Banking Agencies Issue Joint Statement on Risk-Management Considerations for Cryptoasset Safekeeping

Latham & Watkins LLP

Banking organizations safekeeping digital assets for customers must do so in a safe and sound manner and in compliance with applicable laws and regulations.

On July 14, 2025, the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the agencies) issued a joint statement (the Joint Statement) on risk-management considerations for banking organizations[1] engaged in cryptoasset safekeeping.[2] The Joint Statement addresses potential risk-management considerations under existing laws and regulations related to banks holding cryptoassets (i.e., controlling the cryptographic keys associated with the cryptoasset) on a customer’s behalf in a fiduciary or a non-fiduciary capacity.

Generally, cryptoasset safekeeping requires the maintenance of an effective control environment, including the “[s]tandard custodial risk management principles.” Programs and controls, however, may need to be tailored to the specific services being offered and the unique attributes of the cryptoassets under safekeeping.

According to the agencies, the Joint Statement “does not create any new supervisory expectations.” The agencies highlighted the following risk management considerations for banking organizations.

Risk Management Considerations

A banking organization should consider potential risks prior to offering cryptoasset safekeeping, taking into account the banking organization’s:

  • core financial risks given its strategic direction and business model;
  • ability to understand a complex and dynamic asset class;
  • ability to establish and maintain a robust internal control environment; and
  • contingency plans to manage unforeseen challenges in effectively providing services.

The banking organization’s board, officers, and employees should possess adequate knowledge and understanding of cryptoasset safekeeping services to ensure safe and compliant operations and controls.

A banking organization should adapt its risk governance frameworks to the evolving nature of the cryptoasset market and its underlying technology.

In addition, a banking organization should consider:

  • establishing processes for determining the specific cryptoassets for which it will provide safekeeping;
  • understanding any unique features of such cryptoassets that may require special solutions;
  • for each cryptoasset to be held in safekeeping, identifying the vulnerabilities and dependencies that could create material risks to the bank’s safety and soundness;
  • for each cryptoasset to be held in safekeeping, “analyzing relevant technical, operational, strategic, market, legal, and compliance considerations . . . as well as staying apprised of material developments specifically related to supported cryptoassets and their underlying ledgers”; and
  • the potential risks associated with the different types of account models for safekeeping cryptoassets (e.g., omnibus versus separate accounts).

Cryptographic Key Management

A banking organization should consider:

  • maintaining effective control standards for cryptoassets, cryptographic keys, and related sensitive information, applicable to the organization and any sub-custodian it employs;
  • establishing secure generation of cryptographic keys and contingency planning for lost or compromised keys;
  • whether its risk management program and systems continue to be sufficient in light of technological developments; and
  • bolstering its cybersecurity to protect customer assets.

Legal and Compliance Risk

A banking organization must conduct all cryptoasset safekeeping activities in compliance with applicable laws and regulations, considering the potential for elevated levels of risk resulting from an “evolving regulatory landscape.”

At a minimum, a banking organization must adhere to applicable recordkeeping and reporting requirements, as well as Bank Secrecy Act / anti-money laundering (BSA/AML), countering the financing of terrorism (CFT), Office of Foreign Assets Control (OFAC), and Travel Rule[3] requirements, including:

  • customer identity verification;
  • due diligence (to understand the nature and purpose of the customer relationship);
  • ongoing monitoring;
  • suspicious activity reporting; and
  • illicit transaction blocking.

The agencies recommend that banking organizations maintain a well-written customer agreement for cryptoasset safekeeping services, “outlining clearly defined duties and responsibilities of the parties,” and covering issues unique to cryptoasset safekeeping such as “on-chain governance and voting, forks, airdrops, probabilistic settlement that may be characteristic of permissionless blockchains, the method of holding the assets (cold/hot/hybrid storage), the use of a sub-custodian(s), and the use of smart contracts.”

