U.S. Financial Regulators Warn Banks About Risks of Crypto-Asset Custody

The Federal Reserve, OCC, and FDIC issued a joint statement emphasizing risk management requirements for banks holding crypto-assets.

The joint statement from the three largest U.S. financial regulators, the Federal Reserve System, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC), outlines key requirements for banking organizations providing crypto-asset custody services. The document focuses on managing cryptographic keys, assessing technology risks, complying with laws, and proper oversight of sub-custodians.

The regulators don’t introduce new requirements but clarify how existing laws apply to crypto-asset custody. The statement specifies that the term “safekeeping” refers to holding assets on behalf of a client, as opposed to “custodial services,” which cover a broader range of functions.

Banks may provide custody services in both fiduciary and non-fiduciary capacities. In the fiduciary case, provisions under 12 CFR 9 and 150, as well as additional legal requirements, apply.

Key risks identified include:

1. Compromise of cryptographic keys. If assets fall outside the bank’s control, the bank may be held liable for client losses.
2. Low compatibility of technological infrastructure with blockchain solutions. Banks must adapt existing systems and train personnel.
3. Legal risks. Banks must comply with BSA/AML/CFT regulations and the Office of Foreign Assets Control (OFAC) requirements, including client identification and implementation of the Travel Rule.
4. Use of sub-custodians and technology providers. The bank is responsible for third-party actions, including in cases of bankruptcy or failures.
5. Asset-specific considerations. Events like forks, airdrops, and on-chain governance voting in Web3 projects should be addressed in client agreements.

The document strongly recommends banks to:

• ensure proper key custody, e.g., through cold wallets and multisignature setups;
• implement internal control systems, including regular internal or independent audits;
• consider the specific characteristics of each asset, including blockchain differences, open-source status, and project maturity;
• carefully select sub-custodians, evaluating their control measures and asset segregation practices.

Banks must conduct technical, operational, legal, and market analyses of each asset before offering custody services. They should also clearly inform clients about the bank’s role, custody mechanisms, and possibilities for asset governance participation, such as involvement in decentralized autonomous organizations (DAO).