Security
How to Store the Bitcoin Your Business Receives Safely
A practical guide for Canadian businesses on secure bitcoin storage options, custody approaches, and the operational steps that protect funds.

Once a payment processor or wallet settles bitcoin into an address you control, the question shifts from acceptance to custody. Getting that part wrong is where businesses lose money, sometimes all of it. This guide walks through the main storage approaches available to Canadian businesses, what each one actually costs in time and risk, and the operational habits that matter most.
Nothing here is financial, tax, or legal advice. Rules change, and you should confirm current CRA and FINTRAC requirements with a qualified professional before acting.
Why storage deserves its own plan
Most merchants treat bitcoin storage as an afterthought, something to figure out after the first sale. That works fine if you're immediately converting to CAD through a processor. But if you're holding any bitcoin at all, even briefly, you need a deliberate approach.
The core issue is that bitcoin ownership is controlled by private keys, not account credentials or a bank's records. Whoever holds the private key controls the funds. There's no password reset, no dispute process, no insurance from CDIC. A mislaid seed phrase or a compromised device can mean a permanent loss with no recourse.
For Canadian businesses, there's also a reporting dimension. The CRA treats bitcoin as a commodity. Sales, conversions, and even some internal transfers can be taxable events, so your storage setup should make it easy to reconstruct transaction history when you file. Sloppy custody tends to produce sloppy records.
The main storage options
Storage solutions fall into two broad categories: those that stay connected to the internet (hot) and those that don't (cold). The tradeoff between them is access versus security. For a deeper look at how these compare in a business context, see our guide on hot wallet vs cold storage for business bitcoin.
Hot wallets
A hot wallet runs on a device with internet access: a phone, a browser extension, or software on a business computer. Hot wallets are fast and easy to use, which makes them useful for funds you need to move regularly or convert to CAD quickly.
The risks are real. Hot wallets are exposed to malware, phishing, and device theft in ways that cold storage isn't. For a business, the added attack surface includes any employee who can access the machine, any browser extension installed on it, and any phishing email that hits your domain.
Hot wallets make sense for a small float of bitcoin you plan to convert within days. They're a bad home for anything you're holding longer.
Cold storage hardware wallets
A hardware wallet is a dedicated signing device, physically isolated from the internet. The private key never touches a networked computer. When you want to send bitcoin, the unsigned transaction travels to the device, gets signed offline, and the signed transaction comes back to broadcast. The key stays on the hardware.
Devices in this category have an upfront cost (typically under $200 CAD for common options) and require some setup and learning. That's a reasonable price for businesses holding meaningful amounts. The main operational risk is losing the seed phrase backup, because without it, a broken or lost device means inaccessible funds.
Multisig arrangements
With multisig, control of funds requires signatures from multiple keys, say 2 of 3. You might keep one key on a hardware device at the office, one with a trusted officer stored offsite, and one with a third-party custody provider. No single key compromise loses the bitcoin.
For businesses holding larger sums or with multiple stakeholders, multisig is worth understanding seriously. It adds complexity, but it also removes single points of failure. There's more detail on how this works in our piece on multisig wallets for business bitcoin.
Third-party custody
A qualified custodian holds the private keys on your behalf, in exchange for fees and counterparty exposure. Some Canadian businesses use this route because it offloads key management to specialists and may fit better with existing compliance frameworks.
The tradeoff is that you're trusting the custodian's security, solvency, and operations. Not all custodians are equal, and the phrase "not your keys, not your coins" exists for a reason. If you go this route, research the custodian's insurance arrangements, regulatory status, and what happens to your bitcoin if the business fails.
Operational steps that actually matter
Choosing a storage type is step one. How you run the day-to-day matters just as much.
Separate wallets for separate purposes
Don't use the same address or wallet for customer payments, long-term holdings, and operational conversions. Keeping them separate makes accounting cleaner, limits the blast radius of any single compromise, and helps you track which funds have already been reported to CRA.
A common setup: a hot wallet or payment processor address for incoming sales, a hardware wallet for any amounts you're holding beyond 48-72 hours, and a conversion account at a Canadian exchange when you want to move to CAD.
Seed phrase storage
The seed phrase (usually 12 or 24 words generated when you set up a wallet) is the master backup. Lose it and a broken device means permanent loss. Store it on paper or metal, not in a photo on your phone or a notes app that syncs to the cloud. Keeping multiple physical copies in separate locations is the standard advice for a reason.
Businesses should also think about who else can access the seed phrase if the primary key holder is unavailable. This is especially relevant for small companies where one person manages crypto payments, and it's worth documenting in your internal procedures.
Keeping software current
Wallet software and firmware receive security updates. Running outdated versions is an unnecessary exposure. Set a recurring reminder to check for updates, even if that is only quarterly.
Limiting access and logging transfers
Restrict who can initiate bitcoin transfers. For businesses with multiple staff, consider requiring sign-off from a second person for any transfer above a set threshold. Keep a log of all movements with dates, amounts, and destination addresses. This serves both your internal controls and CRA record-keeping requirements.
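One way to enforce the second-person sign-off and keep the movement log in code, shown as an added example rather than anything from this guide or a specific wallet product. The staff names, the threshold value and the hash chaining that makes later edits to the log detectable are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

THRESHOLD_SATS = 5_000_000         # assumed policy: above 0.05 BTC needs a second person
INITIATORS = {"alice", "bob"}      # hypothetical staff allowed to start transfers
APPROVERS = {"alice", "bob", "carol"}

def authorize(initiator, approvals, amount_sats):
    """Return (allowed, reason) for a proposed transfer under the policy above."""
    if initiator not in INITIATORS:
        return False, "initiator not permitted"
    if amount_sats <= 0:
        return False, "invalid amount"
    if amount_sats > THRESHOLD_SATS:
        # A second person means an authorized approver other than the initiator.
        others = (set(approvals) & APPROVERS) - {initiator}
        if not others:
            return False, "second sign-off required"
    return True, "ok"

def append_entry(log, initiator, approvals, amount_sats, destination, when=None):
    """Log every attempt, allowed or refused, chained to the previous entry's hash."""
    allowed, reason = authorize(initiator, approvals, amount_sats)
    entry = {
        "date": (when or datetime.now(timezone.utc)).isoformat(),
        "amount_sats": amount_sats,
        "destination": destination,
        "initiator": initiator,
        "approvals": sorted(approvals),
        "allowed": allowed,
        "reason": reason,
        "prev": log[-1]["hash"] if log else "0" * 64,
    }
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return allowed

def verify_log(log):
    """Return the index of the first altered or reordered entry, or -1 if intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != digest:
            return i
        prev = entry["hash"]
    return -1
```

Refused attempts are logged alongside approved ones, so a transfer retried until it passes leaves a visible trail.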
Record-keeping for CRA purposes
Canada treats bitcoin as a commodity under the Income Tax Act. When your business accepts bitcoin, the fair market value in CAD at the time of receipt typically counts as business income. If you later sell or convert that bitcoin at a different price, there may be a capital gain or loss to account for, though the exact treatment depends on whether CRA considers you to be trading or investing.
Your storage setup should make it straightforward to pull:
- Date and time of each receipt
- CAD fair market value at receipt (many use the rate from a major exchange)
- Address that received the payment
- Any subsequent transfers and their dates
Keeping this data alongside your wallet history makes year-end accounting much less painful. Some accounting software now ingests wallet transaction exports directly. If yours doesn't, a spreadsheet works fine.
For FINTRAC purposes, businesses classified as money services businesses (MSBs) have registration and reporting obligations that apply to crypto transactions. Whether your bitcoin acceptance activity qualifies your business as an MSB is a legal question you should get answered by a professional, not resolved by guessing.
What to look out for
| Risk | Where it comes from | Mitigation |
|---|---|---|
| Seed phrase loss | Poor physical backup | Multiple copies, separate locations |
| Device theft | Hardware wallet or phone stolen | Seed phrase backup lets you restore; PIN on device |
| Phishing | Fake sites, emails | Verify wallet software sources; bookmark legitimate URLs |
| Employee error or fraud | Access too broad | Limit transfer permissions; require approvals |
| Exchange insolvency | Funds held at third party | Minimize balances held at exchanges |
| Malware on business devices | Hot wallet exposure | Dedicated device or cold storage for meaningful amounts |
The risks above aren't hypothetical. Canadian businesses have lost funds to all of them. Protecting against most of these doesn't require expensive tools, just consistent habits and a realistic view of where your weak points are. For a broader look at fraud risks specific to payment acceptance, see our guide on protecting your business from bitcoin payment scams.
FAQ
Do Canadian businesses need to report bitcoin holdings to CRA even if they haven't sold?
Unrealized holdings generally don't trigger a tax event on their own. The taxable event typically happens when you dispose of bitcoin, through a sale, conversion to CAD, or using it to purchase goods or services. That said, CRA's guidance has evolved and continues to develop, so confirm current rules with a tax professional rather than relying on this article.
Is it legal for a Canadian business to hold bitcoin in a hardware wallet rather than at an exchange?
Yes. Holding bitcoin in self-custody isn't restricted. Whether you're subject to FINTRAC registration as an MSB depends on the nature of your bitcoin activities, not where you store the funds. Self-custody is common among businesses that want to reduce exchange counterparty risk.
What happens to our bitcoin if the person managing the wallet leaves the company?
This is a real operational problem and worth addressing before it happens. If only one person knows the seed phrase or has access to the hardware wallet, their departure or incapacitation can lock the business out of its funds. Document your seed phrase storage location and access procedures, and make sure at least one other authorized person can access them.
How often should we move bitcoin from a hot wallet to cold storage?
There's no universal rule, but a common approach is to move anything above a threshold you'd be uncomfortable losing. Some businesses sweep daily, others weekly. The right frequency depends on your transaction volume and how much risk you're comfortable leaving on internet-connected devices.
Does using a non-custodial wallet affect our ability to get crypto business insurance?
Insurance products for crypto custody are still maturing in Canada, and coverage terms vary widely by provider. Some insurers will cover hardware wallet setups; others only cover custodians meeting specific security certifications. Get the specifics in writing from any insurer before assuming coverage applies.