Blog
OCC Confirms Authority of Banks to be Custodians of Crypto Assets
Blog
July 28, 2020
On July 22, 2020, the Office of the Comptroller of the Currency (OCC), the primary regulator of national banks and federal savings associations, published an interpretive letter (#1170) clarifying that such depository institutions have the authority to hold cryptocurrency in custody, which primarily includes holding the unique cryptographic keys associated with cryptocurrency. The OCC letter is not limited to digital or virtual currencies, but also encompasses digital assets that are not broadly used as currencies.
KEY TAKEAWAYS:
- National banks are authorized to provide custody services for cryptocurrencies and other digital assets.
- Before doing so, the bank must develop sound risk management policies and should consult with its OCC supervisors.
Ownership of cryptocurrencies is represented by cryptographic keys. The OCC understood there to be growing demand for safe places to hold cryptographic keys and for related custody services. Such keys are irreplaceable, and if the keys are lost, owners of cryptocurrency may experience significant losses. Banks may be more secure than some cryptocurrency exchanges that have been vulnerable to hacking and theft. Further, investment advisers wishing to manage cryptocurrencies for customers may wish to use banks to hold custody of those assets.
Historically, banks have intermediated exchanges of payments, and have long (since at least 1872) provided safekeeping and custody services. The OCC recognizes a need for banks to leverage technology to provide traditional services. Twenty-two years ago, the OCC concluded that a national bank may escrow encryption keys used in connection with digital certificates, as that is the functional equivalent of physical safekeeping. The OCC concluded that providing custody services for cryptocurrencies is an extension of these “long standing authorities.”
A bank engaging in new activities always is expected to develop sound risk management practices and align the new activities with the bank’s business plan and strategies. Risk management systems should include policies, procedures, internal controls (safeguarding assets under custody, producing reliable financial reports, and compliance with laws and regulations), and management information systems that address the unique characteristics of cryptocurrencies. Custody agreements for cryptocurrency should clearly set forth the custodian’s duties, including such issues as the treatment of “forks” or splits in underlying code. The OCC further suggests that there should be dual controls, segregation of duties, and accounting controls that are tailored for cryptocurrencies. Of course, the custodied assets are to be segregated from the assets of the custodian. The custodied assets need to be kept under joint control to prevent loss, destruction, or misappropriation. Special audit procedures also may be necessary in the case of digital assets because procedures for verifying that a bank maintains proper access controls of cryptographic keys will be different than procedures for other assets. Risks associated with an individual account should be addressed prior to acceptance. The due diligence process should include a review for compliance with anti-money laundering rules. A national bank is advised to consult with its OCC supervisors before engaging in this activity.
This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.