The Custody of Cryptocurrencies: OCC Opens the Door for Banks to Take Part in the Fintech World

In 2017, journalist Nick Ortega chronicled the story of how his house-cleaning service threw away a slip of orange paper with the private key to his cryptocurrency funds scribbled on it, costing him $30,000. A private key is an alphanumeric cryptographic code, which is the only way for a user to access his cryptocurrency. A cryptocurrency user is generally given both a public and a private key to receive and send cryptocurrency. The public key is created from the private key by a complicated mathematical algorithm, and is where the funds are deposited or received, like a mailbox. Therefore, when Mr. Ortega’s house cleaners threw away his private key, they threw away his only means of access to his cryptocurrency.

Currently, there are two methods of storing these keys that are alternatives to simply writing it down on a slip of paper— “hot” and “cold” wallets.[i] A cryptocurrency “wallet” is a method of “storing” cryptocurrency by storing the private key necessary to access a user’s cryptocurrency. The need for secure private key storage is not limited to individual consumers; large cryptocurrency investment advisors may also want a safe place to securely store the cryptocurrency funds they manage.

On July 22, 2020, the Office of the Comptroller of the Currency (“OCC”) issued guidance in Interpretive Letter #1170, stating that national banks and Federal Savings Associations (“FSAs”) could “provide [] cryptocurrency custody services on behalf of customers, including by holding the unique cryptographic keys associated with cryptocurrency.”[ii] The then-Acting Comptroller of the OCC, Brian Brooks, previously served as the Chief Legal Officer of Coinbase, the largest US-based cryptocurrency exchange. Brooks’ short tenure as Comptroller was defined by an almost single-minded pursuit of bringing the cryptocurrency sector into the mainstream of financial services, as evidenced by new guidance clarifying the ability of national banks to hold stablecoin reserves and participate in independent node verification networks (“INVN” AKA Blockchain Networks) as well as an attempt to launch a new “crypto bank charter.”

Cryptocurrencies exist in digital form on a distributed ledge – meaning they have no physical representation – and are accessed via hot” or “cold” wallets. Therefore, it is fair to ask: Has the OCC overstepped its role as regulatory gatekeeper of the “business of banking” in expanding banks’ custody function to include cryptocurrency?

“The Business of Banking”

Federally chartered banks in the United States may only conduct activities that are permissible under the National Bank Act of 1863 (“NBA”).[iii] Under Section 24(Seventh), national banks are conferred with the following authority, known as the “bank powers clause”:

To exercise by its board of directors or duly authorized officers or agents, subject to law, all such incidental powers as shall be necessary to carry on the business of banking; by discounting and negotiating promissory notes, drafts, bills of exchange, and other evidences of debt; by receiving deposits; by buying and selling exchange, coin, and bullion; by loaning money on personal security; and by obtaining, issuing, and circulating notes according to the provisions of title 62 of the Revised Statutes.

The “business of banking” is typically the starting point for defining the scope of permissible banking activities. The current view of the “bank powers clause” separates the “business of banking” from the five enumerated powers, which are simply examples of the possible types of business activities included within the phrase “business of banking,” and provides that the OCC has ongoing discretion to decide what else falls within banks’ powers.[iv]  Under VALIC, the Supreme Court held that permissible activities may be “incidental” to the business of banking.[v] This decision, coupled with the significant deference allowed to executive agencies under Chevron provides the Comptroller with a significant amount of power to proclaim that activities fall within the “business of banking.”[vi] As former OCC Chief Counsel, Julie Williams noted, VALIC had the persistent effect of “contort[ing] interpretation of the scope of the incidental powers clause” because the OCC’s only restraint is to stay within “reasonable bounds”—a standard that is vague at best.[vii]

In fact, Chevron-deference, coupled with the vague VALIC standard, increasingly allowed the OCC to generalize and abstractly present proposed activities since the 1980’s.[viii] The OCC would find a new activity “functionally equivalent” to previously approved activities, and therefore allowable within, or a functional equivalent of, the “business of banking.” This allowed the OCC to “bootstrap” proposed activity B, to previously approved permissible activity A, without a full accounting of the risks. After VALIC in 1995, bootstrapping became conditioned on banks’ ability to engage in the proposed activities in a ‘safe and sound’ manner. As seen with Interpretive Letter #1170, this condition did little to curtail the OCC’s bootstrapping and broad risk associations.