The agencies also recommend that a banking organization make “clear, accurate, and timely” disclosures to customers about its cryptoasset safekeeping activities, including its role in any governance or voting related to the cryptoasset.

Third-Party Risk Management

The agencies recommend effective risk management of third parties when employed for sub-custodial services or activities other than custodial services.

Banking organizations employing a sub-custodian for cryptoasset safekeeping should understand the risks of such practices (including potential responsibility for sub-custodian activity and treatment of customer assets in the event of the sub-custodian’s insolvency or operational disruption), the applicable laws and regulations, and any relevant third-party risk management guidance issued by the agencies (e.g., the 2023 Interagency Guidance on Risk Management; for more information, see this Latham blog post).

Third-party risk management processes, including due diligence before selection of a sub-custodian, should take into consideration the risks posed by a particular activity and any applicable regulatory requirements.

Audit

A banking organization’s audit program should adequately cover its cryptoasset safekeeping activities, including controls related to:

  • cryptographic key generation, storage, and deletion;
  • transfer and settlement of customer assets;
  • information technology systems; and
  • third-party engagement and risk management.

Conclusion

The Joint Statement is the latest in a series of crypto-centric actions from the agencies, which align with the current administration’s support for the digital asset industry, including:

  • the OCC’s March 2025 reaffirmation that banks may participate in a range of cryptocurrency activities (for more information, see this Latham blog post);
  • the FDIC’s March 2025 Financial Institution Letter that provided new guidance for FDIC-supervised institutions engaging in or seeking to engage in crypto-related activities (see this Latham blog post);
  • the FRB’s April 2025 rescission of 2022 guidance that required banks to notify the FRB prior to engaging in cryptoasset-related activities, and to receive a written notification of supervisory nonobjection from the FRB before engaging in the covered cryptoasset and stablecoin activities (see this Latham blog post);
  • the OCC’s May 2025 Interpretive Letter affirming that banks may provide and outsource cryptocurrency custody and execution services on behalf of customers (see this Latham blog post); and
  • the agencies’ collective withdrawal in March 2025 and April 2025 from two 2023 joint statements on cryptoasset risks to banking organizations (see this Latham blog post and this post).

While not overtly “crypto-friendly,” the Joint Statement may be viewed as a positive step toward regulatory normalization of cryptoasset engagement and custody in the banking sector. This focus on existing risk management practices and third-party oversight is very much commensurate with other legitimate banking activities. It suggests that the agencies are beginning to consider cryptoassets to be a novel financial asset class on par with other asset classes, rather than assets with inherently acute and insurmountable risks.

Finally, the agencies also noted that they will “continue to explore ways to provide additional clarity with respect to banks’ engagement in cryptoasset-related activities.” As Congress considers bills to give structure to the digital asset and stablecoin markets, continued clarity from the banking regulators amidst the “evolving regulatory landscape” will be critical for traditional financial institutions seeking to begin (or ramp up) their engagement with cryptoassets.


  1. Under the Joint Statement, “[f]or the OCC, ‘banking organizations’ includes national banks, Federal savings associations, and Federal branches and agencies of foreign banks. For the [FRB], ‘banking organizations’ includes all U.S. bank holding companies, state member banks, Edge and agreement corporations, and uninsured state-licensed branches and agencies of foreign banks. For the FDIC, ‘banking organizations’ includes all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations.”
  2. As noted in the Joint Statement, “safekeeping” is defined as “the service of holding an asset on a customer’s behalf” whereas “custody” is intended to “encompass…all the services a banking organization may provide in relation to assets held on a customer’s behalf.”
  3. BSA rule 31 CFR 103.33(g), which requires financial institutions or Virtual Asset Service Providers (VASPs) to share specific information about transmittal orders for funds or cryptocurrency exceeding $3,000 with the receiving financial institution. It aims to combat money laundering and terrorist financing by ensuring that certain details about the originator and beneficiary of a transaction are transmitted along with the asset transfer.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Latham & Watkins LLP
