U.S. Banking Authorities Issue Joint Statement Clarifying Cryptocurrency Custody Practice
**U.S. Regulators Offer Guidance on Crypto Asset Custody for Banks**
In a significant move towards integrating digital assets into the traditional banking system, the Office of the Comptroller of the Currency (OCC), the Federal Reserve, and the Federal Deposit Insurance Corporation (FDIC) have jointly issued guidance on July 15, 2025, providing clarity for banks engaging in the custody of crypto assets such as Bitcoin and Ethereum [1][3][5].
The guidance does not introduce new regulations, but rather reaffirms that banks must apply existing risk management, legal, and compliance frameworks to crypto custody activities [1][5]. Banks are expected to adhere to the same rigorous standards applied to traditional assets, including fiduciary responsibilities and compliance with federal regulations such as those in Title 12 of the Code of Federal Regulations [5].
Robust risk management is emphasized, with banks required to implement controls for cybersecurity, operational resilience, anti-money laundering (AML), and compliance with the Bank Secrecy Act (BSA) [1]. Banks must conduct thorough risk assessments before entering the crypto safekeeping space, given the volatility and unique risks associated with digital assets [5].
Crypto custody is defined as the safekeeping of crypto assets for a customer’s benefit, and may include additional related services. The guidance clarifies that banks can offer these services in both fiduciary and non-fiduciary capacities, but must manage the assets in accordance with existing laws governing such arrangements [5].
A critical requirement is that banks must maintain full control over cryptographic keys associated with the crypto assets they custody. Customers—and any third parties—must not have access to these keys while the assets are under the bank’s custody, placing full liability on the bank [1].
The guidance underscores that banks bear full liability for the secure handling of crypto assets, including protecting against theft, loss, or unauthorized access, reinforcing the necessity for stringent operational controls [1]. Banks remain responsible for activities performed by any sub-custodian they engage.
The joint statement is seen as a step toward greater institutional adoption of crypto assets by providing regulatory clarity and encouraging safe, sound, and compliant crypto custody services [3]. The OCC’s Acting Comptroller, Michael J. Hsu, noted that this guidance enables banks to engage in crypto custody in a “safe and sound manner” [3].
Key aspects of the guidance include: - Regulatory Scope: OCC, Federal Reserve, FDIC joint guidance—no new rules, just clarification [1][5] - Risk Management: Apply and enhance existing frameworks; robust cybersecurity, AML, BSA compliance [1][5] - Custody Definition: Safekeeping of crypto assets for customer benefit; may include additional services [5] - Control of Keys: Banks must maintain full, exclusive control of cryptographic keys [1] - Liability: Banks bear full liability for security and loss prevention [1] - Institutional Impact: Guidance aims to foster safe institutional crypto adoption [3]
This guidance is a milestone in the formal integration of crypto assets into the U.S. banking system, balancing innovation with rigorous risk management and regulatory compliance [1][3][5]. Banks offering these services must adhere to relevant legal standards, including those outlined in Title 12 of the Code of Federal Regulations (CFR). The regulators' statement defines "safekeeping" as the act of holding an asset for a customer's benefit. The guidance encourages banks to have knowledgeable staff for crypto-asset safekeeping.
Banks engaged in the custody of cryptocurrencies such as Bitcoin and Ethereum must adhere to existing risk management, legal, and compliance frameworks, just as they would do with traditional assets, as stipulated in the July 15, 2025 joint guidance from the Office of the Comptroller of the Currency (OCC), the Federal Reserve, and the Federal Deposit Insurance Corporation (FDIC). Furthermore, banks are expected to implement robust risk management controls, including cybersecurity measures, compliance with anti-money laundering (AML) regulations, and the Bank Secrecy Act (BSA), as they explore the cryptocurrency business within the realm of technology.
