Client Alert: Banking Crypto: Obtaining Regulatory Permission
In its Interpretive Letter #1179, the Office of the Comptroller of the Currency recently affirmed its prior interpretive letters that allow banks to custody cryptocurrencies (#1170), custody the dollar reserves for stablecoin issuers (#1172), and serve as an independent node and use blockchain technology to facilitate payments (#1174). Similar to national banks, state-chartered banks in states with national bank parity (so-called wildcard) provisions likely can do the same.
There is just one catch—national banks that seek to provide crypto products or services must now first obtain the OCC’s written permission (or confirmation of non-objection) to do so. Similarly, state banks likely will need to obtain their respective regulators’ written permission. To obtain that permission, banks must demonstrate that they have adequate systems to identify, measure, monitor, and control the risks and understand the laws that apply to the proposed activities, including the Bank Secrecy Act and related anti-money laundering requirements, the Commodity Exchange Act, and consumer protection laws.
Although there are myriad issues that banks interested in crypto must address, banks should consider: (1) existing, relevant guidance from other financial regulators; (2) whether additional AML training, tools, or resources are required; and (3) the securities and other laws that may complicate transacting with certain coins or tokens.
1. Custody Controls
Banks that want to custody digital assets should consider preparing or implementing a number of plans, policies, procedures, or controls including:
- General Risk Management Plans, such as an operational risk management program or a business continuity plan;
- Crypto-Focused Policies and Procedures, such as procedures to provide customers with perpetual access to digital assets, mechanisms to assess liquidity needs, a methodology for digital asset valuations, and a private key storage policy;
- Enhanced Fraud Detection and Due Diligence Procedures, including vendor due diligence checklists, training programs, and tailored anti-money laundering, sanctions and beneficial ownership requirements; and
- Cybersecurity Programs, Access Controls, and Other Technical Controls, including cybersecurity audits, penetration testing, procedures to ensure that digital assets are securely created, stored, and maintained (including the use of seeds, passphrases, and backups), access management safeguards, and procedures for the immediate revocation of a signatory’s access.
Likewise, banks should address policies around cryptocurrency forks, the verbiage of customer disclosures, and the treatment of each asset under the Uniform Commercial Code.
The Wyoming Division of Banking mandates that prospective Special Purpose Depository Institutions (SPDIs) implement or adopt these very controls and policies before receiving an SPDI charter. Wyoming’s rules and regulations are the most detailed requirements issued by any state financial regulator. Banks looking to self-custody would be wise to start with this guidance when evaluating their own operations. Similarly, when performing diligence on potential sub-custodians, banks should use this guidance to evaluate their options.
2. AML Training, Tools & Resources
If you are a bank looking to offer crypto products and services, your board, management, and legal team all should understand the applicable legal and regulatory landscape and issues. Banks, for example, must address whether their desired crypto activities will necessitate modifications to its AML operations. Cryptocurrency transactions are often pseudonymous, and criminals utilize cryptocurrencies for terrorist financing and to launder the proceeds of criminal transactions. To combat these criminal activities, banks should read guidance on crypto-specific red flags, such as FinCEN’s 2019 Advisory on Illicit Activity Involving Convertible Virtual Currency. In addition, a number of on-chain forensics firms offer enhanced tools to detect criminals that utilize cryptocurrencies. Depending on the bank’s specific products or services and how those offerings are designed, these firms may offer useful tools for know your customer (KYC) and know your transaction (KYT) evaluations.
3. Tokens: Which Ones Are “Safe”
No two tokens are the same. Many, including certain stablecoins—cryptocurrencies pegged to purportedly stable assets, such as the U.S. dollar—present securities and other legal risks. Bitcoin (BTC) and ether (ETH) are considered relatively safe compared to other cryptocurrencies. Speaking in his individual capacity while still at the SEC, former SEC Director of Corporation Finance William Hinman said that he believes BTC and ETH do not violate securities laws. The Ethereum protocol, Director Hinman opined, was “sufficiently decentralized” and therefore ETH tokens were “no longer” a security.
As demonstrated by the SEC’s ongoing lawsuit against Ripple, related to the cryptocurrency XRP, however, many tokens present securities or other legal risks. Banks will need to carefully consider these issues before offering products and services related to certain tokens. Will the bank, for example, allow customers to obtain and custody certain tokens? That determination should depend on an analysis of the legal issues presented by the specific token, and the accompanying protocol.
Although Interpretive Letter #1179 is a boon for banks interested in cryptocurrencies, they need to do their homework, plan ahead, and seek regulatory permission before launching crypto products and services. Put differently, the OCC has encouraged banks to crypto with caution.
We Can Help You
Barack Ferrazzano’s Financial Institutions Group attorneys have advised clients on cryptocurrency and blockchain issues for over 6 years. Our team advises bank boards of directors and management who are interested in new FinTech products and services, including cryptocurrency. We help our clients seek and secure regulatory approvals and routinely help our clients minimize the risks of cryptocurrency offerings.