Federal regulators have begun outlining a new, more open approach to supervising bank involvement in crypto assets with the issuance of a new joint statement on their stance toward crypto custody activities.
The Federal Reserve, Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency issued a joint statement on Monday outlining risk management considerations for providing "safekeeping" services to customers.
The guidance defines safekeeping as merely holding an asset on a customer's behalf, a narrower offering that falls under the umbrella of custody services. It outlines the various legal obligations and expectations banks must meet to operate in this space, and also flags technical and managerial considerations for banks that are interested in crypto custody.
The joint statement also reminds banks interested in providing crypto safekeeping services "that they must do so in a safe and sound manner and in compliance with applicable laws and regulations." It does not create any new supervisory expectations or requirements.
Yet, while the guidance notes that the safekeeping of crypto comes with certain novel risks — such as losing or compromising a customer's cryptographic access keys — it strikes a different tone than previous interagency guidelines about handling digital assets.
Many in and around the banking sector interpreted these communications as a warning against crypto experimentation and attributed them to an overall chilling effect on bank engagement with the emerging technology during the later part of the Biden administration.
This past spring, agencies
The move comes as part of the federal government's more
Along with guidelines for protecting cryptographic keys and similar sensitive information, the joint statement calls for a four-part risk assessment. These include exploring the core financial risks that crypto safekeeping would present to a bank's strategic direction and business model; establishing a firm understanding of the crypto space and its best practices; establishing a "strong control environment"; and developing a contingency plan for unanticipated challenges.
The agencies also detail legal and compliance considerations, including the Bank Secrecy Act, anti-money-laundering requirements, restrictions on financing terrorism and sanctions imposed by the Treasury Department's Office of Foreign Asset Control.
Third-party risks were also addressed. The statement raises several considerations related to the selection of custodial sub-contractors, emphasizing the importance of conducting due diligence reviews before engaging in any contracts.
Finally, the letter noted that a strong audit program is "essential," stating that safekeeping-centric reviews should "address the nuances of crypto-assets, including an assessment of cryptographic key generation, storage, and deletion; controls related to transfer and settlement of customer assets; and the sufficiency of relevant information technology systems."
