Over the last couple of years, the Office of the Comptroller of the Currency (OCC) has been busy issuing interpretive letters regarding the authority of a national bank and a federal savings association (FSA) to conduct various activities involving virtual currency (alternatively referred to as “cryptocurrency”). The OCC’s guidance has consistently advised national banks and FSAs that they must conduct these activities in a safe and sound manner and manage and mitigate the risks inherent in these new technologies. While Interpretive Letters 1170, 1172, and 1174 advise on the legal permissibility of national banks and FSAs to engage in certain activities, the OCC has taken the position in Interpretive Letter 1179 that prior to engaging in these activities, national banks and FSAs must notify the OCC and receive a letter of non-objection for the proposed activity.
Interpretive Letter #1170
In Interpretive Letter #1170, the OCC affirmed a national bank or FSA may provide cryptocurrency custody services on behalf of customers. Custody services may include holding the unique cryptographic keys associated with cryptocurrency. The OCC expects a national bank or FSA planning to engage in new activities to develop and implement cryptocurrency custody services activities consistent with sound risk management practices and align them with the bank’s overall business plans and strategies.
To conduct these cryptocurrency custody services in a safe and sound manner, the bank must have adequate systems to identify, measure, monitor, and control the risks of its custody services. The OCC expects such systems to include policies, procedures, internal controls, and management information systems governing custody services. When looking at internal controls, an examiner looks at how the bank safeguards assets under custody, produces reliable financial reports, and complies with laws and regulations. The OCC expects custody activities to include dual control, segregation of duties, and accounting controls. The bank’s accounting records and internal controls should ensure that assets of each custody account are segregated from the custodian’s assets and maintained under joint control to ensure that an asset is not lost, destroyed, or misappropriated by internal or external parties. Other considerations include settlement of transactions, physical access controls, and security servicing. The bank may need to tailor such controls in the context of digital custody.
Banks should also have adequate information security infrastructure and controls to mitigate hacking, theft, and fraud. Banks should be aware that different cryptocurrencies may have different technical characteristics and require risk management procedures specific to that particular currency. Banks offering cryptocurrency custody services should develop specialized audit procedures to ensure the bank’s controls are adequate for digital custody activities. The OCC provides the example that procedures for verifying that a bank maintains access controls for a cryptographic key will differ from those used for physical assets. The OCC will review these activities as part of its ordinary supervisory processes.
Different cryptocurrencies may also be subject to other OCC regulations and guidance outside of the custody context, as well as non-OCC regulations. A national bank should consult with OCC supervisors as appropriate before engaging in cryptocurrency custody activities. Banks seeking to engage in these activities should also conduct legal analysis to ensure they perform the activities consistent with all applicable laws. The bank’s due diligence process should include a review for compliance with anti-money laundering rules.
The OCC stresses that banks should assess and address the risks associated with an individual account before acceptance. A custodian’s acceptance process should include an adequate review of the customer’s needs and wants, as well as the operational needs of the account to ensure the bank can perform the contemplated duties.
Interpretive Letter #1172
In Interpretive Letter #1172, the OCC affirmed the ability of a national bank or FSA to accept deposits that serve as reserves for certain “stablecoins.” The interpretive letter is limited in scope to stablecoins backed on a 1:1 basis by a single fiat currency where the bank verifies at least daily that reserve account balances are greater than or equal to the number of the issuer’s outstanding stablecoins. A bank providing services supporting a stablecoin project must comply with all applicable laws and regulations and ensure that it has instituted appropriate controls and conducted sufficient due diligence commensurate with the risks associated with maintaining a relationship with a stablecoin issuer.
As with any deposit product, a national bank or FSA that accepts reserve accounts should be aware of the laws and regulations relating to deposit insurance coverage, including deposit insurance limits and the requirements for deposit insurance to “pass through” to an underlying depositor, if applicable. Stablecoin reserve accounts could be structured as deposits of the stablecoin issuer or as deposits of the individual stablecoin holder, assuming the individual stablecoin holder meets the requirements for pass-through insurance. Accordingly, a national bank or FSA should provide accurate and appropriate disclosures regarding deposit insurance coverage.
A national bank or FSA must ensure that it establishes and maintains procedures to comply with the Bank Secrecy Act (BSA) and its implementing regulations, including but not limited to the customer due diligence requirements under the BSA and the customer identification requirements under section 326 of the USA PATRIOT Act. A national bank or FSA must also identify and verify the beneficial owners of legal entity customers opening accounts.
