Business use cases
You can structure vault accounts based on your specific business use case. The following example structures are taken from common business use cases on Fireblocks. However, you can customize your Vault structure to match your organization's best practices.
Crypto-trading business segment
For the crypto-trading business segment, we recommend a segregated Vault structure. In this structure, your company creates a vault account for each of your end clients or business use cases. This structure lets you track each transaction for auditing, compliance, and Know Your Customer (KYC) purposes. It also allows you to separate your company's assets from end-client assets and oversee different branches, strategies, and operations in the same workspace.
Recommended vault accounts
Proprietary assets
- Treasury
- Market making
- OTC trading
Customer assets
- Collateral (for lending)
- Withdrawals
- Deposits
- DeFi
- Vault accounts for each corporate client, family office, etc.
Hedge funds
You can structure vault accounts per share class, product, strategy, or by the portfolio manager.
Trading firms and brokers
You can structure vault accounts to segregate any proprietary assets from customer assets.
Retail business segment
We recommend the sweep-to-omnibus Vault structure since retail customers primarily use API to automate scaling business operations.
On Fireblocks, you can use API keys to generate intermediate vault accounts, identify incoming transactions, and sweep funds to the Omnibus Deposits vault account.
The Fireblocks API can generate as many vault accounts as needed to receive direct deposits from your end clients. Then, using webhooks to monitor incoming transactions, the Fireblocks API triggers a sweep from the end-client vault account to the Omnibus Deposits vault account.
Exchanges, retail payments, lending desks, and Neo Banks
Typically, a sweep-to-omnibus Vault structure is suitable for retail businesses that serve many end clients and manage a database of customer names and IDs.
UTXO-based assets logic
Structure
In the Omnibus Deposits vault account, you can assign a deposit address (derived from the permanent wallet address of the UTXO asset) to each end client. Call the Create a new asset deposit address endpoint, then add the end client's name or ID to the description
parameter. This parameter then propagates to every transaction that uses the deposit address.
Deposits process
Funds are deposited using the following:
- The retail platform shares the deposit address with the end client.
- The end client makes a deposit.
- The incoming deposit triggers a webhook notification.
- Your client-facing software automatically notifies the end client that you received the deposit.
- The deposit transaction appears on the Transaction History page.
- Then, using the Omnibus Deposits vault account, you can invest funds from multiple end clients using one transaction.
Note
Due to the nature of UTXO-based blockchains, the transaction includes the source address for each end client, unlike account-based transactions which require an intermediary vault account.
Withdrawals process
Fireblocks recommends creating a dedicated vault account that holds funds allocated for end-client withdrawals and is detached from the Omnibus Deposits vault account. Then, you can load funds into the Withdrawal Pool or Treasury vault accounts.
Notes
- More than one Withdrawal Pool vault account may be required due to blockchain limitations.
- When investing using various financial products, such as DeFi or Staking, end clients' funds are not available in their respective vault accounts or addresses.
Account-based assets logic
Structure
In addition to a single Omnibus Deposits vault account, the workspace should contain one or more intermediate vault accounts per end client.
- Call the Create a new vault account endpoint, then add a prefix or suffix to the
name
parameter to identify the customer. This parameter then propagates to every transaction that uses the vault account. - We recommend setting the
hiddenOnUi
parameter to true for intermediate vault accounts. This makes only your Omnibus Deposits vault account and your other operational vault accounts visible in the Fireblocks Console, which helps reduce visual clutter and improves loading time. However, this means incoming transactions to intermediate vault accounts will not appear on the Recent Activity panel. To track incoming transactions, call the List transaction history endpoint, use the webhook, or view the Transaction History page. - Transactions for sweeping funds to the Omnibus Deposits vault account are displayed on the Recent Activity panel and the Transaction History page. They can also be viewed by calling the List transaction history endpoint or using the webhook.
Note
Due to the nature of account-based blockchains, transactions with account-based assets can only be transferred from one account-based address to another account-based address (unlike UTXO, where multiple addresses are included in a single transaction).
Deposits process
Funds are deposited using the following:
- The end client receives a deposit address.
- The end client makes a deposit.
- The incoming deposit triggers a webhook notification.
- Your client-facing software automatically notifies the end client that you received the deposit.
- The deposit amount is swept to the Omnibus Deposits vault account.
Withdrawals process
Fireblocks recommends creating a dedicated vault account that holds funds allocated for end-client withdrawals and is separate from the Omnibus Deposits vault account. Then, you can load funds into the Withdrawal Pool or Treasury vault accounts.
Notes
- More than one Withdrawal Pool vault account may be required due to blockchain limitations.
- When investing using various financial products, such as DeFi or Staking, end clients' funds are not available in their respective vault accounts or addresses.
Gas fee management
All transfers on Fireblocks, including those between vault accounts, occur on the blockchain. Therefore, you must pay gas fees when transferring funds from the intermediate vault accounts to the Omnibus Deposits vault account.
We recommend enabling and setting up the Fireblocks Gas Station to transfer funds automatically to the appropriate vault accounts to cover future fees. We recommend sweeping funds once per day when fees cost less.
TradFi business segment
For TradFi business segments, the recommended Vault structure varies per use case and license.
Commercial and investment banks
These banks can rehypothecate the funds in their custody and use the assets given to them as they see fit. Therefore, we recommend using the sweep-to-omnibus Vault structure to simplify investing.
Custodial banks
Since custodial banks offer custody services rather than investing funds, we recommend using the segregated Vault structure. This structure stores assets in individual vault accounts until the end client requests to withdraw funds.
A separate Fireblocks workspace
When your business use case requires more than just vault account segregation, you can request to purchase additional workspaces. Another workspace may be helpful when your use case meets one or more of the following criteria:
- You want to manage independent sets of clients or policies. For example, a corporate firm with independent sub-companies or departments may require each entity to own a separate workspace.
- You want to give your end clients and investors user access to their Fireblocks workspace. This can be accomplished by assigning a separate workspace to each customer.
- You want to give your employees different viewing privileges on vault accounts.
- You want to create different configurations. For example:
- Alternative AML defaults (such as fail-on-unknown versus pass-on-unknown)
- Different DeFi approval cap limit
- Allowing the use of Raw Signing
Updated 6 months ago