The Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (Fed) and the Federal Deposit Insurance Corporation (FDIC) have released a joint statement explaining how existing bank rules apply when institutions hold crypto in custody for customers.
The guidance describes "custody" as holding a digital asset on behalf of a customer and emphasizes that it does not create new supervisory requirements.
Risk management centers on cryptographic keys
Regulators instructed boards and managers to view crypto custody as a service that depends on exclusive control over private keys and other sensitive data. They note that a bank should be able to demonstrate that no other party, even the customer, can unilaterally move an asset once it enters custody.
Management must assess how key generation tools, wallet types and contingency plans fit the institution's broader control environment and ensure that staff have the technical skills needed to maintain these safeguards.
The statement also told banks to weigh the volatility of the asset class and the rapid pace of technological change when allocating capital and staff to custody activities.
The agencies said that sound programs include continuous reviews of the software dependencies of every supported token and of the ledger design, in order to identify vulnerabilities that could threaten safety and reliability.
Compliance, governance and supervision of third parties
The three agencies reminded institutions that crypto custody must comply with the Bank Secrecy Act, anti-money laundering practices, countering the financing of terrorism and Office of Foreign Assets Control rules, including the "travel rule" that attaches identifying information to transfers.
Boards must involve the BSA officer and senior managers early in every custody rollout to gauge exposure to illicit finance and to document controls.
In addition, banks that delegate storage to sub-custodians remain responsible for the performance of those providers. The guidance instructed firms to examine a sub-custodian's key management practices, segregation of assets and insolvency protections before contracts are signed.
Firms must also build in notification requirements for any breach or operational event. Institutions that keep assets in-house but buy third-party software must apply the same vendor-risk disciplines.
Finally, the agencies asked auditors to expand their testing to cover crypto-specific elements, such as key generation, wallet security and on-chain settlement.
If internal teams lack the expertise, management must hire independent specialists to validate safeguards and report directly to the audit committee.
The joint statement concluded that existing rules on fiduciary activities, custody and information security already provide a framework for banks that want to safeguard crypto.
However, those banks must prove that they can control keys, manage vendors and meet federal financial crime statutes in real time.