OCC Confirms the Authority of National Banks to Provide Cryptocurrency Custody Services

As with the custody of any other asset, the OCC acknowledges that the custody of cryptocurrency could entail a wide range of services, from pure safekeeping to non-fiduciary custody to fiduciary custody, depending on the bank’s expertise in the field, risk appetite, and business model. The most limited service, simple “safekeeping,” involves solely the basic service of holding an asset, in this case a cryptographic key, on behalf of a customer. “Custody” is a broader term that may involve a variety of services performed for customers in relation to items being held on behalf of the customer. In this regard, the Letter references some of the ancillary services that national banks and FSAs may provide in relation to the cryptocurrency that they keep under custody, such as “facilitating cryptocurrency and fiat currency exchange transactions, transaction settlement, trade execution, record keeping, valuation, tax services, reporting and other appropriate services.”³ However, note that the Letter reserves the question whether cryptocurrencies may be considered “exchange” under 12 U.S.C. §24 (seventh), which would be relevant to the authority of national banks and FSAs to buy and sell cryptocurrency as a principal activity.

The OCC also acknowledges that national banks and FSAs may conduct cryptocurrency custody services in both a fiduciary and a nonfiduciary capacity. While national banks without trust powers may engage in non-fiduciary trust activities, a national bank would require trust powers to engage in fiduciary custody activities and would then have the authority, and the obligation, to manage the cryptocurrency assets in the same way they would handle other financial instruments held in a fiduciary capacity. The OCC cautions, however, that given the evolving state of this sector, banks will need to keep abreast of best practice to satisfy their fiduciary responsibilities.

Of course the lawful provision of cryptocurrency custody services is subject to the effective management of risk and compliance with the applicable laws by the national banks and FSAs. The Letter lists the following measures that should be implemented to this end:

• design and adoption of appropriate risk management systems and control procedures in accordance with the institution’s business and OCC guidelines
• implementation of dual controls, segregation of duties, and accounting controls, which must be adapted to the specific nature of the assets under custody
• adoption of an effective information security infrastructure and controls to mitigate hacking, theft, and fraud
• implementation of a custodian’s acceptance process to assess (i) the risks associated with each individual account; (ii) the customer’s needs and the operational risks of the account; (iii) the capabilities of the bank to meet its custodian duties, and whether these are in compliance with the applicable law; and (iv) compliance with anti-money laundering rules.

The Letter also highlights that the different cryptocurrencies could be subject to different (OCC and non-OCC) requirements, and may have specific technical characteristics that might require risk management procedures to be tailored to that particular asset.

Finally, note that the Letter is driven by the growing demand for bank custody services from cryptocurrency users, including investment advisers, that want to protect their keys and/or the keys they manage for clients with the level of security and oversight that bank custodians historically have provided. Registered investment advisers are required to custody cryptocurrencies that are securities with a qualified custodian, subject to the Custody Rule.⁴ The Letter does not specifically mention broker-dealers, but does acknowledge that it is intended to apply to cryptocurrencies that may be considered securities under federal securities laws, and would be subject to regulations related to transactions in securities, as well as other custody principles.

Pursuant to SEC Rule 15c3-3(b)(1) (the Customer Protection Rule), a broker-dealer that is registered with the U.S. Securities and Exchange Commission (SEC) is required to promptly obtain, and thereafter maintain, the possession or “control” of all customers’ fully paid for (or excess margin) securities that the broker-dealer carries for the account of such customers. The Customer Protection Rule requires broker-dealers to maintain uncertificated digital asset securities in a good “control location” such as a “bank” under certain specified conditions, which includes certain national and state banks, as well as certain U.S. branches or agencies of foreign banks. On July 8, 2019, the SEC Division of Trading and Markets and the Financial Industry Regulatory Authority (FINRA) released a joint statement on the custody of digital asset securities by a broker-dealer that included an indication that banks may be viable good control locations.⁵ Even with the OCC’s oversight of this activity, broker-dealers will still need to seek approval from FINRA and the SEC to have a bank, including a national bank, be deemed to be a “good control location” in compliance with the Customer Protection Rule. 

In sum, the Letter is an important endorsement of the role of national banks and FSAs in the growing cryptocurrency space. Indeed, the OCC reiterates that risk management in this space should be tailored to the specifics of individual customer relationships and the national banks, and FSAs should not simply “declin[e] to provide banking services to entire categories of customers.”⁶ As a competitive matter, this means that national banks and FSAs will now be positioned to offer custody services similar to those currently being provided by a number of state-chartered entities and should be able to do so without concerns about the application of state licensing regimes. National banks and FSAs that wish to engage in cryptocurrency custody activities should consult with their OCC supervisors prior to implementation of such services.

¹ Letter, at 1.

² See, e.g., 12 CFR §§ 7.5002(a)(4), 7.5005(a); OCC Conditional Approval 267 (Jan. 12, 1998); OCC Conditional Approval 479 (July 27, 2001).

³ Letter at 8, n.39.

⁴ Investment Advisers Act Rule 206(4)-2.

⁵ Division of Trading and Markets, SEC Office of General Counsel, FINRA, Joint Staff Statement on Broker-Dealer Custody of Digital Asset Securities, July 8, 2019 (the Statement). The Statement represents views of the SEC and FINRA staffs and “is not a rule, regulation, guidance, or statement” of the SEC or FINRA and “does not alter or amend applicable law and has no legal force or effect.” A more detailed discussion of the application of SEC Rule 15c3-3 to a broker-dealer’s custody of digital assets may be found in Sidley’s Whitepaper, CUSTODY OF DIGITAL ASSET SECURITIES: A Proposal to Address Open Questions for Broker-Dealers Under the SEC’s Customer Protection Rule .

⁶ Letter at 1, n.2.