Understanding the True Scope of a Financial Firm’s Exposure to Crypto

With crypto winter fully upon us, most regulated financial institutions understand that if they want to engage directly in cryptocurrencies—i.e., operating exchanges, providing custody services, issuing tokens—they may have to obtain approval from a US state or federal regulator. Indeed, the New York Department of Financial Services (“NYDFS”) recently announced that any NY-regulated entity must submit a business plan 90 days before getting involved in certain specified crypto activities. (For more on that, read our coverage of the NYDFS guidance and takeaways).

But the ongoing fallout from bankruptcies of prominent crypto firms such as FTX, BlockFi, Voyager Digital, and Celsius Network has brought into focus a new set of crypto-related risks for financial institutions to consider. For example, on December 7, 2022, in letters sent to the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency, Senators Elizabeth Warren and Tina Smith raised concerns that “crypto firms may have closer ties to the banking system than previously understood.” Concerned with possible contagion from future firm collapses, the letter highlights exposure by traditional banks to the crypto system beyond handling crypto itself, including investments by crypto firms and making loans to crypto ventures or in connection with margin trading. (These risks are, of course, in addition to other risks that come along with any financial institution doing business with a company accused of impropriety, including litigation by private plaintiffs.) According to the letters, these activities raise possible safety and soundness concerns, and the senators asked the regulators for a range of information regarding the crypto and crypto-related activities of institutions under supervision.

This focus on potential crypto contagion likely will persist. Given the high profile of the FTX collapse, financial institutions should expect that regulators—both federal and state—will continue their close look at the crypto industry, potentially looking beyond actual crypto services and into the sorts of second-order connections highlighted in the Warren-Smith letter, as regulators are doing with respect to bank partnerships with fintechs in pandemic-related programs such as the Paycheck Protection Program. As with any regulator priority, firms should consider whether to get ahead of their regulators and investigate their own ties to crypto firms, a process similar to the data mapping many companies did to prepare for implementation of the EU’s GDPR. In addition to understanding your own business risks, an already-made analysis can help build confidence with long-term regulators that your financial institution is on top of this area of recent focus.