Regulators instructed boards and executives to view crypto custody as a service that relies on exclusive control of private keys and other sensitive data.
The Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (Fed), and the Federal Deposit Insurance Corporation (FDIC) released a joint statement explaining how existing banking rules apply when institutions custody crypto for customers.
The guidance describes “safekeeping” as holding a digital asset on a client’s behalf, and it stresses that the act creates no new supervisory demands.
Cryptographic Keys: The Core of Risk Control
The agencies note that a bank must be able to prove that no other party, not even the customer, can unilaterally move an asset once it enters custody.
Management must assess how key-generation tools, wallet types, and contingency plans align with the institution’s broader control environment. Additionally, management must ensure staff possess the necessary technical skills to maintain these safeguards.
The statement also told banks to weigh the asset class’s volatility and the rapid pace of technological change when allocating capital and staffing for custody operations.
The agencies stated that sound programs regularly review the software and underlying ledger of each supported token for weaknesses that could compromise security.
Strengthening Oversight: Compliance, Governance, and Vendors
The three agencies reminded institutions that crypto custody must satisfy Bank Secrecy Act, anti-money laundering, counter-terrorism financing, and Office of Foreign Assets Control rules, including the “travel rule” that attaches identifying information to transfers.
Boards must involve the BSA officer and senior managers early in any custody rollout to gauge illicit-finance exposure and document controls.
Additionally, banks that delegate storage to sub-custodians remain responsible for their vendors’ performance. The guidance instructed firms to examine a sub-custodian’s key management methods, asset segregation, and insolvency protections before signing contracts.
Firms will also be required to build notification requirements for any breach or operational incident into those arrangements. Institutions that keep assets in-house but buy third-party software must apply the same vendor-risk disciplines.
Finally, the agencies requested auditors expand their testing to include crypto-specific elements, such as key generation, wallet security, and on-chain settlement controls.
When internal teams lack expertise, management should hire independent specialists to validate safeguards and report directly to the audit committee.
The joint statement concluded that existing fiduciary, custody, and information security regulations already provide a framework for banks wishing to safeguard crypto assets.
However, those banks must demonstrate they can control keys, manage vendors, and comply with federal financial crime statutes in real time.