(Published in ABA Bank Compliance magazine, Nov/Dec 2020 issue)
While investors and practitioners grappling with virtual currency compliance have gradually seen increased tax and other regulatory guidance over time, there had been little or no guidance from federal bank and financial institution regulators with respect to virtual currency custody issues. However, the release by the Office of the Comptroller of the Currency (OCC) of Interpretive Letter #1170 (the Letter) on July 22, 2020, permitted OCC-regulated banks to provide custody services for virtual assets, provided other conditions specified in the Letter were met.
Regulators tend to tread cautiously when issuing guidance that encompasses new technologies, and virtual currencies have been no exception. The Letter, however, demonstrates an in-depth understanding of how virtual currencies function and clearly delineates both the benefits and the potential challenges virtual currency might create in the traditional banking system. Custody services provided by traditional national banks could impute these institutions’ legitimacy, trust and easy access with their customers to virtual currencies that are so custodied.
Regulatory endorsements, such as the Letter, seem likely to broaden the pool of virtual currency investors to investors who prefer to access virtual currency markets through existing banking relationships as well as large institutional investors with much more rigorous custody requirements.[i] Indeed, the increased air of legitimacy provided by large banks is warranted; most virtual currency exchanges today are either offshore or organized as trust companies, generally under significantly less regulatory scrutiny than banks.
The duty of safeguarding money and property represents a basic, core banking function. Historically these services have involved the safekeeping of physical assets. Such custody arrangements typically involved safe deposit boxes and other special types of deposits; more recently, such services have also encompassed the safekeeping of intangible assets that necessitated the escrow of encryption keys, secure storage of electronic documents, and safekeeping of other purely electronic items. In addition to these traditional custody services, banks generally provide a suite of corollary services such as trade settlement, pricing, and assorted recordkeeping services, among others.
The Letter concludes that, under existing OCC guidance and interpretation, national banks are unequivocally permitted to custody virtual assets.[ii] Indeed, the Letter explicitly states that the “OCC generally has not prohibited banks from providing custody services for any particular type of asset,” including electronic assets (given that certain capability and legality questions are satisfied). These custody services are permissible for banks to offer, either as fiduciary or non-fiduciary, through either traditional or electronic means.
This conclusion is a direct result of a synthesized application of prior OCC guidance covering various issues, including the custody of digital certificates. Banks are permitted to escrow encryption keys for such digital certificates only if their technological solutions are sufficient to guarantee the digital keys’ safety. While the challenges presented by virtual currency custody are in some ways novel, in other ways they are readily analogous to custody of such encryption keys.[iii] Because existing digital key escrow services are functionally equivalent to physical custody, the OCC will apply broadly similar authorization to custody of virtual currencies. This implies that a host of specific, existing regulatory requirements will be imported into virtual currency custody analysis, such as the specific new asset risk management framework outlined in OCC Bulletin 2017-43. However, custody of virtual currency assets may require new, unique solutions unnecessary for other asset types.
Furthermore, the application of existing custody practices or any new, unique solutions must remain in compliance with not only the applicable OCC guidance, but any applicable state law or other statutory and regulatory requirements. These requirements might include, for example, state banking laws (or other applicable state laws) and any other specific legal or contractual framework governing the relationship between the custodian and the owner. If the virtual asset is a security, other relevant considerations may include securities law custodial requirements.[iv]
The Letter makes clear that the OCC expects national banks and federal savings associations to conduct all their business in compliance with applicable federal and state laws, OCC guidance, and other regulatory or contractual requirements. Traditional “banking” activities, such as lending, deposit and payment services, are already subject to numerous established federal and state laws and regulations that continue to evolve in the age of technological advancements. In addition, many U.S. jurisdictions have already adopted or proposed laws and regulations that specifically relate to virtual currencies or other intangible digital assets.
The OCC cites Blockchain & Cryptocurrency: State Law Roundup, by Dale Werts and Lathrop GPM, a 2019 report on recent legislative developments dealing with emerging technologies (www.jdsupra.com/legalnews/blockchain-cryptocurrency-state-law-59816/). Wyoming, for example, has enacted digital asset legislation (effective July 1, 2019) that applies to cryptocurrency assets. Recent amendments to Wyoming’s Uniform Commercial Code expressly let banks provide digital asset custodial services and address other issues, such as security interests in digital assets and perfecting those security interests. Several other states have adopted laws dealing with treatment of virtual currency under their applicable money transmitter and securities laws and regulations. Financial institutions must be aware of continued developments and remaining uncertainty in the legal and regulatory framework concerning virtual currencies.
Virtual custody solutions also are tested appropriately against standards for existing practices. The Letter lists a variety of these requirements, such as dual controls, accounting controls, segregation of duties, settlement concerns, and physical access controls, among others. The list is deliberately non-exhaustive, noting that applicable controls must be “tailored in the context of digital custody.”
The Letter closes with two specific, targeted notes. First, it stresses the importance of compliance with anti-money laundering (AML) rules when entering into this space. The Letter is clear that bank custody of virtual currency assets will explicitly be subject to the same AML regulatory framework and due diligence requirements as with any other banked asset. Second, the Letter specifies any bank seeking to expand into cryptocurrency custody should have appropriate data security in place. In addition, the bank should consult with the OCC before undertaking cryptocurrency activities.
Potential impact of the guidance
The guidance set forth in the Letter is key for several reasons. First and foremost, it provides unambiguous confirmation that national banks have the legal capacity to provide virtual currency custody services, although various requirements must be satisfied. Furthermore, the Letter states that there is a growing need for custody services in the expanding virtual currency markets and suggests that “banks may offer more secure storage services compared to existing options.” The letter further suggests that investment advisors “may wish to utilize national banks as custodians for the managed assets.”
