US Regulators Issue Guidance for Banks Custodying Crypto Assets

The Office of the Comptroller of the Currency, Federal Reserve and Federal Deposit Insurance Corporation have confirmed that banks are permitted to custody crypto assets on behalf of clients.

In a joint statement, the regulators said banks can offer crypto safekeeping services, but must manage risks carefully and comply with all relevant laws and regulations.

For example, the regulators told banks to treat crypto custody as a service defined by exclusive control over private keys and sensitive data. They emphasize that banks must ensure no one, not even the customer, can move an asset without proper authorization once it is held in custody.

They also advised banks to consider the volatility of crypto assets and the fast pace of technological change when deciding how to allocate capital and staff for custody operations.

In addition, they recommend that bank regularly review each supported token’s software and ledger design to identify any vulnerabilities that could put safety and stability at risk.

Alongside risk management, the regulators also reminded banks that crypto custody must comply with the Bank Secrecy Act, anti-money laundering, counter-terrorism financing rules, and the Office of Foreign Assets Control regulations. This includes the “travel rule,” which requires attaching identifying information to transfers.

Banks that use sub-custodians for storage remain fully responsible for their performance. Therefore, the guidance urges firms to carefully review a sub-custodian’s key management, asset segregation, and insolvency protections before signing any agreements.

Additionally, institutions must establish clear notification procedures for any breaches or operational issues. Even banks that store assets in-house but rely on third-party software must apply the same rigorous vendor risk controls.