Until the Letter was published, federal banking regulators had not issued formal guidance on the custody of digital assets. The lack of guidance by federal regulators, including the OCC, has been a hindrance to the development of the cryptocurrency industry. While prior to the Letter, the OCC had not explicitly prohibited national banks and federal savings associations from providing cryptocurrency custody services, the Letter provides clarity to federally chartered institutions to move forward with such services that, to date, have been provided only by state-charted trust companies. In removing the ambiguity with respect to custody services, the Letter emphasizes the continuing importance of national banks to the development of digital asset businesses.
Background
Cryptocurrencies are digital assets designed to act as a medium of exchange.3 There is no physical form of cryptocurrency – the assets are created and stored entirely in an electronic format. Cryptocurrencies rely on two underlying technologies to be exchanged between owners. The first is a “key,” which is a digital code created using advanced cryptography that generally cannot be altered without permission by the creator. These keys are used to protect the information relating to the cryptocurrency, and are stored in computer programs called “wallets.” Wallets can be connected to the internet (referred to as a “hot” wallet) or stored on a physical device completely offline (referred to as a “cold” wallet). If these keys or wallets are lost, the holder of the associated cryptocurrency generally will be unable to access its cryptocurrency and therefore will suffer a loss of such cryptocurrency. Thus, the Letter states, there is significant demand for a safe and secure way to store these keys. Because cryptocurrencies have no physical form, a bank “holding” cryptocurrency for a customer likely would be storing the wallet in which the cryptographic keys are held.
The second underlying technology on which cryptocurrencies rely is “distributed ledger technology,” which is a shared electronic database where information is recorded and stored across multiple computers. Blockchain is perhaps the most well-known example of distributed ledger technology. Information cannot be added to the blockchain unless a consensus is reached by the various computers hosting the ledger that information is valid, and tampering with the blockchain on one computer will not affect it on other computers. These two features of the blockchain are crucial security measures to ensure consumers have faith in the safety and value of their cryptocurrency.
The Letter notes that, since the first widely adopted cryptocurrency, Bitcoin, was created in 2008, the cryptocurrency industry has grown rapidly and become increasingly accepted by individuals, the private sector, and state and federal regulators. According to the Letter, 40 million private individuals own cryptocurrencies, thousands of merchants worldwide accept Bitcoin as a method of payment, and a majority of states have passed laws or issued regulations regarding cryptocurrencies.
Custody and Safekeeping of Cryptocurrency
The Letter discusses the authority of a national bank or federal savings association to offer custody and safekeeping services relating to cryptocurrencies. National banks may engage only in certain permissible activities as authorized by the OCC. The Letter notes that the OCC has long assessed permissible banking activities under the “transparency doctrine,” which provides that “a national bank may perform, provide, or deliver through electronic means and facilities any activities, function, product, or service that it is otherwise authorized to perform, provide, or deliver.”4 In that vein, the Letter notes that national banks have the authority to provide safekeeping and custody services “for a wide variety of customer assets, including both physical objects and electronic means.” The Letter concludes that “providing cryptocurrency custody services, including holding the unique cryptographic keys associated with cryptocurrency, is a modern form of these traditional bank activities.”
The Letter describes safekeeping services in the context of cryptocurrencies as when a bank holds the unique cryptographic keys or wallets associated with a cryptocurrency, either digitally (in the case of a “hot wallet”) or physically (in the case of a “cold wallet”). The Letter likens these activities to other traditional banking services. For example, holding a hard drive containing a customer’s “cold wallet” is akin to the bank holding a customer’s gold or jewelry in a safe deposit box. In the case of a “hot wallet,” the Letter notes that the OCC concluded in 1998 that a national bank may escrow an encryption key used in connection with a digital certificate. Moreover, national banks may provide secure web-based document storage to customers for files containing sensitive or confidential personal or business information.
In addition to safekeeping activities, the Letter describes other traditional custodial services that national banks may provide. A bank providing custody services for securities, for example, may “settle[] trades, invest[] cash balances as directed, collect[] income, process[] corporate actions, price[] securities positions, and provide[] recordkeeping and reporting services.” These services translate to the cryptocurrency space as well. Accordingly, the Letter states that, with respect to cryptocurrency, custody services also may include “facilitating the customer’s cryptocurrency and fiat currency exchange transactions, transaction settlement, trade execution, record keeping, valuation, tax services, reporting, or other appropriate services.”
While the Letter does not specifically address digital assets that are securities under the federal securities laws, the transparency doctrine would reasonably apply on account of the fact that a digital asset security is merely a security that is recorded electronically. Therefore, this would permit investment advisers to custody digital asset securities with national banks consistent with Rule 206(4)-2 under the Investment Advisers Act of 1940.
Legal and Risk-Management Considerations
The Letter notes that a bank or federal savings association engaging in new activities (e.g., acting as custodian of cryptocurrency) must implement those new services in a safe and sound manner. As with any new activity, cryptocurrency-related services must align with the bank’s overall business plan and strategy, and the bank must develop and implement a cryptocurrency custody services program consistent with sound risk-management practices. The bank also must understand the various cryptocurrencies and their differences, which may require different risk-management procedures and may be subject to different laws, regulations and guidance (some of which may be beyond those applicable to OCC-chartered institutions). In addition to typical policies and procedures relating to the safeguarding of assets under custody, the Letter notes that specialized audit procedures may be necessary to assess the effectiveness of a bank’s controls regarding its custody of digital assets. Given the risks inherent in the transfer and storage of cryptocurrencies, banks also should review their procedures for compliance with anti-money laundering laws, and should ensure they have sufficient information-security infrastructure to mitigate the risk of hacking, theft or fraud.
The Letter notes that banks may hold cryptocurrencies in either a fiduciary or non-fiduciary capacity. A bank wishing to act as custodian of cryptocurrency in a non-fiduciary capacity does not need trust powers to custody digital assets. When a bank holds cryptocurrency in a fiduciary capacity (e.g., when it acts as a trustee, executor of a will, or as an investment adviser), the bank must continually ensure that it is aware of best practices regarding custody of cryptocurrency to meet its heightened standards of care under applicable law. The bank’s activities also must comply with 12 CFR Part 9 (relating to the fiduciary activities of national banks) and applicable state law.
Conclusion
Cryptocurrency remains a rapidly evolving industry. As it gains widespread acceptance, banks may wish to engage in cryptocurrency custody services for their customers. The OCC’s Letter confirms that nationally chartered banks and federal savings associations have the authority under federal banking laws to engage in these activities as a natural extension of their traditional banking business. As with any new industry, however, providing services relating to cryptocurrency is not without risk. Banks may offer differing levels of services relating to cryptocurrency – from simple safekeeping activities to full fiduciary custody arrangements – depending on their expertise and appetite for risk. Banks wishing to engage in cryptocurrency custody also should be aware of other OCC regulations and relevant state law.
Footnotes
1) OCC, Authority of a National Bank to Provide Cryptocurrency Custody Services for Customers, Interpretive Letter #1170 (July 2020).
2) The OCC refers interchangeably to cryptocurrencies, digital currencies and virtual currencies.
3) While the Letter focuses on digital assets that are meant to act as a medium of exchange, the OCC noted that the Letter also would extend to digital assets that are not widely used as a medium of exchange.
4) See 12 C.F.R. 7.5002(a).