On July 14, 2025, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (collectively, the federal banking agencies) issued a joint statement related to risk management for crypto-asset[1] safekeeping[2] by banking organizations (the Statement).[3] The federal banking agencies clarify that the Statement "discusses how existing laws, regulations, and risk-management principles apply to" crypto-asset safekeeping, but "does not create any new supervisory expectations."
The Statement begins by providing general risk management considerations. It then dives into several more specific categories of risk or risk management considerations that a banking organization providing safekeeping services should address, including cryptographic key management, additional risk management considerations, legal and compliance risk, third-party risk management, and audits.
Statement Details
General Risk Management Considerations
The Statement first provides the general recommendation that banking organizations should consider potential risks prior to offering crypto-asset safekeeping. The Statement recommends that such risk assessments should consider the banking organization's:
- core financial risks;
- ability to understand the asset class;
- ability to ensure a strong control environment; and
- contingency plans.
Likewise, the banking organization's staff should maintain the requisite knowledge and understanding of crypto-asset safekeeping to establish adequate operational capacity and controls, ensuring safety, soundness, and compliance while providing safekeeping services. The Statement also notes a few other general risk considerations arising from crypto-assets, including resource intensity, price volatility, and rapid market evolution affecting crypto technology.
Cryptographic Key Management
The Statement highlights possible loss or compromise of cryptographic keys or other sensitive information as a primary risk of crypto-asset safekeeping, making management of such keys pivotal to effective risk management. Banking organizations should be able to reasonably demonstrate that no other party has information that would allow unilateral transfers of the crypto-asset out of their control, often by having the crypto-asset transferred to them on the underlying distributed ledger or blockchain. Such control standards should also apply to any sub-custodians acting on behalf of the banking organization.
Likewise, a banking organization should consider how to address secure cryptographic key generation and contingency planning for lost or compromised keys. Given technological developments, a banking organization should ensure that its management systems continue to be sufficient and effective for risk management.
Additional Risk Management Considerations
The Statement also notes that banking organizations should consider identifying specific crypto-assets for which they will provide safekeeping. Different crypto-assets require different key management solutions, or may have software or hardware requirements that the bank is either inexperienced with or not equipped to handle. Banking organizations should perform a comprehensive analysis of each crypto-asset before safekeeping the asset. Such analysis may include identifying the crypto-asset's vulnerabilities and dependencies, as well as analyzing relevant technical, operational, strategic, market, legal, and compliance considerations related to the crypto-asset and the underlying ledger.
Risk may also vary across different account models (omnibus accounts compared to separate accounts) for safekeeping purposes. In all the above cases, standard custodial risk management practices apply, but will need to be tailored to the specific crypto-asset safekeeping services provided.
Legal and Compliance Risk
The Statement identifies a number of different legal and compliance risks. Broadly categorized, these include:
- AML/OFAC. Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) regulations present significant compliance risks. Under the Bank Secrecy Act (BSA) and the guidelines set forth by the Office of Foreign Assets Control (OFAC), banking organizations are required to verify customer identity, perform customer due diligence, monitor and report suspicious activity, block certain sanctioned transactions, and follow the travel rule. However, the design features of a distributed ledger may pose issues for compliance with these requirements. As such, a banking organization should assess potential risks of money laundering, terrorist financing, and other financial activities before offering crypto-asset safekeeping.
- Evolving Regulation. The evolving crypto-asset regulatory landscape may result in higher legal risks, implicating considerations like on-chain governance and voting, forks, airdrops, probabilistic settlement in permissionless blockchains, asset holding methods, sub-custodians, and smart contracts. Well-written customer agreements, outlining clearly defined duties and responsibilities of the parties, may help mitigate these risks.
- Accurate and Transparent Disclosures. Customers may be misinformed about the banking organization's role in the safekeeping arrangement. Banks should provide clear, accurate, and timely information to customers about their safekeeping activities, including their governance or voting roles related to the crypto-asset, to mitigate this risk. Likewise, banking organizations should abide by applicable recordkeeping and reporting requirements.
Third-Party Risk Management
The Statement highlights the risks arising from third-party service providers, especially sub-custodians. Before contracting with third-party sub-custodians and other service providers, banking organizations should take care to understand the relevant laws, regulations, and third-party risk management guidance.
A banking organization will be responsible for the activities performed by its sub-custodians, subject to terms and conditions. Banks should, therefore, conduct adequate due diligence, which includes evaluating the sub-custodian's key management solutions, its adherence to standard safekeeping risk management practices, its potential treatment of held customer assets in the event of insolvency or operational failures, its policies, processes, and internal controls, and its risk management and recordkeeping practices.
Other service providers may also be a source of third-party risk. Here, banks should weigh the risks of purchasing third-party software or hardware versus maintaining such software or hardware as a service.
Audit
The Statement considers audit programs essential to effective risk management and internal control. Therefore, a banking organization's audit program should appropriately cover its crypto-asset safekeeping services, including third-party risk management. It should address, among other things, crypto-asset-specific risks, such as key generation, storage, and deletion, as well as the transfer and settlement of crypto-assets, and IT systems, including staff expertise in crypto-asset risk identification and safekeeping control implementation. Where a banking organization lacks audit expertise, it should engage appropriate independent third-party audit resources.
Takeaways
The Statement follows prior federal banking agency statements and letters clarifying that financial institutions need not seek supervisory non-objection to engage in certain crypto-related activities. It is, in this sense, part of an ongoing shift at the federal banking agencies toward embracing supervision and regulation of crypto. Financial institutions providing or looking to provide crypto-asset safekeeping services should benchmark their compliance and audit programs against the Statement as a starting point.
Footnotes
1. "Crypto-asset" refers to "any digital asset implemented using cryptographic techniques."
2. "Safekeeping" refers specifically to the service of holding a crypto-asset on behalf of a customer, not to any other custodial services a banking organization might offer.
3. "Banking organization" includes entities supervised by the federal banking agencies, including national and state banks, national and state savings associations, and bank holding companies.