National Banks Allowed to Provide Cryptocurrency Services

Methods of Providing Cryptocurrency Custody Services

The OCC’s letter lists three methods a bank can utilize to provide cryptocurrency custody services depending on the bank’s expertise, risk appetite, and business model. First, a bank can take possession of the cryptographic access keys to a customer’s cryptocurrency. Second, a bank may offer to store copies of the customer’s cryptographic access keys while the customer retains their own copy. Third, a bank may permit a customer to transfer his or her cryptocurrencies directly to the control of the bank, thereby generating new cryptographic access keys which would be held by the institution on behalf of the customer. A bank acting as a fiduciary must ensure its custody model complies with requirements stipulated in 12 C.F.R. 9.13 and 12 C.F.R. 150.230-250.

Fiduciary and non-fiduciary services

According to the OCC, national banks acting as non-fiduciary cryptocurrency custodians are authorized to do so as part of the incidental powers related to the business of banking. See, e.g., Conditional Approval 267 (agency services such as custody that do not involve fiduciary powers are performed by banks as part of their incidental powers); OCC Interpretive Letter 1078 (April 19, 2007) (authority of national banks to engage in custody activities derives from general business of banking, and from incidental powers language in 12 U.S.C. § 24 (Seventh)). The OCC also stated that national banks are authorized to act as fiduciary cryptocurrency custodians from their authority to manage other assets they hold as fiduciaries. See 12 U.S.C. § 92(a). If a national bank with trust powers conducts cryptocurrency custody services in a fiduciary capacity, it must comply with 12 C.F.R. Part 8, state law, and other applicable laws. Additionally, federal saving associations are granted these same capacities if they comply with 12 C.F.R. Part 150.

Recommended Procedures

The letter ends by noting procedures national banks should implement to engage in cryptocurrency custody services. In sum, a national bank should:

• Develop and implement sound risk management practices and align them with the bank’s overall business plans and strategies as set forth in OCC guidance;
• Maintain adequate systems in place to identify, measure, monitor, and control the risks of the bank’s custody services. Such systems should include policies, procedures, effective internal controls, and management information systems governing such services;
• Include dual controls, segregation of duties, and accounting controls that ensure assets of each custody account are kept separate from the assets of the custodian maintained under joint control. Such measures should ensure that an asset is not lost, destroyed or misappropriated by internal or external parties;
• Create specialized audit procedures that may be necessary to ensure the bank’s controls are effective for digital custody activities;
• Conduct legal analysis to ensure the activities are executed consistent with all applicable laws;
• Address risks associated with an individual account prior to accepting a request to provide cryptocurrency custody services. The acceptance process should provide an adequate review of the customer’s needs and wants, and the operational needs of the account;
• Assess whether the duties contemplated in a request to provide cryptocurrency custody services are within the bank’s capabilities and are consistent with all applicable laws;
• Investigate compliance with anti-money laundering rules during the due diligence process;
• Create or maintain effective information security infrastructure to mitigate hacking, theft, and fraud;
• Understand the risk management procedures and OCC and non-OCC regulations and guidelines that govern different cryptocurrencies;
• Consult with OCC supervisors as appropriate before engaging in cryptocurrency custody activities.