On January 3, the Board of Governors of the Federal Reserve (FRB), Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC) issued a Joint Statement on Crypto-Asset Risks to Banking Organizations. As predicted in our previous client alert titled FTX Bankruptcy-What Could Be Next for the Industry, the new guidance confirms that the banking regulators will use their supervisory authority over banking organizations to prevent the perceived risk of contagion in the crypto industry from spreading to the banking sector. This jointly issued guidance comes on the heels of various statements made by other regulators and the Securities and Exchange Commission (SEC) guidance to publicly traded companies, advising them to disclose their exposure to and risk in the crypto markets to investors. Going forward, we expect that regulators will continue to use their existing authorities to protect customers and avoid further market contagion.

Key Crypto-Asset Risks

Previously issued letters by the FRB, FDIC and OCC instructed banks to provide prior notice and demonstrate adequate risk management before engaging in proposed crypto-asset-related activities (e.g., custody, facilitating customer transactions, or issuing or distributing stablecoins). As explained by the OCC, supervisors would evaluate the ability of the bank "to engage in the proposed activities on a safe and sound basis." The new guidance marks a development from previous regulatory guidance on the subject and further builds on concerns about risks to banks expressed previously. It describes a wide-ranging list of risks in the crypto-asset sector-including broad concerns regarding the risk associated with the crypto sector, sector participants and crypto companies generally-and promises robust review of entities seeking to become regulated banks that would engage in crypto-asset-related activities. The guidance refers to a "crypto-asset" as "any digital asset implemented using cryptographic techniques." Additional key takeaways include the following:

  • Limiting of balance-sheet risk to banking organizations: The guidance states "that issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe and sound banking practices." This is a firmer and clearer position than previous guidance. By including crypto assets "transferred on" such a network or system, the statement could be interpreted quite broadly to include tokenized representations of traditional assets in addition to crypto-native assets.
  • Systemic risk and contagion risk: The guidance continues the focus on the regulatory perimeter both by advancing the regulatory perimeter through expectations for third-party risk management to mitigate contagion risk within the regulated financial system and by warning that "[i]t is important that risks related to the crypto-asset sector that cannot be mitigated or controlled do not migrate to the banking system."
  • Concentration risk: The guidance also highlights concerns regarding banking organizations whose business models are based primarily on servicing firms involved in crypto assets. It states that "the agencies have significant safety and soundness concerns with business models that are concentrated in crypto-asset-related activities or have concentrated exposures to the crypto-asset sector."
  • Market risk: The guidance highlights areas of concern that are traditionally the province of market regulators as opposed to the prudential banking regulators, such as risks to retail and institutional investors, customers and counterparties.
  • Decentralized finance: The guidance expresses concerns about decentralized finance, which has at times been viewed by market participants as a less risky alternative to the use of centralized crypto-asset exchanges because of the lack of reliance on a single third party to manage funds and facilitate transactions.

An Evolving Regulatory Environment

As a whole, the guidance would seem to place a large thumb on the scale, at least for now, to keep crypto-related activities outside the regulatory perimeter. The guidance-which warns that "[i]t is important that risks related to the crypto-asset sector that cannot be mitigated or controlled do not migrate to the banking system"-is of a piece with the ongoing debate among stakeholders within the prudential regulatory community as to whether it is better to bring crypto-related activities within the regulatory perimeter to make them safer, sounder and risk-reducing or whether it is better to keep crypto-related activities outside the perimeter, albeit at the risk of furthering the development of a shadow crypto banking system. Clearly, in light of "recent failures of several large crypto-asset companies" and other "events of the past year," the prudential regulators coalesced around the former, that it is better to keep these perceived risks to safety and soundness outside the banking system. Moreover, this guidance is notable because it includes other risks that have traditionally been the province of other regulators such as the SEC, the Commodity Futures Trading Commission and the Consumer Financial Protection Bureau (for example, citing "practices that may be unfair, deceptive, or abusive, contributing to significant harm to retail and institutional investors, customers, and counterparties"). It therefore represents a statement by the banking regulators about the scope of the risks necessarily addressed in a potential comprehensive regulatory framework for crypto assets.

The guidance also would seem to strain relationships between regulated banking organizations and the crypto sector. Because the agencies are focused on "supervising banking organizations that may be exposed to risks stemming from the crypto-asset sector," the perceived risk could contribute to de-risking accounts of banks' crypto partners and customers. Likewise, by highlighting the concentration risk at banking organizations that are primarily focused on servicing crypto-related businesses, such banks could themselves be more susceptible to runs and deposit drains. This could have a wide-ranging impact on traditional banking institutions that have refashioned themselves as "fintech banks" as well as OCC's special purpose charters and state-chartered entities seeking to enter the federal regulatory perimeter, either through FDIC insurance, Federal Reserve membership or master account access, such as Wyoming Special Purpose Depository Institutions.

Finally, by seemingly pushing crypto-related activities further outside the federal regulatory perimeter, the guidance creates more opportunities for state regulators to lead with respect to crypto regulation. Although federal policymakers have continued to study the issues and publish some proposals, states have stepped in to fill the gap. In addition to Wyoming, states such as New York have developed regulatory frameworks for crypto companies, and the crypto sector has continued to operate under state regimes. As noted in our previous client alert, the New York Department of Financial Services (DFS) plans to issue new guidance to "bolster and broaden" regulation of crypto companies operating under DFS licenses in New York.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.