BitGo Policies

What are BitGo policies?

BitGo policies are security rules that define when and how certain actions can take place, e.g., who can approve a withdrawal, when and how funds can move. They act as protective guardrails and can be applied at the organization level or wallet level. 

• Manage risk: stops unauthorized or high-risk transactions when needed 

• Simplify compliance: keeps operational behavior consistent and auditable

• Enable control: set rules that fit your structure and risk appetite

While policies are fully customizable and manageable by clients, some are implemented and enforced by BitGo to ensure the highest levels of security and regulatory compliance. These are referred to as BitGo enforced policies. Certain aspects of these policies may not be customizable or removable due to regulatory and security requirements. 

These policies include: 

• Video identity verification policies 

• Unverified address policies

• FIat liveness check policies

How do policies work?

The Policy Engine

The Policy Engine is an automated decision-making hub that enables the creation, management and enforcement of policies across your wallets and enterprise. It is designed to help you tailor policies to meet your organization’s needs, ensure consistency and also maintains an audit log of changes made. 

When a transaction is initiated, the Policy Engine instantly checks all active policies to evaluate whether the request meets your organization’s security and operational requirements. Only transactions that meet your organization’s policies and pass required approvals are executed. 

Policy structure

Every policy is made up of four parameters that define where, when and how rules are applied. These elements work together to automate security and approval workflows. 

• Scope: what the policy covers and where it applies (e.g., specific wallet or account types)

• Touchpoint: when the policy is applied or the event that triggers the policy (e.g., a withdrawal or a settlement)

• Condition: criteria that must be met to help you tailor policies to match your risk tolerance (e.g., transaction size or asset types)

• Action: determines what needs to happen when a policy is triggered (e.g., additional approvals or rejecting a transaction)

What are some best practices?

Strong policies start with understanding your organization’s structure, users, needs and behaviors. The following best practices can help you design and maintain policies that balance security, flexibility and efficiency: 

• Review your wallets holistically 

  • Understand how you use each wallet type and consider assigning different policy frameworks based on each wallet’s purpose and risk profile

• Define user roles and responsibilities (see Admin Console)

  • Determine who can initiate transactions, approve based on transaction size and who can manage policies 

  • Ensure separation of duties between initiators and approvers

• Establish transaction thresholds

  • Define what quantifies as small, medium or large transactions for your business 

  • Align approval requirements and notification rules accordingly 

• Identify and protect against unusual activity

  • Set conditions for what constitutes uncommon or risky behavior (e.g., high-value or high-frequency withdrawals)

• Implement a whitelisting strategy 

  • Decide whether to allow withdrawals to non-whitelisted addresses and if so, require additional approvals or verification 

• Design tactical, scalable policies 

  • Use consistent scopes for clarity

  • Apply scaling conditions for transaction sizes to ensure appropriate approval layers

  • Set failsafe policies 

• Refine periodically 

  • Assess whether policies still reflect your operational needs and risk appetite

  • Adjust thresholds or approval requirements as your transaction volume and business evolve 

  • Use data and insights to identify patterns or gaps in your current set up