Reserves associated with stablecoins could entail significant liquidity risks. The OCC expects all banks to manage liquidity risk with a sophistication equal to the risks undertaken and complexity of exposures. A bank may also enter into appropriate contractual agreements with a stablecoin issuer governing the terms and conditions of the services that the bank provides to the issuer. Such contracts may include contractual restrictions or requirements concerning the assets held in the reserve account. The agreement may also specify the parties’ respective responsibilities, such as the steps the parties will take to ensure the appropriate party will be deemed the issuer or obligor of the stablecoin. For example, the bank should have appropriate agreements with an issuer to verify and ensure that the deposit balances held by the bank for the issuer are always equal to or greater than the number of outstanding stablecoins issued by the issuer. Such agreements should include mechanisms to allow the bank to verify the number of outstanding stablecoins regularly. In the analogous context of prepaid cards distributed and sold by third-party program managers, interagency guidance specifically contemplates banks would enter into contracts with third-party program managers permitting banks to audit the third-party program managers.
Interpretive Letter #1174
In Interpretive Letter #1174, the OCC affirmed the ability of a national bank or FSA to use new technologies, including independent node verification networks (INVNs) and related stablecoins, to perform bank-permissible functions, such as payment activities. The OCC reasoned that as banks are “the recognized intermediaries between other, non-bank participants in the financial markets and the payment systems, banks possess the expertise to facilitate the exchange of payments and securities between, and settle transactions for, parties and to manage their own intermediation position.” As such, “a bank may validate, store, and record payments transactions by serving as a node on an INVN. Likewise, a bank may use INVNs and related stablecoins to carry out other permissible payment activities. A bank must conduct these activities consistent with applicable law and safe and sound banking practices.”
The OCC cited the statement by the President’s Working Group on Financial Markets to remind banks that if they are participating in stablecoin arrangements, they “should have the capability to obtain and verify the identity of all transacting parties, including for those using unhosted wallets…. The stablecoin arrangement should have appropriate systems, controls, and practices in place to manage these risks, including to safeguard reserve assets. Strong reserve management practices include ensuring a 1:1 reserve ratio and adequate financial resources to absorb losses and meet liquidity needs.” In addition to understanding the risks generally associated with virtual currencies, banks must have the technical know-how to manage the risks in a safe and sound manner and conduct the activities in compliance with applicable law.
The OCC also highlighted the heightened BSA/AML compliance risk. The OCC expects banks that “engage in providing cryptocurrency services to customers to adapt and expand their BSA/AML compliance programs to assure compliance with the reporting and recordkeeping requirements of the BSA and to address the particular risks of cryptocurrency transactions.”
Interpretive Letter #1179
In its previous interpretive letters, the OCC has stated that certain activities surrounding cryptocurrency may be legally permissible for banks to engage in “provided the bank can demonstrate, to the satisfaction of its supervisory office, that it has controls in place to conduct the activity in a safe and sound manner.” In Interpretive Letter #1179, the OCC has clarified that to demonstrate this, the bank must “notify its supervisory office, in writing, of its intention to engage in any of the activities addressed in the interpretive letters.” The OCC will then provide a letter of non-objection if it approves the activity.
Prior to seeking supervisory non-objection, the bank should consider all applicable laws and ensure that the proposed structure of the activity is consistent with such laws and that the compliance management system will be sufficient and appropriate to ensure compliance. To obtain supervisory non-objection, the bank should demonstrate that it has “established an appropriate risk management and measurement process for the proposed activities, including having adequate systems in place to identify, measure, monitor, and control the risks of its activities, including the ability to do so on an ongoing basis.” The bank’s request should demonstrate its understanding of and preparedness for the operational risk, liquidity risk, strategic risk, and compliance risk of the proposed activity.
The OCC will “evaluate the adequacy of a bank’s risk measurement and management information systems and controls to enable the bank to engage in the proposed activities on a safe and sound basis. The supervisory office will also evaluate any other supervisory considerations relevant to the particular proposal, consulting with agency subject matter experts as appropriate. As part of that review, and in coordination with the Chief Counsel, as needed, the supervisory office will assess whether the bank has demonstrated that it understands and will comply with laws that apply to the proposed activities.”
After a bank receives supervisory non-objection, the bank may conduct the activities as outlined. The OCC will review these activities as part of its ordinary supervisory processes.
Expect more updates from the OCC and the other prudential regulators over 2022. In November, the financial regulatory agencies released the Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps, which provides a roadmap of where the agencies expect regulatory policy announcements. The areas highlighted in the roadmap are: crypto-asset safekeeping and traditional custody services; ancillary custody services; facilitation of customer purchases and sales of crypto-assets; loans collateralized by crypto-assets; issuance and distribution of stablecoins; and activities involving the holding of crypto-assets on balance sheet. The OCC has released the interpretive letters outlined above to discuss some of these areas, but we should expect more announcements in this space in the coming year.
Compliance Alliance is committed to helping you navigate the evolving landscape of regulatory expectations of banks adopting and working with new technologies. Members can find summaries of the OCC’s Interpretive Letters and other helpful tools in our Cryptocurrency and Digital Assets Toolkit. As always, our Hotline advisors are here to help answer specific questions.