Banking organizations should ensure appropriate risk management, but regulators are skeptical of certain crypto activities as principal.

By Arthur S. Long, Pia Naib, and Deric Behar

On January 3, 2023, the Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the agencies) issued a concise joint statement on crypto-asset risks to banking organizations.

Relatedly, on January 7, 2023, Mark Van Der Weide, the Federal Reserve general counsel, and Benjamin McDonough, the OCC general counsel, delivered remarks to the Banking Law Committee of the American Bar Association’s Business Law Section, reiterating that their agencies were staying the course on their “careful and cautious” approach to crypto.

With the safety and soundness of the US banking system in mind, the statement addresses the various risks that the agencies view as being associated with crypto-assets and crypto-asset sector participants. According to the statement, “banking organizations should ensure that crypto-asset-related activities can be performed in a safe and sound manner, are legally permissible, and comply with applicable laws and regulations, including those designed to protect consumers.”

Banking organizations should be aware of (and when applicable, mitigate) the following risks associated with crypto-assets:

  • Fraud and scams
  • Custody practices, redemptions, and ownership rights
  • Inaccurate or misleading representations and disclosures
  • Misrepresentations regarding FDIC coverage
  • Unfair, deceptive, or abusive practices
  • Volatility and deposit flows
  • Run risks associated with stablecoins
  • Contagion risks associated with interconnectivity among market participants
  • Concentration risks due to overexposure or interconnected exposures
  • Inadequate risk management and governance practices
  • Lack of governance mechanisms for open, public, or decentralized networks
  • Lack of clearly established roles, responsibilities, and liabilities
  • Cybersecurity, hacking, technology, and service outages

The agencies expect that such risks should be mitigated or controlled, and should be prevented from spilling over into the banking system. Appropriate risk management is prescribed for banking organizations to identify and manage cryptoasset risks (including board oversight, policies, procedures, risk assessments, controls, gates and guardrails, and monitoring).

Of particular importance to token issuers, custodians, and decentralized finance protocols, the statement asserts that “issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe and sound banking practices.” Mr. Van Der Weide reiterated this statement in his remarks, while noting that the Federal Reserve was still considering non-principal activities, such as acting as a finder between customers and crypto firms.

In his remarks, Mr. McDonough stated that the OCC’s Semiannual Risk Perspective report for the fall of 2022 had accurately predicted three key risks that had recently emerged:  that crypto risk management practices lacked maturity, that stablecoins were still susceptible to run risk, and that there was a high risk of contagion among industry participants.

The agencies’ statement is very much aligned with that of the New York State Department of Financial Services (NYDFS) in its recent guidance to covered institutions engaging in (or seeking to engage in) virtual currency-related activity (see this Latham post for more information).

The agencies note that they will continue to monitor for current and emerging crypto-asset risks on the one hand, and banking sector engagement and exposure on the other.