On July 14, the OCC, Federal Reserve, and FDIC announced the release of a joint statement clarifying how existing laws and regulations apply to crypto-asset safekeeping services offered by banking organizations. The statement does not impose new supervisory expectations but reinforces how banking organizations must apply established fiduciary duties, risk management standards, and third-party oversight frameworks when holding crypto-assets on behalf of customers.
The guidance provides an overview of crypto-asset safekeeping standards, defining “safekeeping” as the service of holding a crypto-asset on a customer’s behalf. Importantly, the guidance emphasizes that safekeeping involves maintaining exclusive control over the cryptographic keys required to transfer or manage digital assets. A banking organization is considered to have “control” for safekeeping purposes when it can demonstrate that no other party, including the customer, has access to information that would allow them to unilaterally transfer the crypto-asset out of the bank’s control.
The agencies outline a series of risk management and compliance standards that must be satisfied prior to and during the provision of crypto-asset safekeeping services:
- Operational Expertise: Bank boards and management must have the necessary understanding of the technical and legal complexities associated with crypto-asset safekeeping.
- Key Management and Cybersecurity: The secure generation, storage, and management of cryptographic keys are critical. Banks must ensure proper internal controls, such as dual-control procedures, secure wallets, and contingency plans for lost or compromised keys.
- Asset-Specific Risk Reviews: Before accepting any crypto-asset for safekeeping, banks should analyze its unique technical and operational characteristics. This includes considering risks associated with forks, airdrops, smart contracts, and on-chain governance.
- AML/CFT and OFAC Compliance: Crypto-asset safekeeping is subject to full Bank Secrecy Act obligations. Institutions must conduct customer due diligence, monitor for suspicious activity, and ensure compliance with the Travel Rule and sanctions screening.
- Legal Clarity: Customer agreements must clearly define the bank’s and the customer’s responsibilities, including how the bank handles forks, voting rights, and sub-custodian arrangements.
- Third-Party Oversight: Banks remain fully responsible for any sub-custodians or technology providers they engage. A banking organization must conduct due diligence on these parties’ risk management frameworks, particularly their cryptographic key safeguards and contingency planning.
Putting It Into Practice: The guidance makes clear that crypto-asset safekeeping is subject to the same rigorous risk, cybersecurity, and compliance standards as traditional custody. Banks must be fully prepared—operationally, legally, and technologically—to control client assets and manage related risks. This guidance builds on earlier OCC positions on crypto custody (previously discussed here) and reflects a continued effort by federal regulators to articulate guardrails for banks operating in the digital asset space. Crypto custodial activity is receiving growing regulatory attention, particularly in relation to consumer protection and operational risk. Banks and their fintech partners should continue to monitor evolving regulatory expectations in the digital asset space.