
Crypto-Asset Safekeeping


On July 14, 2025, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the FDIC (“banking agencies”) released a statement regarding the provision of crypto-asset safekeeping services. The statement did not introduce any new supervisory expectations. Rather, it reaffirmed how existing laws and regulations apply to the safekeeping of crypto assets and emphasized the importance of prudent risk management for this activity.

The banking agencies’ statement was, coincidentally, issued just prior to the passage of the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act, which creates a federal regulatory framework for payment stablecoins intended to promote financial stability, protect consumers, support innovation, and reinforce the global role of the U.S. dollar in digital markets.

What Is Crypto-Asset Safekeeping?

Crypto-asset safekeeping refers to the custody service of holding a digital asset on a customer’s behalf in either a fiduciary or nonfiduciary capacity.1 The banking agencies noted that financial institutions may provide other crypto-asset-related custody services while safekeeping crypto assets.

When safekeeping a digital asset on behalf of a customer, the custodian agrees to control and keep safe the cryptographic keys associated with a customer’s crypto assets. As noted, safekeeping can be performed by the financial institution acting in either a fiduciary or nonfiduciary capacity depending on the nature of the contractual relationship between the financial institution and the customer. When safekeeping in a fiduciary capacity, financial institutions act as trustees in the agreement and are subject to compliance with strict federal and state regulations, e.g., 12 CFR 9 or 150. Although less burden is assumed by financial institutions acting under nonfiduciary agreements, cybersecurity and operational safeguards must still meet the high standards of the industry. To better understand the safekeeping of digital assets, we will take a deeper look into cryptographic keys and the storage methods of crypto assets.

A core principle of crypto assets is the use of public and private key pairs to transfer an asset between owners. A cryptographic private key is a randomly generated number that can be thought of as a highly complex password. The public key is derived from the private key in such a way that it is computationally infeasible to reverse the derivation; in other words, the private key cannot practically be recovered from the public key. Only the private key that exactly matches a public key can be used to access the assets associated with that public key.

Under safekeeping arrangements, financial institutions must maintain exclusive control over the customer’s private key, in the same manner as current regulations specify for any other safekept asset. This means the customer does not have direct access to the private key; rather, the customer must use custodian-managed interfaces and processes to access their crypto assets indirectly. Instead of initiating an immediate transfer of their crypto assets themselves, the customer makes a request for the custodian to move or sell the assets on their behalf, and the custodian then uses the private key to execute the transaction.

Another safekeeping practice is the predominant use of “cold wallets.” Cold wallets are physical wallets that are kept completely offline, whereas their counterparts, “hot wallets,” are constantly online and connected to the internet. The reasoning is straightforward: if cold wallets are less accessible, they are less likely to be stolen or hacked. The trade-off is a potential reduction in liquidity, since cold wallets are less convenient to access for timely transactions.
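To make the custody model above concrete, here is an added Go example (not code from the banking agencies’ statement or from this article) of the key-pair relationship and the request-then-sign flow: the custodian alone holds the private key, the customer submits a transfer request that carries no key material, and the network accepts the transaction only if the signature verifies against the public key that owns the address. The address scheme and the request format are assumptions made for illustration, not any real network’s format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Custodian holds the customer's private key; the key never leaves this struct.
type Custodian struct{ priv ed25519.PrivateKey }

// NewCustodian generates a random private key and returns the derived public key,
// which can be shared freely: it cannot be used to recover the private key.
func NewCustodian() (*Custodian, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Custodian{priv: priv}, pub, nil
}

// Address derives a wallet-style identifier from a public key. The scheme (hex of the
// first 8 bytes of SHA-256) is an assumption for this example, not a real network's.
func Address(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// TransferRequest is what a customer submits through the custodian's interface.
// It carries no key material: the customer asks, the custodian signs.
type TransferRequest struct {
	From, To string
	Amount   uint64
}

func (r TransferRequest) payload() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", r.From, r.To, r.Amount))
}

// Execute signs a request only if it spends from the address this key controls.
func (c *Custodian) Execute(req TransferRequest) ([]byte, bool) {
	if req.From != Address(c.priv.Public().(ed25519.PublicKey)) {
		return nil, false // not an address we custody: refuse rather than sign blindly
	}
	return ed25519.Sign(c.priv, req.payload()), true
}

// Verify is the network's check: the signature must come from the exact private key
// matching the public key that owns the spending address. Any other key fails.
func Verify(pub ed25519.PublicKey, req TransferRequest, sig []byte) bool {
	return Address(pub) == req.From && ed25519.Verify(pub, req.payload(), sig)
}
```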

What Risks Do Banks Need to Consider?

As financial institutions explore safekeeping, issuing, or supporting stablecoins or other digital assets, they must reassess traditional cybersecurity measures through the lens of digital assets. Security programs at financial institutions that are considering offering crypto-asset safekeeping or issuing stablecoins must account for blockchain-specific threats such as smart contract vulnerabilities, targeted phishing for private keys, and wallet exploitation. Crafting effective policies for digital asset security means clearly identifying where and how cryptographic keys are stored, who has access to them, and how these assets are monitored. The introduction of crypto-asset-related capabilities also requires evaluation of current identity verification procedures to help ensure customer protections remain robust in a more decentralized ecosystem.

Risk management programs and third-party vendor assessments must also evolve. Questionnaires and due diligence processes should be updated to capture risks specific to distributed ledgers and blockchain systems, as vendors may play key roles in wallet management, key custody, or smart contract operations. Many of these risk management practices already exist within organizations; the challenge lies in translating familiar control frameworks into this new context.

Organizations may need guidance to map known regulatory expectations to distributed ledgers or blockchain use cases. Financial regulators (including the banking agencies, SEC, CFTC, and Treasury) are expected to release updated guidelines to help institutions operationalize compliance in this space and offer more clarity on how traditional oversight mechanisms can be adapted; however, there is no known timeline for this information.

Financial regulators already assess the cybersecurity posture of regulated entities, and those existing controls can provide a baseline for crypto-asset-related risk management. These frameworks and guidelines will likely expand to include technical expectations around key management, wallet security, and blockchain network resilience. Financial institutions don’t need to reinvent their security programs, but they do need to extend them in a thoughtful manner to address more fully the realities of crypto-asset-related services and stablecoin issuance.

Legal concerns include fiduciary responsibility; loss liability; and the involvement of third parties to provide services in areas like hardware, software, and consulting. The use of third parties will require further internal controls such as vetting contractors and planning for operational disruptions. Since its origin, cryptocurrency has been seen as favorable for those in illicit businesses. Easy cross-border transactions benefit sanctioned individuals and entities as well as those in high-risk geographies. With crypto-specific Anti-Money Laundering / Countering the Financing of Terrorism (AML/CFT) guidance still under development, mistakes could lead to enforcement actions and criminal liability for the banks.

AML/CFT & Sanctions Considerations

Banks offering crypto-asset safekeeping must still adhere to Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and sanctions obligations, most notably a Customer Identification Program (CIP), ongoing transaction monitoring, and related Suspicious Activity Reporting, i.e., SAR filings. Additional requirements include understanding the nature and purpose of the customer relationship and related customer due diligence (CDD) and, where required by the bank’s risk-based compliance program, Enhanced Due Diligence (EDD).

Ongoing Office of Foreign Assets Control (OFAC) screening for sanctions obligations will be crucial, particularly when transactions involve foreign jurisdictions or counterparties who are difficult to identify through use of pseudonyms or otherwise. In establishing and maintaining procedures reasonably designed to assure and monitor compliance with BSA and sanctions requirements, financial institutions may struggle to comply with some or many of these requirements, especially in instances where compliance (say, CIP and related verification) requires reviewing certain identifying information related to a distributed ledger transaction, such as name and/or address. 

Financial institutions offering the types of services discussed in this article should conduct a thorough review of their existing financial crimes compliance infrastructure to identify and remediate gaps where needed, and should ensure that the board, senior management, the BSA officer, and impacted functions receive proper training to understand the risks presented by such activities. Besides AML/CFT compliance efforts, banks should review their third-party risk management (TPRM) infrastructure to understand the potential elevated risks posed by the use of sub-custodians and/or third-party technology providers.

In the context of issuing and safekeeping payment stablecoins, crucial AML/CFT and sanctions compliance requirements are not specifically defined in the GENIUS Act. These requirements will need to be determined at a future date through implementing regulations at both the state and federal levels (as a payment stablecoin issuer’s various regulatory obligations will be administered by its primary regulator). However, the GENIUS Act does indicate that stablecoin issuers will be “treated” as “financial institutions” under the BSA, and thus issuers should be prepared to comply with BSA and sanctions obligations, just as any bank, broker-dealer, mutual fund, or Money Services Business (MSB) would (to name a few). It is unclear at this time whether there will be a divergence in regulatory expectations at the state and federal levels or whether state regimes would have to comply with a “substantially similar” requirement. Potential stablecoin issuers could begin to conduct a review of existing compliance areas to identify any possible gaps in their critical risk and control frameworks, including:

  • CIP & CDD/EDD. In developing regulations, it is currently unclear whether Treasury’s Financial Crimes Enforcement Network (FinCEN) will introduce separate requirements for CIP/CDD/EDD. Stablecoin issuers are required by the GENIUS Act to have “effective” customer identification programs which include identifying and verifying stablecoin account holders and “high-value” transactions. Affected issuers should begin to consider whether this requirement applies to both customers and counterparties, which could require significant investment in compliance infrastructure to meet the possible standards, once finalized.
  • The BSA’s Pillars. Curiously, the GENIUS Act specifically mentions only two of the well-known five pillars of BSA compliance: a designated officer to supervise the compliance program, and a risk assessment.2 Although the remaining pillars (customer due diligence, training, independent testing, and a system of internal controls) were not specifically mentioned, we believe affected institutions should prepare to comply with all standard pillars, in addition to transaction monitoring and SAR filings, where required.
  • Technology. Stablecoin issuers are required to maintain technology which allows the issuer to comply with the terms and conditions of any “lawful order,” i.e., those orders which require a payment stablecoin issuer to seize, freeze, burn, or prevent the transfer of a stablecoin. Under this requirement, digital asset servicers cannot offer or sell stablecoin from a foreign jurisdiction unless that foreign issuer has the capability to comply with the terms and conditions of a lawful order. As a result, stablecoin participants wishing to conduct cross-border activity may have to consider additional compliance steps, including certification by the foreign issuer, third-party oversight, and other reassurances.
  • Sanctions. Payment stablecoin issuers are expected to maintain a written and effective OFAC screening program in line with the issuer’s risk profile—products, customers, geographies—just as any other financial institution. Issuers should consider modeling their OFAC compliance programs using the expectations set for banks by the appropriate supervisory regulators, as separate sanctions regulations are not expected for stablecoin issuers at this time.

Why Would Banks Offer Crypto-Asset Safekeeping?

With the increased adoption of crypto assets within the financial system, especially as an alternative asset class for investments, the demand for crypto-asset safekeeping and other crypto-asset custodial services is on the rise. Many financial institutions, including smaller banks, have noted that crypto asset safekeeping is a service in which customers are becoming increasingly interested. Offering this service has the potential to bring new customers to a bank, and it has the potential to keep existing customers, as customers diversify their investment holdings to include crypto assets. Additionally, having crypto client accounts prepares financial institutions for the expansion of additional crypto services, which may lead to more revenue streams.

Another development enticing banks to participate in crypto safekeeping came in January 2025 with the issuance of SEC Staff Accounting Bulletin (SAB) No. 122. SAB 122 rescinded SAB 121, which required banks to record customer-owned crypto assets as a balance sheet liability with a corresponding asset at fair value. Opponents of SAB 121 argued that the issuance would inflate the balance sheet of banks and trigger new regulatory requirements based on capital thresholds. SAB 122 adopted a contingency-based model, requiring recognition of a liability if the risk of loss with safeguarding crypto assets is probable using recognition and measurement requirements under U.S. GAAP (ASC 450-20, Loss Contingencies) or IFRS (if applicable). Application of this treatment is retrospective for annual periods beginning after December 15, 2024, but can be adopted earlier.

Why Would Customers Be Interested in Crypto Asset Safekeeping?

The incentive for customers to seek crypto-asset safekeeping is more straightforward. Customers may be interested in the security that comes from institutional-grade risk management and cybersecurity. In addition, as the asset class rises in relevance, it will be more common in trusts, estates, and retirement funds. When crypto assets are held offshore or in loosely regulated exchanges, customers may not benefit from the protections that banking laws may provide. The bank providing tax documents and performance reports could simplify the burden on the customer as well.

Timeline of Related Regulatory Releases

2020

• Jul: OCC Interpretive Letter 1170 → Banks can offer crypto custody (hold cryptographic keys)
• Oct: OCC Interpretive Letter 1172 → Banks may hold stablecoin reserves for issuers

2021

• Jan: OCC Interpretive Letter 1174 → Blockchain and stablecoin use permitted for payments

2022

• Mar: SEC SAB 121 → Custodians must record liabilities + assets for crypto safekeeping

2025

• Jan: SEC SAB 122 → Rescinds SAB 121; new loss assessment rules apply
• Mar: FDIC rescinds FIL-16-2022 → Banks no longer need pre-approval for crypto-related activities
• May: OCC Interpretive Letter 1184 → Crypto custody reaffirmed; outsourcing allowed with risk controls
• Jul: Joint OCC-Fed-FDIC Statement → Reaffirms banks may offer safekeeping; stresses risk and compliance

1 In the statement, the banking agencies defined a crypto asset as a digital asset that is implemented using cryptographic techniques.
2 Although risk assessments are not currently a compliance pillar, FinCEN proposed a rule in 2024 that would make risk assessments an additional pillar and establish associated standards, but it has not issued a final rule. Additionally, financial institutions are expected to have “risk-based” compliance programs, making effective risk assessments a regulatory expectation nonetheless.
