bitcoin, directly to our cold storage.

9. What Happens to My Funds if You Go Bankrupt?

River’s clients own their bitcoin, even when in our custody. 

Bankruptcy treatment of client assets has been a big topic in Bitcoin. While there isn’t a universal binding precedent available, courts are increasingly indicating that clients can own their bitcoin while it is under the custody of a brokerage, and that their bitcoin can be returned to them rather than being included in a bankruptcy estate. A key factor is the client agreement. Our Terms of Service are clear: “You own your bitcoin.” This is in contrast to some notorious products where customers of other companies agreed to transfer ownership (often in return for receiving yield). 

We also think that the chances of a River bankruptcy are very low. River has no debt obligations and maintains bitcoin assets well in excess of our client deposits, as evidenced by our Proof of Reserves attestations.

10. Do You Have Insurance?

While US dollar deposits held on River are FDIC-insured by Lead Bank up to $250,000, bitcoin deposits are not insured. 

Some bitcoin custodians market their products as being covered by insurance. However, most insurance policies for bitcoin deposits cover a small portion of deposits and only provide coverage for specific events such as external theft or natural disasters. Because of this, we believe that providing the most secure possible custody solution is the best way to protect client deposits.

11. Are You Audited, Licensed, and Regulated?

Yes. River’s security has been extensively tested by independent auditing firms. In 2024, we successfully achieved SOC 2 Type II compliance, the gold standard for vetting a financial institution’s internal controls and systems.

Each calendar year, River’s financials are audited by BPM, an independent accounting and auditing firm. This process provides reasonable confidence around River’s financial statements and records of client cash and bitcoin balances.

River operates in 48 US states and Puerto Rico. We carry Money Transmitter Licenses in all states where we are required to carry them. You can review all of our licenses on this page.

Additionally, in each state where River operates, the state’s department of financial institutions (or similar) maintains the right to examine River’s financials and operations, which happens on a regular basis.


Still Looking For More?

The 11 questions covered in this paper are a good starting point for vetting the security of your Bitcoin exchange. However, you can always go further. Below we share some additional nice-to-have questions, as well as resources to educate yourself on bitcoin custody. After all, one of the best ways to be confident in your bitcoin security is by simply gaining a better understanding of the technology.

12. How Does River Test Its Own Security?

While security is a shared responsibility of all River employees, we have a security team that continually reviews critical components of our applications and infrastructure.

Additionally, River enlists the help of an independent third party, Doyensec, to carry out regular security reviews of our critical systems. These penetration tests are carried out as white-box exercises, meaning full source-code access is provided to the auditor to help identify any defects or vulnerabilities in the implementation.

13. What Would Happen to My Funds in the Event of My Death?

River allows you to name individuals, trusts, or organizations as beneficiaries on your accounts. Designating an account beneficiary or beneficiaries establishes a transfer on death registration for your account. 

If you have an authorized transfer on death plan when you pass, your beneficiaries will need to contact River to transfer your assets into their names. Once necessary documents are received, a new account will be set up for the beneficiary, so the assets held in your account can be transferred. If you do not have a designated beneficiary upon death, your funds will likely go into probate, along with the rest of your estate.

To learn more about the transfer of funds in the event of a death, you can visit our Help Center article on beneficiaries and our Learn article on what happens to your bitcoin upon death.

14. What Backup and Redundancy Plans Are in Place at River?

River’s custody solutions are implemented so that each piece of the puzzle has backup options. A multi-signature setup provides a first layer of redundancy. Additionally, keys for the vault are generated in separate locations, each having a physical and digital backup. The backups are then stored in different physical locations. River’s internal database is secured across multiple clouds and on-premises.

Geographically distributing backups is a form of geo-redundancy, a practice that mitigates rare, unforeseen external events. Consider a scenario where the keys for a multisig vault are all generated and stored in the same location; if there is a natural disaster or a fire, the keys could be gone, and funds might be lost.

Our cold storage is designed such that, even if unexpected events happen in multiple locations across the US, client funds would remain secure and 100% available for withdrawal. Additionally, no single employee at River has access to all keys, removing single points of failure within the business.

Additional Resources on Bitcoin Security

To understand more about the security of River’s products, we have blog posts describing: 

We have an entire Learn platform dedicated to educating people on Bitcoin Basics, How to Store Bitcoin, and more.