On January 3, 2023, the Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued a Joint Statement on Crypto-Asset Risks to Banking Organizations. The joint statement enumerates risks and vulnerabilities associated with cryptoassets and the cryptoasset sector that the three agencies believe were revealed over the past year, and discusses how these risks and vulnerabilities have impacted the agencies’ supervisory approach.
The joint statement does not purport to change the agencies’ established frameworks with respect to supervision of institutions engaged in cryptoasset activities. It does signal, though, that the agencies are proceeding with extreme caution in light of the potential risks that cryptoassets pose to banks, consumers and the broader financial system. It refers to “events of the past year” and says that the “recent failures of several large cryptoasset companies” have highlighted the risks. Those include fraud-related risk, the potential for significant volatility in the cryptoasset market, and the contagion and concentration risk presented by the interconnectedness of participants in the cryptoasset space.
The joint statement also expresses concern about the heightened risks associated with permissionless public blockchains and decentralized networks, including: lack of governance mechanisms establishing oversight of the system; the absence of contracts or standards to clearly establish roles, responsibilities and liabilities; and vulnerabilities related to cyberattacks, outages, lost or trapped assets, and illicit finance.
Banks that are currently dealing in cryptoassets or offering cryptoasset-related services to their customers, and those that may be considering entering the space, should expect even greater regulatory scrutiny of these activities and heightened expectations regarding the banks’ risk management programs.
The agencies list several risks presented by cryptoassets and caution banking organizations that any risk that cannot be effectively mitigated or controlled cannot be permitted to migrate to the banking system. The enumerated risks include, among others:
- risk of fraud and scams among cryptoasset participants;
- inaccurate or misleading representations and disclosures to consumers regarding the availability of federal deposit insurance for cryptoasset products and other unfair, deceptive or abusive acts or practices;
- significant volatility in cryptoasset markets;
- contagion and concentration risks created by interconnections among cryptoasset participants, such as through opaque lending, investing, funding, service, and operational agreements by and among such parties; and
- immature or weak risk management and governance practices in the cryptoasset sector.
This is not the first time these risks have been identified. Each of the agencies has highlighted these or similar risks in the cryptoasset context previously. The joint statement emphasizes, however, that the agencies are “continu[ing] to build knowledge, expertise, and understanding of” these risks. As a result, and given the significant crypto-related events of 2022, the joint statement signals that the agencies will adopt a “careful and cautious” and individualized approach going forward to any cryptoasset activities and risk exposures at regulated banking organizations.
Updated Regulatory Outlook on Cryptoasset Activities by Banking Organizations
The Federal Reserve, FDIC and OCC have each published guidance that establishes a framework for supervised institutions to follow before engaging in cryptoasset activities or offering products and services to their cryptoasset sector customers.1 See our article, “The Fed Aligns With the OCC and FDIC on Banks’ Cryptocurrency Activities as Senators Question the OCC’s Approach, Citing Risks,” in Skadden’s August 2020 Distributed Ledger newsletter, which explores these frameworks — and the Federal Reserve’s guidance specifically — in greater detail.
In general terms, under each of the agencies’ existing guidance, supervised banking institutions must:
- ensure that their existing or proposed cryptoasset activities are legally permissible and can be performed safely and soundly;
- provide prior notification to their regulator(s) before engaging in such activities — or prompt notification in the case of ongoing activities; and
- have in place adequate risk management frameworks, including systems and internal controls, to monitor and manage the risks presented by cryptoassets.
In our experience, even before the issuance of the joint statement, the agencies have taken a cautious and deliberate approach to their review and consideration of notices submitted by banks, including having robust discussions with banks.
The joint statement references these existing processes, and, as noted above, it does not amend or augment them. It states that banking organizations are neither prohibited nor discouraged from providing services to any specific class or type of customer, provided the services are legally permissible. At the same time, however, the joint statement warns that “issuing or holding as principal cryptoassets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe and sound banking practices.”
Most notably, the joint statement goes on to articulate that the agencies have “significant safety and soundness concerns with business models that are concentrated in cryptoasset-related activities or have concentrated exposures to the cryptoasset sector.” The joint statement does not provide examples of any such activities or define what the agencies consider to be “concentrated” in or “related” to cryptoassets, which could create uncertainty among supervised institutions that offer cryptoasset-related products or services. However, based on our experience, we expect the federal banking agencies will take a relatively broad view of these terms and what types or levels of activities implicate the agencies’ procedural frameworks and the concerns articulated in the joint statement.
Although the joint statement reiterates several aspects of the agencies’ prior guidance concerning the risks posed by cryptoassets and the importance of robust risk management frameworks, it also signals an even more conservative approach by the agencies to activities and business models they view as particularly risky. The language used in the joint statement provides the agencies with broad latitude to assess what this means and, therefore, could lead to more confusion in the near term regarding the permissibility of particular cryptoasset-related activities for banks.
The joint statement may also impact non-banking organizations operating in the cryptoasset space that rely on banking partners for custody, payment and other services. Both banking and non-banking organizations should be prepared to demonstrate that they have considered the risks outlined in the joint statement — and any other risks identified through a thorough risk assessment — and that such risks are appropriately mitigated and controlled by a “robust and mature” risk management and governance program.
The agencies said they will issue additional guidance on the subject as warranted, and the joint statement highlights the current framework through which banking organizations provide notice and engage in robust dialogue with their regulators regarding existing and proposed cryptoasset-related activities. The precise impact of the joint statement on the cryptoasset ecosystem — and how continued volatility and exposure of vulnerabilities in the cryptoasset market in 2023 could further impact the agencies’ regulatory and enforcement approach — remains to be seen.
1 Federal Reserve, SR 22-6/CA 22-6, “Engagement in Cryptoasset-Related Activities by Federal Reserve-Supervised Banking Organizations” (Aug. 16, 2022); FDIC, FIL-16-2022, “Notification and Supervisory Feedback Procedures for FDIC-Supervised Institutions Engaging in Crypto-Related Activities” (Apr. 7, 2022); OCC, Interpretive Letter 1179, “Chief Counsel’s Interpretation Clarifying: (1) Authority of a Bank to Engage in Certain Cryptocurrency Activities; and (2) Authority of the OCC to Charter a National Trust Bank” (Nov. 18, 2021).
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.