The last few months have been a very exciting time for the banking and cryptocurrency nexus.
In the marketplace, JP Morgan Chase announced their banking services to popular crypto exchanges Coinbase and Gemini. On the regulatory front, the Office of the Comptroller of Currency (OCC) is making headlines with its discussions around cryptocurrency.
The impetus of this advancement seems to be Brian Brooks taking the helm of the OCC when he was appointed acting comptroller in May 2020. However, if you know his background, this advancement comes as no surprise. Before coming to the OCC, Brian Brooks was the chief legal officer at Coinbase. Before that, he spent time as an early stage investor and advisor for a number of innovate fintech startups. He’s been quoted saying that innovation is a personal passion of his and has said that “crypto is the most perfect intersection of tech and finance.”.
The OCC published an interpretive letter in July that does two important things for crypto and banking:
1. It authorizes banks to provide crypto custody services and hold customers digital assets
2. Reaffirms the OCC’s position that national banks may provide permissible banking services to cryptocurrency businesses.
While some banks, like Silvergate and Chase have already been engaging in crypto banking activities, this is a significant development in the crypto space because it formally states the OCC’s acceptance of banks having crypto relationships. Additionally, it outlines specific, authorized banking activities including crypto safekeeping and custody services in both a non-fiduciary and fiduciary capacity.
One such custody service mentioned in the letter is the safekeeping of the unique keys associated with cryptocurrency.
The OCC’s position is that safekeeping and custody activities have been traditional banking activities, and while historically this has been of physical assets, these services should extend to electronic assets and digital activities. From a fiduciary standpoint, the letter authorizes “national banks holding cryptocurrencies in a fiduciary capacity … have the authority to manage them in the same way banks can manage other assets they hold as fiduciaries.”
These crypto custody services have typically been provided by exchanges or other companies that have obtained state banking licenses as trust banks, because many financial institutions have shied away due to the lack of regulatory guidance and the scrutiny that make come with crypto banking activities. The OCC hopes to change that through this letter, as it states that “banks are encouraged to manage customer relationships and mitigate risks based on customer relationships rather than decline to provide banking service to entire categories of customers.”
While this letter is a major step for crypto and banking, the notion of conducting these activities in a safe and sound manner should not be taken lightly.
Managing customer relationships and mitigating risk is a significant point of emphasis throughout the letter. As crypto brings a unique set of risks, legacy processes, procedures and controls need to be tailored in the context of digital assets and digital custody. Whether that’s simply taking on a customer relationship or engaging in custody activities, there are a number of factors that need to be considered.
Here are three different areas of consideration when discussing cryptocurrency banking activities:
- Assessing crypto risk: Crypto brings its own set of unique risks and having a full understanding of these is vital to your success in this space. Once you understand the risks associated with this asset class, you, as an executive team, need to make sure these crypto activities are within your risk appetite. If so, then a comprehensive, documented understanding of these risks by incorporation into your risk assessment is crucial. The risk assessment should identify the specific products, services, consumers, entities and geographic locations unique to your financial institution — and crypto needs to be incorporated in this. For an institution that maintains crypto relationships and engages in crypto activities, the risk assessment should clearly define the inherent risk, the controls implemented by the institution to mitigate the risk, and the resulting residual risk. This risk assessment will then drive your overall BSA/AML compliance program to address each of those identified risks. Developing an effective risk assessment for your institution can be challenging. If assistance is needed, consult resources who are familiar with the requirements and expectations.
- BSA/AML compliance: Your BSA/AML compliance program will need to be specific to address the risks of crypto identified by your risk assessment. Similar to your risk assessment, your customers and their activities bring about specific risks. Due diligence should be performed based on the specific customer and their needs and customer specific risks should be identified. These types of procedures and internal controls should be designed to manage crypto risks and ensure program continuity even when there are changes in key personnel. Ongoing independent testing, risk-based transaction testing, and training will be vital to ensure you are adhering to your institution’s compliance program to remain compliant. These acceptance and ongoing monitoring activities are unique to the space and there are companies out there that can help you manage your crypto risk through AML compliance software that helps automate the detection and investigation of higher risk transactions.
- Crypto banking activities: Beyond incorporating crypto into your risk assessment and developing crypto compliance procedures, actual crypto banking activities, like safekeeping and custody, bring their own set of requirements. If you already perform these safekeeping and custody activities over tangible assets, then the policies and procedures, controls and audit requirements are nothing new to you. However, safekeeping or custody of digital assets will be new, and you can’t apply these same activities for physical assets to crypto-assets. Activities and controls need to be tailored to digital assets and the unique risks they bring. The OCC points out that “specialized audit procedures may be necessary to ensure the banks’ controls are effective for digital asset custody.” These controls and related audits should have an emphasis on IT controls and review of management information systems based on the risks crypto-assets bring. Should you choose to go a partnership route to offer these services vendor management review will be crucial. For example, a SOC report is one such example custodians currently in the space use to highlight sound controls and should be something you look when choosing a service provider in this space. Strong security and systems controls will be vital and it is crucial organizations new to the digital asset scene consult with advisors familiar with these areas to ensure activities and controls are incorporated to address the appropriate risks.
Crypto has entered the banking world and regardless of your understanding or risk appetite for crypto, it’s important to stay informed of the events happening in the space. While there are risks you must understand and hurdles to clear, they are not impossible tasks. The industry continues to mature and pursuing crypto relationships and crypto banking activities can open up a new customer base, services and opportunities which can positively impact your bottom line.
How Wipfli can help
Our team of professionals is ahead of the curve on cryptocurrency and the regulations that go along with it. Our FinTech team can help you navigate the complex maze of competition, technology, financial reporting and tax, regulatory and operational environments. See more on our web page.