The global crypto-asset market cap has increased from approximately $2.3 trillion on election day, November 5, 2024, to approximately $3.9 trillion today, some eight months later. That rise in demand has been accompanied by a dramatic change in how U.S. federal regulators approach crypto-assets. During the last administration, some financial institutions felt discouraged from offering crypto-asset products and services, a posture this administration emphatically reversed. Today, as a result of market growth, customer demand, and a more favorable regulatory environment, many financial institutions are exploring or launching crypto-related products and services.
Recently, the Office of the Comptroller of the Currency, Federal Reserve Board, and the Federal Deposit Insurance Corporation (collectively, the “Federal Bank Regulators”) have taken proactive steps to communicate their support for market participants under their supervision to engage with crypto-assets. They have withdrawn prior crypto-asset-related guidance and issued new guidance, and their leaders have made numerous public appearances talking about their support for innovation in these markets. For financial institutions regulated by these agencies, the message is directionally clear: there is openness to financial institutions offering crypto-asset products and services. That supportive messaging is crucial, but financial institutions also remain eager for specific guidance on how to engage in these markets while remaining compliant with regulatory requirements.
On July 14, 2025, the Federal Bank Regulators issued a Joint Statement with guidance on how banks should approach risk management in offering crypto-asset safekeeping services. The guidance is fairly general and does not provide granular detail such as specific policies and procedures a bank must implement, or examples of reasonable approaches. But the principles-based guidance still provides valuable insights into the risks that Federal Bank Regulators deem most significant. The Joint Statement applies existing laws, regulations, and risk management principles; it explicitly does not create any new supervisory expectations.
It acknowledges that banks may provide crypto-asset safekeeping services in a fiduciary or non-fiduciary capacity, with fiduciary services subject to federal and state laws and regulations, as well as the terms of the fiduciary relationship. Non-fiduciary safekeeping services are established by the client contract and the Joint Statement directs readers to the Custody Services booklet of the Comptroller’s Handbook for further guidance.
Effective Risk Assessment Prior to Offering Crypto-Asset Safekeeping
The Federal Bank Regulators advise that—as with all new products, services, and activities—banks should consider risks before offering crypto-asset safekeeping. That risk assessment should consider the fast-evolving nature of crypto-assets and the complexity they may present, the bank’s ability to ensure effective controls, and contingency plans to address unexpected challenges, as well as core financial risks to the bank’s business model. Because of the different risks and technologies that crypto-assets may present, prior to offering safekeeping services, banks should be prepared to devote significant resources to establishing a strong control environment supported by sufficient technical expertise.
Cryptographic Key Management
One major crypto-asset risk is safeguarding cryptographic keys and other sensitive information that could facilitate the unauthorized transfer of crypto-assets out of the bank’s control. The Joint Statement explains that “control” for purposes of safekeeping requires banks to be able to “reasonably demonstrate . . . that no other party—including the customer—has access to information sufficient to unilaterally transfer the crypto-asset out of the control of the banking organization.” This will typically require that the crypto-assets be transferred to new blockchain addresses that are solely in the bank’s control. If the customer or others hold a copy of the private key for the address where the crypto-assets were held prior to the safekeeping relationship, that copy may allow them to transfer the assets without the bank’s involvement, which is inconsistent with required safekeeping controls. The Federal Bank Regulators emphasize that because crypto-assets are virtual and may carry increased operational risks, banks should focus on cybersecurity risk management.
Risk Management Tailored to the Type of Crypto-Asset
Different types of crypto-assets may require different key management solutions, and banks should design their risk management systems with this in mind. The Joint Statement notes that traditional safekeeping principles apply, including ensuring an effective control environment and independent assurance, but that these may need to be tailored to the specific services being provided. In designing an effective risk management program, banks may also consider the “technical, operational, strategic, market, legal and compliance” implications posed by each crypto-asset and underlying ledger that they plan to support. The Federal Bank Regulators also advise that banks should carefully consider the most appropriate type of safekeeping account model for their business. For example, an omnibus account might be more efficient than maintaining separate accounts for each customer, but could create larger risks.
Legal and Compliance Risk
The Joint Statement reminds banks that crypto-asset safekeeping is subject to Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) and Countering the Financing of Terrorism (“CFT”) requirements, as well as the requirements of the Office of Foreign Assets Control (“OFAC”). The Joint Statement warns that blockchain features like anonymity may make compliance challenging because identifying information of transaction parties is typically not available on public ledgers. Therefore, banks should include their BSA officers, boards of directors, and senior management in considering the potential risk of illicit financial activities before offering safekeeping services.
The Federal Bank Regulators also acknowledge that the evolving regulatory landscape poses additional legal and compliance risks. They advise that clear and timely written customer agreements and disclosures about the bank’s role and the issues specific to crypto-asset safekeeping can help control and mitigate these risks. Some of the potential sources of risk listed in the Joint Statement include: on-chain governance and voting, forks, airdrops, probabilistic settlement of transactions, the method of holding the assets (cold/hot/hybrid storage), the use of sub-custodians, and the use of smart contracts.
Third Party Risk Management
Banks may engage a third party as a sub-custodian or to outsource certain aspects of crypto-asset safekeeping. The Joint Statement reminds banks that while they may delegate, they are still responsible for the activities provided by third parties. Therefore, banks should assess risks, conduct due diligence, and monitor third-party service providers. Banks may want to pay particular attention to the third party’s compliance with general safekeeping risk management practices, potential treatment of customer assets in the event of insolvency or operational disruption, and cryptographic key-management solutions, including policies, processes, and internal controls. The SEC is preparing to address the obligations of investment advisers with respect to the safekeeping of their clients’ crypto-assets, either through rule amendments or guidance. When the SEC promulgates new guidance, it may also impact banks that outsource to SEC-regulated third parties.
Audit
Finally, audit programs should include the bank’s crypto-asset safekeeping activities, and third-party risk management as applicable. The Federal Bank Regulators advise that audits should assess cryptographic key generation, storage, and deletion; controls related to transfer and settlement of customer assets; and the sufficiency of relevant information technology systems. If the bank does not have the expertise, it should engage an independent external auditor to assess the crypto-asset safekeeping operations.