In both cases one is susceptible to the custodian rugging the keys (which is why we have redundancy!), but I think the SDB is superior for several reasons:
Proof of Tamper: Good security practice is to use anti-tamper seals on your physical back-ups. This way you know if the key has been accessed and can subsequently rotate it. This is not possible with the online custodian, and you have to take their word that the key hasn't been compromised.
Proof of Identity: Depending on policy, the bank SDB can only be accessed in-person by the owner. One would need a rather convincing doppelganger to circumvent this check. Meanwhile, the online custodians likely have identification systems that can be gamed by increasingly sophisticated AI fakes.
Privacy: Odd that I should bring this up for a KYC bank, but it's noteworthy that the bank does not need to access the xPub quorum to store your key. While the bank knows who you are and that you have a box, they do not know the contents (or even that it's Bitcoin-related at all). The online custodians meanwhile have access to all wallet information.
For the record: I only think a SDB is worth it if one does not otherwise have access to enough secure locations to geographically distribute their back-ups.
There may be an argument for using both - one as deep and one as intermediate storage. Not sure on the costs of a SDB though… As a plus I think you can authorise access to someone else with all the checks in place.
reply
Somewhere in the ballpark of £20-30 a month. One has to assess whether or not the cost is worth it, but I'm assuming that custodial multi-sig wouldn't be considered for anything other than large amounts to begin with.
reply
It depends on how high we go!
As an aside, I'm pretty disappointed that after 100s of years of technological innovation and financial progress we are still reduced to burying our money like Long John Silver, a Roman Legionnaire or Napoleonic Soldier…
reply
Not every SDB is in a bank. And according to my research, certain regulations regarding "third-party access" only apply to SDBs in banks. But don't trust, verify.
reply
It depends on your local regulations, but one should assume the key could be compromised at any point regardless of law. That's why anti-tamper + semi-regular checks are so necessary.
reply