Search
Choose a style
Dark
Light
Time to read: 4 min

US regulators issue joint warning on crypto safekeeping risks for banks

Image of US regulators (FDIC) office
Image: Shutterstock

As interest in digital asset custody builds among banks, US regulators have issued a joint reminder: compliance, not innovation, must lead the way.

The Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) have issued a fresh warning to US banking organisations considering or currently offering crypto-asset safekeeping services. 

In a joint statement published July 14, the agencies reiterated that banks must conduct such activities in a “safe and sound manner” and in full compliance with existing laws and regulations.

While the release does not establish any new rules, it marks a clear intervention amid growing institutional appetite for crypto custody, particularly among banks seeking to service asset managers and corporate clients exploring digital assets. 

It also arrives during a week in which digital asset legislation is front-of-mind in Washington, with several crypto-related bills up for debate in Congress.

Control of keys remains a core requirement

The statement focuses specifically on safekeeping: the act of holding crypto-assets on a customer’s behalf, typically by managing access to private cryptographic keys. This may be done either in a fiduciary role, such as acting as a trustee or executor, or on a non-fiduciary basis through a client service agreement.

In either case, regulators caution that safeguarding crypto-assets brings with it heightened operational, legal, and compliance risks. Key among these is the management of cryptographic keys, the compromise of which can lead to unauthorised transfers and significant liability for the custodian bank. 

To lawfully claim control of a crypto-asset, a bank must demonstrate that neither the customer nor any third party has retained access sufficient to move the asset independently—a standard that requires robust controls and clear governance.

The agencies highlight that while traditional custodial principles still apply, crypto-assets introduce new challenges, such as managing assets across incompatible blockchains, mitigating risks from software forks or airdrops, and establishing custody of assets governed by smart contracts.

AML and sanctions compliance still apply

The regulators also remind banks that standard compliance obligations still apply in the digital asset space. Safekeeping activities must adhere to the Bank Secrecy Act (BSA), anti-money laundering (AML) rules, sanctions screening under OFAC, and the so-called Travel Rule, which requires identifying information to accompany certain transactions. 

The agencies acknowledge that the design of distributed ledger technology can complicate these requirements, particularly when transaction counterparties are pseudonymous. Nonetheless, banks are expected to maintain effective monitoring and reporting practices.

Banks cannot outsource accountability

Another major focus is third-party risk. Many banks looking to enter crypto custody do so through partnerships with specialised custodians or technology providers. But the agencies are unequivocal: outsourcing does not offload regulatory responsibility.

Banks are still accountable for sub-custodians’ key management practices, security standards, recordkeeping, and operational resilience.

 The statement advises that financial institutions conduct thorough due diligence and maintain clear contractual terms that specify responsibilities, especially in the event of key compromise, insolvency, or service disruption.

Internal audits and technical capacity under scrutiny

The guidance also emphasises the need for appropriate internal oversight and audit capability. Safekeeping programmes should be supported by experienced staff who understand the nuances of crypto-asset technology, as well as by independent internal or external audits that evaluate cryptographic key storage, asset transfer controls, and system integrity. 

Banks without adequate in-house expertise are encouraged to engage third-party experts to review systems and ensure controls meet supervisory expectations.

Throughout the document, the agencies refrain from discouraging banks from entering the crypto-asset custody market, but they do set a high bar. Providing safekeeping services requires significant investment in technology, cybersecurity infrastructure, legal analysis, and governance frameworks. 

With no margin for error when private keys are lost or compromised, the risks are material and unforgiving.

The timing of the statement is notable. While the document makes no mention of current legislation, it arrives just as Congress considers a trio of bills that could reshape digital asset policy in the US. 

“Banking organizations that provide or are considering providing safekeeping of such assets must do so in a safe and sound manner and in compliance with applicable laws and regulations,” the agencies wrote.

For banks weighing entry into the digital asset custody space, the guidance may serve less as a red light than as a flashing yellow: proceed, but only if your controls, capabilities and compliance posture are up to the task.

Subscribe to our newsletter