The statement reiterates that banks must comply with existing regulatory compliance requirements and risk management practices to protect digital assets. The emphasis here is on custody, that is, the storage of cryptocurrencies on behalf of the client.
According to the joint statement, banks may offer cryptocurrency custody as trusted custodians with legal responsibilities (fiduciary function) or through secure storage providers without management liability (non-fiduciary function), depending on the service agreement and regulatory requirements.
If a bank holds the cryptographic keys, it assumes responsibility. This means that the bank has full control and accountability. Regulators stated that banks must ensure that no one else, not even the client, can access the keys. This is what regulators refer to as the 'real control' parameter.
The main identified risks include the loss of cryptographic keys, cybersecurity breaches, market volatility, and anti-money laundering obligations. Banks are expected to implement appropriate internal controls and stay updated on developments in the cryptocurrency custody industry.
Banks must assess their technical capacity and readiness for regulatory compliance before taking on cryptocurrency custody. Institutions will need robust operational frameworks, staff experienced in cryptocurrencies, and updated technologies to manage the changing risks of digital assets.
There is also a provision for external cryptocurrency custody providers, although the bank is responsible for any failure. Regulators insist that banks must perform due diligence regarding these providers, especially concerning the storage of private keys. Agreements must clearly specify what happens when assets are compromised and providers declare insolvency.
The statement also revealed that anti-money laundering (AML), counter-terrorism financing (CTF), and OFAC regulations must be complied with. Banks must verify the identity of their clients and monitor suspicious transactions. These requirements may be more challenging to meet in a blockchain-based context, where identity is not necessarily transparent.
The official statement adds that clarity is crucial regarding the legal aspects of cryptocurrency custody management. Corporate agreements can be formalized through on-chain voting, forks, or airdrops, on behalf of all parties. Banks must also address concerns about wallet management, regardless of the type of storage, and the use of smart contracts.
Regulators also expect banks to have independent audit programs. These audits must include cryptocurrency custody controls, the management of cryptographic keys, and staff training. If they lack internal experts, banks may hire external auditors.
