US: OCC issues groundbreaking interpretive letter on cryptocurrency custody services

Last week, the Office of the Comptroller of the Currency (OCC) issued an interpretive letter¹ concluding that national banks and federal savings associations have the authority to provide cryptocurrency custody services for customers. The letter, which uses the term "cryptocurrency" to encompass digital currencies, virtual currencies, and "digital assets that are not broadly used as currencies," is a strong show of support for responsible innovation within the national banking system and offers practical guidance for banks seeking a successful foray into crypto-related activities. Below are some of our key takeaways from the letter.

Recognition of growing demand for cryptocurrency custody services

The letter specifically acknowledges a growing demand for safekeeping of cryptographic keys and related custody services. The OCC cites several reasons for the demand, including (i) the irreplaceable nature of private keys and the risks associated with misplacing a key, (ii) the potential for banks to offer more secure storage services compared to existing options, noting the fact that some cryptocurrency exchanges have proven vulnerable to hacking and theft, and (iii) a potential appetite of investment advisers to manage cryptocurrencies on behalf of customers using banks as custodians.

Types of permissible services and custody models

The letter identifies several custody services that banks may provide with respect to cryptocurrency, including transaction settlement, trade execution, recordkeeping, valuation, tax services, reporting, and facilitation of a customer's cryptocurrency and fiat currency exchange transactions. The letter also expressly acknowledges that in most, if not all, circumstances, providing custody for cryptocurrency will not entail any physical possession of the cryptocurrency; rather, a bank "holding" a digital currency on behalf of a customer will actually be taking possession of the cryptographic access key to a particular unit of cryptocurrency. The letter indicates that various custody models may be appropriate, including models whereby a bank offers to store copies of customers' private keys while permitting the customers to retain their own copies, as well as a model whereby a bank permits customers to transfer their cryptocurrencies directly to control of the bank and thereby generate new private keys held by the bank on behalf of the customers.

Rationale for the OCC's position

In reaching its conclusion, the OCC reasoned that providing cryptocurrency custody services is a modern form of the traditional bank activities of safekeeping and custody services. The OCC explained that, because banks are authorized to perform safekeeping and custody services for physical assets, they are likewise permitted to provide those same services via electronic means. The OCC supported its decision by citing 12 C.F.R. § 7.5002, which authorizes national banks to perform through electronic means any activities that national banks are otherwise authorized to perform, and 12 C.F.R. § 155.200(a), which similarly authorizes federal savings associations to use electronic means to provide any service as part of an authorized activity, as well as a number of longstanding interpretive precedents.

Regulatory roadmap

General safety and soundness considerations

The OCC expects all of its regulated institutions to conduct their activities in a safe and sound manner and in compliance with all applicable laws, and the letter makes clear that banks engaging in cryptocurrency custody services would be subject to the same rigorous standards. For example, as with all other activities that national banks and federal savings associations conduct, the OCC would expect a bank that provides cryptocurrency custody services to:

• Have adequate systems in place to manage the risks of the activities, including policies, procedures, and management information systems specific to the bank's custody services;
• Maintain strong operational controls, including segregation of duties, dual control procedures, and accounting controls, to ensure that assets of each custody account are kept separate from the assets of the bank and are not lost, destroyed, or stolen by an internal or external party;
• Have an appropriate account acceptance process, including a process whereby the bank is able to address the risks associated with an individual account prior to acceptance, adequately review the customer's wants and operational needs of the account, and assess whether the contemplated duties are within the bank's capabilities and consistent with applicable law; and
• To the extent that the custody services represent a new, modified, or expanded service for a bank, develop and implement the services consistent with sound risk management practices, align them with the bank's overall business plan and strategy, and otherwise comply with applicable OCC guidance, including OCC Bulletin 2017-43, New, Modified, or Expanded Bank Products and Services: Risk Management Principles (Oct. 20, 2017).

Cryptocurrency-specific considerations

The letter also highlights unique issues and elevated risks associated with the provision of services in connection with cryptocurrencies. In light of these challenges, the letter indicates that the OCC would expect banks to:

• Consider whether certain controls need to be tailored for digital custody, including those with respect to settlement of transactions, physical access, and security servicing;
• Be aware that different cryptocurrencies may have different technical characteristics and therefore individualized risk management procedures;
• Consider whether a bank's custody agreement covers the treatment of "forks" or splits in the code underlying the cryptocurrency being held;
• Have effective information security infrastructure and controls in place to mitigate hacking, theft, and fraud;
• Review for compliance with anti-money laundering rules during the due diligence process;
• Conduct legal analysis to ensure that the crypto-related activities are conducted consistent with all applicable laws; and
• Consider the need for specialized audit procedures to ensure that the bank's controls are effective for digital custody activities, such as specific procedures for verifying that the bank maintains access controls for cryptographic keys.

