U.S. Regulators Allow Banks to Custody Crypto Assets Under Existing Rules

The U.S. Office of the Comptroller of the Currency (OCC), Federal Reserve, and Federal Deposit Insurance Corporation (FDIC) jointly issued a set of instructions on July 14, 2025, allowing banks to custody crypto assets under existing risk management regulations. This guidance does not introduce new regulations but reinforces the application of current laws to the custody of digital assets.

This move signifies a tentative integration of the $2.1 trillion cryptocurrency market with traditional finance, marking a notable shift in regulatory stance towards crypto. Banks are now permitted to custody crypto assets, a task previously handled through self-custody. The new rules emphasize the importance of banks managing cryptographic keys to mitigate cybersecurity risks. According to a study by the National Institute of Standards and Technology (NIST), 70 percent of crypto thefts are linked to poor key management.

The trend aligns with a broader U.S. policy shift, as evidenced by the March 2025 executive order issued by the Trump administration. This order established the Strategic Bitcoin Reserve, indicating a growing recognition of crypto assets as strategic investments. The new guidance contradicts previous accounts of regulatory hostility towards crypto, suggesting a more open approach to integrating digital assets into the financial system.

The interagency regulation confirms a changing position of the U.S. government regarding cryptocurrency. While previous regulatory efforts were seen as restrictive, this document indicates a more inclusive approach. By regulating crypto assets under existing frameworks, banks can enter the booming market with reduced exposure to risks. The guidance outlines two primary roles for banks in crypto custody: as trusted managers with legal duties (fiduciary role) or as secure storage providers without management responsibility (non-fiduciary role). The choice between these roles depends on the service agreement and regulatory requirements.

One of the key points highlighted in the guidance is the concept of "true control," where the bank holds the cryptographic keys and, consequently, the liability. This means that the bank must ensure that no one else, including the customer, can access the keys. The statement also addresses the responsibilities of banks when using third-party custody vendors, stressing the need for due diligence and clear agreements regarding the handling of compromised assets and vendor insolvency.

The regulators have also underscored the importance of compliance with anti-money laundering (AML), terrorism financing (CFT), and Office of Foreign Assets Control (OFAC) regulations. Banks must verify the identity of their customers and monitor suspicious activities, which can be challenging in a blockchain-based context where identity transparency is not always guaranteed. The guidance also covers legal aspects such as corporate agreements, wallet management, and the use of smart contracts, ensuring that banks have a clear understanding of their responsibilities in these areas.

In addition to these requirements, the regulators expect banks to have separate audit programs that include controls for crypto custody safekeeping, the management of crypto keys, and the assessment of personnel capabilities. Banks lacking internal expertise can hire third-party auditors to meet these requirements. This development follows the termination of a previous reputational risk factor that prevented banks from offering crypto custody-related services, paving the way for greater integration of digital assets into the banking sector.