
Non-custodial vs custodial payment gateways, explained properly

The custodial/non-custodial split isn't a marketing taxonomy — it's an architectural fact about who controls the private keys at each moment of a payment's life. Once you understand the difference, every other property (fees, freezes, KYC, regulatory exposure) follows mechanically.

29 May 2026 12 min read Sovrn editorial

The definition that matters

A custodial payment gateway is one where the processor controls the private keys that hold the merchant's funds for at least some portion of the payment lifecycle. A non-custodial gateway is one where the processor never controls those keys — the funds move directly from the buyer's wallet to the merchant's wallet, on-chain, with the processor's only role being to coordinate the metadata around the transaction (generate the receive address, watch for confirmation, fire the webhook).

That's the entire definition. Everything else — the fees, the KYC requirements, the freeze risk, the legal exposure — is a consequence of which side of that line a processor sits on.

What a custodial payment looks like, step by step

The customer initiates a payment via the merchant's checkout. The merchant's frontend calls the processor's API to create an invoice. The processor returns an address that the processor controls. The customer pays that address. The funds sit in the processor's wallet, mixed with funds from all the processor's other merchants (the "omnibus" wallet). At some point — minutes, hours, sometimes days later — the processor initiates a settlement that transfers the merchant's portion to the merchant's wallet (in crypto) or converts it to fiat and wires it to the merchant's bank.

During the window between "customer paid" and "merchant received," the processor has custody of the funds. The processor's compliance team can hold them, freeze them, refund them, or transfer them under court order. The processor's CFO sees them on the balance sheet. The processor's bank sees them in the operating account.

This window is the source of every problem in the custodial model:

What a non-custodial payment looks like, step by step

Two flavors here, both real; which one applies depends on whether the chain supports smart contracts.

EVM chains: contract-based atomic split

Each merchant gets their own deterministic splitter contract, deployed via CREATE2 (which lets us compute the contract's address before deployment). The contract has the merchant's payout address and the processor's fee wallet baked into its bytecode. The customer pays the splitter directly. The splitter's receive() function executes automatically, forwarding 99.5% to the merchant and 0.5% to the processor, in the same transaction. No human in the loop. No window of custody.

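pragma solidity ^0.8.0;

contract SovrnSplitter {
  address payable public immutable merchant;
  address payable public immutable sovrn;
  uint16 public immutable feeBps;  // 50 = 0.5%

  // Immutables can only be assigned here; after deployment the values
  // are fixed in the runtime bytecode and no function can change them.
  constructor(address payable _merchant, address payable _sovrn, uint16 _feeBps) {
    merchant = _merchant;
    sovrn = _sovrn;
    feeBps = _feeBps;
  }

  // Runs on every plain transfer to the contract. Both forwards happen in
  // the paying transaction; if either fails, the whole payment reverts.
  receive() external payable {
    uint256 total = msg.value;
    uint256 fee   = (total * feeBps) / 10_000;  // integer division rounds the fee down
    uint256 merchantAmount = total - fee;
    (bool a,) = merchant.call{value: merchantAmount}("");
    require(a, "merchant transfer failed");
    (bool b,) = sovrn.call{value: fee}("");
    require(b, "sovrn transfer failed");
  }
}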

The contract is immutable once deployed. There is no admin function. There is no upgrade path. The processor cannot freeze it, drain it, pause it, or modify the fee. The merchant trusts the code, not the processor. The processor is just the entity that paid the gas to deploy it.

Bitcoin: HD-derived address + atomic sweep

Bitcoin doesn't have smart contracts, so the same architecture isn't possible. Instead, the processor uses a BIP-84 master public key to derive a unique receive address for every payment. The customer pays that address. The processor's watcher detects the payment in the mempool and broadcasts a sweep transaction with two outputs — merchant 99.5%, processor 0.5% — within ~30 seconds.

This is technically a brief custody window, in the sense that the processor's master key controls the receive address until the sweep happens. But it's a structural minimum, not a business choice. The processor cannot use this custody for anything other than the sweep (the funds are never aggregated, the master key never holds an accumulated balance, the sweep is automatic). Any abuse would have to happen in the ~30-second window between detection and sweep, which is mitigable through key separation, automated monitoring, and key rotation.

Why the difference is the entire game

The custody window is what creates almost every operational and regulatory difference between the two models. Let's go through them.

1. KYC and regulatory exposure

Under FinCEN's framework, an entity is a money transmitter if it accepts value from one party and transmits it to another. The custodial processor accepts value (custody during the settlement window) and transmits it (the settlement). They are, definitionally, a money transmitter. They must register with FinCEN, register in every state they operate, complete Bank Secrecy Act reporting, and KYC their merchants.

The non-custodial processor never accepts value. Funds move from buyer to merchant directly, on-chain. The processor's role is purely informational. They are not a money transmitter under FinCEN's framework, which means the BSA's KYC obligations don't attach.

2. Fees

The custodial processor's marginal cost per transaction includes: money transmitter licensing (per state), compliance team, KYC vendor fees, audit, insurance against custody risk, banking partner fees for the omnibus accounts, and the opportunity cost of the float they're holding. Those costs are real and they add up to ~1% even in the best-run shops.

The non-custodial processor's marginal cost is the cost of running the server. Sovrn's marginal cost per transaction is roughly $0.0003 (Solana RPC + price-feed lookup). Charging 0.5% leaves ~99% margin on each transaction, which is what lets us run the business without taking custody.

3. Freeze risk

A custodial processor can freeze your account. The funds are on their balance sheet, and their compliance team has authority to hold them pending review. If you're in a vertical their automated risk system flags (research peptides, VPN, adult, gaming, even some legal cannabis-adjacent verticals), this freeze is likely to happen at some point.

A non-custodial processor cannot freeze your account because there are no funds to freeze. Your funds are in your wallet, controlled by your keys. The worst the processor can do is stop processing future payments — which means stop generating you new addresses. The funds you've already received are yours, irrevocably.

4. Counterparty risk

If a custodial processor goes bankrupt, the funds they're holding for you go into the bankruptcy estate. You become an unsecured creditor. This isn't theoretical — it's what happened to FTX customers, BlockFi customers, Celsius customers, and several smaller crypto-payment companies in the 2022–2023 cycle.

If a non-custodial processor goes bankrupt, your funds are unaffected. The processor's website goes down; you lose the ability to create new invoices through that processor. You can migrate to a different processor or run BTCPay Server yourself. The funds in your wallet are unchanged.

5. Refunds and reversibility

This is the one area where custodial is genuinely better. In the custodial model, the processor can issue a refund from their pool, even if your wallet doesn't have the funds at that moment. In the non-custodial model, refunds come from the merchant's wallet, which means you need the funds available to refund.

For most merchants this is a small operational consideration. For some (high refund-rate verticals like consumer goods), it's a real trade-off worth thinking about.

The architectural smell tests

A non-custodial processor will pass all of the following. A custodial processor will fail at least one.

  1. The merchant's payout address (or xpub, or contract address) is on-chain and publicly verifiable. If the address is one that the processor controls and the funds get forwarded to you later, that's custodial.
  2. The settlement contract or sweep mechanism is open source. You can read it and verify that there's no admin function, no pause, no upgrade path, no way for the processor to intervene.
  3. The processor publishes their fee wallet address. You can look at it on the block explorer and see exactly what they've earned. There's no hidden margin.
  4. The processor doesn't have a money transmitter license. They don't need one because they're not a money transmitter. If they have one, they are, and the non-custodial claim is marketing.
  5. The processor cannot reverse, refund, or freeze your transactions. The merchant has to do refunds themselves because that's the only party with custody of the funds.
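
Smell test 2 can be partly automated. The following added example (not from Sovrn or any processor) walks a contract's ABI JSON and lists every entry through which someone could act on the contract after deployment. Both ABIs and the list of suspicious names are constructed for illustration.

```python
import json

READ_ONLY = {"view", "pure"}
# Names that suggest ownership, pausing or a proxy, even when exposed as read-only getters.
ADMIN_HINTS = ("owner", "admin", "pause", "upgrade", "implementation", "withdraw", "setfee")

def mutability(entry: dict) -> str:
    """Return stateMutability, falling back to the older 'constant'/'payable' flags."""
    if "stateMutability" in entry:
        return entry["stateMutability"]
    if entry.get("constant"):
        return "view"
    return "payable" if entry.get("payable") else "nonpayable"

def intervention_surface(abi: list) -> list:
    """List ABI entries that allow, or hint at, control over the contract after deployment."""
    findings = []
    for e in abi:
        kind, name = e.get("type", "function"), e.get("name", "")
        if kind == "fallback":
            findings.append("fallback: accepts arbitrary calldata, inspect the source")
        elif kind == "function":
            if mutability(e) not in READ_ONLY:
                findings.append(f"{name}: state-changing ({mutability(e)})")
            elif any(h in name.lower() for h in ADMIN_HINTS):
                findings.append(f"{name}: getter implies an admin or proxy role")
    return findings

# Constructed ABIs for illustration; neither is taken from a deployed contract.
SPLITTER_ABI = json.loads("""[
  {"type": "constructor", "stateMutability": "nonpayable", "inputs": []},
  {"type": "function", "name": "merchant", "stateMutability": "view", "inputs": [], "outputs": []},
  {"type": "function", "name": "sovrn", "stateMutability": "view", "inputs": [], "outputs": []},
  {"type": "function", "name": "feeBps", "stateMutability": "view", "inputs": [], "outputs": []},
  {"type": "receive", "stateMutability": "payable"}
]""")
CUSTODIAL_LIKE_ABI = SPLITTER_ABI + json.loads("""[
  {"type": "function", "name": "setFeeBps", "stateMutability": "nonpayable", "inputs": []},
  {"type": "function", "name": "owner", "constant": true, "inputs": [], "outputs": []}
]""")
```

An empty result only covers the declared interface: the ABI is supplied by the publisher, so it still has to be matched against verified source and the deployed bytecode.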

Some processors describe themselves as "non-custodial" because the funds eventually arrive at the merchant's wallet without an intermediate withdrawal step. That's not non-custodial — that's "automated settlement of custodial funds." The real test is: at any point in the lifecycle, did a private key controlled by the processor have authority over the funds? If yes, custodial.

Why this matters even if you're not in a high-risk vertical

You might be a low-risk merchant in a normal industry, never expect a freeze, never need to worry about KYC. Does the custodial/non-custodial distinction still matter to you?

Yes, in two ways.

First, compliance regimes change. The MCC code that's fine today gets flagged in a future risk-policy update. The "low-risk" label gets re-categorized. Maybe you've been on Stripe for five years and your MCC just got moved to elevated risk because of an upstream policy change. The non-custodial architecture is what protects you from that future re-categorization, because there's no processor's risk team in the loop.

Second, costs compound. 0.5% vs 1% feels small until you multiply by your annual volume. A merchant doing $500k/year through Coinbase Commerce pays $5,000/year. The same merchant through Sovrn pays $2,500. The non-custodial model is structurally cheaper because the operating costs are structurally lower, and that delta accrues to the merchant.

The honest case for custodial

I'm not going to pretend custodial is the wrong answer for everyone. There are legitimate reasons to pick it:

For those cases, Coinbase Commerce is genuinely a fine choice. The trade-offs are real and conscious.

What you shouldn't do is pick a custodial processor without realizing it. Many "no-KYC crypto payment processors" are custodial with conditional KYC, and the conditional becomes mandatory the moment your account hits the threshold. The architectural distinction is what determines whether the processor can demand KYC from you tomorrow, not whether they happen to be doing so today.
