Agencies Release Joint Statement on Crypto-Asset Safekeeping Risks

Adam Witmer
Regulatory Update

On July 14, 2025, the OCC, the Federal Reserve Board, and the FDIC issued a joint statement in their continued efforts to provide clarity on banks’ engagement in crypto-asset-related activities. The joint statement, which focuses on safekeeping crypto-assets, discusses how existing laws, regulations, and risk-management principles apply to the activity and does not create any new supervisory expectations.

The key points of the joint statement are as follows:

  • Banking organizations should consider potential risks prior to offering crypto-asset safekeeping. A banking organization that is contemplating providing safekeeping for crypto-assets should consider the evolving nature of the crypto-asset market, including the technology underlying the crypto-assets, and implement a risk governance framework that appropriately adapts to relevant risks.

  • One of the primary risks of crypto-asset safekeeping is the possible compromise or loss of cryptographic keys or other sensitive information that could result in the loss of crypto-assets or the unauthorized transfer of the crypto-assets out of the banking organization’s control. Thus, effective safekeeping involves maintaining control of cryptographic keys and related sensitive information. A banking organization’s cybersecurity environment should be a key focus of risk management.

  • Effective risk management also includes appropriate processes for determining the specific crypto-assets for which the banking organization will provide safekeeping and the  the maintenance of an effective control environment appropriate for the type of crypto-asset.

  • Crypto-asset safekeeping relationships are subject to applicable BSA/AML/CFT and and OFAC requirements. Before offering crypto-asset safekeeping, a banking organization should appropriately involve its BSA officer, board of directors (or designated committee), and senior management in assessing potential money laundering, terrorist financing, and other illicit financial activity risks.

  • When sub-custodians or other service providers are contracted for safekeeping crypto-assets, third-party risk management processes should be implemented, commensurate with the risk posed by the activity performed.

  • A banking organization’s audit program should provide appropriate coverage over the banking organization’s crypto-asset safekeeping activities, including third-party risk management as applicable. 

The agencies’ press release can be found here.

Read the full joint statement here.

Adam Witmer
Regulatory Update
Adam Witmer

Adam Witmer is a speaker, author, and founder of the Compliance Cohort. Adam has taught hundreds of seminars and training sessions to thousands of bankers throughout the United States and teaches on all areas of regulatory compliance. Adam has written five e-books that he never published, hit a grizzly bear while driving in a National Park, and is an award winning photographer and musician (though he no longer takes photos nor plays any instruments). In his spare time, Adam can be found kayaking on the lake, doing taekwondo with his kids, working on his (project) house, or spending time with his family.

Website

OCC Removes References to Disparate Impact from the Comptroller’s Handbook

HUD and OMB Streamline Home Appraisal Process