Written by: FinTax

News Overview

Reportedly, on July 14, 2025, the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued a joint statement (hereinafter referred to as the 'statement') guiding banks on how to provide custody services for crypto assets to clients. This is the latest initiative taken by regulatory bodies during the Trump era when weighing how traditional lending institutions should engage in digital asset business. The statement notes that banks considering providing custody services for crypto assets should consider the continuously changing characteristics of the crypto market, including the technology behind crypto assets, and they must implement a risk management framework that can adequately adapt to the associated risks.

Previously, regulators withdrew guidance on crypto industry risks in April, allowing lending institutions to more freely provide products and services to clients engaged in digital asset trading. At that time, the Federal Reserve also revoked its 2022 directive requiring banks to give advance notice of crypto asset activities.

FinTax Brief

1. Statement Content: Six Key Risk Points of Bank Crypto Custody

The joint statement lists a series of existing laws, regulations, guidelines, and risk management principles related to the provision of custody services for crypto assets, highlighting various management, legal, and compliance risks, and outlining relevant mitigation measures. The statement is divided into six parts:

(1) General Risk Management Considerations: Banking institutions should consider potential risks before providing custody services for crypto assets. An effective risk assessment should cover the bank's core financial risks, its understanding of the asset class, its ability to ensure a strong control environment, its emergency plans, and whether employees have the necessary knowledge of crypto asset custody, so that services are provided in a secure and robust manner. Furthermore, banks providing custody services for crypto assets should also consider the continuously changing characteristics of the crypto asset market and build a risk governance framework that can adequately adapt to related changes.

(2) Cryptographic Key Management: The loss or leakage of cryptographic keys or other sensitive information is one of the main risks in the custody of crypto assets. Banking institutions should have control over the crypto assets, meaning they must reasonably prove that no other parties can obtain sufficient information to transfer the crypto assets out of the bank's control. Such control standards should also apply to the bank's sub-custodians. Additionally, banking institutions should consider how to securely generate cryptographic keys, develop contingency plans for key loss or leakage, and focus on their cybersecurity environment as part of risk management.

(3) Other Risk Management Considerations: Different types of crypto assets require different key management solutions, banks may lack the experience or capability to handle the associated software or hardware requirements, and the potential risks involved with different account models may also vary. Therefore, while banking institutions adhere to standard custody risk management principles, they also need to make adjustments based on the specific custody services provided.

(4) Legal and Compliance Risks: First, like other banking activities, crypto asset custody activities must comply with the Bank Secrecy Act (BSA), Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) requirements, and the requirements of the Office of Foreign Assets Control (OFAC). Second, changes in the regulatory environment for crypto assets can also bring higher compliance risks, and banking institutions should ensure that relevant activities comply with all applicable laws and regulations. Finally, customers may misunderstand the role of banking institutions in custody arrangements, which creates risk; banks should provide clear, accurate, and timely information about their custody activities to mitigate it. At the same time, banking institutions should also adhere to applicable record-keeping and reporting requirements.

(5) Third-Party Risk Management: 'Third-party risk' refers to the risks brought by sub-custodians or other service providers (such as technology providers, cash management institutions) that banks collaborate with. Banks are responsible for the activities conducted by their sub-custodians under the terms and conditions. Banks should therefore conduct adequate due diligence, including assessing the sub-custodian's key management solutions, their compliance with custody risk management principles, how customer assets are handled in the event of bankruptcy or operational failure, and the appropriateness of their risk management and record-keeping. For other service providers, banks should weigh the risks of purchasing third-party software or hardware, as well as the risks of maintaining such software or hardware as a service.

(6) Audit Requirements: Audit procedures are critical for effective risk management and internal control. Therefore, the audit procedures of banking institutions should appropriately cover crypto asset custody services (including third-party risk management) and focus on the unique risks of crypto asset custody, such as key generation, storage, and deletion; the transfer and settlement of crypto assets; the adequacy of related information technology systems; and employees' capabilities in identifying and controlling crypto asset risks. If a banking institution lacks audit expertise, it should engage an appropriate independent third party for the audit.

