The letter addresses the following notable topics:
- Scope of permissible custodial activities. The letter primarily addresses the activity of a bank holding cryptographic keys associated with a customer’s cryptocurrency assets. It notes that digital currencies exist only on the blockchain or a distributed ledger, meaning that no party has physical possession of the asset. As such, a bank “holding” digital currencies on behalf of a customer will actually be taking possession of the cryptographic access keys to a unit of cryptocurrency, either through “hot” wallets (i.e., internet-connected devices) or “cold” wallets (i.e., non-internet connected devices such as paper or hardware wallets that can be stored in a physical vault). The letter also states that a bank may provide “related” custodial services, and in a footnote, lists the examples of facilitating a customer’s cryptocurrency and fiat currency exchange transactions, transaction settlement, trade execution, recording keeping, valuation, tax services, reporting, or other appropriate services.
- Types of charters covered. The letter describes the authority of a bank to engage in cryptocurrency custody services as being within both the business of banking and incidental powers (with respect to non-fiduciary custody) and fiduciary powers (with respect to fiduciary-related custody). Accordingly, the letter concludes that providing cryptocurrency custody services is permissible for a bank acting in both non-fiduciary and fiduciary capacities, meaning that a national trust company or trust-only federal savings association should likewise have authority to provide such services to fiduciary clients pursuant to its fiduciary powers. The letter notes that a bank would be subject to the OCC’s fiduciary regulations when providing cryptocurrency custody services in a fiduciary capacity.
- Risk management processes and controls. The OCC expects a bank to conduct its activities pursuant to appropriate risk management processes and controls. For example, the letter directs banks to OCC Bulletin 2017-43, which addresses risk management principles in the context of offering new, modified, or expanded products and services.
- Use of custody agreements. The letter notes that custody agreements are an important risk management tool and should clearly establish the custodian’s duties and responsibilities. Additionally, the handling, treatment, and servicing of cryptocurrencies held in custody may raise unique issues that should be addressed in the agreement, such as the treatment of “forks” or splits in the code underlying the cryptocurrency being held.
- Use of sub-custodians. The letter also permits a bank acting as custodian to engage a sub-custodian for cryptocurrency it holds on behalf of customers, but states that the custodian bank should develop processes to ensure that the sub-custodian’s operations have proper internal controls to protect the customer’s cryptocurrency.
- Supervisory consultation. The letter does not require a bank to make a filing with the OCC to engage in cryptocurrency custody activities, but states that a national bank should consult with OCC supervisors “as appropriate” prior to engaging in the activities.
- Other laws and regulations. The letter notes that cryptocurrencies that are considered “securities” under the federal securities laws may be subject to the OCC’s regulations governing recordkeeping and confirmation requirements for securities transactions, 12 C.F.R. Part 12, as well as the federal securities laws.