Federal Banking Regulators Issue Guidance on Risk Management for Crypto-Asset Safekeeping Activities
Tuesday, July 22, 2025
Go-To Guide
  • On July 14, 2025, the Board of Governors of the Federal Reserve System (Federal Reserve), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) (together, the “Agencies”) issued a joint statement addressing risk management and legal expectations applicable to banking organizations engaging in crypto-asset safekeeping activities (the “Statement”). The Statement reinforces federal supervisory expectations that banking organizations approach crypto-asset safekeeping with a conservative risk posture and rigorous controls.
     
  • The Statement outlines risks that are distinct to crypto assets, including fraud, operational vulnerabilities, legal uncertainty, and challenges validating ownership and rights.
     
  • Banks must ensure that crypto assets held in safekeeping are clearly and legally owned by customers, with appropriate asset segregation and protections.
     
  • The Statement cautions that, absent a clear legal framework, customer crypto assets may be subject to claims in a bank insolvency or resolution scenario.
     
  • Banking organizations remain responsible for complying with all applicable consumer protection, AML/CFT, and securities laws.
     
  • The Statement signals that crypto-asset safekeeping remains subject to stringent supervisory review and that banking organizations must demonstrate mature, well-governed control environments to proceed responsibly.

Background

On July 14, 2025, the Federal Reserve, the OCC, and the FDIC issued a joint statement addressing risk management and legal expectations applicable to banking organizations engaging in crypto-asset safekeeping. The Statement follows the Agencies’ coordinated rescission earlier this year of interpretive guidance requiring advance supervisory non-objection for crypto activities.¹ While the Statement does not impose new regulatory requirements, it provides important guidance regarding how the Agencies expect banking organizations to manage the legal, operational, technological, and compliance risks associated with crypto-asset safekeeping.

The Statement reflects a regulatory pivot towards a more principles-based oversight regime for crypto activities that focuses on institution-specific risk assessments and supervisory follow-up. In this context, banking organizations are expected to independently assess and mitigate the unique risks posed by crypto-asset safekeeping in accordance with established safety and soundness principles and applicable legal standards.

Applicability: Which Banking Organizations and Crypto-Asset Activities Are Covered?

The Statement applies to banking organizations supervised by one or more of the Agencies and addresses activities in which a banking organization holds crypto assets on behalf of customers, either directly (e.g., by controlling private keys) or through arrangements with sub-custodians or other third-party service providers. The Statement is applicable regardless of whether a banking organization acts in a fiduciary² or non-fiduciary capacity.

Risk Management Considerations for Crypto-Asset Safekeeping by Banks

The Agencies note that crypto-asset custody presents novel risks that are not present in traditional custody activities, including difficulty validating ownership and transfer rights through distributed ledger technologies, elevated fraud and cyber risks, lack of established legal frameworks to define customer rights in the event of bank failure, and challenges ensuring that customer assets are legally and operationally segregated from the bank’s own assets.

Accordingly, sound governance is a prerequisite to safe and sound participation in crypto-asset safekeeping activities. Banking organizations must demonstrate effective governance and subject-matter expertise across all levels of the enterprise, ensuring that the board of directors, senior management, and relevant personnel possess sufficient expertise and understanding of crypto technologies, custody models, and associated risks.

The loss of cryptographic control in a crypto-asset environment often results in irretrievable customer losses, which raises elevated operational and reputational risks for fiduciary and non-fiduciary crypto-asset safekeeping alike. Banking organizations must tailor internal controls and information security frameworks to the unique characteristics of the crypto assets that are held for safekeeping, including irreversibility and sensitivity to technical compromise. Well-developed contingency planning and incident response protocols are key, particularly given the irreversibility of crypto transactions and the evolving nature of attacks.

Risk assessments should cover the full lifecycle of crypto-asset safekeeping operations, including wallet management, key generation and storage, loss and theft scenarios, and asset recovery protocols. Robust cybersecurity frameworks must be in place, including protections against private key compromise, system vulnerabilities, insider threats, and service disruptions.

