Federal Reserve Issues Final Rules for Banks to Offer Crypto Custody Services

The Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency have released final rules for banks on how to offer crypto custody services. These new instructions are designed to ensure that banks can handle crypto custody without violating any regulatory boundaries.

The agencies, under the administration of President Donald Trump, issued a joint statement explaining how traditional lenders should manage crypto holdings for their clients. This update replaces earlier warnings and restrictions that had made it more difficult for banks to enter the crypto market. The new guidelines come just months after regulators pulled back previous guidance on crypto-related risks in April and revoked the 2022 directive that required banks to notify regulators in advance before engaging in any crypto activity.

Under the new rules, crypto operations will be monitored as part of routine supervision, similar to any other banking business. The agencies emphasized that banks must understand the complexities of crypto custody and build systems capable of handling it. This includes having control of the cryptographic keys that give access to crypto assets, ensuring that this control meets all relevant laws and regulations.

Before launching custody services, banks are required to assess how these operations fit into their overall risk profile and strategy. They must stay updated on industry practices and be prepared for potential surprises. The agencies stated that an effective risk assessment should consider the banking organization’s core financial risks given its strategic direction and business model. Every employee, from the C-suite to IT, must have the necessary training and operational knowledge to run crypto custody services properly. The statement also highlighted the importance of having contingency plans in place to handle system failures or operational issues.

The guidelines allow banks to work with third-party companies for crypto safekeeping, such as sub-custodians or tech providers. However, the banks remain fully responsible for all activities performed by these third parties. This responsibility includes ensuring that the sub-custodian uses strong safeguards and that there are plans in place for what would happen to customer assets if the sub-custodian goes bankrupt or suffers operational problems. Banks are also expected to evaluate the risks associated with using third-party technology, whether it’s software, hardware, or any other tools.

Additionally, the agencies require banks to create audit programs specifically for their crypto custody operations. These audits should review key generation, storage, and deletion processes, verify transfer controls, and check that IT systems meet security standards. The audits should also assess whether staff have the skills to manage crypto-related risk, and if not, outside help must be brought in. The agencies stated that when audit expertise does not exist within the banking organization, management should engage appropriate external resources with sufficient independence to assess crypto-asset safekeeping operations.

These final rules represent a significant step forward in integrating crypto custody services into the traditional banking system. By providing clear guidelines and emphasizing the importance of risk management and contingency planning, the regulators aim to create a more stable and secure environment for banks to offer these services. This move is expected to encourage more banks to enter the crypto market, potentially leading to increased adoption and innovation in the industry.