Interagency Crypto-Asset Safekeeping Statement is a U.S. federal banking-agency guidance profile for the July 14, 2025 statement issued by the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, and Federal Deposit Insurance Corporation (FDIC). The statement addresses banking organizations that provide, or are considering providing, safekeeping for crypto-assets. It is not a statute or formal rule, and the agencies state that it discusses existing laws, regulations, and risk-management principles without creating new supervisory expectations.
Scope of the Crypto-Asset Safekeeping Statement
The statement defines safekeeping as the service of holding an asset on a customer’s behalf and uses “crypto-asset” to mean a digital asset implemented using cryptographic techniques. The agencies distinguish safekeeping from broader custody services, noting that a banking organization may provide other custody services while safekeeping crypto-assets. For this profile, the key point is that the statement focuses on customer asset-holding arrangements, not trading, issuance, lending, stablecoin reserve management, or every crypto-related banking activity.
Covered banking organizations differ by agency. For the OCC, the term includes national banks, federal savings associations, and federal branches and agencies of foreign banks. For the Federal Reserve, it includes bank holding companies, state member banks, Edge and agreement corporations, and certain uninsured state-licensed foreign bank branches and agencies. For the FDIC, it includes insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations.
Fiduciary and Non-Fiduciary Crypto Safekeeping
The agencies recognize that banking organizations may provide crypto-asset safekeeping in either a fiduciary or non-fiduciary capacity. A bank acting in a fiduciary capacity must comply with applicable fiduciary rules, including 12 CFR Part 9 or 12 CFR Part 150 where relevant, state law, and the governing instrument that created the fiduciary relationship. Non-fiduciary safekeeping is generally established by the client contract.
Risk Management and Cryptographic Key Control
The statement treats cryptographic-key control as a central safekeeping issue. It says effective safekeeping involves maintaining control over private keys and related sensitive information, and that a banking organization generally assumes control when no other party, including the customer, has access to information sufficient to transfer the crypto-asset outside the bank’s control. Initial control will usually require transfer of the asset to the bank on the asset’s underlying distributed ledger.
Risk assessment is framed as a prerequisite to offering the service. The agencies point to core financial risks, the organization’s ability to understand a complex and evolving asset class, its control environment, and contingency planning. They also highlight cybersecurity, secure key generation, lost-key and compromised-key contingency planning, and the need to adapt key-management systems as technology changes.
Compliance, Customer Communications, and Third Parties
The statement places crypto-asset safekeeping within ordinary banking legal and compliance frameworks, including BSA/AML, CFT, OFAC sanctions, recordkeeping, reporting, and the Travel Rule. It also notes that distributed-ledger design features may make some compliance processes more challenging where compliance depends on identifying transaction-related information such as names and addresses.
Customer agreements and disclosures are another focus. The agencies identify service-specific issues that agreements may address, including on-chain governance and voting, forks, airdrops, probabilistic settlement, hot/cold/hybrid storage, sub-custodian use, and smart contracts. The statement also notes the risk that customers may misunderstand the banking organization’s role and says clear, accurate, and timely information can help mitigate that risk.
For sub-custodians and other service providers, the agencies emphasize third-party risk management. A banking organization should understand the risks and benefits of sub-custodian use, evaluate key-management controls and recordkeeping, consider insolvency or operational-disruption treatment of customer assets, and maintain audit coverage over crypto-asset safekeeping activities.
Jurisdictional Impact
This profile is U.S. federal and applies to federally supervised banking organizations within the agencies’ respective scopes. It should be read as supervisory guidance and risk-management clarification, not a standalone licensing regime or a grant of authority beyond existing law. Related legal analysis may need to consider OCC interpretive letters, fiduciary regulations, BSA/AML obligations, sanctions rules, and state banking or trust-law requirements.