Legal and Compliance Risks: Regulatory Requirements for Crypto-Asset Safekeeping

The Statement reminds banking organizations that crypto-asset safekeeping must be conducted in accordance with all applicable legal and regulatory requirements.

Crypto-asset safekeeping activities remain subject to Bank Secrecy Act/Anti-Money Laundering (BSA/AML) obligations, including customer identification, transaction monitoring, and suspicious activity reporting. OFAC screening and sanctions compliance are critical, particularly where blockchain transactions involve foreign jurisdictions or pseudonymous counterparties.

Banking organizations must ensure compliance with state and federal fiduciary standards when acting in trust or custodial capacities. Additionally, banking organizations must be cognizant of contractual obligations under state commercial law, including perfection of security interests and digital control principles. Banking organizations should remain diligent in disclosure and customer protection duties, particularly as courts and regulators continue to evolve standards for the enforceability of digital asset agreements.

Third-Party Risk Management: Oversight of Sub-Custodians and Vendors in Crypto Safekeeping

The Agencies caution that the use of sub-custodians or other third-party vendors in connection with crypto safekeeping does not absolve the banking organization of responsibility for effective risk management. Banking organizations must perform robust due diligence prior to engaging vendors. Contractual arrangements with crypto custodians, sub-custodians, and technology vendors must ensure legal enforceability and clarity regarding responsibilities, rights, liabilities and risk allocation. Adequate controls over third-party performance and data access should be instituted, as well as contingency plans for service disruptions, insolvency, or loss of access to customer assets. These expectations regarding third-party risk management oversight are consistent with the Interagency Guidance on Third-Party Relationships: Risk Management issued in 2023.

Looking Forward: Next Steps for Banks Considering Crypto-Asset Safekeeping Activities

The Statement reflects a more permissive regulatory posture but reaffirms that banking organizations must demonstrate compliance with core principles of safety, soundness, and consumer protection when engaging in crypto-asset safekeeping activities. This development presents a more meaningful opportunity for institutions with appropriate governance, risk, and related internal infrastructure to engage in crypto-asset safekeeping activities or, alternatively, provides principles that an institution must consider as it looks to build a crypto-asset safekeeping product offering and related capabilities.

It also increases the importance of conducting a rigorous pre-launch risk analysis and maintaining defensible documentation of the institution’s risk controls, legal authority, and compliance posture.

Banking organizations currently engaged in or considering engaging in crypto-asset safekeeping may consider evaluating the board and senior management’s understanding of crypto-asset safekeeping and related risks, including reviewing and updating or otherwise presenting specific crypto-related reporting to the bank’s board and senior management. Internal policies and procedures may also need to be adjusted to reflect crypto-specific safekeeping risks and compliance obligations. For example, institutions may wish to consider establishing new committees or expanding the responsibilities of pre-existing committees to consider crypto-specific safekeeping and the risks presented by the asset class and client base. Banking organizations may also wish to review customer and vendor agreements to ensure clarity, risk allocation, and compliance alignment. Cybersecurity protocols, key management systems, and loss recovery procedures may also have to be addressed or implemented and regularly tested.  

Banking organizations should approach crypto-asset safekeeping with elevated care and rigor, particularly given ongoing uncertainties in the regulatory and legal landscape (both state and federal). For state regulated banking institutions, while the Statement provides some clarity, continued engagement with state regulatory authorities is still required with respect to crypto-asset safekeeping, as merely satisfying the elements of the Statement may not meet state regulator requirements. Banking organizations contemplating entry into crypto-asset safekeeping should expect rigorous supervisory review and be prepared to justify the legal, operational, and financial soundness of their proposed frameworks.


² A banking organization serving in a fiduciary capacity, e.g., as trustee, is authorized to manage such assets in the same manner it manages other fiduciary assets.

More from Greenberg Traurig, LLP