Safekeeping and Custodial Services as part of the “Business of Banking”

Safekeeping and custodial services have long been offered by national banks for various customer assets, both physical and electronic. Traditionally banks provided safe deposit boxes for physical object storage, including valuables such as bullion.[ix] And since the 19th century, courts have explicitly stated that banks may engage in the safe-deposit business.[x] Yet, because there is no regulation governing such safekeeping activities, the objects being safely kept are not always “safe.”

Eventually, banks’ function as safe-keepers evolved into banks’ “custodial services” capacity, which the OCC describes in Interpretive Letter #1170 as “a broader term that may involve all aspects of bank services performed for customers in relation to items they are holding for them (i.e., processing, settlement, fund administration).” Over time, the concepts of safekeeping and custody evolved with the digital era.


As the world moved from physical to electronic goods and services, so did banks. In OCC Conditional Approval 267 (1998) and OCC Conditional Approval 479 (2001), the OCC found that the escrow of electronic encryption keys and secure-web based document storage were both permissible safekeeping activities for national banks, incidental to the business of banking. In Conditional Approval 267, the OCC explicitly allowed the certification authority (CA) to hold in escrow keys that would allow for a lost or abused private encryption key to be recovered, with the exception that “the company w[ould] not hold in escrow private keys used to create digital signatures.” Under a VALIC analysis, the OCC specifically noted that national banks already developed expertise in safeguarding this particular type of asset because they did so for their own encryption keys. Likewise, in Conditional Approval #479, the approval was limited to “storage, access, and retrieval,” and banks’ could “not process or manipulate the” stored information. Neither of these guidance decisions granted the subsidiaries fiduciary powers over the stored data.[xi]

The OCC utilized the “transparency doctrine” or “look-through approach” to reach these decisions, which was codified in 2002 in 12 C.F.R. § 7.5002(a). Under this analytical approach, the OCC ignores the means of a product’s delivery, and instead focuses on whether a national bank has the authority to offer the underlying product or service. In essence, these decisions directly expanded safekeeping (i.e., holding onto an asset) from physical to electronic objects.

Custodial Services

Custodial services developed from other recognized safekeeping and settlement services, and are viewed, often in conjunction with the delivery of fiduciary services, as permissible under 12 U.S.C. § 24 (Seventh).[xii] In the OCC’s Custody Services Handbook, the OCC describes custody services as an asset management service, done by contractual arrangement. The core custody services that banks typically provide are “settl[ing] trades, invest[ing] cash balances as directed, collect[ing] income, process[ing] corporate actions, pric[ing] securities positions, and provid[ing] recordkeeping and reporting services.” Recognized custodial services also include multiple types of assets that transfer electronically, provided that the bank can capably hold the assets in compliance with federal requirements and regulations and the assets are not illegal. The OCC’s Custody Services Handbook further provides that “[n]ational banks may hold assets off-premises if they maintain adequate safeguards and controls.” Assets may be “Unique and Hard-to-Value Assets”—such “assets include, real estate, closely held businesses, mineral interests, loans and notes, life insurance, tangible assets, and collectibles.” Like with safekeeping, the assets themselves may or may not be regulated.

