In our recent Alert, we discussed the limitations that Securities and Exchange Commission (SEC) Staff Accounting Bulletin No. 121 puts on banks that want to offer crypto custody services to their customers. SAB 121 is not the only regulation that could give pause to banks in engaging in cryptocurrency activities. The Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB) and the Federal Deposit Insurance Corporation (FDIC) regulate and supervise banks more directly. This Alert will discuss the rules and supervisory guidance that these agencies have provided to banks relating to cryptocurrency and how the guidance has evolved over the past several years.
Early OCC Guidance
Early guidance from the OCC indicated a generally permissive approach, subject to prudent risk and operational management.
On July 22, 2020, the OCC issued Interpretive Letter #1170 addressing whether a national bank may expand its existing custody services to include crypto custody. Citing the growing demand by customers to limit financial risk by having secure places to hold their cryptographic keys and manage their crypto assets, and the evolving technological nature of providing payment, deposit and loan services to enable an efficient flow of funds in the U.S. economy, the OCC stated that crypto custody is "a modern form of these traditional bank activities" that is permissible in both nonfiduciary and fiduciary capacities. As with other banking activities, a bank should employ sound risk management practices and have "adequate systems in place to identify, measure, monitor and control the risks of its custody services."
In connection with the issuance of stablecoins that are held in hosted wallets and backed on a one-for-one basis by a single traditional currency such as U.S. dollars, the issuer may want to hold the traditional currency in a reserve account at a bank. To enable the issuer to provide comfort as to the stability of the stablecoin, the bank would monitor the account balance on a daily basis to confirm that the reserve equals or exceeds the number of issued stablecoins. Similar to crypto custody, the OCC determined in Interpretive Letter #1172 that such banking activities are natural extensions of traditional banking activities. Subject to developing sound risk management practices, particularly relating to liquidity risk, and complying with all applicable laws, including the USA Patriot Act, the Bank Secrecy Act and anti-money laundering regulations, such activities are permitted under the letter.
On January 4, 2021, the OCC addressed the use by regulated banks of distributed ledgers and stablecoins to facilitate payment services. Compared to traditional wire transfers of funds, converting the money into a stablecoin and sending it from one wallet to another can be cheaper, faster and more efficient, especially in international transactions. Interpretive Letter #1174 permitted such activities but highlighted the heightened fraud and operational risks inherent in money transfers.
Early FDIC Initiatives
Around the same time, the FDIC was reportedly working on a three-part plan to provide guidance on (1) the way in which cryptocurrency assets are subject to the existing rules of the FDIC, (2) the extent to which banks can engage in cryptocurrency activities, and (3) the expectations of the FDIC in supervising such activities. This is a top-down approach under which crypto activities generally can be permissible as long as they fit within the existing regulatory framework.
Another area of concern to the FDIC was the challenges that cryptocurrency activities can pose in the case of a failing or failed institution (FFI). According to the FDIC Office of the Inspector General, the Division of Resolutions and Receiverships began developing a readiness and response plan for five potential use situations in January 2021:
- Holding and ownership of crypto by an FFI;
- Holding crypto as collateral for a loan;
- Holding custody of crypto for customers;
- Creation of a stablecoin by an FFI on a blockchain; and
- A payment system accessible by multiple banks.
The first part of this plan was completed in December 2022.
Agency Coordination Leads to Stricter Guidance
During this two-year period, as the agencies started to develop their approach toward cryptocurrencies, they began to coordinate their efforts. Gradually, they expressed concerns over the risks related to crypto and tightened their guidance.
On November 23, 2021, the FRB, the FDIC and the OCC issued a brief, two-page joint statement to outline the coordinated "policy sprints" that they conducted to get up to speed on cryptocurrencies, the potential use cases for banks (substantially similar to the ones described above) and the key risks posed by such activities. Importantly, they announced in general terms that they planned to provide clearer guidance to banks in the following year. In addition, they indicated that they would "evaluate the application of bank capital and liquidity standards to crypto-assets." As noted in our prior Alert, the imposition of capital requirements can have a significant impact on the viability of proposed banking activities.
