Weekly Focus

  • The OCC clarifies that banks can provide crypto custody services.
  • The FDIC seeks comments on developing a certification process for new technologies to be used by banks.
  • The UK looks at restricting crypto promotions.
  • A group of crypto exchanges is working together to comply with FATF travel rule standards.

US Developments

OCC Issues Interpretation that Banks Can Offer Crypto Custody Services

On July 22, 2020, the Office of the Comptroller of the Currency (OCC) issued an interpretive letter clarifying that national banks and federal savings associations have the authority to provide cryptocurrency custody services for customers. The OCC concludes that providing cryptocurrency custody services, including holding the unique cryptographic keys associated with cryptocurrency, is “a modern form of traditional bank activities.”

The unnamed bank seeking the interpretive letter proposed to offer cryptocurrency custody services to its customers as part of its existing custody business. In making its determination, the OCC notes that banks have long provided safekeeping and custody services for customer assets in a fiduciary and non-fiduciary capacity, and that providing these services for cryptocurrency assets fits with the historical practice of providing custody services for any asset so long as the bank has the capability to custody the asset and the asset is not illegal in the jurisdiction where the asset is held.

In prior interpretations, the OCC concluded that national banks may provide electronic safekeeping services, such as providing (i) escrow services for encryption keys used in connection with digital certificates or (ii) secure web-based document storage, retrieval and collaboration for documents and files. The OCC codified these interpretive rulings in 12 CFR §§ 7.5002(a)(4) and 7.5005(a).

The OCC understands that providing custody for cryptocurrencies is different than traditional custody services as it involves taking possession of the customer’s cryptographic access keys. However, the OCC concludes, providing custody of these keys is the same as providing custody services via electronic means for other assets. Just as there are different models for offering traditional custody services, banks may offer different methods of providing custody for cryptographic access keys depending on the bank’s expertise, risk appetite, and business models, with models ranging from (i) storing a customer’s private keys—with the customer retaining his/her own copy—to (ii) transferring the cryptocurrencies directly to the control of the bank—resulting in the generation of new private keys that the institution would hold on the customer’s behalf. If banks are acting as fiduciaries for the cryptocurrency, then the banks will also need to ensure that their custody models comply with additional regulatory requirements. In keeping with its discussion of the breadth of banks’ powers to provide custody services, the OCC also states that banks could engage a sub-custodian provided the sub-custodian’s operations have proper internal controls.

Finally, the OCC provides that banks may offer additional services to customers in relation to the cryptocurrency being custodied, including facilitating the customer’s exchange transactions, transaction settlement, trade execution, recordkeeping, valuation, tax services, reporting, or other appropriate services. In providing custody services or any other cryptocurrency services, banks should develop and implement these activities in accordance with OCC guidance. Further, banks should conduct due diligence on individual accounts to evaluate the risks, just as banks are required to do for any other type of account. The acceptance process for a new cryptocurrency custodial account should include a review for compliance with anti-money laundering rules, and a review of the customer’s needs and wants, as well as the operational needs of the account. The bank should also consider whether it is capable of providing the custody services requested operationally and under applicable law. In addition, different types of cryptocurrencies may have different technical characteristics that change the risk assessment for the custody services and may be subject to different OCC regulations and guidance. As such, consultations with OCC supervisors will be beneficial for any bank engaging in cryptocurrency custody activities.

FDIC Seeks Input on New Technology Certification

As part of its FDiTech initiative, the Federal Deposit Insurance Corporation (FDIC) announced a notice and request for information (RFI) seeking input on a possible public/private partnership to set standards and create a voluntary certification program to promote the adoption of innovative technologies at FDIC-supervised financial institutions, particularly community banks. The RFI seeks input about how to use standards and certification to help financial institutions better assess the risks of fintech companies as third-party providers of technology and services to the financial institutions.

In the RFI, the FDIC describes how a fintech could build a product like a credit underwriting model and build it to meet certain standards or obtain certification under the proposed FDIC technology program. Then, financial institutions could speed up their third-party due diligence by relying on the fintech’s certification of its credit underwriting model to quickly onboard the third-party service into the financial institution.

The FDIC aims to promote the efficient and effective adoption of technology without increasing costs or regulatory burden. In addition to the proposed technology certification program, the FDIC seeks input on what other alternatives the FDIC should consider to support financial institutions’ efforts to efficiently and effectively assess risk when evaluating third-party providers.

International Developments

UK Seeking Comment on Restrictions of Crypto Promotions

On July 20, 2020, the UK’s HM Treasury published a consultation on cryptoasset promotions, proposing to expand the UK’s financial promotion regulatory regime to include unregulated cryptoassets. HM Treasury is not implementing this expanded regime currently but is seeking comments on its proposed reforms.

HM Treasury proposes adding unregulated cryptoassets that are both fungible and transferable to the list of controlled investments and amending the list of controlled activities under the 2001 order specifying regulated financial services. This means unauthorized companies advertising cryptoasset investments must get an authorized company’s approval of their communication. The Financial Conduct Authority (FCA) could, then, regulate the content of cryptoasset promotions and ultimately fine companies for serious misconduct resulting in misleading or fraudulent promotions.

This consultation comes alongside other government efforts to mitigate the risks in cryptoasset investments as more UK retail investors own cryptoassets. Specifically, HM Treasury is also seeking comments on a new regulatory gateway that would complement the expanded financial promotion regime. Under the new gateway, authorized companies seeking to approve financial promotions of unauthorized companies would need the FCA’s consent first.

Both consultations will remain open for comments until October 25, 2020.

Industry Developments

Crypto Exchanges Coordinate to Comply with FATF Travel Rule

In June 2019, the Financial Action Task Force (“FATF”) published standards for crypto exchanges that included a “travel rule” designed to hinder money laundering and terrorist activity. This rule, which has long applied to traditional banks, requires crypto exchanges to share identifying information about customers who move $1,000 or more between them.

Some crypto exchanges published their own solutions for how to comply with the FATF’s travel rule last fall. However, a working group of top cryptocurrency exchanges, including Coinbase and BitGo, recently confirmed they are working together on a framework for complying with the mandate.

The current plan is to create a centralized virtual “bulletin board” where group members can list addresses. Once another member claims an address, the two will create a peer-to-peer connection for sharing the required information. Sending information directly from one crypto exchange to another prevents consumers’ identifying information from being stored in a central location and, ideally, helps protect the information from hackers.

The working group intends to release a white paper detailing its proposed solution in the upcoming weeks.