Bank Custodian’s Current Function in the Global Financial System

Custodial services have evolved to be a critical part of global financial markets, in particular the securities markets. According to the Clearing House, custodial services can be separated into multiple buckets—safekeeping, asset servicing, transaction processing and settlement, and banking services. “Safekeeping” custodial services require holding client accounts. There are generally two types of client accounts: (1) cash deposits held by institutional investor clients and (2) securities accounts. While securities accounts do not represent liabilities on custodians’ balance sheet because the clients retain the rights to these accounts, the cash accounts do represent liabilities like any regular cash deposit. “Asset servicing” by bank custodians requires a bank to provide income, tax, corporate action, securities valuation, and reporting services on a client’s securities account. Custodians also provide transaction processing and settlement, and finally banking services.

Bank custodians act as the intermediary between a client that invests (traditionally in securities), and the financial market utilities that provide the financial market infrastructure to settle and clear transactions. Like with custodial services for securities investors, potential cryptocurrency custody clients are varied (including crypto-investment advisors like Grayscale or wealthy individuals and families). Regardless, the custodial client makes all investment decisions regarding the assets. Custodians therefore act as just one tier in the securities system, which helps to facilitate efficient and diversified access to financial market utilities.

Current Risks to Bank Custodians

The arms-length nature of custodial services diminishes the risks to banks, but the Clearing House details how custodial services are not a completely risk-free enterprise. Looking at a custodian’s balance sheet, which is separate from the bank’s main balance sheet, custodial revenue comes from fees on the services provided, and the rest of their income generally comes from net interest. The custodial balance sheet is generally liability driven by cash deposits. Though custody services do not require the same maturity transformation that banks do, custodians will still engage in short-term lending activities, generally to facilitate trade settlement, which may expose the custodian to limited operational, liquidity, credit, and market risk. For securities custodians, operational risk is largely well-managed and understood because of banks’ other securities activities. The limited credit risk exposure occurs when overnight and intraday credit is extended to facilitate settlement of transactions and when there is an agreement to indemnify clients on the securities lending programs offered through the custodians against certain losses. The market risk that custodians are exposed to is generally limited because it is not related to the assets in custody – which goes to the owner of those assets – but rather to the nearly immaterial risk associated with trading assets and liabilities. Lastly, custodians are exposed to liquidity risk due to intraday maturity mismatches, which is generally managed by the custodian retaining highly liquid assets. These risks may be amplified by the volatile and highly technical nature of cryptocurrency.

The OCC Slides Into Fintech Territory

The guidance in Interpretive Letter #1170 (the Letter) provides that national banks and federal savings associations may provide custody services for cryptocurrencies and digital assets. The Letter explicitly notes that “national banks may provide permissible banking services to any lawful business they choose, including cryptocurrency businesses,” presenting the decision as a natural expansion or “modern form” of banks’ safekeeping and custodial capacities. The Letter indicates that banks may offer custodial services for cryptocurrency because (i) the new custodial services represent an “electronic corollary” to the escrow of encryption keys safekeeping-function, which were accepted as functional equivalent to banks’ physical safekeeping services, and (ii) custody naturally follows both as an expansion of banks’ safekeeping function and because the OCC has previously allowed custody services for electronically transferable assets.

The OCC posits that these cryptocurrency custody services are in demand because private cryptographic keys are irreplaceable if lost, banks are more secure than existing wallet options, and crypto-investment advisors may want to access banks as custodians.  The OCC believes that banks need to “leverage new technology and innovative ways to provide traditional services on behalf of customers” to successfully fulfil their function as financial intermediaries.

The guidance asserts, via footnote, that under 12 CFR 7.5002(a) the OCC may determine the permissible activities that “[a] national bank may perform, provide, or deliver through electronic means and facilities any activity, function, product, or service that it is otherwise authorized to perform, provide, or deliver . . ..” This provision rests on the “transparency doctrine,” otherwise known as the “look-through approach,” whereby the OCC ignores the means of a product’s delivery, and instead focuses on whether a national bank has the authority to offer the underlying product or service.  Under this authority, the OCC finds that national banks are permitted to provide custody of cryptocurrency because national banks are permitted to provide the same safekeeping and custody services available for physical assets “via electronic means.” The issue remains whether the jump to cryptocurrency asset custody is a “functional equivalent” or logical outgrowth of banks’ recognized electronic safekeeping or custodial services. In its discussion, the OCC lays out how (1) banks may hold cryptographic keys in safekeeping as an electronic safekeeping activity, and that (2) banks may provide custodial services for cryptocurrency in either a fiduciary, or non-fiduciary capacity.

