A shift in how the world sees cryptocurrency is influencing how the US government sees it. Here’s what’s in OCC Interpretive Letter #1170, and how automation can help you stay on course in this ever-evolving tech landscape
It’s been quite a while since we’ve covered cryptocurrencies in this space. First introduced to the world in 2008 with the emergence of Bitcoin, through many public ups and downs this wild west of digital dollars is slowly but surely being tamed. The proof of this taming may in part be the Interpretive Letter released by the Office Of The Comptroller Of The Currency over the summer. The OCC, of course, charters, regulates, and supervises all national banks, federal savings associations, as well as federal branches and agencies of foreign banks.
Interpretive Letter #1170 addresses the authority of a national bank to provide cryptocurrency custody services for customers, now concluding a national bank may provide cryptocurrency custody services on behalf of customers; this includes the holding of the unique cryptographic keys associated with cryptocurrency. This is a significant change in policy direction on the part of the US government, and indicative in general of how cryptocurrencies are increasingly being viewed, i.e., as less of an outright oddity and potentially dangerous disruptor of fiat currencies, and more of an accepted, neutral, mainstream player in the global game of money flows, trade, and related banking services.
For the banks and federal savings associations that choose to handle cryptocurrencies, and work with the customers that come with them, this blog lays out the central themes presented by the OCC, including the guidance related to compliance that will accompany this new business activity.
WHAT THE OCC IS SAYING IN SHORT
- The OCC concludes a national bank may provide certain cryptocurrency custody services, including holding the unique cryptographic keys associated with cryptocurrency.
- National banks may provide permissible banking services to any lawful business, including cryptocurrency businesses, so long as banks soundly manage the risks and comply with the law.
WHAT CRYPTOCURRENCY IS AND ISN’T
- Cryptocurrencies are also known as digital or virtual currencies and don’t exist in physical form. They’re designed to work as a medium of monetary exchange and are created and stored completely electronically. They exist only on the distributed ledger on which they’re recorded.
- Fiat currencies are currencies issued by a government. They don’t have intrinsic value, but people use them as a medium of exchange because they’re issued by a government.
- Some cryptocurrencies have similar characteristics to fiat money because they’re not backed by any other assets. Others may be backed by assets, such as a commodity.
CRYPTOCURRENCY AS A MAINSTREAM MEDIUM
- Bitcoin, introduced in 2008, was the first widely-adopted cryptocurrency. Since its creation, hundreds of virtual currencies have been created, all with different characteristics and uses.
- Bitcoin remains the most widely used and valuable cryptocurrency. It is now accepted as payment by thousands of merchants worldwide. It may even be purchased with traditional cash.
- Contracts on Bitcoin futures have been established, and options on Bitcoin futures are now trading. The SEC recently approved a Bitcoin futures fund.
- Cryptocurrencies are also traded on online exchanges. Parties trade one cryptocurrency for another or trade for fiat currencies such as the US dollar.
- Some cryptocurrency exchanges have obtained state banking licenses as trust banks. A majority of states have adopted laws and regulations pertaining to cryptocurrencies.
- Recent survey evidence suggests that almost 40 million Americans own cryptocurrencies. Institutional investors also have invested in cryptocurrencies.
- A unit of cryptocurrency is assigned to a party through the use of a set of unique cryptographic keys. Those keys allow that party to transfer the cryptocurrency to another party.
- If the keys are lost, a party will be unable to access its cryptocurrency. If a third party gains access to the keys, it can use the keys to transfer the cryptocurrency to itself.
WHY THE OCC IS EXPANDING ALLOWED CRYPTO ACTIVITIES
- The OCC understands there’s a growing demand for banks to hold cryptographic keys associated with cryptocurrencies on behalf of customers and to provide related custody services.
- Banks may offer more secure storage services compared to existing options. Some exchanges that store access assets on behalf of customers have proven vulnerable to hacking and theft.
- Some investment advisers may wish to manage cryptocurrencies on behalf of customers and may wish to utilize national banks as custodians for the managed assets.
FURTHER INTERNAL OCC DISCUSSION SURROUNDING ITS DECISION
- Bank customers have traditionally used safe deposit boxes for the storage and safekeeping of a variety of physical objects, such as valuable papers, rare coins, and jewelry.
- As the banking industry entered the digital age, the OCC recognized the permissibility of electronic safekeeping activities, like escrowing encryption keys used for digital certificates.
