Banking Agencies Issue Crypto Safekeeping Guidelines

Commentary by Gage Raju-Salicki

The banking agencies issued guidance for banking organizations considering or already offering safekeeping services for crypto assets.

In that joint statement, the Office of the Comptroller of the Currency ("OCC"), the Federal Reserve and the FDIC (the "agencies") aimed to clarify how existing laws and risk management practices applied to this growing activity without introducing new regulations. The agencies addressed the following areas of concern:

General Risk Management Considerations

The agencies recommended that these organizations evaluate their ability to manage the risks associated with holding crypto assets. The agencies urged banks to assess their business models, operational capabilities and understanding of the rapidly evolving crypto landscape. Institutions were encouraged to ensure that boards and staff had enough knowledge to provide these services safely and in compliance with the law. The agencies emphasized the need for strong risk assessments, updated contingency plans and alignment with existing regulations.

Cryptographic Management

One of the top concerns identified was the secure management of cryptographic keys. The agencies warned banks that losing or compromising private keys could result in unrecoverable losses for customers. The agencies explained that to safely control a crypto asset, banks needed to prove that no one else (including the customer) could access the keys. The agencies highlighted the importance of storage and the selection of appropriate wallet types, such as cold or hot wallets.

Additional Risk Management Considerations

The guidance also addressed risks tied to the specific types of crypto assets banks might hold. Because crypto assets vary widely in technical features and compatibility, the agencies said banks needed to analyze each asset's vulnerabilities before offering safekeeping services. They recommended careful evaluation of the technology supporting each asset, including its blockchain, to identify potential operational and legal risks. Banks were told to stay informed about ongoing developments affecting these assets.

Legal and Compliance Risk

The agencies reminded banks that all crypto asset safekeeping activities must comply with existing laws, such as the Bank Secrecy Act, anti-money laundering rules and OFAC sanctions. The agencies acknowledged that some features of blockchain technology could complicate compliance, such as verifying customer identity or tracing transactions. The agencies told these institutions to involve compliance officers and senior leadership before launching these services and to ensure customers clearly understood the bank's role.

Third-Party Risk Management

The guidance also covered the use of third-party service providers or sub-custodians. The agencies said that banks that outsource safekeeping functions would be held responsible for the risks posed by those partnerships. The agencies encouraged banks to perform due diligence on third-party vendors, evaluate how customer assets would be protected in case of a failure and monitor the provider's internal controls. The agencies recommended the use of clear contract terms and continuous oversight to manage third-party risks effectively.

Audit

The agencies emphasized the need for strong audit programs covering crypto asset safekeeping. The agencies said they expect internal or independent audits to assess areas like cryptographic key management, transaction controls and staff expertise. The agencies said that banks that lacked in-house knowledge must bring in external experts to review these activities.

Commentary

This joint statement from the OCC, Federal Reserve and FDIC, while not groundbreaking, is a positive development for the cryptocurrency industry. By clarifying that existing fiduciary, BSA/AML and cybersecurity regulations apply to crypto-asset safekeeping, the agencies are ultimately reinforcing the expectation that banks must approach these services with the same rigor as traditional asset custody, but with special attention paid to crypto’s unique characteristics.

The explicit focus on cryptographic key management, cybersecurity and third-party risk management speaks to that attention. The compliance recommendations emphasize the need to draft customer agreements with an understanding of the underlying technology so that users could potentially engage in on-chain governance or receive airdrops. Contract law will be able to solve for these details, but close consultation with lawyers familiar with crypto will undoubtedly prove helpful here. On the cybersecurity front, heavy investment will have to be made into keeping data—in particular, private keys—safe from attackers. Interestingly, however, the compliance recommendations simultaneously suggest that these agencies still see crypto fitting into existing legal frameworks (such as FinCEN's Travel Rule or OFAC's sanctions regime).

Again, this guidance is not groundbreaking, but it does suggest crypto's staying power. As the House continues its "Crypto Week" with potential to pass the stablecoin-regulating GENIUS Act, issuing such guidance makes complete sense. In this way, these agencies are signaling a kind of crypto acceptance to banks, but also that careful consideration must be paid to crypto's more-than-money characteristics to safeguard these assets.