The Safekeeping of Cryptocurrency Keys

The OCC guidance provides that the safekeeping of the electronic access key (private cryptographic key) for cryptocurrency assets is an “electronic corollary” of traditional safekeeping. “[T]raditional safekeeping” refers to the OCC’s extension of physical safekeeping to electronic safekeeping in Conditional Approval #267 (escrow of digital encryption keys) and Conditional Approval #479 (secure web-based document storage). Yet there are differences between the previous grants of authority and cryptocurrency custody that the OCC fails to highlight.

First, Conditional Approval #267 was granted only for key recovery safekeeping. The OCC explicitly noted that “the company will not hold in escrow private keys used to create digital signatures.”  And Conditional Approval #479 stipulated that the subsidiary company could “not process or manipulate” stored information. In contrast, in Interpretive Letter #1170, the OCC failed to distinguish between “active” and “inactive” safekeeping of private keys for cryptocurrency. The private key(s) held in bank safekeeping may have multiple copies elsewhere that are in active use, and the OCC made no distinction nor provided any guidance on what measures banks must take to ensure that these keys (or any potential copies) are safe. If it is anything like millions of dollars’ worth of watches that mysteriously disappeared from a Wells Fargo safe deposit box, this “safekeeping” is not remotely “safe.” For example, if a customer’s private key is lost or stolen while in safekeeping, there is no guarantee that the customer will get those funds back because safekeeping is not strictly regulated. Likewise, if there are multiple copies of the customer’s key, the customer may try to hold the bank liable if their cryptocurrency is “stolen”, and it may be difficult to discern where the hack or breach occurred.

The OCC’s Analysis

The OCC utilized the “look-through” approach, or “transparency doctrine” and “looked-through” to claim that the transition to private keys for cryptocurrency was largely in line with previous guidance because banks were previously authorized to offer safekeeping for other electronic valuables including private encryption keys and documents.  But the OCC bypassed the need for a “functional equivalency” analysis directly linking cryptocurrency safekeeping to the “business of banking” by utilizing the same generalization tactic that was used to expand derivatives banking activities before the Global Financial Crisis. The guidance broadly asserts that safekeeping for cryptographic cryptocurrency keys is an “electronic corollary” of previously approved electronic safekeeping activities and is therefore permissible. This contrasts with the analysis in Conditional Approval #267, which rested upon the “functional equivalency” theory (i.e., the purpose of the encryption keys, identity certification, was a functional equivalent “of notary and other authentication services already provided by banks”). Still, the safekeeping expansion, whether for “active” or “inactive” private keys, is unlikely to be deemed an inappropriate expansion of banks’ safekeeping powers due to Chevron deference provided to the Comptroller’s decisions. However, a future Comptroller can rescind or amend the guidance within Interpretive Letter #1170.

The Custody of Cryptocurrency

Interpretive Letter #1170 provides that:

Providing such [custodial] services is permissible in both non-fiduciary and fiduciary capacities. A bank that provides custody for cryptocurrency in a non-fiduciary capacity would essentially provide safekeeping for the cryptographic key that allows for control and transfer of the customer’s cryptocurrency. In most, if not all, circumstances, providing custody for cryptocurrency will not entail any physical possession of the cryptocurrency. Rather, a bank “holding” digital currencies on behalf of a customer is actually taking possession of the cryptographic access keys to that unit of cryptocurrency. . .. Holding the cryptographic access key to a unit of cryptocurrency is an electronic corollary of these traditional safekeeping activities.

