On January 3, 2023, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (the “Federal Banking Regulators” or “Agencies”) issued a Joint Statement (“Joint Statement”) highlighting key risks for banking organizations associated with crypto-assets and the crypto-asset sector.
The Joint Statement notes the marked volatility of crypto-assets and crypto-related exposure in 2022, and highlights, among others, the following risks banking organizations should be aware of:
- Risk of fraud and scams among crypto-asset sector participants;
- Legal uncertainties related to custody practices, including ownership rights of crypto-assets, which the Federal Banking Regulators note is an issue currently subject to litigation;
- Inaccurate or misleading representations, including about federal deposit insurance, and other unfair or deceptive practices that could substantially harm retail and institutional investors, customers, and counterparties;
- Stablecoin run risk, which could create deposit outflows for financial institutions holding stablecoin reserves;
- Contagion risk in the crypto-asset sector resulting from interconnectedness among various participants through “opaque lending, investing, funding, service, and operational agreements.” Such risks may also present concentration risks for financial institutions with exposure to the crypto-asset sector; and
- “Heightened risks associated with open, public, and/or decentralized networks,” including but not limited to, “lack of governance mechanisms establishing oversight of the system, the absence of contracts or standards to clearly establish roles, responsibilities, and liabilities,” cyber-risks, and illicit finance risks.
The Agencies stress the importance of ensuring that crypto-asset sector risks “that cannot be mitigated do not migrate to the banking system.” The Agencies emphasize that they will continue to take a cautious approach to current and proposed crypto-asset related activities and exposures at banking organizations. This includes assessments of financial institutions on how crypto-related activities may be conducted in ways that addresses safety and soundness, anti-money laundering and illicit finance statutes, consumer protection, and compliance with laws and regulations.
While the Joint Statement notes that federally-regulated banking organizations, generally speaking, “are neither prohibited nor discouraged from banking” any specific type or class of customers, the Agencies express an ominous view of crypto-assets in the banking system. Specifically, they note that based on their current understanding and experience, they believe that “issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe and sound banking practices.” The Federal Banking Regulators also highlight “significant” safety and soundness concerns associated with business practices that are concentrated in crypto-asset related activities, or have concentrated exposure to the crypto-asset sector.
Given the risks highlighted by the Agencies and their doubts as to safety and soundness of certain crypto-related activities, federally-regulated financial institutions may wish to review their crypto-asset exposure. This could include a review of their own activities or customer base, and assess whether the Agencies’ highlighted risks are present, and how to manage such risks, including through board oversight, policies, procedures, and monitoring. For example, recent events, including regulatory enforcement actions, have highlighted the importance of heightened due diligence on crypto-market participants, particularly around issues of custody, anti-money laundering (AML) and sanctions compliance, and cybersecurity.
Conversely, crypto-market participants, particularly newer entrants, should assess their policies, procedures, and controls, as appropriate, around crypto custody, AML and sanctions compliance, and cybersecurity. Such areas, including compliance with stated terms of service, may be subject to increased diligence by federally-regulated financial institutions as they consider onboarding such participants, maintaining existing relationships, or otherwise transacting with them, consistent with such institutions’ risk management practices and procedures, and potential regulatory notification obligations.