Federal bank regulatory agencies have issued a joint statement as part of their continued efforts to provide clarity on banks’ engagement in crypto-asset-related activities.
The statement from the Federal Deposit Insurance Corporation, Federal Reserve Board and the Office of the Comptroller of the Currency describes the risk-management considerations that banks should keep top-of-mind when holding crypto-assets on customers’ behalf (“crypto-asset safekeeping”).
The joint statement discusses existing risk-management principles that apply to such safekeeping and reminds banks that provide (or are considering providing) safekeeping of such assets that they must do so in a safe and sound manner and in compliance with applicable laws and regulations.
The statement does not create any new supervisory expectations. The agencies continue to explore ways to provide additional clarity with respect to banks’ engagement in crypto-asset-related activities.
Fiduciary obligations, general risk management
Banking organizations may provide safekeeping for crypto-assets in a fiduciary or a nonfiduciary capacity, the regulators noted. A banking organization providing safekeeping for crypto-assets in a fiduciary capacity, such as a trustee, an executor of a will, an administrator of an estate, or an investment adviser, has the authority to manage them in the same way banking organizations manage other assets they hold as fiduciaries.
As with all new products, services, and activities, banking organizations should consider potential risks prior to offering crypto-asset safekeeping, the regulators state. An effective risk assessment would consider such things as the banking organization’s:
- (1) core financial risks given the strategic direction and business model;
- (2) ability to understand a complex, evolving, and potentially unfamiliar asset class, including by keeping abreast of industry leading practices;
- (3) ability to ensure a strong control environment; and
- (4) contingency plans to address any unanticipated challenges in effectively providing services.
“Providing crypto-asset safekeeping services may entail significant resources and attention, such as developing or procuring new technology, establishing a strong control environment, and ensuring staff have appropriate technical expertise,” the joint statement reads. In addition, crypto-assets may experience price volatility, and “rapid evolution in the market could affect the technology used to provide safekeeping services.”
Cryptographic key management
One of the main risks associated with crypto-asset safekeeping is the possible compromise or loss of cryptographic keys or other sensitive information that could result in the loss of crypto-assets or the unauthorized transfer of the crypto-assets out of the banking organization’s control, the regulators say.
Safeguarding these assets means maintaining control of cryptographic keys.
Here’s the test: In general, a banking organization assumes “control” for purposes of safekeeping a crypto-asset when it can reasonably demonstrate, consistent with the standard of care established by applicable law, that no other party (including the customer) has access to information sufficient to unilaterally transfer the crypto-asset out of the control of the banking organization.
To establish initial control of a crypto-asset, a banking organization will usually require the asset to be transferred to the banking organization on the asset’s underlying distributed ledger.
The same control standards should be applied to any sub-custodian used to perform crypto-asset safekeeping functions.
Risk-management protocols here should include a contingency plan for lost or compromised keys and a periodic evaluation of whether the banking organization’s key-management systems remain sufficient in light of technological developments, the regulators state.
Other risk-management considerations
The joint statement points out that crypto-assets may feature software or hardware with which the banking organization is inexperienced or that does not readily integrate with its current technology environment. “Sound practices typically include performing a comprehensive analysis of each crypto-asset before safekeeping that crypto-asset,” the statement says. Such an analysis would cover the relevant technical, operational, strategic, market, legal, and compliance considerations for each crypto-asset and its underlying ledger.
Specific AML and sanctions risks
Like all other banking activities, crypto-asset safekeeping relationships are subject to applicable Bank Secrecy Act/anti-money-laundering (BSA/AML), countering-the-financing-of-terrorism (CFT), and Office of Foreign Assets Control (OFAC) requirements. These laws and regulations require banking organizations to verify customer identity, perform due diligence to understand the nature and purpose of the customer relationship, perform ongoing monitoring to identify and report suspicious activity, block transactions in accordance with OFAC sanctions, and follow the Travel Rule.
The design features of distributed ledger technology (for example, the pseudonymity of on-chain addresses, which are not tied to a named account holder) may present challenges for complying with certain of these requirements where compliance depends on identifying information (for example, name and address) related to a transaction.
Before offering crypto-asset safekeeping, a banking organization should appropriately involve its BSA officer, board of directors (or designated committee), and senior management in assessing potential money laundering, terrorist financing, and other illicit financial activity risks.
Well-written customer agreement
As the joint statement points out, a well-written customer agreement outlining clearly defined duties and responsibilities of the parties is an important tool to manage the risks of crypto-asset safekeeping and may be used to address issues specific to this service, such as on-chain governance and voting, forks, airdrops, probabilistic settlement that may be characteristic of permissionless blockchains, the method of holding the assets (cold/hot/hybrid storage), the use of a sub-custodian(s), and the use of smart contracts.
A banking organization should be clear about its specific role in the safeguarding arrangement and make sure it is following applicable recordkeeping and reporting requirements.
Third-party risk management
Third-party risks must be managed here as in any other activity. A banking organization that engages a sub-custodian for crypto-asset safekeeping must understand the benefits and risks of doing so, the applicable laws and regulations, and relevant third-party risk-management practices.
“Conducting due diligence before selection of a sub-custodian is an important part of sound risk management, and includes evaluating the effectiveness of the sub-custodian’s cryptographic key-management solution, including policies, processes, and internal controls, as well as its adherence to standard safekeeping risk management practice,” the banking agencies add.
Where a banking organization relies on third-party technology to provide safekeeping or sub-custodial services, effective risk management will generally include weighing the risks of purchasing and operating third-party software or hardware in-house against those of consuming it as a service.
Audit considerations
A crypto-asset safekeeping audit should address the nuances of crypto-assets, including an assessment of cryptographic key generation, storage, and deletion; controls over the transfer and settlement of customer assets; the sufficiency of the relevant information technology systems; and the level of expertise of management and staff.
When audit expertise does not exist within the banking organization, management should engage appropriate external resources, with sufficient independence, to assess its crypto-asset safekeeping operations, the statement adds.
Measured enthusiasm
The banking regulators issued this document full of risk-management considerations in the digital asset space just as the US House of Representatives is set to consider the CLARITY Act, the Anti-CBDC Surveillance State Act, and the GENIUS Act, and has proclaimed this week to be “Crypto Week.”
And last month, three senior lawmakers from the House published an op-ed on CoinDesk reiterating their commitment to enacting comprehensive digital asset legislation in the 119th Congress. Earlier this year, the Trump Administration’s designated Crypto Czar, David Sacks, announced the formation of a bicameral working group focused on digital asset legislation for payment stablecoins and digital asset market structure.
At the SEC, Chairman Paul Atkins has expressed his support for giving registrants greater optionality in how they custody crypto assets and for allowing registrants to trade a broader variety of products on their platforms in response to market demand.
With this joint statement on risk-management considerations for crypto-asset safekeeping, the banking regulators are signaling an open approach paired with a focus on safety and soundness: banks are reminded of their obligation to comply with applicable laws and regulations and to adapt their risk frameworks as they introduce new products, services and technology tools.
If the idea is prioritizing consumer protection while fostering innovation, the joint statement fits in well with the messaging from the other governmental entities; it’s just a bit more pointed about the protection part (“safekeeping in a fiduciary capacity”) because, well, it has to be.