By Jonah Crane and Patrick Haggerty
Last week, the FDIC issued new guidance instructing all FDIC-supervised institutions to notify their Regional Office if they plan to engage in, or currently engage in, any activities “involving or related to crypto assets.” The guidance is similar to a letter issued by the OCC late last year requiring federally chartered banks to obtain written non-objection from their supervisory office before engaging in digital asset activities. The FDIC and OCC have now erected a regulatory gate that all banks under their supervision must pass through in order to offer crypto-related products or services. In practice, this will operate as a de facto licensing requirement.
What does this mean for banks that want to engage in crypto-related activities?
Taken together, these actions make clear that any bank planning to engage in crypto activities must be prepared to proactively demonstrate to their examiners that they understand the incremental risks and will manage them effectively. Banks already engaged in crypto-related activities that have not already done so should revisit their change management processes and documentation to ensure they have comprehensively identified and mitigated risks. The agencies have made it known that the bar is higher for these activities than other new initiatives, so it will require careful planning to prepare for supervisory review.
Banks should treat the notification process more like a regulatory application that will receive heightened scrutiny, akin in some respects to chartering a new bank or acquiring a subsidiary engaged in a novel or high-risk business. Banks will need to build a compelling case for non-objection, including by developing a written business plan that demonstrates a comprehensive understanding of risks and includes plans to implement appropriate controls. A generic risk assessment will not suffice. Specialized performance metrics, risk limits, policies, and governance processes will likely be required. Management also must work closely with the board of directors to provide the appropriate level of information at the right time and solicit effective challenge and approvals.
What risks are regulators focused on and what can banks do to mitigate these risks?
For the most part, regulators are focused on risks that banks are already responsible for managing and understand well. For example:
Financial Crimes - Banks can limit their BSA/AML and sanctions compliance risks by carefully considering which products to offer, and how to structure those offerings. Most residual financial crime risks can be addressed using the same controls that are typically used in bank BSA/AML and sanctions compliance programs. However, regulators have placed great emphasis on these specific risks when it comes to crypto and will expect banks to pay commensurate attention.
Third-Party Risk Management - Banks offering crypto-related products and services will almost invariably rely on third-party partners to undertake execution, custody, technology integration and a variety of other critical roles. As a result, demonstrating knowledge of the risks posed by those third parties’ activities and effective third-party selection, due diligence, contracting, and oversight will be mission critical.
Cybersecurity and InfoSec - Given the digitally native characteristics of crypto and the nascency of blockchain architectures, it is not surprising that regulators have emphasized IT risk as a key area of focus. The continued proliferation of high-profile hacks and compromises of crypto environments underscores the need for strong controls to maintain the security and availability of information systems. Fortunately, there are a growing number of experts in this field and best practices are already emerging.
Consumer Protection - Regulators have consistently cited concerns that consumers may not understand the risks of engaging with crypto assets. Banks will be expected to take steps to educate customers about the speculative nature and volatility of crypto assets and clearly distinguish such products from insured deposits. On this point, banks may consider the agencies’ long-standing guidance on retail sales of nondeposit investment products as well as more recently developed disclosure requirements under New York’s BitLicense rules. Management will need to work closely with compliance and legal to adapt disclosures, marketing materials, customer service scripts, and aspects of the bank’s CMS program to account for consumer protection risks unique to crypto.
Banks contemplating new crypto-related activities should consider a phased approach. They can begin by offering crypto services with lower inherent risks, such as closed loop payment activities or buy-sell-hold investment options. This approach can minimize exposure to BSA/AML and other high-risk areas as the bank gains experience and regulatory expectations become clearer.
What about banks that aren’t supervised directly by the FDIC or the OCC?
Although the Federal Reserve and NCUA have not issued similar directives, we expect them to apply similar standards to organizations they supervise. The same is true for most state banking agencies, which often also have statutory requirements to provide notice before engaging in novel activities (e.g., exercising incidental authorities under a state “wild card” statute). Regardless of whether a particular agency has issued a formal requirement for prior consultation, it is almost never advisable for a bank to surprise its examiners with a high-risk activity after it launches.
Regulators are keenly aware of the growing demand for crypto-related products and services and they understand the important role banks can play in meeting that demand. However, they have been of two minds about bringing these activities within the banking system. On the one hand, they believe risky activities should be brought within the regulatory perimeter; on the other, they have erected regulatory roadblocks for banks that want to engage in these activities. Reconciling this tension will require banks to proactively develop risk management programs designed to address regulators’ concerns, and will require regulators to resist the temptation to just say no.
Federally regulated banks have in general been slow to move into crypto, in no small part due to this regulatory uncertainty. However, there is clear legal authority for banks to offer these services today. If they can prove to their regulator that they understand and are prepared to manage risks, they should be permitted to do so. This will require careful and deliberate planning but also presents opportunities for well-managed, forward-leaning banks to move ahead of the competition. The federal banking agencies have jointly developed a “crypto-asset roadmap” that they will implement throughout 2022 in an effort to provide greater clarity on a range of legal and regulatory issues, which will likely hasten adoption among traditional financial institutions. For banks that want to meet the growing demand from their customers and respond to market competition, the time to act is now.