- The OCC generally hasn’t prohibited banks from providing custody services, as long as the bank has the capability to hold the asset and the asset isn’t illegal in the jurisdiction it will be held.
- Providing cryptocurrency custody services is in the longstanding tradition of banks to engage in safekeeping activities, and is permissible in both fiduciary and non-fiduciary capacities.
FIDUCIARY AND NON-FIDUCIARY CRYPTO CUSTODY SERVICES
- A bank that provides crypto custody in a non-fiduciary capacity would provide safekeeping for the cryptographic key that allows for control and transfer of the customer’s cryptocurrency.
- In most circumstances, providing custody would not entail any physical possession. Rather, a bank is taking possession of the cryptographic access keys to that unit of cryptocurrency.
- A bank with trust powers could provide crypto custody in a fiduciary capacity if conducted in compliance with 12 CFR Part 9 or any applicable law that created the fiduciary relationship.
- A bank holding cryptocurrencies in a fiduciary capacity—such as a trustee, an executor of a will, an administrator of an estate, a receiver, or an investment advisor—would have the authority to manage them in the same way banks can manage other assets they hold as fiduciaries.
- All of these conclusions apply equally to federal savings associations (FSAs). Like national banks, FSAs may provide custody services in either a fiduciary or non-fiduciary capacity.
GENERAL COMPLIANCE REQUIREMENTS RELATED TO CRYPTO CUSTODY SERVICES
- A national bank or FSA should develop any new activity consistent with sound risk management practices, and align them with bank business plans and strategies as set forth in OCC guidance.
- As with all other activities performed by national banks and FSAs, cryptocurrency custody services must be conducted in a safe manner, including having adequate systems in place to identify, measure, monitor, and control the risks of its custody services.
- Such systems include policies, procedures, internal controls, and management information systems governing custody services. Effective internal controls include safeguarding assets under custody, producing reliable financial reports, and complying with laws and regulations.
- Custody activities should include dual controls, segregation of duties, and accounting controls.
- Accounting records and internal controls should ensure that assets of each custody account are kept separate from the assets of the custodian, and maintained under joint control to ensure that an asset is not lost, destroyed, or misappropriated by internal or external parties.
- Other considerations include settlement of transactions, physical access controls, and security servicing. Such controls may need to be tailored to the context of digital custody.
- Specialized audit procedures may be necessary to ensure the bank’s controls are effective for digital custody activities. For example, procedures for verifying that a bank maintains access controls for a cryptographic key will differ from the procedures used for physical assets.
FINAL WORDS OF WARNING FROM THE OCC
- Banks seeking to engage in crypto custody activities should also conduct legal analysis to ensure the activities are implemented consistent with all applicable laws.
- The due diligence process should include a review for compliance with AML rules. Banks should also have effective information security infrastructure and controls in place to mitigate hacking, theft, and fraud.
- Banks should also be aware that different cryptocurrencies may have different technical characteristics, and may therefore require risk management procedures specific to that particular currency.
- Different cryptocurrencies may also be subject to different OCC regulations and guidance outside of the custody context, as well as non-OCC regulations.
- Banks should consult with OCC supervisors as appropriate prior to engaging in crypto custody activities. The OCC will review these activities as part of its ordinary supervisory processes.
HOW TECHNOLOGY CAN HELP
The shift towards technology in the realm of money and finance has been going on for a long time. Money increasingly moves through the banking system and the economy electronically. Cryptocurrency may be the ultimate expression of this phenomenon. Bitcoin, for example, has never existed in physical form and never will. And as money and finance become increasingly technologically sophisticated—and regulators follow suit—the processes firms use to manage their own related data and information flows must become similarly technologically sophisticated. This is where software solutions come in.
Compliance software solutions like Star’s can help firms automate important processes, streamline data flows, and—via easy integrations—centralize dispersed information. They can create comprehensive audit trails, intuitively present previously unavailable levels of data, and allow firms to evidence compliance to regulators. They can surface critical data points—and therefore potential conflicts—banks might otherwise miss.
Financial institutions can’t keep using manual compliance processes forever, particularly as the markets and the regulators who oversee them become increasingly tech savvy themselves. Star offers a range of solutions that makes staying compliant simple and easy in the age of data. For an overview of Star’s technical approach—and key insights into how it might dovetail with your own changing technical needs—check out our solutions page.