The Federal Reserve, FDIC, and OCC jointly issued a statement clarifying the rules for banks regarding cryptocurrency custodianship.
The three major federal banking regulators released a joint statement on Monday, clarifying the regulatory requirements that banks must comply with when providing cryptocurrency custodial services to customers. The Federal Reserve (Fed), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) emphasized in this 7-page joint statement how existing laws apply to the 'safekeeping' services for cryptocurrency assets and clarified that this statement does not create new regulatory expectations.
Regulators stated in the announcement: 'Banking institutions can provide safekeeping services for cryptocurrency assets in a fiduciary or non-fiduciary capacity.'
However, the statement specifically emphasizes that banks must 'control the cryptographic keys associated with cryptocurrency assets in a manner compliant with applicable laws and regulations.' This means that once a bank holds a customer's cryptocurrency, it must fully control the private keys and bear all responsibility; even the customer cannot directly access those keys.
The timing of this statement coincides with the start of the U.S. House of Representatives' so-called 'Cryptocurrency Week', during which lawmakers are expected to approve several cryptocurrency bills in an effort to establish a formal regulatory framework for digital assets in the U.S. Since President Trump took office, several regulatory agencies have withdrawn the restrictive policies on cryptocurrencies that were in place during the Biden administration.
Strict risk control requirements: banks must possess professional technical capabilities.
Regulators detailed the strict standards that banks must meet to provide cryptocurrency custodial services in the statement. First, banks must conduct a comprehensive risk assessment, including an evaluation of the nature of different cryptocurrency assets, the technology used, and the legal obligations involved. Key risks include the loss of cryptographic keys, cybersecurity vulnerabilities, market volatility, and anti-money laundering obligations.
In terms of technical capability, banks must have a robust operational framework, staff with expertise in cryptocurrency, and updated technology to handle the evolving risks of digital assets. Regulators emphasize that the bank's cybersecurity environment should be the primary focus of risk management, and that the bank must continuously review the software dependencies and ledger designs supporting each token to identify vulnerabilities that may threaten security and robustness.
Additionally, banks must comply with the Bank Secrecy Act (BSA), Anti-Money Laundering (AML), Counter-Terrorism Financing (CFT), and Office of Foreign Assets Control (OFAC) requirements. These compliance requirements may be more challenging in a blockchain-based environment, as identity may not be transparent. Regulators require banks to verify customer identities and monitor for suspicious activities.
The responsibility for third-party custodianship is clear, and the bank must still bear all risks.
The statement specifically mentions the issue of liability for third-party custodial arrangements. If a bank entrusts a third-party sub-custodian or technology provider to handle cryptocurrency assets, the bank must still bear full responsibility for the performance of these vendors.
Regulators emphasize that banks must conduct due diligence before selecting a sub-custodian, which is an important component of sound risk management, including assessing the effectiveness of the sub-custodian's cryptographic key management solutions.
Banks must establish appropriate risk management processes to assess third-party key management methods, asset segregation measures, and bankruptcy protection mechanisms. Agreements should clearly specify what happens when assets are harmed and when vendors go bankrupt. Regulators also require banks to establish notification requirements for any security breaches or operational incidents.
In terms of auditing, regulators expect banks to have independent audit programs. These audits should include controls for cryptocurrency custodial safekeeping, cryptographic key management, and personnel capability assessments. If banks lack internal expertise, they can hire independent external resources to evaluate the security operations of cryptocurrency safekeeping.
Audit tests must expand to include cryptocurrency-specific elements, such as key generation, wallet security, and on-chain settlement controls.
The regulatory environment is becoming friendlier, increasing banks' willingness to enter the cryptocurrency market.
This statement reflects a significant shift in the U.S. regulatory environment's attitude toward cryptocurrencies. Since the Trump administration took office, several regulatory agencies have withdrawn previous restrictive guidelines on cryptocurrencies. The Federal Reserve has eliminated the 'reputational risk' standard in bank regulation, which had previously been criticized for being used to unfairly target cryptocurrency businesses.
In May of this year, the OCC withdrew its previous position requiring banks to obtain approval from the agency before engaging in cryptocurrency-related activities, and clearly stated that federally chartered commercial banks are allowed to buy and sell cryptocurrencies on behalf of their customers. The FDIC also announced that financial institutions are allowed to engage in cryptocurrency transactions without prior notice to the agency.
This friendlier regulatory environment may attract more banks to enter the cryptocurrency industry. According to the Wall Street Journal, a group of large banks is in 'preliminary negotiations' to issue a joint cryptocurrency stablecoin.
At the same time, some native cryptocurrency companies are seeking the opposite route: to become banks themselves. Ripple has applied to the OCC for a banking license, and stablecoin issuer Circle has taken similar actions. Last week, the Senate confirmed former blockchain company executive Jonathan Gould as the head of the OCC, marking the first time someone from the cryptocurrency industry has held a major financial regulatory position.
'Three major regulatory agencies speak out! U.S. bank custodial cryptocurrency regulations are out: full risk must be borne' This article was first published in 'Crypto City'.