Crypto-Asset Safekeeping: What’s Involved If You’re a Bank (or if You Want to Be One)

Morrison & Foerster LLP

On July 14, 2025, the federal banking agencies[1] issued a joint statement to clarify regulatory expectations for banking organizations that provide or are considering providing safekeeping for crypto-assets (“Joint Statement”).[2] After providing some key takeaways, this alert analyzes the Joint Statement and considers what is next for banking organizations and others seeking to engage in crypto-asset safekeeping.

Key Takeaways

  • Safekeeping defined. Safekeeping refers to the service of holding an asset on a customer’s behalf. In the context of crypto-assets, this means controlling the cryptographic keys associated with the crypto-asset in a way that complies with applicable laws and regulations.
  • Common baseline. While the Joint Statement notes it “does not create any new supervisory expectations,” its discussion of applicable risk management principles and existing law and regulations is useful as a common baseline for banks already providing safekeeping services and for potential new entrants.
  • Timeliness. The Joint Statement is contemporaneous with an increase in existing banks engaging in crypto-asset safekeeping and fiduciary services involving digital assets, as well as an uptick in new bank applications where applicants seek to do the same.
  • Not like traditional safekeeping. The Agencies describe this safekeeping activity as “complex,” involving a “potentially unfamiliar asset class,” requiring “requisite knowledge and understanding...[and] significant resources and attention,” and having “elevated levels of compliance and legal risks.” This makes plain that crypto-asset safekeeping is not an activity banks should engage in without considerable thought and planning.
  • Key risks. Banks could be held liable for customer losses if compromise or loss of cryptographic keys or other sensitive information results in the loss or unauthorized transfer of crypto-assets. In addition, banks employing third-party sub-custodians remain responsible for evaluating the effectiveness of the sub-custodian’s key management policies and internal controls, risk management, and recordkeeping practices. It is not clear, however, that “standard safekeeping risk management practices” or “leading practices to meet...heightened standards” yet exist, leaving clear room for market-driven initiatives.[3]
  • Unanswered questions. While the Joint Statement is broad in scope, it leaves various questions unanswered, such as:
    • Is the full body of existing regulations applicable to how banks should consider operational and cyber risks associated with the activity?
    • What contingency plans do banks need to implement to address unanticipated challenges in effectively providing crypto-asset safekeeping services?
    • Are there any circumstances under which a bank would not be responsible for the activities performed by a sub-custodian?

More on these and other points in our analysis below.

Background

The Joint Statement marks the new administration’s first interagency statement on crypto-asset safekeeping by the federal banking regulators. It is possibly the first in a series of releases, as the Agencies “continue to explore ways to provide additional clarity with respect to banks’ engagement in crypto-asset-related activities.”[4] It also follows actions taken last March (by the OCC)[5] and April (by the FRB and OCC),[6] when the Agencies withdrew various Biden-era interpretative letters and supervisory statements involving crypto-assets.

The Joint Statement catalogs a wide body of existing law, regulations, guidance, and risk management principles associated with offering crypto-asset safekeeping services. It is divided into six sections, highlighting various risk management and legal and compliance risks, while also describing associated mitigants.

Summary

1. General Risk Management Considerations

The Agencies make various references to the newness of crypto-asset safekeeping activity and the potential lack of familiarity that banks may have with crypto-assets generally.

According to the Joint Statement, a bank contemplating crypto-asset safekeeping should perform an effective risk assessment that considers various potential risks, including the bank’s:

  • Core financial risks, given the strategic direction of the business model;
  • Ability to understand a complex, evolving, and potentially unfamiliar asset class, including keeping abreast of industry leading practices;
  • Ability to ensure a strong control environment; and
  • Contingency plans to address any unanticipated challenges in effectively providing services.[7]

The Agencies note throughout the Joint Statement that the crypto-asset market and underlying technology are not static—they evolve, and, therefore, a bank’s risk governance framework needs to “appropriately adapt.” Banks should:

  • Equip and prepare boards, officers, and staff with the requisite knowledge of crypto-asset safekeeping so that they can establish adequate operational capacity and appropriate controls;
  • Devote resources and attention to procuring or developing new technology, establishing a strong control environment, and ensuring staff have appropriate technical expertise; and
  • Establish governance frameworks that can adapt to crypto-asset price volatility, potentially affecting asset values and customer demand.[8]

2. Cryptographic Key Management

One “primary risk” of crypto-asset safekeeping cited by the Agencies is the possible compromise or loss of cryptographic keys or other “sensitive information” that could result in the loss of crypto-assets or the unauthorized transfer of the crypto-assets out of the bank’s control. “Sensitive information” includes any information that could be used to transfer crypto-assets, including “seed phrases” used to regenerate keys and other backup material.[9]

This means banks could be liable for their customers’ losses. To address this risk, the Agencies state that banks need to maintain control over private keys and related sensitive information.

To “assume control,” banks need to reasonably demonstrate that no other party—including the customer—has access to information sufficient to unilaterally transfer the crypto-asset out of the control of the bank. (Note, however, that simply taking possession of cryptographic keys may not be enough to demonstrate “control” of the crypto-assets.)[10] Banks are expected to apply equivalent control standards to any sub-custodians doing safekeeping functions on the banks’ behalf.

Additional risk management issues include ensuring secure generation of keys and contingency planning for lost or compromised keys. This means determining whether key management systems remain robust in light of technological developments, for example the various wallet specifications, the differences between hot and cold wallets, and whether the cryptographic keys generated by any one wallet meet the requirements of a bank’s control environment.[11]
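The Joint Statement’s point that “sensitive information” includes seed phrases and other backup material, and that merely possessing a key does not establish control if someone else kept a copy, is easiest to see with the derivation most hierarchical-deterministic wallets actually use. The following is an added example, not code from the Joint Statement or this alert; it assumes the BIP-39 seed stretching and BIP-32 master-key derivation, uses the published BIP-39 test vector as input, and the `holders_able_to_regenerate` check and the holder names in it are hypothetical, constructed for illustration.

```python
"""
Why a seed phrase is key material, and why possession is not control.

Added example (not from the Joint Statement or the alert). Assumes the
BIP-39 / BIP-32 scheme used by most hierarchical-deterministic wallets:
  seed       = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds, 64 bytes)
  master key = HMAC-SHA512(key=b"Bitcoin seed", msg=seed); left 32 bytes are the
               master private key, right 32 bytes the chain code.
Anyone holding the mnemonic (plus passphrase, if one is used) recomputes the
same private key, so a "backup" is equivalent to the key itself.
"""
from __future__ import annotations

import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 2048  # fixed by BIP-39


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the mnemonic sentence into a 64-byte seed."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, PBKDF2_ROUNDS, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32: derive (master_private_key, chain_code) from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def holders_able_to_regenerate(
    holders: dict[str, str], passphrase: str, master_key: bytes
) -> list[str]:
    """Hypothetical control check: which parties hold material that reproduces
    master_key? Exclusive control in the Joint Statement's sense requires the
    answer to be the bank (or its sub-custodian) alone."""
    return sorted(
        name
        for name, phrase in holders.items()
        if hmac.compare_digest(
            seed_to_master_key(mnemonic_to_seed(phrase, passphrase))[0], master_key
        )
    )


if __name__ == "__main__":
    # BIP-39 test vector #1: entropy of 16 zero bytes, passphrase "TREZOR".
    MNEMONIC = "abandon " * 11 + "about"
    seed = mnemonic_to_seed(MNEMONIC, "TREZOR")
    priv, chain = seed_to_master_key(seed)
    print("seed        :", seed.hex())
    print("master priv :", priv.hex())
    print("chain code  :", chain.hex())

    # Constructed scenario: the bank imported the customer's wallet by taking
    # the seed phrase, but the customer kept a copy. Possession != control.
    holders = {
        "bank_cold_backup": MNEMONIC,
        "customer_retained_copy": MNEMONIC,
        "unrelated_party": "zoo " * 11 + "wrong",
    }
    print("can sign    :", holders_able_to_regenerate(holders, "TREZOR", priv))
```

Two things worth noticing when running it: the same 12 words always produce the same master private key, so a written-down seed phrase must be protected exactly like the key; and a BIP-39 passphrase changes the derived key entirely, which is why the passphrase (if any) must be treated as sensitive information alongside the mnemonic rather than as an optional convenience.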

While the Joint Statement notes the potential “increased operational risks” associated with crypto-asset safekeeping and the importance of a bank’s cybersecurity environment as a key focus of risk management, its treatment of operational and cyber risk as applied to crypto-asset safekeeping is relatively thin.[12] It would be helpful, for example, for the Agencies to expand on:

  • The importance of multi-layered security architecture;
  • Resiliency and recovery planning; and
  • The potential applicability of the Agencies’ 2021 computer-security incident notification requirements for banks and their service providers.[13]

3. Additional Risk Management Considerations

Crypto-assets vary in technical structure, governance rules, and risks. For example, they may exist on ledgers that are incompatible with each other or have been created through open-source development that would not have required specific disclosures. Banks need to thoroughly evaluate each type before safekeeping the crypto-asset.[14] The Agencies recommend:

  • Performing a comprehensive analysis of each crypto-asset’s technical, operational, strategic, market, legal, and compliance considerations, and its underlying ledger; and
  • Staying apprised of related material developments for each asset.[15]

Banks also need to consider the benefits and risks associated with different safekeeping models (e.g., omnibus accounts may be more efficient but also more attractive targets for theft).[16]

4. Legal and Compliance Risk

The Joint Statement reminds banking organizations that safekeeping relationships are subject to Bank Secrecy Act (BSA)/anti-money laundering (AML) and Office of Foreign Assets Control (OFAC) requirements.[17] The Agencies note certain challenges for maintaining compliance with these requirements, given the nature of distributed ledger technology, underscoring the importance of involving the bank’s BSA officer, board of directors, and senior management in evaluating illicit financing risks before offering crypto-asset safekeeping.

The Agencies also note that having “well-written customer agreements” can be useful in managing risks, including descriptions of:

  • Forks, airdrops, on-chain governance, and voting;
  • Probabilistic settlement risk on permissionless blockchains;
  • How crypto-assets are held (i.e., cold, hot, hybrid storage); and
  • The bank’s use of sub-custodians and smart contracts.[18]

Banks can also mitigate the risk of customer confusion by providing clear, accurate, and timely information on their crypto-asset safekeeping activities.

5. Third-Party Risk Management

Before the Joint Statement, the Agencies had consistently maintained that “a banking organization is responsible for conducting its activities in compliance with applicable laws and regulations, including those activities involving third parties. The use of third parties does not abrogate these responsibilities.”[19]

The Agencies, in the Joint Statement, note that “subject to the terms and conditions in the customer agreement, a banking organization is responsible for the activities performed by the sub-custodian.”[20] It is not clear whether the “subject to . . .” language is intended to depart from prior third-party risk management guidance, or whether it is intended to reflect specific circumstances where the sub-custodian has a contractual obligation to notify the bank of material events.

In addressing the risk posed by third-party sub-custodians or other service providers, the Agencies note the utility of conducting due diligence on a sub-custodian’s:

  • Recordkeeping and risk management practices (e.g., do they avoid commingling assets, how do they treat assets in the event of an insolvency/operational disruption);[21] and
  • Cryptographic key-management solution, including policies, processes, and internal controls, and adherence to “standard safekeeping risk management practices.”

Banks should also weigh the risks and benefits of buying third-party software or hardware versus maintaining the software or hardware as a service.

6. Audit

The Agencies note that audit is essential to ensuring sound operations and effective controls over crypto-asset safekeeping and recommend:

  • Including crypto-asset safekeeping activities in the bank’s audit program, emphasizing (1) cryptographic key generation, storage, and deletion; (2) controls regarding transfer and settlement of customer assets; (3) the sufficiency of information technology systems; (4) management and staff expertise; and (5) implementation of safekeeping controls; and
  • Engaging appropriate external and independent experts where internal expertise is lacking.[22]

What’s Next

Although the Joint Statement does not “create any new supervisory expectations,” it sends a clear message: regulators expect banks to bring a high degree of preparedness, specialization, and risk management to crypto-asset safekeeping.

Together with the GENIUS Act, the Joint Statement represents a broader movement toward a clear federal regulatory framework for digital assets. It is a reminder to banks and the broader market that safekeeping and custody are separate but related concepts and that these services, as applied to on-chain crypto-assets, are not routine extensions of traditional safekeeping and custodial practices. They involve unique technology and infrastructure, tailored customer agreements, and policies and procedures that reflect their relative newness and complexity.

The Morrison Foerster Financial Services and Digital Assets groups will continue to monitor and analyze these and related developments. If you have questions or would like to discuss these issues further, please contact the authors of this client alert.

Gloria Ren, a summer associate in Morrison Foerster’s New York office, contributed to this alert.


[1] Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC) (collectively, the “Agencies”).

[2] “Banking organizations” (or “banks,” for purposes of our summary) includes national banks, federal savings associations, and federal branches and agencies of foreign banks.

[3] FRB, OCC, FDIC, Joint Statement, “Crypto-Asset Safekeeping by Banking Organizations” (July 14, 2025) (“Joint Statement”) at 6 & n.8, https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20250714a1.pdf.

[4] Board of Governors of the Federal Reserve System, “Agencies issue joint statement on risk-management considerations for crypto-asset safekeeping” (July 14, 2025).

[5] Office of the Comptroller of the Currency, “OCC Clarifies Bank Authority to Engage in Certain Cryptocurrency Activities,” News Release 2025-16 (Mar. 7, 2025) (the OCC rescinded Interpretive Letter 1179, which outlined a supervisory nonobjection process for banks seeking to engage in the activities addressed in Interpretive Letters 1170, 1172, or 1174. Letters 1170, 1172, and 1174 address, respectively, whether banks may provide crypto-asset custody services; whether banks may hold dollar deposits serving as reserves backing stablecoins in certain circumstances; and whether banks may (1) act as nodes on an independent node verification network (i.e., a distributed ledger) to verify customer payments and (2) engage in certain stablecoin activities to facilitate payment transactions on a distributed ledger).

[6] See Board of Governors of the Federal Reserve System, “Federal Reserve Board announces the withdrawal of guidance for banks related to their crypto-asset and dollar token activities and related changes to its expectations for these activities” (Apr. 24, 2025). (The FRB, FDIC, and OCC withdrew from two 2023 statements jointly issued by the federal bank regulatory agencies that addressed crypto-asset risks and liquidity risks to banking organizations resulting from crypto-asset market vulnerabilities. The FRB also withdrew from its 2023 letter regarding the supervisory nonobjection process for state member bank engagement in dollar token activities and its 2022 supervisory letter establishing an expectation that state member banks provide advance notification of planned or current crypto-asset activities.)

[7] Joint Statement at 2.

[8] Id.

[9] Id. at n.9.

[10] Id. at n.10 (a bank taking possession of the key may not be sufficient to establish control, as the customer could have retained copies of the key or given it to others).

[11] Id. at nn.12–13 (cold wallets, which are disconnected from the internet, may be more secure than hot wallets, which remain online at all times, because cold wallets are less accessible).

[12] See OCC Bulletin 2023-22, “Cybersecurity Supervision Work Program,” which provides considerations aligned with existing supervisory guidance and the NIST Cybersecurity Framework.

[13] See OCC, FRB, FDIC, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers,” 86 Fed. Reg. 66,424 (Nov. 23, 2021).

[14] For fiduciary accounts administered by national banks and FSAs, reviews of risks associated with safekeeping are required by regulation. See 12 CFR § 9.6(a); 12 CFR § 150.200.

[15] Joint Statement at 3.

[16] Id. at n.19.

[17] Id. at 4–5.

[18] Smart contracts are programs stored on a blockchain that are automatically executed when predetermined terms and conditions are met. If the crypto-assets under custody depend on smart contracts, a banking organization should exercise appropriate governance and oversight of these smart contracts throughout their life cycle.

[19] FRB, FDIC, OCC, “Interagency Guidance on Third-Party Relationships: Risk Management,” 88 Fed. Reg. 37,920 (June 9, 2023); see also FRB, FDIC, OCC, “Third-Party Risk Management, A Guide for Community Banks” (May 3, 2024) at 21, https://www.fdic.gov/resources/bankers/third-party-relationships/third-party-risk-management-guide.pdf (“A banking organization’s board of directors has ultimate responsibility for providing oversight for third-party risk management and holding management accountable...”).

[20] Joint Statement at 6.

[21] If a sub-custodian commingles its own assets with assets being held on behalf of the banking organization, this could risk the crypto-assets being treated as property of the sub-custodian in certain circumstances, such as bankruptcy. Similarly, if a sub-custodian fails to maintain proper recordkeeping or contingency planning, an operational disruption could prevent the banking organization’s customers from being able to access their crypto-assets, potentially for an extended period of time or even permanently.

[22] Id. at 7.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Morrison & Foerster LLP
