Nebraska Bankers Association

COMPLIANCE UPDATE


December 5, 2025

Vol. XLII, No. 14

Crypto-Asset Safekeeping Risk-Management Considerations

I. Introduction
The federal banking agencies recently issued a joint statement on the risk-management considerations for banking organizations engaged in crypto-asset safekeeping. The joint statement addresses potential risk-management considerations under existing laws and regulations related to banks holding crypto-assets (i.e., controlling the cryptographic keys associated with the crypto-asset) on a customer's behalf in a fiduciary or non-fiduciary capacity. The joint statement reminds banking organizations to consider potential risks prior to engaging in a new activity such as safekeeping for crypto-assets and includes guidance on conducting an effective risk assessment related thereto.

The joint statement makes clear that it "discusses how existing laws, regulations, and risk-management principles apply to this activity, and does not create any new supervisory expectations." Since the banking agencies clarified that this joint statement does not create any new supervisory expectations, banking organizations can and should leverage existing guidance on supervisory expectations with respect to engaging in new activities, conducting risk assessments, effective third-party risk management, creating internal controls, and audit programs. Before engaging in this activity, a banking organization's board, management, and staff should have the requisite knowledge and expertise to establish adequate oversight and controls to perform the safekeeping activities in a safe and sound manner and in compliance with applicable laws.
II. General Risk Management Considerations
Safekeeping for crypto-assets entails controlling the cryptographic keys associated with the crypto-asset in a manner that complies with applicable laws and regulations. As with all new products, services, and activities, banking organizations should consider potential risks prior to offering crypto-asset safekeeping.

An effective risk assessment would consider such things as the banking organization's (1) core financial risks given the strategic direction and business model; (2) ability to understand a complex, evolving, and potentially unfamiliar asset class, including by keeping abreast of industry leading practices; (3) ability to ensure a strong control environment; and (4) contingency plans to address any unanticipated challenges in effectively providing services.

Given the complexities of crypto-asset safekeeping, a banking organization's board, officers, and employees should have the requisite knowledge and understanding of crypto-asset safekeeping services to establish adequate operational capacity and appropriate controls to conduct the activity in a safe and sound manner and in compliance with applicable laws and regulations.

A banking organization that is contemplating providing safekeeping for crypto-assets should consider the evolving nature of the crypto-asset market, including the technology underlying the crypto-assets, and implement a risk governance framework that appropriately adapts to relevant risks. Providing crypto-asset safekeeping services may entail significant resources and attention, such as developing or procuring new technology, establishing a strong control environment, and ensuring staff have appropriate technical expertise. In addition, crypto-assets may experience price volatility, which could affect the demand for safekeeping services and the value of assets held. Furthermore, rapid evolution in the market could affect the technology used to provide safekeeping services.

In addition, banking organizations should consider:
  • establishing practices for determining the specific crypto-assets for which it will provide safekeeping;
  • understanding any unique features of such crypto-assets that may require special solutions;
  • for each crypto-asset to be held in safekeeping, identifying the vulnerabilities and dependencies that could create material risks to the bank's safety and soundness;
  • for each crypto-asset to be held in safekeeping, "analyzing relevant technical, operational, strategic, market, legal, and compliance considerations...as well as staying apprised of material developments specifically related to supported crypto-assets and their underlying ledgers"; and
  • the potential risks associated with the different types of account models for safekeeping crypto-assets (e.g., omnibus versus separate accounts).
III. Cryptographic Key Management
One of the primary risks of crypto-asset safekeeping is the possible compromise or loss of cryptographic keys or other sensitive information that could result in the loss of crypto-assets or the unauthorized transfer of the crypto-assets out of the banking organization's control. In such cases, the banking organization faces the risk of being held liable for its customers' losses. Thus, effective safekeeping involves maintaining control of cryptographic keys and related sensitive information.

In general, a banking organization assumes "control" for purposes of safekeeping a crypto-asset when it can reasonably demonstrate, consistent with the standard of care established by applicable law, that no other party - including the customer - has access to information sufficient to unilaterally transfer the crypto-asset out of the control of the banking organization. To establish initial control of a crypto-asset, a banking organization will usually require the asset to be transferred to the banking organization on the asset's underlying distributed ledger. A banking organization would apply these same control standards to any sub-custodian used to perform crypto-asset safekeeping functions on the banking organization's behalf.

Additional risk management issues related to cryptographic key management may include the secure generation of cryptographic keys and contingency planning for lost or compromised keys. Effective risk management includes determining whether the banking organization's key management systems continue to be sufficient in light of technological developments, resulting in the need for ongoing and dynamic product development and risk management programs. This may result in additional investment in technology to provide continued service.

