On August 16, 2022, the Board of Governors of the Federal Reserve System (“Federal Reserve”) issued guidance for banking organizations engaging or seeking to engage in crypto-asset-related activities (“August 2022 Guidance”).1
The August 2022 Guidance is the latest step by US federal banking regulators to define and limit the regulatory perimeter for crypto-asset-related activities of banking organizations. Most importantly, the August 2022 Guidance requires banking organizations regulated by the Federal Reserve to notify their supervisory point of contact prior to crypto-asset-related activities and have in place adequate controls and systems around these activities. Further, banking organizations are instructed to provide notice of any crypto-asset-related activities currently engaged in by the banking organization. The August 2022 Guidance adopts a broad definition of crypto-asset-related activity and includes activities that involve the “facilitation” of customer purchases and sales of crypto-assets without explaining what constitutes “facilitation.”
In this Legal Update, we provide background on the regulation of crypto-asset-related activities by banking organizations, summarize the August 2022 Guidance, and discuss its implications for banking organizations.
On November 23, 2021, the federal banking regulators released a roadmap for a joint effort to clarify the legal authority for banking organizations to engage in crypto-related activities.2 It indicated that the federal regulators had determined that there are a number of issues surrounding banking organizations’ participation in crypto-related activities that warranted further supervisory guidance. Therefore, the regulators planned to release regulatory materials throughout 2022 that would provide (i) greater clarity on whether certain activities related to crypto-assets conducted by banking organizations are legally permissible and (ii) expectations for safety and soundness, consumer protection, and compliance with existing laws.
On the same day, the Office of the Comptroller of the Currency (“OCC”) separately pulled back its prior crypto-related interpretations by stating that an OCC-regulated bank may engage in the activities addressed in the earlier letters only if it “can demonstrate, to the satisfaction of its supervisory office, that it has controls in place to conduct the activity in a safe and sound manner.”3 The revised guidance went on to instruct OCC-regulated banks to notify their OCC supervisory office in writing prior to engaging in crypto-related activities and receive written non-objection from the agency. Subsequently the Federal Deposit Insurance Corporation (“FDIC”) released guidance instructing FDIC-regulated banks to notify the agency prior to engaging in any activities involving or related to crypto-assets.4 However, banking organizations regulated by the Federal Reserve were not covered by either the OCC or FDIC actions.
August 2022 Guidance
The August 2022 Guidance is similar to the earlier actions by the OCC and FDIC in that it establishes a prior notice requirement and emphasizes the need for robust risk management practices and compliance controls. It instructs banking organizations regulated by the Federal Reserve to notify their lead supervisory point of contact at the agency prior to engaging in any crypto-asset-related activity. Banking organizations that currently engage in crypto-asset-related activity also must promptly notify the Federal Reserve of this if they have not already done so. For these purposes, crypto-asset-related activity includes, but is not limited to, crypto-asset safekeeping and traditional custody services, ancillary custody services, facilitation of customer purchases and sales of crypto-assets, loans collateralized by crypto-assets, and issuance and distribution of stablecoins. This prior notification requirement runs counter to typical regulatory approaches to expansions of financial activities by banking organizations but is similar to the approach taken by the OCC and FDIC regarding crypto-related activities.5
Prior to engaging in a crypto-asset-related activity, a banking organization regulated by the Federal Reserve also must (i) assess the permissibility of the activity; (ii) determine whether any filings are required under applicable federal or state laws; and (iii) have in place adequate systems, risk management, and controls to conduct the activity in a safe and sound manner and consistent with all applicable laws.
The August 2022 Guidance does not explicitly state that any specific crypto-asset-related activity is permissible for a banking organization regulated by the Federal Reserve. Instead it indicates that a banking organization must analyze the permissibility of such activities under relevant state and federal laws and determine whether any filings are required under federal banking laws. For example, a bank holding company would need to analyze a proposed activity under section 4 of the Bank Holding Company Act of 1956, as amended, and the Federal Reserve’s Regulation Y. The August 2022 Guidance also encourages state member banks to consult with their state regulators regarding any state filings, notify their state regulator prior to engaging in any crypto-asset-related activity, and consider the application of the Federal Reserve’s change in business approval process to the activity. Regulators may second-guess permissibility determinations by banking organizations, and the August 2022 Guidance suggests that banking organizations consult with the Federal Reserve if they have questions regarding the permissibility of a crypto-asset-related activity.
If a crypto-asset-related activity is determined to be permissible, the August 2022 Guidance instructs banking organizations to put in place adequate systems, risk management, and controls. These measures should allow the organization to identify, measure, monitor, and control the risks associated with the activity on an ongoing basis and cover operational risk, financial risk, legal risk, compliance risk, and any other risk that is necessary to ensure the activity is conducted in a manner that is consistent with safe and sound banking and in compliance with applicable laws. The Federal Reserve explicitly calls out consumer protection, anti-money laundering and economic sanctions, cybersecurity, and financial stability laws as being applicable to crypto-asset-related activity. While all activities of a banking organization are subject to these risk management and compliance requirements, regulators often emphasize these obligations when they have concerns with how organizations are conducting particular activities.6 Therefore, banking organizations should expect heightened scrutiny from examiners and explicitly document how they are identifying, monitoring, measuring, and managing the risks and compliance issues associated with crypto-asset-related activities.
The August 2022 Guidance will require banking organizations engaged in crypto-asset-related activities to notify their Federal Reserve supervisors of their activities and will likely result in certain restrictions on these activities. Accordingly, as part of any such notice, banking organizations should be prepared to explain to their supervisors how they currently or will in the future manage the risks associated with their crypto-asset-related activities and otherwise address the management and compliance matters set forth in the August 2022 Guidance.
The August 2022 Guidance adopts a prior notice requirement for future crypto-asset-related activities that is similar to the earlier actions by the OCC and FDIC. A notice requirement arguably does not require an agency to approve a banking organization’s participation in a crypto-asset-related activity. However, notice requirements often can be as restrictive as an approval requirement if a regulator uses the notice as an opportunity to raise supervisory or legal concerns with the banking organization’s contemplated action. Accordingly, banking organizations should be prepared to address in any notice the risks, management, and compliance matters raised in the August 2022 Guidance and should expect a waiting period following the submission of the notice.
Lastly, the August 2022 Guidance illustrates the Biden administration’s reluctance to permit banking organizations to engage in crypto-asset-related activities without the enactment of a specific statutory regulatory scheme for crypto-asset markets. Although the administration has signaled its willingness to allow banking organizations to issue stablecoins in its negotiations over potential stablecoin legislation, financial regulators appointed by President Biden have expressed concerns about the risks of crypto-asset-related activities to banking organizations and have indicated that their restrictive approach has protected banking organizations from the recent volatility in crypto-asset markets.7 Therefore, for the foreseeable future, banking organizations will likely continue to face significant pushback from financial regulators on efforts to enter crypto-asset markets and to provide crypto-asset-related services to their customers.
1 Federal Reserve, SR 22-6 (Aug. 16, 2022), https://www.federalreserve.gov/supervisionreg/srletters/SR2206.htm.
2 Please see our Legal Update on the roadmap: https://www.mayerbrown.com/en/perspectives-events/publications/2021/11/us-banking-regulators-release-roadmap-for-cryptorelated-activities-by-banks.
3 OCC, Bull. 2021-57 (Nov. 23, 2021), https://occ.gov/news-issuances/bulletins/2021/bulletin-2021-57.html.
4 FDIC, FIL-16-2022 (Apr. 7, 2022), https://www.fdic.gov/news/financial-institution-letters/2022/fil22016.html.