Federal regulators have started issuing more guidance to financial institutions on offering new and innovative financial products and services, such as cryptocurrencies, to customers in a safe and sound manner. The increased regulatory interest has become necessary as cryptocurrencies enter mainstream consumer use in the United States. Not only is there expanding institutional support for cryptocurrencies, but surveys estimate that as many as 40 million individual Americans own virtual currencies as well.
Federal banking regulators explicitly encourage financial institutions to leverage new technologies and industry innovation. Often, however, rules and regulations are not updated in time to keep pace with the changes. In an effort to address this issue, two recent Interpretive Letters (ILs) issued by the Office of the Comptroller of the Currency (OCC) and a Notice of Proposed Rulemaking (NPR) issued by the Financial Crimes Enforcement Network (FinCEN) and the Board of Governors of the Federal Reserve provide banks with guidance on cryptocurrency services and emphasize the need for regulations to be updated to address new forms of virtual currency. The regulators outline minimum control standards they expect from financial institutions that provide cryptocurrency services.
In IL 1170 and IL 1172, the OCC clarifies that current regulations allow financial institutions to engage in cryptocurrency-related activities for very specific reasons. IL 1170 states that national banks and savings associations have the ability to provide cryptocurrency custody services for customers. This IL allows financial institutions’ trust departments to hold and manage cryptocurrencies just like any other asset they maintain in a fiduciary capacity. IL 1172 discusses banks’ involvement in stablecoins, a type of cryptocurrency backed by an asset such as a fiat currency, usually in a one-to-one ratio. This IL clarifies that banks may hold depository reserves for stablecoins as long as the stablecoins are backed by a fiat currency. It also states that a financial institution that accepts stablecoin reserve deposits must ensure that it properly manages related risks such as liquidity and Bank Secrecy Act (BSA) and anti-money laundering (AML) threats.
In both ILs, banks are advised to follow sound risk management principles if they choose to participate in these financial instruments. The ILs also describe controls that examiners expect from a financial institution that is engaged in these activities, including appropriate due diligence and ongoing monitoring. For cryptocurrency custody services, examiners expect banks to follow all the standard processes for custody services, such as dual controls, segregation of duties and accounting controls. How those controls are implemented will be unique given the virtual nature of cryptocurrencies.
Banks are also expected to ensure that their information security controls are robust enough to mitigate the increased potential for hacking, theft and fraud that cryptocurrency custody arrangements would introduce to the bank and its customers. Regulators expect that when banks accept stablecoin deposits, they will enter into formal contracts with the stablecoin issuer, so that the roles and responsibilities are clearly defined. These contracts could include activities such as daily verifications of outstanding stablecoin values and/or procedures to verify that the appropriate party will be deemed as the issuer or obligor of the stablecoins. Banks must understand these products and adjust their risk frameworks appropriately before engaging in these types of transactions.
The recent FinCEN NPR on BSA reporting thresholds clarifies the term “money” to include cryptocurrency for BSA reporting purposes. It proposes to redefine “money” to include all forms of virtual currency, expanding the types of transactions that should be reported. Currently, “money” is defined as a medium of exchange authorized by a domestic or foreign government. Since most cryptocurrencies are not backed or authorized by a government, financial institutions currently do not need to report these transactions. The NPR states that FinCEN has been monitoring the illicit financial risks posed by cryptocurrencies and believes that the current narrow definition of “money” should be expanded to close this loophole. It cites examples of criminal organizations that specifically use cryptocurrencies to avoid BSA reporting requirements. FinCEN believes that explicitly including cryptocurrencies in the regulation will help track illicit money movement across the globe.
Federal banking regulators acknowledge that financial markets and their customers already use new and innovative products like cryptocurrencies. The industry should expect that regulators will continue to rewrite, clarify and expand guidance and regulations to support the provision of these products as well as financial institutions’ ability to provide consistent reporting to enforcement agencies. The regulators want to make sure financial institutions remain competitive in the broader financial services industry and offer the products demanded by their customers. While regulators like the OCC have explicitly encouraged financial institutions to look for ways to provide innovative products and services to their customers, they have also emphasized that those products should be offered consistent with safe and sound banking principles. Regulators will continue to expect enhanced due diligence, risk assessments and ongoing end-to-end monitoring of cryptocurrency services, whether the financial institution offers these products directly or through third-party fintech companies.