Business use cases
You can structure vault accounts based on your specific business use case. The following example structures are taken from common business use cases on Fireblocks. However, you can customize your Vault structure to match your organization's best practices.
Crypto-trading business segment
For the crypto-trading business segment, we recommend a segregated Vault structure. In this structure, your company creates a vault account for each of your end clients or business use cases. This structure lets you track each transaction for auditing, compliance, and Know Your Customer (KYC) purposes. It also allows you to separate your company's assets from end-client assets and oversee different branches, strategies, and operations in the same workspace.
Recommended vault accounts
Proprietary assets
- Treasury
- Market making
- OTC trading
Customer assets
- Collateral (for lending)
- Withdrawals
- Deposits
- DeFi
- Vault accounts for each corporate client, family office, etc.
Hedge funds
You can structure vault accounts per share class, product, strategy, or by the portfolio manager.
Trading firms and brokers
You can structure vault accounts to segregate any proprietary assets from customer assets.
Retail business segment
We recommend the sweep-to-omnibus Vault structure since retail customers primarily use the API to automate scaling business operations.
On Fireblocks, you can use API keys to generate intermediate vault accounts, identify incoming transactions, and sweep funds to the Omnibus Deposits vault account.
The Fireblocks API can generate as many vault accounts as needed to receive direct deposits from your end clients. Then, using webhooks to monitor incoming transactions, the Fireblocks API triggers a sweep from the end-client vault account to the Omnibus Deposits vault account.
Exchanges, retail payments, lending desks, and Neo Banks
Typically, a sweep-to-omnibus Vault structure is suitable for retail businesses that serve many end clients and manage a database of customer names and IDs.
UTXO-based assets logic
Structure
In the Omnibus Deposits vault account, you can assign a deposit address (derived from the permanent wallet address of the UTXO asset) to each end client. Call the Create a new asset deposit address endpoint, then add the end client's name or ID to the description parameter. This parameter then propagates to every transaction that uses the deposit address.
Deposits process
Funds are deposited using the following process:
- The retail platform shares the deposit address with the end client.
- The end client makes a deposit.
- The incoming deposit triggers a webhook notification.
- Your client-facing software automatically notifies the end client that you received the deposit.
- The deposit transaction appears on the Transaction History page.
- Then, using the Omnibus Deposits vault account, you can invest funds from multiple end clients using one transaction.
Note
Due to the nature of UTXO-based blockchains, the transaction includes the source address for each end client, unlike account-based transactions which require an intermediary vault account.
Withdrawals process
Fireblocks recommends creating a dedicated vault account that holds funds allocated for end-client withdrawals and is detached from the Omnibus Deposits vault account. Then, you can load funds into the Withdrawal Pool or Treasury vault accounts.
Notes
- More than one Withdrawal Pool vault account may be required due to blockchain limitations.
- When investing using various financial products, such as DeFi or Staking, end clients' funds are not available in their respective vault accounts or addresses.
Account-based assets logic
Structure
In addition to a single Omnibus Deposits vault account, the workspace should contain one or more intermediate vault accounts per end client.
- Call the Create a new vault account endpoint, then add a prefix or suffix to the name parameter to identify the customer. This parameter then propagates to every transaction that uses the vault account.
- We recommend setting the hiddenOnUi parameter to true for intermediate vault accounts. This makes only your Omnibus Deposits vault account and your other operational vault accounts visible in the Fireblocks Console, which helps reduce visual clutter and improves loading time. However, this means incoming transactions to intermediate vault accounts will not appear on the Recent Activity panel. To track incoming transactions, call the List transaction history endpoint, use the webhook, or view the Transaction History page.
- Transactions for sweeping funds to the Omnibus Deposits vault account are displayed on the Recent Activity panel and the Transaction History page. They can also be viewed by calling the List transaction history endpoint or using the webhook.
Note
Due to the nature of account-based blockchains, transactions with account-based assets can only be transferred from one account-based address to another account-based address (unlike UTXO, where multiple addresses are included in a single transaction).
Deposits process
Funds are deposited using the following process:
- The end client receives a deposit address.
- The end client makes a deposit.
- The incoming deposit triggers a webhook notification.
- Your client-facing software automatically notifies the end client that you received the deposit.
- The deposit amount is swept to the Omnibus Deposits vault account.
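The sweep step of the process above, as an added example that is not Fireblocks code: a function that decides whether a webhook notification should trigger a sweep and builds the transfer request. The payload and request field names, the vault IDs and the client IDs are assumptions constructed for illustration, and the notification is assumed to have been authenticated already.

```python
from decimal import Decimal

OMNIBUS_VAULT_ID = "0"  # constructed: ID of the Omnibus Deposits vault account
# Constructed lookup from your own database: intermediate vault ID -> end-client ID.
INTERMEDIATE_VAULTS = {"101": "client-7f3a", "102": "client-c21e"}


def plan_sweep(event, already_swept):
    """Return a transfer request for a confirmed deposit, or None to ignore it."""
    if event.get("type") != "TRANSACTION_STATUS_UPDATED":  # assumed event name
        return None
    tx = event.get("data", {})
    if tx.get("status") != "COMPLETED":  # act only on the final state
        return None
    dest = tx.get("destination", {})
    vault_id = str(dest.get("id"))
    # Match on the vault ID held in your database, not on the display name,
    # so the omnibus and operational vault accounts are never swept.
    if dest.get("type") != "VAULT_ACCOUNT" or vault_id not in INTERMEDIATE_VAULTS:
        return None
    if tx.get("source", {}).get("type") == "VAULT_ACCOUNT":
        return None  # internal transfer (such as a gas top-up), not a deposit
    tx_id = tx.get("id")
    if not tx_id or tx_id in already_swept:
        return None  # notifications can be delivered more than once
    amount = Decimal(str(tx.get("amount", "0")))
    if amount <= 0:
        return None
    already_swept.add(tx_id)
    return {
        "assetId": tx["assetId"],
        "amount": str(amount),
        "source": {"type": "VAULT_ACCOUNT", "id": vault_id},
        "destination": {"type": "VAULT_ACCOUNT", "id": OMNIBUS_VAULT_ID},
        "note": f"sweep {tx_id} for {INTERMEDIATE_VAULTS[vault_id]}",
    }


# Constructed sample notification for an external deposit to vault account 101.
SAMPLE_DEPOSIT = {
    "type": "TRANSACTION_STATUS_UPDATED",
    "data": {"id": "tx-1", "status": "COMPLETED", "assetId": "ETH",
             "amount": "1.5", "source": {"type": "UNKNOWN"},
             "destination": {"type": "VAULT_ACCOUNT", "id": "101"}},
}
```

In production, `already_swept` would be a durable store rather than an in-memory set, so a restart does not cause a deposit to be swept twice.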
Withdrawals process
Fireblocks recommends creating a dedicated vault account that holds funds allocated for end-client withdrawals and is separate from the Omnibus Deposits vault account. Then, you can load funds into the Withdrawal Pool or Treasury vault accounts.
Notes
- More than one Withdrawal Pool vault account may be required due to blockchain limitations.
- When investing using various financial products, such as DeFi or Staking, end clients' funds are not available in their respective vault accounts or addresses.
Gas fee management
All transfers on Fireblocks, including those between vault accounts, occur on the blockchain. Therefore, you must pay gas fees when transferring funds from the intermediate vault accounts to the Omnibus Deposits vault account.
We recommend enabling and setting up the Fireblocks Gas Station to transfer funds automatically to the appropriate vault accounts to cover future fees. We recommend sweeping funds once per day, at a time when fees are lower.
TradFi business segment
For TradFi business segments, the recommended Vault structure varies per use case and license.
Commercial and investment banks
These banks can rehypothecate the funds in their custody and use the assets given to them as they see fit. Therefore, we recommend using the sweep-to-omnibus Vault structure to simplify investing.
Custodial banks
Since custodial banks offer custody services rather than investing funds, we recommend using the segregated Vault structure. This structure stores assets in individual vault accounts until the end client requests to withdraw funds.
A separate Fireblocks workspace
When your business use case requires more than just vault account segregation, you can request to purchase additional workspaces. Another workspace may be helpful when your use case meets one or more of the following criteria:
- You want to manage independent sets of clients or policies. For example, a corporate firm with independent sub-companies or departments may require each entity to own a separate workspace.
- You want to give your end clients and investors user access to their Fireblocks workspace. This can be accomplished by assigning a separate workspace to each customer.
- You want to give your employees different viewing privileges on vault accounts.
- You want to create different configurations. For example:
  - Alternative AML defaults (such as fail-on-unknown versus pass-on-unknown)
  - Different DeFi approval cap limit
  - Allowing the use of Raw Signing
Updated 5 months ago