Your Funds Are Not Ours. How Non-Custodial Crypto to Fiat Payments Actually Work and Why It Matters More Than Ever.
On November 11, 2022, FTX filed for bankruptcy. Around $8 billion in customer funds was gone. The year before, Celsius froze $12 billion in withdrawals. Voyager followed. BlockFi followed. Each time, the story was the same.
Customers had handed their money to a platform and trusted that it would still be there. It was not.
What all of those platforms had in common was a custodial model. They held your funds. And when things went wrong, that made you an unsecured creditor in a bankruptcy queue.
TrustLinq was built around a different starting point. Your funds should never be ours to lose.
What Custodial Actually Means
When a platform is custodial, it holds your assets on your behalf. You see a number on a screen, but the underlying crypto sits in wallets that the platform controls. You are trusting them to give it back when you ask.
In traditional banking, that is manageable because government deposit insurance exists up to a certain limit and banks are subject to strict capital requirements. Crypto custodians had neither. In many cases, there was no meaningful separation between customer funds and company funds at all.
FTX is the clearest example. Customer crypto was not ring-fenced. It was lent out, used as collateral, and in some cases simply spent. When the company collapsed, customers found out they had no priority claim. The money was already gone before the bankruptcy was filed.
This is not a criticism of crypto as a technology. It is a criticism of custody as a model.
What Non-Custodial Actually Means
Non-custodial does not mean unregulated, unstructured, or lacking controls. It means the architecture of the system prevents any third party from taking possession of your funds.
The difference is structural. A policy can be changed. A contract can be broken. A smart contract executes its rules in code, and the rules apply regardless of what is happening to the company that deployed it.
At TrustLinq, the non-custodial design is not a feature that was added later. It is the foundation everything else was built on.
How the TrustLinq Vault System Works
Every TrustLinq user has a dedicated smart contract Vault. This is an individual on-chain wallet, deployed on the blockchain specifically for you. It is not a line in a database. It is not a shared pool. It is a distinct on-chain address that belongs to you.
Here is what that means in practice.
When you onboard with TrustLinq, you provide the public address of your own wallet (called an Externally Owned Account, or EOA). This could be a MetaMask address, a Trust Wallet address, or any standard crypto wallet you already control. Your private key never leaves your hands. We never ask for it. We never see it.
We verify that you genuinely control that wallet through a cryptographic ownership test. Once verified, your Vault is created on-chain and your wallet address is permanently set as the controlling address. That address cannot be removed from your Vault under any circumstances.
From that point, all fund movements are governed by two things.
The first is your local whitelist. Funds can only leave your Vault and go to addresses that have been pre-approved. Nothing moves to an unapproved destination.
The second is the smart contract logic itself. TrustLinq’s backend can facilitate a payment that you have authorised, but it cannot move funds outside the whitelist, and it cannot override the access controls linked to your wallet.
When you initiate a payment through TrustLinq, for example sending USDT to settle a batch of affiliate invoices, you authorise the transaction. Our system debits your Vault and routes the stablecoin to a conversion address that sits on a global whitelist. That whitelist requires approval from multiple senior administrators to change. The fiat equivalent then goes to your recipient’s bank account in their local currency.
At no point do your funds sit in a TrustLinq wallet. There is no custody window.
There is also a direct emergency access option. If the TrustLinq platform were ever unavailable, you can interact with your Vault directly using a blockchain explorer like Etherscan or TronScan. Your funds are accessible to you independently of our platform. This is non-custodial in the most literal sense.
What TrustLinq Never Holds
To be direct about it:
- We do not generate, store, or manage your private keys
- Your funds are held in your individual Vault, not in a TrustLinq wallet
- We do not pool client funds
- There is no point in the payment process where your assets appear on our balance sheet
- We cannot move your funds to an address you have not whitelisted
- If TrustLinq ceased to operate tomorrow, your Vault and everything in it would remain entirely under your control
That last point is worth sitting with. Most custodial platforms could not say the same.
What So-Fit/ FINMA Regulation Adds
TrustLinq operates under Swiss So-Fit/ FINMA regulation. It is worth being clear about how this fits alongside the non-custodial architecture, because they serve different purposes.
The non-custodial design removes structural counterparty risk. The architecture prevents TrustLinq from accessing your funds. That is true regardless of our financial position.
