ARTICLE
30 July 2025

Banking Regulators Address Crypto Custody; Implications For Asset Managers

D
Dechert

Contributor

Dechert logo
Dechert is a global law firm that advises asset managers, financial institutions and corporations on issues critical to managing their business and their capital – from high-stakes litigation to complex transactions and regulatory matters. We answer questions that seem unsolvable, develop deal structures that are new to the market and protect clients' rights in extreme situations. Our nearly 1,000 lawyers across 19 offices globally focus on the financial services, private equity, private credit, real estate, life sciences and technology sectors.
Explore Firm Details
U.S. federal banking regulators issued a statement (the "Statement") on the safekeeping of "crypto-assets2" on July 14, 2025. The Statement highlights several legal, regulatory...
United States Technology
Brenden Carroll,Neel Maitra,Corey F. Rose
+3 Authors

Key Takeaways

  • U.S. federal banking regulators issued a joint statement for banking organizations that provide, or are considering providing, crypto-asset safekeeping for their customers.
  • Although the statement does not create any new supervisory obligations, it highlights the issues and risks that banking regulators expect banking organizations holding crypto-assets for their customers to mitigate.
  • Together with recent actions by the SEC and its staff, the statement seems likely to (i) encourage more traditional banking organizations to offer crypto-asset safekeeping and (ii) thereby offer asset managers more options for qualified custodians to custody crypto-assets for their clients.
  • As the universe of qualified custodians offering crypto-asset safekeeping expands, asset managers should consider the range of custodial solutions that may be available to safeguard client crypto-assets.

U.S. federal banking regulators issued a statement1 (the "Statement") on the safekeeping of "crypto-assets2" on July 14, 2025. The Statement highlights several legal, regulatory, and risk management considerations that U.S. banking organizations3 must consider if they hold these assets for customers (whether in a fiduciary or non-fiduciary capacity). The Statement, jointly issued by the Fed, the OCC and the FDIC (collectively, the "Agencies"), does not create any new supervisory obligations, but it highlights the issues and risks that the Agencies expect banking organizations holding customer crypto-assets to mitigate.

The Statement follows the withdrawal4 of a 2019 joint statement by the Securities and Exchange Commission ("SEC") and the Financial Industry Regulatory Authority ("FINRA") regarding broker-dealer custody of crypto-assets, the withdrawal of Staff Accounting Bulletin ("SAB") No. 121 and issuance of SAB No. 1225 as well as the SEC's release of Frequently Asked Questions6 addressing certain crypto-asset and blockchain-related activities of SEC-registered broker-dealers and transfer agents. Together with these recent actions, the Statement seems likely to encourage more traditional banking organizations to offer crypto-asset safekeeping and thereby offer asset managers more options for qualified custodians to custody crypto-assets for their clients.

Below, we discuss some of the key points raised by the Agencies and discuss their implications for banking institutions. We also discuss implications for asset managers, who may soon encounter a marketplace that offers a range of custodial solutions for crypto-assets with varying levels of risk.

General Risk Management and Legal Considerations

The Statement applies to banking organizations acting in either a fiduciary or non-fiduciary capacity. Banking organizations holding crypto-assets in fiduciary capacities must adhere to the requirements of 12 CFR 9, which covers fiduciary activities of national banks, or 12 CFR 150, which covers fiduciary powers of federal savings associations, as applicable, as well as other applicable state laws and regulations. For banking organizations holding crypto-assets in a non-fiduciary capacity, the Statement notes that the duties and responsibilities of a banking organization are governed by client contract.

Among other things, the Statement emphasizes that:

  • A banking organization's board, officers and employees should have the requisite knowledge and understanding of the crypto-asset safekeeping services to establish adequate operational capacity and appropriate controls to conduct the activity in a safe and sound manner and in compliance with applicable laws and regulations.
  • Banking organizations need to consider the evolving nature of the crypto-asset market, including the development of the underlying technologies behind individual crypto assets, and the new risks to which they will need their risk management programs to adapt.
  • Crypto-assets are susceptible to price volatility, which could affect the demand for safekeeping and the value of the assets.

Safekeeping of Cryptographic Keys

The loss of cryptographic keys is a primary risk for banking organizations safekeeping crypto-assets because it can lead to the loss or unauthorized transfer of crypto-assets. The Statement indicates that effective safekeeping of crypto-assets involves maintaining control of cryptographic keys, meaning that a banking organization should be able to demonstrate that no other entity, including the customer, has access to information "sufficient to unilaterally transfer the crypto-asset out of the control of the banking organization." The Agencies stated that this usually will require the asset to be transferred to the banking organizations on the asset's underlying distributed ledger. A banking organization that simply takes possession of existing cryptographic keys may not have control of the assets, since, for example, a customer may have retained copies of the keys or given them to others. The Agencies stressed that a banking organization also would be expected to apply these same standards to any sub-custodian used for these purposes by the banking organization.

The Agencies further noted that different types of crypto-assets may require different key management solutions. In addition, the Agencies stated that sound practices would typically include performing a comprehensive analysis of each crypto-asset before safekeeping that crypto-asset, including for example, by identifying vulnerabilities and dependencies that could create material risks to the banking organization's safety and soundness. The Agencies said that effective risk management may also include the secure generation of cryptographic keys and contingency planning for lost or compromised keys and expressed that a banking organization's cybersecurity environment should be a key focus of risk management.

