Federal Agencies Release Guidance on Crypto-Asset Safekeeping for Banks

Troutman Pepper Locke

On July 14, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (the Board), and the Federal Deposit Insurance Corporation (FDIC) jointly issued a statement addressing the safekeeping of crypto-assets by banking organizations on behalf of their customers. This announcement clarifies how existing laws, regulations, and risk management principles apply to the safekeeping of crypto-assets by banks and does not create any new supervisory expectations. Importantly, the federal banking regulators clearly signal that banks can serve as custodians of digital assets, including by storing cryptographic keys.

Understanding Safekeeping vs. Custody

The statement distinguishes between “safekeeping” and “custody,” with safekeeping defined as holding an asset on a customer’s behalf. While custody encompasses a broader range of services, the focus of the joint statement is on the safekeeping aspect, emphasizing compliance with existing regulatory frameworks without introducing new supervisory expectations.

Fiduciary and Non-Fiduciary Capacities

Banking organizations can offer safekeeping services in either a fiduciary or non-fiduciary capacity. Those acting in a fiduciary role must adhere to 12 CFR 9 or 150, as applicable, state laws and regulations, and any other applicable legal provisions, ensuring they manage crypto-assets with the same diligence as other fiduciary assets. This includes trustees, executors, administrators, and investment advisors who have the authority to manage these assets responsibly.

Risk Management Considerations

The agencies highlight the importance of robust risk management practices. Safekeeping crypto-assets involves controlling cryptographic keys, which are crucial for maintaining asset security. Banking organizations must assess potential risks, including financial, operational, and technological challenges, and ensure their board of directors, officers and employees are equipped with the requisite knowledge and understanding of crypto-asset safekeeping services to handle these complexities. The statement notes that effective risk management includes developing and maintaining appropriate processes for determining the specific crypto-assets for which the banking organization will provide safekeeping. This typically includes the performance of a comprehensive analysis of each crypto-asset prior to safekeeping, including identification of vulnerabilities and dependencies which could create material risk to the banking organization’s safety and soundness. The guidance also suggests that given the virtual nature of crypto-assets, a bank’s cybersecurity environment should be a key focus of risk management.

Cryptographic Key Management

A primary concern in crypto-asset safekeeping is the management of cryptographic keys. The loss or compromise of these keys can lead to unauthorized asset transfers, posing liability risks for banking organizations. Effective control of these keys is essential, requiring secure generation, storage, and contingency planning to address potential vulnerabilities. The guidance states that in general, a bank has “control” of a crypto-asset when it can reasonably demonstrate that no other party, including the customer, has access to information sufficient to unilaterally transfer the crypto-asset out of the control of the bank.

Legal and Compliance Risks

The statement warns that crypto-asset safekeeping may involve elevated levels of compliance and legal risk due to the evolving regulatory landscape. Crypto-asset safekeeping is subject to compliance with the Bank Secrecy Act, anti-money laundering regulations, the Travel Rule, Combatting the Financing of Terrorism and Office of Foreign Assets Control requirements, among other legal requirements. Banking organizations must verify customer identities, conduct due diligence, and monitor transactions to prevent illicit activities. The evolving regulatory landscape necessitates clear customer agreements and adherence to all applicable laws. The statement recommends that customer agreements clearly define the duties and responsibilities of the parties, as well as address issues specific to crypto-asset safekeeping such as on-chain governance and voting, forks, airdrops, probabilistic settlement and smart contract usage.

Third-Party Risk Management

In some cases, banking organizations may engage third-party sub-custodians or service providers for safekeeping services. It is crucial to understand the risks and benefits of such engagements and ensure compliance with relevant laws and regulations. Due diligence in selecting sub-custodians and evaluating their risk management practices is vital.

Audit and Oversight

Audit programs play a critical role in effective risk management, providing coverage over crypto-asset safekeeping activities. These audits should assess key management, transaction controls, and the sufficiency of information technology systems. When internal audit expertise is lacking, sufficiently independent external resources should be engaged to assess safekeeping operations.

Our Take

As the digital asset market continues to evolve, banking organizations must navigate the complexities of crypto-asset safekeeping with diligence. This statement from the OCC, the Board, and FDIC serves as a guide for banking institutions to align their practices with existing regulations, ensuring the safe and sound management of crypto-assets. The legal framework surrounding digital assets is constantly evolving and it is imperative that banks carefully navigate the crypto-asset safekeeping market.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Troutman Pepper Locke