Given the virtual nature of crypto-assets, and the potentially increased operational risks associated with crypto-asset safekeeping, a banking organization's cybersecurity environment should be a key focus of risk management.
IV. Legal and Compliance Risk
Like all other banking activities, crypto-asset safekeeping relationships are subject to applicable Bank Secrecy Act/anti-money laundering (BSA/AML), countering the financing of terrorism (CFT), and Office of Foreign Assets Control (OFAC) requirements. These laws and regulations require banking organizations to verify customer identity, perform due diligence to understand the nature and purpose of the customer relationship, perform ongoing monitoring to identify and report suspicious activity, block transactions in accordance with OFAC sanctions, and follow the "Travel Rule." The design features of distributed ledger technology may present challenges for achieving or maintaining compliance with certain of these requirements if compliance depends on review of the identifying information (for example, name and address) related to a transaction. Before offering crypto-asset safekeeping, a banking organization should appropriately involve its BSA officer, board of directors (or designated committee), and senior management in assessing potential money laundering, terrorist financing, and other illicit financial activity risks.

Crypto-asset safekeeping may involve elevated levels of compliance and legal risks due to the evolving regulatory landscape. Banking organizations seeking to engage in these activities should ensure the activities are conducted consistent with all applicable laws and regulations. A well-written customer agreement, outlining clearly defined duties and responsibilities of the parties, is an important tool to manage the risks of crypto-asset safekeeping and may be used to address issues specific to this service, such as on-chain governance and voting, forks, airdrops, probabilistic settlement that may be characteristic of permissionless blockchains, the method of holding the assets (cold/hot/hybrid storage), the use of a sub-custodian(s), and the use of smart contracts.

Crypto-asset safekeeping activities present a risk that the customer could be misinformed of the banking organization's role in the arrangement. Banking organizations may be able to mitigate this risk by providing clear, accurate, and timely information to customers about their crypto-asset safekeeping activities, including the banking organization's role in any governance or other voting matter related to the crypto-asset. A banking organization providing crypto-asset safekeeping must follow applicable recordkeeping and reporting requirements. Evolving tax laws may also affect customer obligations in relation to crypto-asset safekeeping.
V. Third Party Risk Management
In certain circumstances, a banking organization may choose to contract with one or more third-party sub-custodians or other service providers (e.g., technology providers, cash management) to provide safekeeping for crypto-assets. A banking organization employing a sub-custodian for crypto-asset safekeeping should understand the benefits and risks associated with engaging sub-custodians, applicable laws and regulations, and relevant third-party risk management guidance.

Third-party risk management processes should be commensurate with the risk posed by the activity performed. Subject to the terms and conditions in the customer agreement, a banking organization is responsible for the activities performed by the sub-custodian. This responsibility includes decisions around selecting the crypto-assets for which custodian services will be provided, even if the sub-custodian assists in analyzing the crypto-assets and their underlying ledgers on the banking organization's behalf. Conducting due diligence before selection of a sub-custodian is an important part of sound risk management, and includes evaluating the effectiveness of the sub-custodian's cryptographic key-management solution, including policies, processes, and internal controls, as well as its adherence to standard safekeeping risk management practices. Appropriate risk management may include analyzing the potential treatment of customer assets held at the sub-custodian in the event of insolvency or operational disruptions and evaluating the appropriateness of the sub-custodian's risk management and recordkeeping practices.

A banking organization that opts to provide crypto-asset safekeeping directly without using a sub-custodian may still choose to use third parties in other ways, including through the use of third-party technology. Effective risk management of third-party technology in this context will generally include weighing the risks of purchasing third-party software or hardware versus maintaining such software or hardware as a service.
VI. Audit
Audit programs are essential to effective risk management and internal control systems. As such, a banking organization's audit program should provide appropriate coverage over the banking organization's crypto-asset safekeeping activities, including third-party risk management as applicable. A crypto-asset safekeeping audit should address the nuances of crypto-assets, including an assessment of cryptographic key generation, storage, and deletion; controls related to transfer and settlement of customer assets; and the sufficiency of relevant information technology systems. Audits may assess management and staff expertise, including the ability to identify and control the unique risks associated with crypto-asset products and services, as well as the implementation of safekeeping controls. When audit expertise does not exist within the banking organization, management should engage appropriate external resources, with sufficient independence, to assess crypto-asset safekeeping operations.

The foregoing Compliance Update is for informational purposes only and does not constitute legal advice. As a reminder, the NBA general counsel is the attorney for the Nebraska Bankers Association, not its member banks. The general counsel is available to assist members with finding resources to help answer their questions. However, for specific legal advice about specific situations, members must consult and retain their own attorney.