On the same day as this relatively innocuous statement, the OCC issued a press release publishing Interpretive Letter #1179 clarifying its guidance in Interpretive Letters #1170, #1172 and #1174. In short, the press release stated that a bank may engage in the specified activities "after [it] notifies its supervisory office of its intent to engage in the activities, and after a bank receives written notification of the supervisory office's non-objection." In case that wasn't clear enough, the next sentence repeated that "[t]he bank should not engage in the activity until it receives a non-objection from its supervisory office." This is pointedly more restrictive than the permissive language of the original interpretive letters. Commenting on the new letter, then acting Comptroller of the Currency Michael J. Hsu stated, "Today's letter reaffirms the primacy of safety and soundness." He further cited the novel risks posed by cryptocurrencies and stated that "banks must be able to demonstrate that they have appropriate risk management systems and controls in place."
In March 2022, the FDIC formed a Crypto Asset Risks Interdivisional Working Group. This group changed the FDIC's approach from the one described above to a "bottom-up" approach to supervising banks focusing on (1) understanding the crypto activities of banks, (2) providing case specific feedback and (3) coordinating with other regulators to provide broader guidance to the finance industry. Rather than building a general framework under which various and developing activities may be permitted, this is more restrictive, similar to the updated OCC guidance―i.e., let us know what you want to do and we'll let you know if you can do it.
On April 7, 2022, the FDIC sent a publicly available Financial Institution Letter to supervised institutions instructing them to notify the FDIC if they "intend to engage in, or... are currently engaged in, any activities involving or related to crypto assets." The letter stated that based on the information provided, the FDIC will provide "relevant supervisory feedback."
This letter appears to be softer in tone than the OCC letter in that it contemplates that banks may already be engaged in crypto activities. However, the FDIC reportedly paired this letter with private, direct supervisory letters to numerous financial institutions requesting that they "pause, or not expand, planned or ongoing crypto-related activities" so that the FDIC can evaluate the financial stability, safety and soundness, and consumer protection ramifications and consider the appropriate supervisory feedback. The FDIC has not publicly disclosed how many such pause letters were sent, but the FDIC's Office of Inspector General reported that as of January 2023, at least 96 institutions notified the FDIC of proposed or active crypto-related activities.
To round out the coordinated agency approach, on August 16, 2022, the Division of Supervision and Regulation and the Division of Community Affairs of the FRB issued supervision and regulation letter SR 22-6/CA 22-6. Similar to the OCC and FDIC letters, the letter requires all supervised banks, including banks with less than $10 billion in assets, to notify its supervisory contact if it engages or plans to engage in activities related to crypto. Although the letter does not directly request that banks pause such activities, it achieves the same effect by noting that a bank must make sure that the activity is "legally permissible" and evaluate whether it has to make any filings under applicable laws, including the Federal Deposit Insurance Act and related regulations. The letter came out later than the other agency letters and displays a more comprehensive understanding of the challenges in engaging in crypto asset activities. It contains a litany of operational, risk management and regulatory considerations to address before engaging in such activities. In case a bank is subject to state regulation, the letter encourages banks to provide similar notifications to applicable state banking regulators.
Following these individual actions, the three agencies issued two more joint statements in early 2023. On January 3, 2023, the agencies set forth a detailed list of risks that banks face when engaging in crypto activities, including fraud, illicit activities, cyberattacks, outages, volatility, legal uncertainties, inadequate disclosures, governance and processes by crypto companies and risk of contagion due to the concentrated, interconnected nature of some crypto firms. The goal of the agencies in their case-by-case review of crypto activities by banks is to mitigate the risks that can be mitigated and to insulate the banking system from the risks that cannot. Although they stated in broad terms that banks "are neither prohibited nor discouraged from providing banking services to customers of any specific class or type," they expressed their belief that "issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe and sound banking practices."
On February 23, 2023, the agencies issued a more focused statement relating to liquidity risks when a crypto firm (such as a cryptocurrency exchange or stablecoin issuer) maintains bank deposits for the benefit of its customers. Although the crypto firm itself may be stable, there could be a run on the bank if the crypto market undergoes stress or volatility that causes the crypto firm's customers to withdraw funds. This statement was different from the others in that it went on to provide some banking practices that might be effective to address the potential risks, including obtaining a greater understanding of the market behaviors that can drive such actions, evaluating the interconnected nature of various crypto assets that can lead to a concentrated withdrawal of funds, taking such liquidity risks into account when modeling stress tests and liquidity reserves, and establishing procedures for robust monitoring and due diligence of such risks.
