U.S. regulators issued strict crypto custody guidance, emphasizing robust risk management, AML compliance, and legal adherence for banks.
The Federal Reserve, FDIC, and Office of the Comptroller of the Currency have jointly released new guidance regarding U.S. banks’ treatment of crypto custody services. The statement is intended for banks that are either currently involved or contemplating involvement in the custody of crypto-assets for customers.
Banks must adhere to stringent regulations before providing cryptocurrency custody services
The statement reiterates that banks must adhere to current risk management practices and compliance requirements to safeguard digital assets. The primary focus is on safekeeping, which involves the storage of crypto-assets on behalf of a customer.
According to the joint statement, banks can provide crypto custody in a fiduciary capacity, as trusted managers with legal obligations, or in a non-fiduciary capacity, as secure storage providers that do not have management responsibility. Which one applies is contingent upon the service agreement and regulatory requirements.
The bank holds the liability if it possesses the cryptographic keys. This implies that the bank is entirely responsible and in control. The regulators declared that banks must guarantee that the keys are inaccessible to anyone else, including the customer. Regulators refer to this as the benchmark for “true control.”
The most significant risks identified are cybersecurity breaches, market volatility, cryptographic key loss, and anti-money laundering obligations. Banks are expected to establish appropriate internal controls and remain informed about the latest developments in the crypto custody industry.
Before entering crypto custody safekeeping, banks must evaluate their technical capacity and compliance preparedness. Institutions will require updated technologies, personnel with crypto expertise, and robust operational frameworks to manage the changing risks associated with digital assets.
Banks are also accountable for third-party custody
There is also a provision for third-party crypto custody vendors, although the bank is accountable for any failure. Regulators emphasize that banks should conduct due diligence on these vendors, particularly in relation to private key storage. The arrangements should explicitly specify the consequences of vendor insolvency and asset compromise.
The statement also noted that compliance with anti-money laundering (AML), countering the financing of terrorism (CFT), and OFAC regulations is mandatory. Banks must verify their customers’ identity and monitor any suspicious activities. In a blockchain-based context, where identity is not inherently transparent, fulfilling these requirements may be more challenging.
In addition, the official release emphasizes the importance of clarity in relation to the legal aspects of crypto custody management. Corporate agreements may be executed through on-chain votes, forks, or airdrops on behalf of all stakeholders. Banks should also address concerns regarding wallet management, independent of the storage method, and the utilization of smart contracts.
Additionally, regulators expect banks to implement distinct audit programs. The audits should encompass personnel capability, crypto-asset safekeeping controls, and crypto key management. Institutions may retain third-party auditors if they cannot employ internal experts.
The most recent development is a result of a report that indicated the reputational risk factor that institutions were experiencing before the termination of this administration by the Federal Reserve. The requirement impeded institutions’ provision of services related to crypto custody.