Not every SDB is in a bank. And according to my research, certain regulations regarding "third-party access" only apply to SDBs in banks. But don't trust, verify.
It depends on your local regulations, but one should assume the key could be compromised at any point regardless of law. That's why anti-tamper + semi-regular checks are so necessary.