US Regulators Clarify Crypto Custody Rules for Banks

The Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (Fed), and the Federal Deposit Insurance Corporation (FDIC) have jointly released a statement outlining how existing banking regulations apply to institutions that offer crypto custody services. The guidance emphasizes that the act of holding digital assets on behalf of clients, referred to as "safekeeping," does not introduce new supervisory demands.

Regulators have instructed boards and executives to view crypto custody as a service that relies on the exclusive control of private keys and other sensitive data. Banks must ensure that once an asset enters custody, no other party, including the customer, can unilaterally move it. Management is required to assess how key-generation tools, wallet types, and contingency plans align with the institution’s broader control environment. Additionally, staff must possess the necessary technical skills to maintain these safeguards.

The statement also advises banks to consider the volatility of the asset class and the rapid pace of technological change when allocating capital and staffing for custody operations. The agencies highlight that sound programs include continuous reviews of each supported token’s software dependencies and ledger design to identify vulnerabilities that could threaten safety and soundness.

The three agencies have reminded institutions that crypto custody must comply with Bank Secrecy Act, anti-money laundering, counter-terrorism financing, and Office of Foreign Assets Control rules, including the “travel rule” that attaches identifying information to transfers. Boards must involve the BSA officer and senior managers early in any custody rollout to gauge illicit-finance exposure and document controls.

Banks that delegate storage to sub-custodians remain responsible for the performance of those vendors. The guidance instructs firms to examine a sub-custodian’s key management methods, segregation of assets, and insolvency protections before signing contracts. Firms will also be required to build notice requirements for any breach or operational event. Institutions that keep assets in-house but buy third-party software must apply the same vendor-risk disciplines.

Finally, the agencies request that auditors expand their testing to include crypto-specific elements, such as key generation, wallet security, and on-chain settlement controls. When internal teams lack expertise, management should hire independent specialists to validate safeguards and report directly to the audit committee. The joint statement concludes that existing fiduciary, custody, and information security regulations already provide a framework for banks that wish to safeguard their crypto. However, those banks must demonstrate that they can control keys, manage vendors, and comply with federal financial crime statutes in real time.

This joint guidance from the OCC, Fed, and FDIC provides a clear framework for banks to offer crypto custody services while adhering to existing regulations. By emphasizing the importance of key control, vendor management, and compliance with financial crime statutes, the agencies aim to ensure the safety and soundness of crypto custody operations within the banking sector. The guidance also highlights the need for continuous reviews and the involvement of senior management in assessing and mitigating risks associated with crypto custody.