U.S. Bank Regulators Give Guidance on How Banks Should Handle Crypto Custody
Three major U.S. regulators—the OCC, the Federal Reserve (Fed), and the FDIC—have issued a joint statement explaining how current banking rules apply when banks hold cryptocurrencies for their customers (known as crypto custody). They clarify that no new rules are being created, just guidance on how to apply existing ones.
Key Focus: Control Over Crypto Keys
The regulators emphasize that crypto custody mainly involves protecting private cryptographic keys (like secret passwords that control access to digital assets). Banks offering this service must make sure no one else—not even the customer—can move the crypto without the bank’s permission.
Banks must also make sure they have the right tools, technology, and trained staff to handle this securely. This includes proper wallet systems, backup plans, and internal controls.
Risk Management
Banks are advised to consider the risks of crypto, such as price swings and fast-changing technology, when deciding how much money and staff to dedicate to crypto custody.
They must also regularly check the software and blockchain systems of the cryptocurrencies they support, to look for weaknesses or bugs that could cause problems.
Compliance and Oversight
Crypto custody must follow laws related to:
- Anti-money laundering (AML)
- Counter-terrorism financing
- Customer identification (like the "travel rule")
- Sanctions from the Office of Foreign Assets Control (OFAC)
Banks need to involve their compliance officers and senior management early in the process to make sure these rules are followed.
If a bank uses a third-party company (a sub-custodian) to store crypto, it’s still responsible for ensuring that company does everything safely and legally. Banks must carefully check how these vendors protect private keys, keep assets separate, and prepare for possible bankruptcy.
Banks must also set up procedures for reporting any security breaches or system failures.
Even if the bank stores crypto itself, it must still follow strict vendor-risk procedures when it uses third-party software.
Auditing and Expert Help
Regulators are asking banks’ internal and external auditors to check crypto-specific areas like key creation, wallet safety, and how crypto transactions are settled.
If a bank’s own staff isn’t experienced enough, the bank should bring in outside experts to review its systems and report directly to the audit committee.
Final Thoughts
The regulators say current banking rules already cover what’s needed for safe crypto custody. But banks must prove they can:
- Safely control private keys
- Manage vendors properly
- Follow all financial crime laws in real time