On July 14, 2025, the Federal Reserve issued a joint statement in coordination with the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC). It outlined key risk-management principles for banking organizations engaged in safekeeping crypto-assets on behalf of customers. The advisory aims to provide clarity for banks exploring or already offering crypto custody services.
Scope of the Guidance
The interagency statement focuses on safekeeping activities involving crypto-assets. It addresses banks that serve as fiduciaries as well as banks that offer custodial services under a non-fiduciary framework. Regulators emphasized that the statement does not introduce new requirements; it reiterates the importance of applying existing laws and supervisory expectations to crypto-related activities.
For banks acting in a fiduciary capacity, the safekeeping function is regulated under 12 CFR Part 9 or Part 150. It is also subject to applicable state fiduciary laws. Banks offering non-fiduciary custodial services must structure agreements that clearly define the scope of obligations and legal responsibilities.
Core Risk-Management Principles
The agencies outlined several key considerations for institutions seeking to custody digital assets:
- Risk Assessment: Banking organizations must conduct comprehensive risk assessments prior to engaging in crypto safekeeping. These should account for legal, technological, financial, and operational risks.
- Corporate Governance: Boards and senior management are expected to understand the nature and complexity of crypto-assets. They must also implement risk controls accordingly.
- Key Management: The security and recovery of cryptographic keys are paramount. Banks must adopt industry standards and have contingency plans for key loss or compromise.
- Cybersecurity: Given the digital and often decentralized nature of crypto-assets, banks must ensure their cybersecurity controls are robust. These controls should be continuously tested and tailored to the custody environment.
- Asset Due Diligence: Institutions should conduct technical and legal analysis of the crypto-assets they intend to safeguard. They need to evaluate protocol risks, ledger functionality, and token behavior.
Third-Party Risk Oversight
The statement also stresses that banks remain fully responsible for any services outsourced to third-party vendors or sub-custodians. Institutions must perform thorough due diligence and should regularly monitor outsourced providers. They also need to implement contractual protections for clients, including asset segregation and incident response protocols.
Controls and Audit
Banks must develop internal controls and audit programs specific to crypto-asset safekeeping. This includes:
- Verifying cryptographic key procedures
- Reviewing systems and transfer controls
- Ensuring staff have appropriate expertise
- Engaging independent or internal auditors with crypto-specific knowledge
A Conservative but Open Approach
The joint statement signals that federal regulators are cautiously supportive of crypto-related innovation. This support is contingent on existing risk, governance, and consumer protection frameworks being rigorously applied. For banks, the message is clear: crypto custody is permissible, but only with the right safeguards in place.
Staying informed and compliant in this evolving landscape is more critical than ever. Whether you are an investor, entrepreneur, or business involved in cryptocurrency, our team is here. We provide the legal counsel needed to navigate these exciting developments. If you believe we can assist, schedule a consultation here.
