What crypto safekeeping rules mean for bank tech leaders

The Office of the Comptroller of the Currency released guidance this week that lays out the existing regulatory standards with which banks must comply when they hold crypto assets on a customer's behalf, a practice known as safekeeping or custody.

This guidance, cosigned by the Federal Reserve and Federal Deposit Insurance Corporation and released on Monday, does not introduce new supervisory expectations. Rather, the letter explains the existing regulations.

These regulations have shifted under the Trump administration, from requiring banks to get letters of nonobjection from regulators to hold crypto in safekeeping, to allowing banks to hold these assets without needing to tell regulators beforehand.

The importance of managing cryptographic keys properly

Whether a bank provides crypto safekeeping services in a fiduciary or non-fiduciary capacity, it must control the unique cryptographic keys associated with the assets.

This control means that "no other party — including the customer — has access to information sufficient to unilaterally transfer the crypto asset out of the control of the banking organization," according to the letter.

The OCC, Fed and FDIC highlighted some key risk management considerations in the joint statement:

  • Preventing the compromise or loss of keys and sensitive information through cryptographic key management is paramount.
  • Given the virtual nature of crypto assets, a robust cybersecurity environment is crucial.
  • Banks must conduct a comprehensive analysis of each specific crypto asset they intend to safeguard, identifying potential vulnerabilities and dependencies.
  • All crypto asset safekeeping activities remain subject to existing regulations, including the Bank Secrecy Act, anti-money-laundering and countering-the-financing-of-terrorism regulations, and Office of Foreign Assets Control requirements. The letter pointed out that features of distributed ledger technology may present compliance challenges, particularly regarding transaction identification.
  • Well-written customer agreements are essential for managing risks and should address unique crypto-specific issues like forks (when a digital asset spins off into a new version) or airdrops (when a crypto backer distributes the asset for free, often in exchange for a promotional task).
  • The bank's board, officers and employees must possess the necessary internal expertise, meaning knowledge and understanding of crypto-asset safekeeping services.

A shifting regulatory tide: From prior approval to ongoing supervision

This week's joint statement marks another step in the evolving regulatory approach to crypto assets for U.S. financial institutions and follows significant changes (framed by the agency as clarifications of existing law and regulation) from the OCC earlier in 2025.

For example, the OCC issued guidance this May that said banks could buy and sell assets held in custody at a customer's direction, not just to facilitate payments, and may outsource bank-permissible crypto activities, including custody and execution services, to third parties.

This guidance explicitly included services such as "facilitating the customer's cryptocurrency and fiat currency exchange transactions, transaction settlement, trade execution, recordkeeping, valuation, tax services [and] reporting."

When outsourcing, the bank remains responsible for the activities performed by the sub-custodian and must apply third-party risk management practices, according to the OCC.
