Key Insights:
- Banks cleared to custody Bitcoin and crypto under existing legal and risk frameworks
- Joint statement stresses cybersecurity, compliance, and control over cryptographic keys
- Sub-custodian use is permitted but banks remain fully accountable
US federal banking regulators have formally allowed banks to offer custody services for Bitcoin and other crypto-assets. The joint decision from the Federal Reserve, OCC, and FDIC outlines compliance obligations rather than new rules. It marks a significant expansion in regulated crypto access for financial institutions.
Banks Must Comply With Risk and Security Standards
The new guidance confirms that banks can offer safekeeping of crypto in fiduciary or non-fiduciary capacities under current laws. According to the statement, banks must meet all requirements under 12 CFR 9 or 150, state law, and applicable fiduciary provisions. They must also maintain strong cybersecurity, operational readiness, and internal controls.
The agencies emphasized that control over customers’ cryptographic keys is central to custody responsibilities. Banks must implement effective key management, monitor for unauthorized transfers, and secure infrastructure. Anti-money laundering (AML), counter-financing of terrorism (CFT), and OFAC sanctions rules apply in full.
Before offering services, banks must conduct a full risk review of crypto custody operations. This includes evaluating asset types, technologies used, and legal obligations. Every bank must also ensure compliance with the Bank Secrecy Act (BSA) and internal control standards.
Sub-Custodian Use Permitted but Accountability Remains
The statement allows banks to work with third-party sub-custodians but states they remain fully responsible. It reads, “Subject to the terms and conditions in the customer agreement, a banking organization is responsible for the activities performed by the sub-custodian.” This includes oversight of key generation, storage, and deletion procedures.
Regulators require banks to perform due diligence before engaging sub-custodians. Evaluation must include policies, internal controls, and adherence to safekeeping standards. Banks must also prepare contingency plans for tech failure or third-party collapse.
Banks using external hardware or software must weigh the risks of outsourcing versus in-house infrastructure. The agencies state, “Effective risk management… will generally include weighing the risks of purchasing third-party software or hardware.” Banks must also build internal audit systems for crypto-specific operations.
“When audit expertise does not exist within the banking organization, management should engage appropriate external resources,” the joint statement said. This includes reviewing safekeeping controls and ensuring staff are trained for crypto-asset risk management. These audits are required and must remain independent of routine financial audits.
Source: https://coincu.com/348681-us-regulators-approve-bank-custody-for-bitcoin-and-crypto-assets/