- Banks must implement strong cybersecurity and comply with laws when holding crypto assets.
- Crypto custody services require full control of keys and continuous risk assessments.
- Banks are liable for third-party custodians and must perform strict due diligence checks.
U.S. federal banking regulators issued a joint statement today highlighting the legal and operational obligations for banks offering crypto-asset custody services. The Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) jointly released the statement. It reinforces the need for banks to comply with existing laws when engaging in cryptocurrency-related activities, particularly in custody services. The regulators clarified that the statement introduces no new regulatory requirements but emphasizes current obligations under federal law.
Banks holding digital assets, including Bitcoin, must follow applicable regulations and implement robust risk management procedures. The statement notes that both fiduciary and non-fiduciary forms of custody are permitted under current laws. Fiduciary safekeeping obligations fall under regulations such as 12 CFR 9 or 150, depending on the bank’s charter. Banks must also consider applicable state laws and the terms of the customer agreement when offering these services.
Crypto Custody Requires Strong Risk Controls
The joint statement emphasizes that safekeeping crypto-assets involves unique operational and technological risks. Banking organizations must maintain advanced cybersecurity systems to manage cryptographic keys and prevent unauthorized asset transfers. The loss or compromise of private keys presents significant risks, and banks must be prepared to mitigate them. Staff with expertise in digital asset security and technology are essential for providing reliable custody services.
In addition to technological infrastructure, compliance with anti-money laundering (AML), countering the financing of terrorism (CFT), and sanctions regulations is required. These include adherence to the Bank Secrecy Act (BSA) and guidelines from the Office of Foreign Assets Control (OFAC). The agencies stated that cryptocurrency custody must be conducted with the same rigor as traditional banking services. Banks must develop, maintain, and regularly update their risk management programs to address emerging threats.
Before initiating crypto custody services, banking organizations must conduct a comprehensive risk assessment. This includes understanding the nature of different crypto-assets, associated technologies, and relevant legal considerations. Banks are expected to evaluate potential risks and implement controls tailored to the crypto-specific environment. These steps must be documented and aligned with existing supervisory expectations.
Responsibility and Oversight in Sub-Custodial Relationships
The statement underscores that banks remain fully responsible for the actions of third-party custodians they may engage. Even when sub-custodians are used, the bank must ensure they meet all risk management and security requirements. The due diligence process should include evaluating the sub-custodian’s key management solutions, internal controls, and policy adherence. All responsibilities outlined in the customer agreement remain the bank’s legal obligation.
Banking organizations must “reasonably demonstrate” that assets held in custody are fully under their control. No unauthorized party, including the customer, should be able to access the assets while under the bank’s safekeeping. This standard ensures that asset custody aligns with industry practices and legal requirements. Regulators expect banks to implement effective governance mechanisms around third-party arrangements.
Related: Fed Removes Reputational Risk, A Positive Signal for Crypto?
Regulatory Shift Signals Greater Institutional Integration of Crypto
Recent developments reflect a more defined regulatory approach toward banks participating in the crypto sector. Earlier this year, the OCC confirmed that national banks can now buy and sell cryptocurrencies for their accounts. The FDIC followed up with updated guidance, stating that prior approval is no longer necessary for banks to initiate cryptocurrency activities. The Federal Reserve issued a similar notice in April, supporting supervised participation by banking organizations.
Such developments indicate a shift toward more lenient yet systematic attitudes among regulators regarding the involvement of banks in digital assets. Regulators are ensuring controlled expansion in this area, emphasizing compliance and safety. The use of bitcoin and other digital assets by institutions is gaining increasing favor within a regulatory framework. The present joint statement is in a series of measures intended to facilitate the direction of the financial sector over these developments.