Existing virtual currency custody solutions may be perceived as generally being subject to far less rigorous regulatory controls than national banks. Although rare, failures in procedure or bad actors have caused catastrophic losses for customers, such as the losses from the 2014 failure of the Mt. Gox bitcoin exchange that were valued at nearly half a billion dollars at the time. The Letter states, in part, that bank custody facilitates the flow of funds and provides important financial risk management.
Coupled with this recognition of increasing demand, the Letter also demonstrates a thorough understanding of the technological challenges presented by virtual currency custody. Traditional assets, even digital ones, do not require the same protections as virtual assets, either in kind or in depth. Unlike more traditional assets, it is impossible to effect (or undo) transfers of most virtual currencies without a unique access code referred to as the “private key.” As noted in the Letter, banks already escrow certain encryption keys; this digital safekeeping capacity should logically extend to virtual currencies.
The Letter also demonstrates OCC recognition that as technology changes, the compliance rules governing the most basic and traditional of bank functions (keeping its customers’ assets safe) are also able to adapt and change. The OCC did not issue new rules to reach its conclusion; instead, it relied on interpreting existing rules to note that virtual currency custodial services are, in the end, “a modern form of these traditional bank activities.”
The custody of virtual currencies by national banks may prove to be a critical step in the expansion of the virtual currency markets in the United States. For example, as noted above, custodial services by traditional banks may provide investment advisors a direct track to investment in virtual currency. Similarly, the fact that the Letter relies on existing guidance may serve as a pathway to authorization of a more comprehensive suite of virtual currency services, such as virtual currency payment processing or lending.[v]
Steps for compliance
Compliance personnel, especially those providing information about the Letter to colleagues, should keep in mind that the Letter provides significant guidance concerning steps to take before offering virtual currency custody services. First, the Letter notes that banks should open a discussion with the OCC about their plans and controls prior to offering such services. Banks are familiar with the potential costs associated with even minor regulatory compliance violations, so requiring this sort of pre-offering conference to ensure initial understanding between the bank and the OCC seems reasonable.
Similarly, since national banks and federal thrifts must comply with existing OCC regulatory guidance, risk management principles and anti-money laundering rules will apply to virtual currency custody initiatives, such as those outlined in OCC Bulletin 2017-43. Certain other controls emphasized by the letter include thorough analysis of all systems impacting the bank’s custody services, including protections such as dual controls, segregation of duties, and strict separation of assets held in custody. Transaction settlement procedures, physical access controls, and other security issues also may need to be reexamined through the lens of virtual currency issues. And the custody of virtual currencies raises new issues concerning the tracking of virtual currency “forks” or similar events that banks should consider.[vi]
Moreover, in most circumstances, national banks acting in a non-fiduciary capacity would provide safekeeping (but not management) for the cryptographic key that allows for control and transfer of the customer’s cryptocurrency. In this context, the bank is essentially just taking possession of the access keys to the cryptocurrency. In contrast, a national bank with trust powers holding cryptocurrencies in fiduciary capacity would have the authority to manage them in the same way they manage other assets they hold as fiduciaries. Of course, this also means that those acting in a fiduciary capacity remain subject to heightened standards of care and will need to manage the virtual assets in the best interest of the principal.
One of the great unknowns is that there remains a level of uncertainty about how enthusiastic core virtual currency advocates will prove to be about interacting with banks. One stated reason for the creation of Bitcoin was a lingering distrust of the centralized financial system following 2008; virtual currency enthusiasts remain extremely privacy-focused. While bank custody of virtual assets is likely to provide additional security, the perception of increased regulatory burden may work against banks to some degree, at least for core virtual currency enthusiasts.
As it was issued by the OCC, the Letter is unable to answer one key question: While this guidance is applicable to national banks, will the FDIC issue guidance with respect to banks chartered under the various state laws? And what steps will other regulators take?
Overall, the Letter is an important development that should facilitate the custody of virtual currencies by national banks and other financial institutions regulated by the OCC. Although it frames additional requirements that eligible banks must meet, including compliance with controls and procedures under the Letter and related OCC guidance, as well as other applicable federal and state laws, it is a favorable development for banks, retail and institutional customers and the virtual currency market.
[i] One week before the Letter, on July 15th, 2020, one Bitcoin was worth approximately $9,200 USD. By a week after the Letter, on July 29th, one Bitcoin was worth over $11,000 USD, per coinmarketcap.com. While prices are always a combination of numerous market forces, the Letter almost certainly played some role in this increase.
[ii] Letter at 7, “Providing custody services for cryptocurrency falls within these longstanding authorities to engage in safekeeping and custody activities. As discussed below, this is a permissible form of a traditional banking activity that national banks are authorized to perform…”
[iii] Letter at 8. “Rather, a bank “holding” digital currencies on behalf of a customer is actually taking possession of the cryptographic access keys…”
[iv] See, e.g., Andrew Shipe, Custody of Blockchain Securities Under the Federal Securities Laws, 21 FinTech Law Rep. 4, 5 (July/Aug. 2018).
[v] See Letter at 8 listing such potential additional services as including “services such as facilitating the customer’s cryptocurrency and fiat currency exchange transactions, transaction settlement, trade execution, recording keeping, valuation, tax services, reporting, or other appropriate services.”
[vi] Note discussion in Note 45 of the Letter which provides in relevant part: “The handling, treatment, and servicing of cryptocurrencies held in custody may raise unique issues that should be addressed in the agreement, such as (for example) the treatment of “forks” or splits in the code underlying the cryptocurrency being held.”