On Monday, July 14, 2025, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency issued a Joint Statement on Crypto-Asset Safekeeping by Banking Organizations (the "Joint Statement").
The Joint Statement makes clear that it "discusses how existing laws, regulations, and risk-management principles apply to this activity, and does not create any new supervisory expectations." (emphasis added) However, there are helpful nuggets of intel included in this Joint Statement as to what the banking agencies may look at as "appropriate" controls, processes, and risk mitigants.
For purposes of the Joint Statement, safekeeping for crypto-assets "entails controlling the cryptographic keys associated with a crypto-asset." The Joint Statement reminds banking organizations to consider potential risks prior to engaging in a new activity such as safekeeping for crypto-assets and includes guidance on conducting an effective risk assessment related thereto.
Since the banking agencies clarified that this Joint Statement does not create any new supervisory expectations, banking organizations can and should leverage existing guidance on supervisory expectations with respect to engaging in new activities, conducting risk assessments, effective third-party risk management, creating internal controls, and audit programs. The joint statement uses familiar language from prior guidance, including reminders that before engaging in this activity a banking organizations board management and staff should have the requisite knowledge and expertise to establish adequate oversight and controls to perform the safekeeping activities in a safe and sound manner and in compliance with applicable laws.
Additionally, as with prior guidance the banking agencies advised to consider the evolving nature of the risks in the crypto-asset market. Banking agencies note that a key risk (no pun intended) related to crypto-asset safekeeping is the risk that a cryptographic key (or other sensitive information) is compromised or lost, which may create exposure to the banking organization. Risk mitigation on this point requires a strong focus on cybersecurity.
Finally, banking organizations are reminded to consider: (i) contingency planning, (ii) drafting appropriate policies, procedures, and processes, (iii) maintaining an effective control environment with oversight and independent review, (iv) reviewing potentially elevated compliance and legal risks associated with crypto-asset activities, (v) developing strong customer agreements, which should be viewed as a critical tool for managing risk, (vi) reviewing third party risk management guidance as appropriate, (vii) including tailored auditing programs, and (viii) mitigate risk with clear, accurate and timely information provided to customers.
This Joint Statement is further evidence that the banking agencies have become much more open to banking organizations providing services to the digital asset community. Most importantly, the Joint Statement clarifies that the banking agencies plan to review such services through the lens of existing supervisory expectations.
We expect more to come on this and other digital-asset and cryptocurrency related topics in the near future, so stay tuned!
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.
