Interagency Crypto-Asset Safekeeping Statement
Joint OCC/Fed/FDIC statement on existing risk-management principles for banking organizations providing or considering crypto-asset safekeeping services.
At a glance
Bill details
Action
- Last action: OCC, Federal Reserve, and FDIC issued the joint statement on crypto-asset safekeeping risk-management considerations.
- Last action date: Jul 14, 2025
Source
- Source provider: Other official source
- Source ID: bcreg20250714a; OCC 2025-68/2025-17; FDIC 2025 release
Overview
Interagency Crypto-Asset Safekeeping Statement is a U.S. federal banking-agency guidance profile for the July 14, 2025 statement issued by the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, and Federal Deposit Insurance Corporation (FDIC). The statement addresses banking organizations that provide, or are considering providing, safekeeping for crypto-assets. It is not a statute or formal rule, and the agencies state that it discusses existing laws, regulations, and risk-management principles without creating new supervisory expectations.
Scope of the Crypto-Asset Safekeeping Statement
The statement defines safekeeping as the service of holding an asset on a customer’s behalf and uses “crypto-asset” to mean a digital asset implemented using cryptographic techniques. The agencies distinguish safekeeping from broader custody services, noting that a banking organization may provide other custody services while safekeeping crypto-assets. For this profile, the key point is that the statement focuses on customer asset-holding arrangements, not trading, issuance, lending, stablecoin reserve management, or every crypto-related banking activity.
Covered banking organizations differ by agency. For the OCC, the term includes national banks, federal savings associations, and federal branches and agencies of foreign banks. For the Federal Reserve, it includes bank holding companies, state member banks, Edge and agreement corporations, and certain uninsured state-licensed foreign bank branches and agencies. For the FDIC, it includes insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations.
Fiduciary and Non-Fiduciary Crypto Safekeeping
The agencies recognize that banking organizations may provide crypto-asset safekeeping in either a fiduciary or non-fiduciary capacity. A bank acting in a fiduciary capacity must comply with applicable fiduciary rules, including 12 CFR Part 9 or 12 CFR Part 150 where relevant, state law, and the governing instrument that created the fiduciary relationship. Non-fiduciary safekeeping is generally established by the client contract.
Risk Management and Cryptographic Key Control
The statement treats cryptographic-key control as a central safekeeping issue. It says effective safekeeping involves maintaining control over private keys and related sensitive information, and that a banking organization generally assumes control when no other party, including the customer, has access to information sufficient to transfer the crypto-asset outside the bank’s control. Initial control will usually require transfer of the asset to the bank on the asset’s underlying distributed ledger.
Risk assessment is framed as a prerequisite to offering the service. The agencies point to core financial risks, the organization’s ability to understand a complex and evolving asset class, its control environment, and contingency planning. They also highlight cybersecurity, secure key generation, lost-key and compromised-key contingency planning, and the need to adapt key-management systems as technology changes.
Compliance, Customer Communications, and Third Parties
The statement places crypto-asset safekeeping within ordinary banking legal and compliance frameworks, including BSA/AML, CFT, OFAC sanctions, recordkeeping, reporting, and the Travel Rule. It also notes that distributed-ledger design features may make some compliance processes more challenging where compliance depends on identifying transaction-related information such as names and addresses.
Customer agreements and disclosures are another focus. The agencies identify service-specific issues that agreements may address, including on-chain governance and voting, forks, airdrops, probabilistic settlement, hot/cold/hybrid storage, sub-custodian use, and smart contracts. The statement also notes the risk that customers may misunderstand the banking organization’s role and says clear, accurate, and timely information can help mitigate that risk.
For sub-custodians and other service providers, the agencies emphasize third-party risk management. A banking organization should understand the risks and benefits of sub-custodian use, evaluate key-management controls and recordkeeping, consider insolvency or operational-disruption treatment of customer assets, and maintain audit coverage over crypto-asset safekeeping activities.
Jurisdictional Impact
This profile is U.S. federal and applies to federally supervised banking organizations within the agencies’ respective scopes. It should be read as supervisory guidance and risk-management clarification, not a standalone licensing regime or a grant of authority beyond existing law. Related legal analysis may need to consider OCC interpretive letters, fiduciary regulations, BSA/AML obligations, sanctions rules, and state banking or trust-law requirements.
Key provisions
Scope and legal effect
Applies to covered banking organizations providing or considering crypto-asset safekeeping and discusses existing law without creating new supervisory expectations.
Safekeeping definition
Defines safekeeping as holding an asset on a customer’s behalf and distinguishes it from the broader set of custody services.
Fiduciary capacity
Banks acting as fiduciaries must follow applicable fiduciary rules, state laws, and governing instruments; non-fiduciary safekeeping is contract-based.
Risk assessment and governance
Risk assessments should consider financial risks, asset-class complexity, control environment, operational capacity, technical expertise, and contingency plans.
Cryptographic key control
Emphasizes control of private keys and sensitive information, secure key generation, cybersecurity, and contingency planning for lost or compromised keys.
AML/CFT and sanctions compliance
States crypto safekeeping remains subject to BSA/AML, CFT, OFAC, Travel Rule, recordkeeping, reporting, monitoring, and suspicious activity obligations.
Customer agreements and disclosures
Highlights clear customer information and agreements addressing roles, governance, voting, forks, airdrops, storage models, sub-custodians, and smart contracts.
Third-party and audit controls
Calls for sub-custodian due diligence, third-party risk management, asset-treatment analysis, recordkeeping review, and audit coverage of safekeeping controls.
Timeline
OCC Interpretive Letter 1183 issued
OCC reaffirmed certain permissible crypto activities and withdrew participation in earlier interagency crypto-risk statements.
OCC Interpretive Letter 1184 announced
OCC clarified crypto custody and execution services, including outsourcing with appropriate third-party risk management.
Interagency statement issued
OCC, Federal Reserve, and FDIC issued the joint crypto-asset safekeeping statement.
OCC Bulletin 2025-17 published
OCC transmitted the joint statement to supervised national banks, federal savings associations, branches, and agencies.
Who it affects
Actors
Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency
Asset classes
Crypto assets, Digital assets
Editorial note
This profile covers an interagency supervisory statement, not a statute or formal rule. The agencies state that it does not create new supervisory expectations.