The letter states that banks "should consult with OCC supervisors as appropriate" prior to engaging in cryptocurrency custody activities and that the OCC will review the activities as part of its ordinary supervisory processes.

Fiduciary considerations

The letter explicitly encompasses custody services performed by banks in either a fiduciary or non-fiduciary capacity. It confirms that a bank holding cryptocurrencies in a fiduciary capacity—such as a trustee, an executor of a will, an administrator of an estate, a receiver, or as an investment advisor—would have the authority to manage them in the same way as other fiduciary assets. It also affirms that banks conducting cryptocurrency custody activities in a fiduciary capacity would need to conduct the activities in compliance with 12 C.F.R. Part 9 (national banks) or 12 C.F.R. Part 150 (federal savings associations), applicable state law, and the governing trust instrument. Notably, the OCC cautions banks managing cryptocurrency as fiduciaries to "keep abreast of best practices" given the continued evolution of the cryptocurrency sector and the heightened standards of care with which fiduciaries must comply.

Securities considerations

The letter suggests that some of the services that banks may provide with respect to cryptocurrencies may be akin to services that banks currently provide in connection with securities, such as transaction settlement and security servicing, and that banks should take into account similar considerations. The letter also cautions that certain cryptocurrencies may be considered securities for purposes of federal securities laws administered by the U.S. Securities and Exchange Commission (SEC) as well as the OCC's regulations on recordkeeping and confirmation requirements for securities transactions, which are set forth in 12 C.F.R. Part 12.

We note, however, that the letter is silent on whether bank custody of cryptocurrencies that are considered to be securities might satisfy applicable custodial requirements for digital asset securities under federal securities laws. For example, the letter does not address whether banks that custody such securities could be considered to be good control locations for purposes of the SEC's "Customer Protection Rule," Rule 15c3-3 (17 C.F.R. § 240.15c3-3), under the Securities Exchange Act of 1934. More specifically, the letter does not address custody-related concerns with respect to digital asset securities raised by staff of the SEC's Division of Trading and Markets in a joint statement with the Financial Industry Regulatory Authority's (FINRA) Office of General Counsel last year on broker-dealer custody of digital asset securities (Joint Statement).² While the maintenance of securities in the "custody or control" of a bank is generally treated as a good control location for purposes of the Customer Protection Rule, the Joint Statement asserted that a broker-dealer may face challenges in determining that a third-party custodian, such as a bank, maintains custody of digital asset securities in compliance with the Customer Protection Rule. In particular, the Joint Statement questioned whether a custodian's maintenance of a private key to a digital asset security would be sufficient evidence of "exclusive control" of the digital asset security to satisfy the Customer Protection Rule and also expressed concern about the possible inability of a custodian to reverse or cancel mistaken or unauthorized transactions.³

The concerns raised in the Joint Statement reflect the SEC's traditional focus on ensuring that customer securities are readily available in the event of a broker-dealer's bankruptcy, while in contrast, the letter's discussion reflects the OCC's focus on supporting innovation that promotes a strong federal banking system. For example, the letter indicates that the OCC is not especially concerned about whether a bank custodian always has exclusive control of a private key—indeed, the letter explicitly contemplates a bank custody model whereby a bank offers to store a copy of a customer's private key while permitting the customer to retain a copy—whereas the Joint Statement signals that non-exclusive control of a private key may be untenable for the SEC. Further, the letter implies that the OCC believes that it may be possible for banks to adequately manage the risks associated with mistaken or unauthorized cryptocurrency transfers, whereas the Joint Statement suggests that the SEC may view those risks as being too great to be sufficiently mitigated. Perhaps the letter will catalyze interagency discussion of issues regarding bank custody of cryptocurrencies and prompt the SEC to reconsider its position.

Looking forward

Although the letter confirms that national banks and federal savings associations have the requisite legal authority to provide cryptocurrency custody services to customers, time will tell the extent to which individual institutions are able to demonstrate to the OCC an ability to effectively manage the attendant risks and comply with all applicable laws. Time will also tell whether the controls described in the letter will alleviate concerns expressed by the SEC's staff in the Joint Statement, with the result that certain bank custody models may be deemed to satisfy custodial requirements under the Customer Protection Rule and other federal securities laws, rules, and regulations.

Based on the letter's line of reasoning, it seems likely that the OCC would find that banks are also authorized to conduct other types of crypto-related activities involving traditional banking services, such as lending and remittance of cryptocurrencies, which would offer banks additional opportunities to serve consumers and businesses. We also note that the letter is among several actions that the agency has taken to modernize its rules and support bank digital activities since Brian Brooks became Acting Comptroller in May. Mr. Brooks, the former Chief Legal Officer of the cryptocurrency exchange Coinbase Global, Inc., has been a vocal proponent of expanding the scope and relevance of the national charter, and we expect him to continue being a strong advocate for responsible innovation within the national banking system.