FINMA regulation adds external accountability. It means our AML and KYC frameworks, compliance procedures, and operational controls are subject to independent supervisory oversight. There is a regulatory authority with real enforcement power that monitors how we operate.
For finance teams that need to satisfy a compliance committee, a board, or an external auditor about the payment infrastructure they are using, this combination is a clean answer. The architecture makes custody structurally impossible. The regulator independently verifies that we operate correctly within that architecture.
Switzerland also provides legal clarity and jurisdictional stability. For businesses that have spent time dealing with offshore processors, that matters more than it might initially seem.
What This Means for Your Risk Profile
If you are a CFO, treasury manager, or Head of Payments evaluating crypto payment infrastructure, here is how to frame this.
Balance sheet exposure. Using a custodial processor means your operational funds are sitting on someone else’s balance sheet. With TrustLinq, your stablecoins stay in your Vault until you authorise settlement. There is no counterparty exposure to manage.
Counterparty risk. What happens to your funds if TrustLinq runs into financial difficulty? With a custodial provider, you become an unsecured creditor. With TrustLinq, the answer is nothing, because your funds were never ours to begin with.
Audit trail. Every action involving your Vault is an on-chain transaction. Vault creation, withdrawals, payments, whitelist changes. The record is immutable and exists independently of TrustLinq’s own reporting. Your finance team can verify it directly.
Operational continuity. Because your assets are not held by us, your exposure to our operational risk is limited to execution. You are not dependent on our solvency to access your money.
Regulatory defensibility. For businesses in online gaming, forex, affiliate marketing, and financial services that face additional scrutiny, using a FINMA-regulated, non-custodial provider is a materially better compliance answer than an unregulated custodial processor.
Global Reach, Same Architecture
The non-custodial structure does not limit what TrustLinq can do. Our network covers settlement into 80+ fiat currencies across 170+ countries via local bank transfer. Stablecoins go in, local currency fiat goes out, and the counterparty risk profile described above stays intact throughout.
For businesses running high-volume, multi-geography payment operations, this is the combination that has been missing. The treasury flexibility of stablecoins, the compliance standing of a Swiss-regulated entity, and an architecture that keeps your funds under your control at every step.
The Bottom Line
FTX, Celsius, Voyager. These were not freak events. They were the predictable outcome of a model where user funds sat under the control of a third party with no structural safeguard.
Non-custodial architecture exists to make that outcome impossible by design. At TrustLinq, it is not a feature we added to a product that already existed. It is the reason the product was built the way it was.
If you want to understand how this works for your specific payment setup, the best next step is a conversation with our team.
FAQ’s
TrustLinq is fully non-custodial. Your funds are held in a dedicated smart contract Vault that you control through your own private key. TrustLinq never generates, holds, or manages private keys and cannot access your funds outside of transactions you explicitly authorise.
A smart contract Vault is an individual on-chain wallet deployed specifically for you. It is governed by programmable rules rather than a simple private key. Your TrustLinq Vault is linked exclusively to your own wallet address and enforces whitelist-based controls so funds can only move to pre-approved destinations. The rules are encoded in the contract and cannot be overridden by TrustLinq.
No. All movements from your Vault are restricted to whitelisted addresses and require your authorisation. TrustLinq’s system can facilitate payments you have approved, but cannot route funds to any address outside the whitelist. This is enforced at the smart contract level, not by internal policy.
Your funds remain in your on-chain Vault, which you can access directly using a blockchain explorer such as Etherscan (Ethereum) or TronScan (Tron) with your own wallet. Your Vault does not depend on TrustLinq’s platform being operational.
Yes. TrustLinq operates under Swiss So-Fit/ FINMA regulation, which provides independent oversight of our compliance, AML/KYC, and operational frameworks.
We support major stablecoins including USDC, EURC USDT on Ethereum and USDT Tron, and settle into 80+ fiat currencies across 170+ countries via local bank transfer.
FTX and Celsius were custodial platforms that held customer funds in accounts they controlled. When both became insolvent, customers became unsecured creditors with no priority claim on their own money. TrustLinq’s architecture makes this scenario structurally impossible because we never hold your funds in the first place.
Turn Crypto Into Real World Payments
Use stablecoins to pay any bank account worldwide through a Swiss-regulated framework.
Spend crypto without waiting for merchant adoption.
