The OCC issued a letter last week stating that “a national bank [and a federal savings association] may provide . . . cryptocurrency custody services on behalf of customers, including by holding the unique cryptographic keys associated with cryptocurrency.” The letter also reaffirms the OCC’s position that “national banks [and federal savings associations] may provide permissible banking services to any lawful business they chose, including cryptocurrency business, so long as they effectively manage the risks and comply with applicable law.”
The key phrase above is “any lawful business.” When a financial institution deals with crypto clients, whether the institution is actually dealing with a customer engaged in lawful activity is literally the question. Oddly, therefore, the OCC’s letter is simultaneously groundbreaking and yet also nothing new.
The letter, which is 11 pages long, first describes cryptocurrencies and the related distributed ledger technology, and then explains at length that providing fiduciary and non-fiduciary customer services for cryptocurrency (here, “holding” a digital currency on behalf of a customer typically would mean taking possession of the cryptographic access keys to the cryptocurrency units) merely falls within banks’ longstanding authority to provide all forms of safekeeping and custody activities. The letter states that the OCC
. . . . recognizes that, as the financial markets become increasingly technological, there will likely be increasing need for banks and other service providers to leverage new technology and innovative ways to provide traditional services on behalf of customers. By providing such services, banks can continue to fulfill the financial intermediation function they have historically played in providing payment, loan and deposit services. Through intermediated exchanges of payments, banks facilitate the flow of funds within our economy and serve important financial risk management and other financial needs of bank customers.
So, although the medium of value may be “new fangled,” the role of banks here is nothing new.
However, the letter’s last paragraph is likely the most instructive. It makes the “suggestion” to confer first with the OCC before onboarding any cryptocurrency clients. The letter states:
Consistent with OCC regulations and guidance on custody activities, the risks associated with an individual account should be addressed prior to acceptance. A custodian’s acceptance process should provide an adequate review of the customer’s needs and wants, as well as the operational needs of the account. During the acceptance process, the custodian should also assess whether the contemplated duties are within it’s capabilities and are consistent with all applicable law.
Just in case the message is not sufficiently clear, the letter continues (with emphasis added):
Understanding the risks of cryptocurrency, the due diligence process should include a review for compliance with anti-money laundering rules. Banks should also have effective information security infrastructure and controls in place to mitigate hacking, theft, and fraud. Banks should also be aware that different cryptocurrencies may have different technical characteristics and may therefore require risk management procedures specific to that particular currency. Different cryptocurrencies may also be subject to different OCC regulation and guidance outside of the custody context, as well as non-OCC regulations. A national bank should consult with OCC supervisors as appropriate prior to engaging in cryptocurrency custody activities. The OCC will review these activities as part of its ordinary supervisory processes.
Translation: providing custody services for digital currency assets is not inherently wrong. However, a bank’s compliance obligations will still be significant, because financial institutions must satisfy their AML obligations when dealing with an industry, form of value, and customer base that, historically at least, often has resisted full transparency, the cornerstone value of any AML system.
Because it clearly signals the growing acceptance of digital currency by regulators and the global financial system, the letter is significant. But the letter also makes clear that traditional financial institutions must still be very careful when dealing with digital currency, which contains many potential AML traps in practice. “Not inherently wrong” does not equate to “safe at all times.”