On May 7, 2025, the Workplace of the Comptroller of the Forex (“OCC”) issued a comply with up to its July 2020 Interpretative Letter 1170, which allowed nationwide banks to present cryptocurrency custody providers to their clients.[1] The May 7 letter (Interpretive Letter 1184)[2] additional clarified that banks should purchase and promote cryptocurrency on the custody buyer’s path and outsource cryptocurrency custody and execution providers.[3] But in distinction to the OCC’s clear affirmation that banks can present cryptocurrency custody providers, the steering for protected and sound practices for these providers stays murky.
Whereas the OCC first confirmed that banks might interact in cryptocurrency custody providers in July 2020, associated Comptroller’s Handbooks had been final up to date in 2019, earlier than the cryptocurrency modifications had been carried out.[4] Interpretive Letter 1170 offers essentially the most detailed steering for these providers, together with high-level necessities that banks ought to have an ample system to determine, measure, monitor, and management the dangers of custody providers. These embody the fundamentals comparable to twin controls, segregation of duties, accounting controls, a due diligence course of, and complying with anti-money laundering guidelines. As for accounting controls, the letter emphasised {that a} financial institution custodian’s accounting data and inner controls ought to make sure the property of every custody account are saved separate from the custodian’s property to make sure that an asset shouldn’t be misplaced, destroyed, or misappropriated by inner or exterior events. This high-level steering comes with the caveat that banks ought to tailor such controls within the context of digital custody. The letter additionally states that banks ought to perceive the totally different technical traits of cryptocurrencies and remember that every could possibly be topic to totally different OCC rules in addition to non-OCC rules. Interpretive Letter 1170 doesn’t, nevertheless, present additional steering on how the controls needs to be tailor-made or which rules banks should adjust to when appearing as a cryptocurrency custodian.
The Interagency Joint Assertion on Crypto-Asset Dangers to Banking Group issued on January 3, 2023, shed some gentle on the varieties of dangers related to cryptocurrency, together with fraud, volatility in cryptocurrency markets, decentralized networks, and authorized uncertainties associated to custody practices.[5] But that assertion doesn’t present additional steering on what protected and sound practices appropriately mitigate these dangers. The assertion mirrored that the businesses had been persevering with to construct information and experience by way of a case-by-case strategy—in different phrases, the businesses had been nonetheless within the strategy of setting requirements. To this point, no additional particulars on how the OCC would apply the standard security and soundness framework to cryptocurrency can be found.
Till OCC points extra detailed public steering, the most secure strategy to perceive the OCC’s view on protected and sound cryptocurrency custody practices is participating OCC straight. Starting these conversations early within the financial institution’s journey to set up its crypto-asset custody providers will finest place the financial institution to keep away from a probably expensive misunderstanding with its regulator. Whereas OCC rescinded Interpretive Letter 1179, which required banks to show their controls and search prior approval for its cryptocurrency enterprise,[6] OCC basically has been open to financial institution administration discussions. Though this strategy would possibly threat slowing down the method, it additionally mitigates the chance of surprising enforcement actions.
[1] OCC, Interpretive Letter #1170 (Jul. 2020), https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2020/int1170.pdf.
[2] OCC, Interpretive Letter #1184 (May 2025), https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2025/int1184.pdf.
[3] Whereas the OCC permits banks to outsource the service, financial institution administration will stay liable for assembly the necessities of security and soundness to the identical extent as if these actions had been carried out by the financial institution itself. See Fed. Rsrv. Sys., FDIC, OCC, Interagency Steerage on Third-Occasion Relationships: Threat Administration at 29 (June 6, 2023), https://occ.gov/news-issuances/news-releases/2023/nr-ia-2023-53a.pdf.
[4] See e.g., OCC, Comptroller’s Handbook – Financial institution Supervision Course of (Sep. 2019), https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/bank-supervision-process/index-bank-supervision-process.html; OCC, Comptroller’s Handbook –Asset Administration Operations and Controls (Jan. 2011), https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/asset-mgmt-ops-controls/index-asset-mgmt-ops-controls.html; OCC, Comptroller’s Handbook – Custody Service (Jan. 2002), https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/custody-services/index-custody-services.html.
[5] OCC, Joint Assertion on Crypto-Asset Dangers to Banking Organizations at 1 (Jan 23, 2023), https://occ.gov/news-issuances/news-releases/2023/nr-ia-2023-1a.pdf.
[6] OCC, Interpretive Letter #1179 (Nov 18, 2025), https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2021/int1179.pdf. (OCC required that banks keen to interact in cryptocurrency actions should search prior approval demonstrating that it has protected and sound controls over the actions. Banks weren’t allowed to interact in cryptocurrency actions till it acquired a non-objection letter).
