A Line in the Ledger: Federal Banking Agencies Issue Joint Statement on Crypto-Asset Safekeeping
On July 14, 2025, the OCC, Federal Reserve Board, and FDIC quietly issued a joint statement that may one day be remembered as a foundational moment in the formal convergence of traditional banking oversight and crypto infrastructure. The Statement on Crypto-Asset Safekeeping Risk Management sends a clear signal: if your institution intends to hold digital assets for clients, the expectations are not experimental — they are bank-grade.
Though regulators emphasized that the Statement does not introduce new supervisory requirements, it decisively confirms what many of us have long advised: existing risk management, compliance, and audit frameworks are not optional in the digital asset space — they are the price of admission.
The Message: Know What You're Holding — and How
The Statement opens with what feels like a back-to-basics checklist for any institution considering crypto-asset safekeeping:
Do you understand the financial risks inherent in this activity?
Is your team technically competent to manage this environment?
Can your internal controls survive the volatility and velocity of this space?
Have you planned for what happens if things go wrong?
While these may sound like standard inquiries, their weight is far greater in a crypto context, where minor missteps can result in irreversible loss, and the velocity of market evolution can outpace even the most agile compliance programs.
Key Management
The most direct language in the Statement is reserved for cryptographic key management — and for good reason. Control over the private key means control over the asset. If that key is lost, compromised, or improperly duplicated, the bank may find itself not only exposed to loss, but also to liability.
The agencies expect banks to demonstrate that no third party can unilaterally transfer a client’s digital asset, and that key generation, storage, redundancy, and recovery protocols meet stringent internal and external standards. These expectations extend to sub-custodians and technology vendors. In other words, outsourcing does not outsource liability.
Customized Controls
In a nuanced but important section, the Statement makes clear that crypto-assets are not homogenous, and banks should not approach them with one-size-fits-all solutions. A thorough asset-level analysis is expected — including a review of:
Technical dependencies (e.g., blockchain protocol requirements),
Governance structures (including the implications of forks, airdrops, or staking),
Operational and market dynamics, and
Legal and regulatory treatment under both U.S. and international frameworks.
This is where legal and compliance teams will need to partner closely with technologists to develop asset-specific custody and safekeeping protocols that hold up under examination.
Legal, Compliance, and Disclosure Risk
Perhaps the most forward-leaning part of the Statement is its discussion of regulatory complexity and disclosure clarity.
The agencies underscore the challenge of applying legacy AML/OFAC compliance expectations — like identity verification, transaction monitoring, and travel rule compliance — to a decentralized environment. Permissionless blockchains and pseudonymous transactions do not mesh easily with traditional Bank Secrecy Act standards, and institutions must bridge that gap without excuse.
In parallel, the Statement cautions against misleading or incomplete customer communications, particularly around governance rights, voting, and asset recoverability. This point should not be overlooked — we are entering an era where failure to disclose the nuances of digital asset control may expose institutions to serious reputational and enforcement risk.
Sub-Custodians and Tech Vendors
Third-party risk is not new — but the Statement makes it abundantly clear that when crypto is involved, the stakes are higher.
Whether contracting with a sub-custodian or relying on external software, banks must conduct rigorous due diligence. This includes:
Evaluating the provider’s insolvency and contingency frameworks,
Assessing their key management protocols and service level agreements,
Ensuring consistent auditability and oversight.
Regulators will not accept finger-pointing if things go wrong. If you touch crypto — even indirectly — you’re expected to own the risk.
Audit Readiness
The agencies close by stressing the importance of robust, crypto-literate internal and third-party audit programs. This includes expertise in blockchain-specific processes like:
Key generation, storage, and deletion,
Wallet architecture and asset movement,
Custody models (omnibus vs. segregated),
Settlement mechanics and smart contract execution.
Firms lacking internal capability are advised to retain outside experts. Importantly, there’s no grace period for developing audit programs after the fact. Supervision in this space will be proactive, not reactive.
Final Thoughts
In recent years, many in the digital asset space have demanded regulatory clarity. The Statement delivers just that — not with new rules, but by reinforcing that crypto must meet the banking system where it is, not the other way around.
For regulated institutions, this is a roadmap. For fintechs looking to partner with banks, it’s a barometer of what "compliance-ready" now means. And for regulators, it's a firm reminder that prudential supervision applies even when the assets are digital, distributed, and decentralized.
Institutions that intend to offer crypto-asset safekeeping — or that already do — should take this Statement seriously. It is not merely guidance. It’s a warning shot — and an invitation to raise your game.
* * *
Attorney Advertising—Anderson P.C. is a U.S. law firm and provides this information as a service to clients, prospective clients, and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Anderson P.C. is a boutique law firm dedicated to defending clients in government investigations and securities enforcement actions initiated by the SEC, FINRA, DOJ, and other regulatory bodies. We provide focused, strategic counsel and regulatory guidance across the full spectrum of federal laws and regulations affecting broker-dealers, investment advisers, banks, asset managers, private funds, public companies, senior executives, and digital assets. Our deep expertise allows us to navigate complex legal challenges and deliver results-driven solutions tailored to our clients' unique needs.
If you have any questions or need legal assistance related to government investigations, securities enforcement actions, or regulatory compliance, please don't hesitate to contact us. Our team at Anderson P.C. is here to provide the expert guidance and support you need to navigate these complex challenges.