2. Policy Background: Trump Promotes Crypto Regulatory Reform

Since Trump's second term began, there has been a significant shift in the U.S. government's attitude toward crypto assets, and this joint statement was issued against that backdrop. In recent months, several banking regulatory bodies in the U.S. have taken a series of actions to withdraw various interpretative letters and regulatory statements regarding crypto assets from the Biden era. One significant measure was the removal of the 'reputational risk' assessment from the regulatory process, replacing it with more specific categories of financial risk to effectively avoid the phenomenon of supervisory agencies pressuring banks to refrain from providing services to crypto asset companies, helping to alleviate banks' real concerns about serving controversial industries such as crypto assets.

Another significant measure is the removal of the prior notification requirement for engaging in activities related to crypto assets. Under previous policy, banks were required to obtain a written 'no objection letter' from regulators before participating in activities related to crypto assets. Now, banks' crypto activities no longer need to follow this procedure but will be monitored through regular regulatory processes.

Additionally, various banking regulatory bodies have restored previous regulatory policies that conflicted with the Biden administration's regulatory philosophy, such as the OCC again allowing its regulated entities to buy and sell custodial crypto assets based on customer instructions, and permitting them to outsource custodial and execution services to third parties provided that those third parties can manage the risks appropriately.

After Trump took office, he reversed the previous U.S. government's guidelines urging banks to exercise caution in the crypto field and implemented comprehensive regulatory reforms for crypto assets. This was a fulfillment of his political commitment and an important initiative to position the U.S. as the world's 'crypto capital' and stimulate innovation and development in the U.S. economy. The joint statement released this time constitutes a part of the U.S. crypto asset regulatory reform. Having abandoned several enforcement-focused regulatory policies to energize the market, the U.S. government is now beginning to guide banks and other entities to participate in crypto asset activities in a compliant, safe, and robust manner by refining regulatory rules and enhancing business guidelines. More crypto-friendly statements may be released in the future.

3. Significance and Outlook: The Regulatory Future of Bank Crypto Custody

Overall, the statement discusses how existing laws, regulations, and risk management principles apply to crypto asset custody, aiming to provide guidance to banks that offer or consider offering custody services for crypto assets. It reflects a more lenient regulatory stance while still emphasizing that banking institutions should strictly control risks in crypto asset custody activities and comply with core principles such as safety, soundness, and consumer protection, which marks the regulatory bottom line of U.S. banking regulatory agencies in the crypto industry.

For banks that are engaged in or considering engaging in crypto asset custody business, the statement matters in two ways. On the one hand, it provides an entry opportunity in the field of crypto asset custody for banks with appropriate risk control capabilities and sound governance structures. On the other hand, it provides specific references for the risk management matters of banks that already engage in crypto asset custody business, with regulatory bodies continuing to focus on reviewing the compliance and safety of all aspects, including operations, legal, and financial. According to the statement, banking institutions may need to make certain adjustments to product rules and internal policies and procedures to reflect the unique risks and compliance obligations of crypto asset custody, such as improving cybersecurity protocols and key management systems, and conducting regular security tests.

It should be noted that although the statement provides some clarity, in the context of government reforms in crypto regulation, there remains uncertainty in the federal and state regulatory and legal environments. Merely meeting all elements of the statement may not be enough to fully comply with regulatory requirements. Banks and regulatory agencies at various levels must maintain ongoing communication and keep compliance records to prepare for rigorous regulatory scrutiny.

From a longer-term perspective, the refinement of crypto custody regulations in the U.S. may attract more crypto asset companies to return or enter the U.S. market and promote the innovative development of the U.S. blockchain industry. As traditional financial institutions deepen their involvement in the crypto asset field, related services such as crypto asset custody will be incorporated into existing regulatory frameworks, and financial activities surrounding crypto assets will thrive in a safer and more regulated environment.