- The OCC’s letter confirms that national banks can buy and sell crypto assets held in custody at customers’ direction, with compliance to laws.
- Banks are permitted to outsource crypto-asset custody and execution services, provided they maintain strong risk management practices with third parties.
- The OCC clarifies that crypto-asset custody services are a modern form of traditional banking, with banks remaining responsible for security and compliance.
The Office of the Comptroller of the Currency has made it clear that national banks are allowed to participate in crypto-asset transactions at the direction of their customers and outsource those services to third parties under suitable risk management controls.
OCC Clarifies Banks’ Permitted Cryptocurrency Custodial Activities
In Interpretive Letter 1184, the OCC clarified that national banks and federal savings associations may engage in the purchase and sale of crypto assets that are held in custody, as long as they do so on a customer’s orders and pursuant to legal agreements. Permissible crypto functions—such as custody and execution—may also be outsourced by these banks to third parties.
This regulation is a followup to earlier OCC letters, namely 1170 and 1183. Interpretive Letter 1170 had earlier laid out the banks’ authority to provide crypto custody, both fiduciary and non-fiduciary, and had classified crypto custody as a new form of equivalent traditional bank custody services that have long been established under banking law.
The OCC made clear that sub-custodian duties could be applied to third parties, as long as third parties adopt stringent internal controls and risk management guidelines.
Crypto-asset custody services
Large financial institutions have a clear road map under federal bank regulation for crypto-asset custody services that could encompass record-keeping, asset pricing, tax reporting, and settlement of transactions. Fiat and exchange transactions involving crypto exchange and trade execution on behalf of customers may also be facilitated by banks.
Sub-custodians could be hired to provide the services as long as banks guarantee that they work within safe and sound levels, the OCC states. Any third-party arrangement should comprise proper control testing, oversight, and verification of compliance.
This framework allows banks to broaden their services without waiving their regulatory obligations. Banks are still responsible for upholding security and legal standards throughout the asset management cycle, even while using third parties.
Risk Management and Regulatory Compliance Requirements
While outsourcing is permitted, the OCC emphasized the necessity of stringent third-party risk management. Due diligence, evaluation of operating reliability, and regular monitoring of crypto-related activity service providers are required by banks.
When banks serve in a fiduciary capacity when dealing with crypto assets, they are required to comply with specific federal regulations under 12 C.F.R. part 9 or 150. These regulations cover fiduciary activity, standards of investments, and the compliance guidelines for federally regulated institutions.
All crypto-asset custody operations, the OCC restated, are to be carried out with a view to being compatible with national laws and regulations governing banks. This encompasses ensuring adherence to customer agreements and that the overall strategy is safe and legal at each step of the way.
