Another regulatory milestone! The three major agencies in the U.S. jointly released new guidelines for bank encryption accomplice services.

Banks providing encryption custody services must meet strict standards

The Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) recently jointly issued new regulations that clarify the compliance requirements and risk management standards that U.S. banks must adhere to when providing encryption custody services. According to the joint statement, if banks wish to offer encryption custody services, they must comply with existing compliance requirements and risk management practices, focusing on ensuring the secure storage of customers' digital assets. Banks can participate in custody in two roles:

1. Accomplice (Fiduciary Role): Undertakes legal obligations to manage clients' encryption assets.
2. Non-Fiduciary Role: Provides only secure storage services and does not involve asset management.

If a bank holds the private key of encryption assets, it must assume full responsibility and ensure that customers or other third parties cannot access the key. Regulators refer to this as the benchmark for "true control."

Key Risks and Compliance Requirements

Regulators have pointed out that banks need to be vigilant about the following risks when providing encryption accomplice services:

• Loss or theft of private keys (cryptographic key loss)
• Cybersecurity breaches
• Market Volatility Risk (market volatility)
• Anti-Money Laundering and Counter-Terrorism Financing Obligations (AML/CFT compliance)

Banks must establish a strong internal control system and continuously pay attention to the latest developments in the encryption custody industry. In addition, they need to assess whether they have technical capacity and compliance readiness, including:

• Complete operational framework
• Personnel with encryption expertise
• Advanced technology capable of addressing digital asset risks

Responsibility Attribution for Third-Party Accomplice Cooperation

Although banks can choose to cooperate with third-party encryption custody service providers, regulators emphasize that banks must still be responsible for any mistakes. When selecting partners, banks must conduct thorough due diligence, focusing on:

• Private Key Storage Solutions
• Emergency clauses in case of asset damage or service provider bankruptcy

Anti-Money Laundering and Identity Verification Requirements

Banks must comply with Anti-Money Laundering (AML), Counter-Terrorism Financing (CFT), and Office of Foreign Assets Control (OFAC) regulations, including:

• Customer Identity Verification (KYC)
• Suspicious Transaction Monitoring

Due to the anonymity of blockchain, these requirements may be more challenging in the encryption field.

Legal Clarity and Smart Contract Management

Regulatory authorities require banks to clarify the following legal issues when providing encryption accomplice services:

• Company agreements reached through on-chain voting, forks, or airdrops
• Responsibility for wallet management
• The Use and Risks of Smart Contracts

Independent Auditing and Expert Support

Banks need to establish independent audit procedures covering the following aspects:

• encryption accomplice security control
• Private Key Management Process
• Professional capabilities of personnel

If there is a lack of experts internally, banks can hire third-party auditors for evaluation.

Regulatory Shift: Bank Cryptocurrency Custody Restrictions Lifted

The release of this new regulation marks the termination of the Federal Reserve's previous policy on reputational risk factors that restricted banks from participating in encryption custody services. In the future, more compliant banks may enter the encryption custody market, providing safer digital asset storage solutions for institutional and individual users.