The Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (Fed), and the Federal Deposit Insurance Corporation (FDIC) released a joint statement explaining how existing banking rules apply when institutions custody crypto for customers.
The guidance describes “safekeeping” as the act of holding a digital asset on a client’s behalf and stresses that it does not create new supervisory demands.
Risk control centers on cryptographic keys
Regulators instructed boards and executives to view crypto custody as a service that relies on exclusive control of private keys and other sensitive data. They note that a bank must prove no other party, even the customer, can unilaterally move an asset once it enters custody.
Management must assess how key-generation tools, wallet types, and contingency plans align with the institution’s broader control environment and ensure that staff possess the necessary technical skills to maintain these safeguards.
The statement also told banks to weigh the volatility of the asset class and the rapid pace of technological change when allocating capital and staffing for custody operations.
The agencies said sound programs include continuous reviews of each supported token’s software dependencies and ledger design to spot vulnerabilities that could threaten safety and soundness.
Compliance, governance, and third-party oversight
The three agencies reminded institutions that crypto custody must satisfy Bank Secrecy Act, anti-money laundering, counter-terrorism financing, and Office of Foreign Assets Control rules, including the “travel rule” that attaches identifying information to transfers.
Boards must involve the BSA officer and senior managers early in any custody rollout to gauge illicit-finance exposure and document controls.
Additionally, banks that delegate storage to sub-custodians remain responsible for the performance of those vendors. The guidance instructe
Go to Source to See Full Article
Author: Gino Matos