In a coordinated effort to provide clarity on banks' involvement in the crypto-asset sector, three U.S. federal agencies have jointly issued a statement outlining key risk-management considerations for banks contemplating offering crypto custody services. The document, released by the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System, serves as a reminder of existing obligations and emphasizes the need for strong risk controls when handling digital assets on behalf of customers.
The statement notes that although it introduces no new supervisory expectations, it provides a framework for banks considering entering the crypto space. It underscores that banks should approach crypto custody with the same level of diligence and attention to risk as they would with any new product or service.
According to the document titled “Crypto-Asset Safekeeping by Banking Organizations,” a bank's risk assessment should encompass several critical areas. These include the ability to understand the complex and evolving nature of crypto assets, the potential for liability if crypto assets are lost, and the legal and compliance responsibilities associated with the Bank Secrecy Act and Anti-Money Laundering regulations. The agencies emphasize that providing crypto-asset safekeeping services may demand significant resources and attention.
The agencies highlight the importance of robust risk management and compliance frameworks for banks offering crypto custody services. This includes implementing stringent security protocols, conducting thorough due diligence on customers, and maintaining transparent records of all transactions. They also mandate that banks maintain adequate insurance coverage to protect against potential losses from crypto theft or hacking.
A key aspect of the guidance concerns the custody of cryptographic keys. The regulators state that if a bank holds private cryptographic keys on behalf of customers, it carries full liability. To maintain full control, no customer should have access to those keys. This approach ensures accountability and avoids shared control models that could compromise security standards.
The statement also addresses the use of third-party vendors for custody services. Banks may use these vendors, but this does not diminish their responsibility. Institutions must conduct thorough due diligence and continuously monitor vendors, ensuring they meet the same risk and compliance standards, including key security, anti-money laundering, sanctions compliance, and market risk exposure.
Furthermore, the agencies stress that safekeeping Bitcoin and other crypto-assets, primarily through the control of customers' cryptographic keys, necessitates strong cybersecurity, operational expertise, and full legal compliance. Banks offering these services must be prepared to protect against risks such as key loss, cyberattacks, and unauthorized asset transfers. They also note that crypto safekeeping may require specialized staff, secure infrastructure, and constant monitoring of evolving technologies.
The joint statement confirms that banks can act as custodians of crypto assets in both fiduciary and non-fiduciary roles. However, institutions must apply the same regulatory frameworks used for traditional financial products, reinforcing risk management, legal compliance, and operational accountability across all crypto services.
This guidance arrives amidst a broader shift in Washington's approach to crypto. Federal agencies have recently issued a series of clarifications regarding how banks can engage with crypto markets. For instance, the OCC has stated that U.S. banks can buy and sell digital assets for their customers. The FDIC has also removed its previous requirement for banks to notify the agency before engaging in crypto services. The Federal Reserve has eliminated "reputational risk" from its supervision framework for banks, a move that could ease pressure on lenders to avoid crypto clients.