Anti-Money Laundering and Other Compliance Risks

The Agencies noted that, like any other banking activity, crypto-asset safekeeping activities by banking organizations are also subject to applicable anti-money laundering, countering the financing of terrorism, and Office of Foreign Assets Control requirements. These laws require banking organizations to, among other obligations, verify customer identity, conduct ongoing monitoring to identify and report suspicious activity and block transactions in accordance with sanctions.

The Agencies stated that the features of distributed ledger technology pose additional challenges for banks when it comes to the review of identifying information. Before safekeeping crypto-assets, the Agencies will expect banking organizations to engage their Bank Secrecy Act officers. The Agencies said that well-written customer agreements outlining parties' responsibilities can also help manage the risk of crypto-asset safekeeping. Specific issues that the Statement identifies as meriting further discussion through a customer agreement include:

  • On-chain governance and voting.
  • Forks and airdrops.
  • Probabilistic settlement that may be characteristic of permissionless blockchains.
  • The method of holding the assets (cold/hot/hybrid storage).
  • The use of a sub-custodian(s).
  • The use of smart contracts.

Third-Party Risk Management and Audits

The Statement notes that banking organizations are responsible for the activities of their sub-custodians, who may be employed for crypto-asset safekeeping, subject to the terms and conditions of customer agreements. This may include the selection of crypto-assets for which custodial services will be offered.

The Agencies stated that banking organizations should evaluate the effectiveness of sub-custodians' cryptographic key maintenance procedures and analyze the potential treatment of customers' assets held by the sub-custodian in the event of insolvency or other disruptions.

The Statement also suggests that banking organizations engage outside auditors with expertise in crypto-asset safekeeping if such auditors do not exist within their own organizations.

Implications for Banking Institutions

While the Statement does not create any new supervisory requirements for entities, it is a sign that regulators across the board are monitoring how financial institutions are holding crypto-assets, and it reflects financial institutions' broader interest in holding these assets. Further, the Statement appears to normalize risk management for crypto-assets in a manner generally consistent with banking requirements for safeguarding other types of assets, which is consistent with the current administration's broader efforts to treat crypto-assets like other assets classes.

Implications for Asset Managers

The Statement itself is not applicable to registered investment advisers or registered investment companies ("funds"). Finding appropriate custodians for crypto-assets, however, has been a significant hurdle to many funds and advisers that seek to gain exposure to these assets for themselves or their clients, respectively.7 The Statement, along with the FDIC's and the OCC's recent statements on crypto asset custody8 and the SEC's withdrawal of SAB No. 121, however, seems likely to encourage more traditional banking organizations to offer crypto-asset safekeeping, expanding the ability of funds and advisers to find custodians to hold crypto-assets.

Moreover, as the Statement indicates, different crypto-assets may require different custodial solutions, and thus different custodians with different custodial practices. To date, many crypto asset managers have had few alternatives when selecting custodians. Faced with a growing number of real alternatives presenting varying levels of risk, crypto asset managers may want to consider assessing the specifics of custodial practices and procedures before deciding which custodian or custodians to entrust with their or their clients' crypto-assets. We note that the SEC appears to be positioning itself to address more directly the obligations of investment advisers with respect to the safekeeping of their clients' crypto-assets, either through rule amendments or guidance.9

Footnotes

1. Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency, Crypto-asset Safekeeping by Banking Organizations(July 14, 2025) (the "Statement").

2. The Statement refers to crypto-assets as any digital assets "implemented using cryptographic techniques." This differs from the SEC's definition of crypto-assets as "any asset issued and/or transferred on the blockchain." It is yet to be determined whether the difference in definition will give rise to any material difference in the scope of the assets covered.

3. "Banking organization" has the following meaning to the Federal Reserve Board of Governors (the "Fed"), Office of the Comptroller of the Currency ("OCC") and Federal Deposit Insurance Corporation ("FDIC"): for the Fed, the definition includes all U.S. bank holding companies, state member banks, edge and agreement corporations and uninsured state-licensed branches and agencies of foreign banks; for the OCC, the definition includes national banks, federal savings associations and federal branches and agencies or foreign banks; for the FDIC, the definition includes all insured state nonmember banks, insured state-licensed branches of foreign banks and insured state savings associations.

4. SEC Division of Trading and Markets and FINRA Office of General Counsel, Withdrawal of Joint Staff Statement on Broker-Dealer Custody of Digital Asset Securities, (May 15, 2025).

5. Staff Accounting Bulletin No. 122, SEC (Jan. 23, 2025).

6. Division of Trading and Markets: Frequently Asked Questions Relating to Crypto-asset Activities and Distributed Ledger Technology, (May 15, 2025).

7. Although crypto-asset custodians exist today that meet the definition of "bank" under the Investment Company Act of 1940 and the Investment Advisers Act of 1940, there is still a relative scarcity of custodial options as compared to custodians for more traditional asset classes.

8. FDIC, FDIC Clarifies Process for Banks to Engage in Crypto-Related Activities (FIL-7-2025) (Mar. 28, 2025). The FDIC supervises state-chartered banks that are not members of the Federal Reserve System. OCC, Clarification of Bank Authority Regarding Crypto-Asset Custody Services (May 7, 2025).

9. SEC Crypto Task Force Roundtable, Know Your Custodian: Key Considerations for Crypto Custody (April 25, 2025).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Brenden Carroll
Brenden Carroll
Photo of Neel Maitra
Neel Maitra
Photo of Mark D. Perlow
Mark D. Perlow
Photo of Corey F. Rose
Corey F. Rose
Photo of Robert S. H. Shapiro
Robert S. H. Shapiro
Photo of Cornelius Haggerty
Cornelius Haggerty
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More