The recent joint statement released by the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (Fed), and the Federal Deposit Insurance Corporation (FDIC) provides guidance on how existing banking rules apply to institutions that offer crypto custody services for customers.
According to the statement, “safekeeping” in the context of crypto custody refers to holding digital assets on behalf of clients, and the statement itself does not create new supervisory demands. The key focus of risk control in crypto custody services lies in the secure management of cryptographic keys. Regulators emphasize the importance of exclusive control of private keys and sensitive data to prevent unauthorized access or movement of assets.
Management of financial institutions offering crypto custody services must assess key-generation tools, wallet types, and contingency plans to ensure the security of assets. They must also take into consideration the volatility of the asset class and the rapid technological advancements in the crypto space when allocating capital and staffing for custody operations.
In terms of compliance, governance, and third-party oversight, institutions must adhere to regulations such as the Bank Secrecy Act, anti-money laundering laws, counter-terrorism financing rules, and the Office of Foreign Assets Control requirements. Boards and senior management are advised to involve the BSA officer early in the custody rollout to assess illicit-finance risks and establish controls.
Additionally, banks that delegate storage to sub-custodians are responsible for the performance of these vendors. It is crucial for institutions to thoroughly evaluate a sub-custodian’s key management methods, asset segregation practices, and insolvency protections before entering into contracts. Notice requirements for breaches or operational events should also be established.
Auditors are urged to expand their testing to include crypto-specific elements such as key generation, wallet security, and on-chain settlement controls. In cases where internal expertise is lacking, independent specialists should be hired to validate safeguards and report directly to the audit committee.
The joint statement emphasizes that existing fiduciary, custody, and information security regulations already provide a framework for banks to safeguard their crypto assets. However, financial institutions must demonstrate their ability to control keys, manage vendors, and comply with federal financial crime statutes in real time to ensure the security and integrity of crypto custody services.