A Lesson in Volatility from Bitcoin
To provide some context to the growing caution of the agencies, it is instructive to look at the price of Bitcoin during this period. At the beginning of 2020, Bitcoin traded around $7,000. Then the COVID-19 pandemic happened, and investors sought alternative investments to hedge against a collapsing global economy. By the end of December 2020, the price of Bitcoin had climbed to almost $29,000. In April 2021, the Coinbase cryptocurrency exchange went public, and the price of Bitcoin was almost $65,000. Bitcoin became increasingly volatile after that, dropping more than half to roughly $31,000 three months later, then bouncing higher to about $53,000 in September, then down again to about $41,000 a few week later. By early November 2021, Bitcoin rallied to a new all-time high around $69,000, only to end the year around $46,000. By May 2022, the price was down to about $29,000. In November 2022, the widely used FTX cryptocurrency exchange collapsed due to fraud, mismanagement and thousands of customer withdrawals. The price of Bitcoin bottomed out close to $15,000.
OIG Report
Given the background above, warnings of contagion are not so far-fetched, and ring fencing the banking system from cryptocurrency risks seems sensible. Enforcing a pause in banks engaging in such activities is one way to minimize such risks. The difficulty with this approach is that it can stagnate. Other than general considerations and the limited banking practices described in the February 2023 joint statement, the agencies have not published detailed guidance for engaging in cryptocurrency activities. As the agencies have recognized, there can be significant benefits to the market and its participants from bank involvement with crypto. The few banks that started such activities prior to the pause are already exposed to such risks. The lack of clear guidance can deprive them of the tools they need to limit risks and undermine the FDIC's mission to stabilize the financial system.
The FDIC Office of Inspector General made this point in its evaluation report of October 2023. Moreover, the report indicated that the FDIC started to develop and implement strategies to address crypto risks, but cited its failure to complete a comprehensive risk assessment to determine if such risks can be addressed through actions such as supervision of banks. Although the public version of the report is redacted, it appears that the FDIC provided supervisory feedback only to a limited number of banks. According to the OIG, the FDIC did not say in the pause letters when it would review information provided by banks, when it would respond with guidance or when the process would be over. Based on its review, the OIG recommended that the FDIC (1) implement a timetable to finish its risk assessment and (2) communicate clearly its expected process with supervised banks, including a clear end point. The FDIC agreed with the recommendations and undertook to address them by January 30, 2024. Case closed.
Not quite. In Section 7 of its annual Risk Review published on May 22, 2024, the FDIC discussed its approach to cryptocurrency risks. The section is barely more than a page in length and mostly refers to the statements from 2022 and 2023 described above. There are no references to new guidance or statements. The section does refer generally to the supervisory feedback provided directly to specific institutions in 2023. It's possible that the FDIC's thinking and guidance have evolved and become more detailed, but it does not appear that the FDIC (or the FRB or OCC) has issued any new guidance for public consideration by banks, cryptocurrency companies or other financial market participants.
Coinbase FOIA Request
This omission has not gone unnoticed. On June 27, 2024, History Associates Incorporated, on behalf of Coinbase Inc., sued the FDIC in federal court to compel the FDIC to comply with its previous request under the Freedom of Information Act for copies of the pause letters that it issued to banks. History Associates Incorporated v. Federal Deposit Insurance Corporation, Case No. 1:24-cv-01857 (D.D.C.). History Associates made the initial request about a month after the OIG report came out. After several denials and appeals in early 2024, the FDIC ultimately decided on May 8, 2024, that the letters were confidential communications as part of its supervision of individual banks. History Associates maintained that the letters were form letters that could be redacted to address confidentiality concerns, but to no avail.
As of now, that is where things stand. Other than a few banks that are engaged in limited, legacy cryptocurrency activities, banks are generally on an indefinite pause, even if they are not expressly prohibited from doing otherwise. If the agencies have provided specific guidance to individual banks, it does not appear that such guidance has resulted in banks expanding or initiating significant new cryptocurrency activities. It remains to be seen how long this pause will last.
For More Information
If you have any questions about this Alert, please contact Roger S. Chari, any of the attorneys in our Banking and Finance Industry Group, any of the attorneys in our Financial Technology Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.