OCC Issues Guidance on Safekeeping and Custody Services for Cryptocurrency

It has been extremely difficult for crypto-focused companies and investors to secure baking services for crypto assets. In fact, there are very few institutions that provide banking services to the crypto industry. Many have argued that this situation has slowed the growth of the crypto industry, increased the risks companies in the industry face, and amplified fraud concerns with respect to crypto transactions from investors. The OCC's Interpretive Letter sets the stage for banks to enter the crypto custody markets confident that they do so with a stamp of regulatory approval.

The Interpretive Letter specifically sets forth the OCC's position that national banks and federal savings associations are authorized to provide cryptocurrency custody services for their clients. Such services could include holding the unique cryptographic keys associated with cryptocurrencies on behalf of their customers and providing related custody services. This interpretation of a bank's authority to hold crypto assets was designed to allow banks to meet the growing market demand for safe spaces (such as banks) to hold the irreplaceable cryptographic necessary to transact cryptocurrency. In addition, the Interpretive Letter reiterates that these institutions may also provide permitted banking services to cryptocurrency businesses, so long as they effectively manage the risks and comply with applicable laws (such as anti-money laundering requirements).

To that end, the OCC lists various procedures that banks should implement if they plan to engage in cryptocurrency custody services, including:

• develop and implement new activities consistent with sound risk management practices and align them with the bank's overall business plans and strategies;
   
• have adequate systems in place to identify, measure, monitor and control the risks of its custody services, including policies, procedures, internal controls and management information systems governing custody services;
   
• include dual controls, segregation of duties and accounting controls to ensure that an asset is not lost, destroyed or misappropriated;
   
• consider developing specialized audit controls for digital custody activities;
   
• assess and address the risks associated with an individual account prior to acceptance, including determining the needs of the customer/account and whether the contemplated duties are within the bank's capabilities and consistent with applicable law, and reviewing compliance with anti-money laundering rules;
   
• maintain an effective information security infrastructure and controls to mitigate hacking, theft and fraud; and
   
• consult with OCC supervisors as appropriate prior to engaging in cryptocurrency custody activities (the OCC will review these activities as part of its ordinary supervisory processes).

With this Interpretive Letter, the OCC has promulgated a fairly progressive view of traditional banking services in increasingly digitized financial markets. In addition to providing an overview of how crypto assets work, the OCC specifically recognized that technology will further infuse the financial markets. As a result, banks and other service providers will need to leverage new technology and innovation to provide traditional services on behalf of customers.

It remains to be seen whether this guidance will be enough to push many financial institutions into providing these services. Indeed, skeptics believe that the Interpretive Letter does not go far enough. Some have argued that additional steps need to be taken. These steps include formalizing consistent terminology and regulatory treatment of these assets and transactions by different regulators and across jurisdictions. In any event, the Interpretive Letter represents a step toward normalization of cryptocurrency as a factor in the financial markets.

If you need assistance with developing your institution's policies, procedures or practices surrounding cryptocurrencies, or if you have any other data protection, privacy or cybersecurity needs, please contact the authors of this article, or any member of Baker Donelson's Data Protection, Privacy, and Cybersecurity team.