Banks that engage in custodial cryptocurrency services may provide a wide range of services for their customers. For example, banks may generate new keys for customers, or “facilitate[e] the customer’s cryptocurrency and fiat currency exchange transactions, transaction settlement, trade execution, recording keeping, valuation, tax services, reporting, or other appropriate services.” This breadth of services may be provided in a fiduciary or non-fiduciary capacity; in a fiduciary relationship, bank-custodians would have higher standards of care, and could actively manage the assets in custody like banks may manage assets as a trustee, receiver, or investment advisor.

The OCC suggests that the expanded custodial services neatly fit into the category of “unique and hard to value assets,” but the OCC Handbook on Unique and Hard-to-Value Assets provides that these assets include “real estate, closely held businesses, mineral interests, loans and notes, life insurance, tangible assets, and collectibles.” The difference between these enumerated assets and cryptocurrency is not merely that cryptocurrency is more complicated, or “hard-to-value,” but rather the assets listed above differ from crypto in their very essence. Bitcoin’s express intent, per Satoshi’s white paper, is to be a non-sovereign currency that bypasses third-party intermediaries—notoriously, banks. On the other hand, other “hard-to-value” assets are denominated in fiat currency and thus already rely upon, or easily fit into the structure of, banks as third-party intermediaries.

Here, the OCC fails to address the fact that the core of the ideology undermining cryptocurrency is in direct contrast to the stated purpose of the OCC, which is “charter[ing], regulat[ing], and supervis[ing] national banks.” The opposition to this statement may be that banks provide custodial services for the securities industry and banks may not purchase or deal in stock, but this industry, and other “hard-to-value” assets, that are denominated in fiat currency are intended to exist within and alongside the banking industry, not to completely bypass or undermine the banking system.

The OCC was established under the National Currency Act of 1863 (later known as the NBA), and is responsible for the creation, organization, and administration of a system of nationally chartered banks to promote a uniform national currency (fiat currency). In the time since its inception, the OCC has been the line-drawing authority on permissible and impermissible banking activities. Therefore, it is paradoxical that the OCC has recently been such a proponent of merging the banking and cryptocurrency industries.

In addition to the ideological differences in the origins of cryptocurrency and the OCC (as well as banking writ large), the OCC’s analysis that banks may provide safekeeping and custodial services to cryptocurrency because banks may provide those services to other electronic assets does not necessarily hold true for cryptocurrency assets. In Interpretive Letter #1170, the OCC determined that safekeeping and custody of cryptocurrency assets is similar to safekeeping and custody of other electronic assets—particularly assets like securities, which evolved into an electronic form. On that basis, the OCC concluded that banks may provide custody services to electronic assets (i.e., cryptocurrency) as banks have been permitted to do with other electronic assets. This is based on a flawed premise. Interpretive Letter #1170 explicitly states that banks may provide certain electronic safekeeping services “because these services are the electronic expression of traditional safekeeping services provided by banks,” and that these rulings (e.g., Conditional Approval 479) are codified in 12 CFR Part 7 (at 12 CFR §§ 7.5002(a)(4), 7.5005(a) (2019)). The OCC then concludes that because custodial services evolved from traditional safekeeping, custody of electronic assets is likewise permitted. The major flaw in the OCC’s reasoning is that holding a cryptographic access key to cryptocurrency in custody or safekeeping is not an “electronic expression” or “electronic corollary” of traditional activities because there is not any “traditional banking activity” from which cryptocurrency evolves. For example, securities, which constitute much of the custody industry, started as a physical asset and evolved into a wholly electronic industry. Cryptocurrency exists exclusively online.

Instead of directly addressing the above issues, the OCC utilized the “transparency doctrine” to “look-through” to the underlying product or service to conclude that custodial services for cryptocurrency are within banks’ permissible activities. The OCC broadly categorized the underlying service as banks’ ability to provide safekeeping and custodial services for electronic assets, and thus concluded that the new cryptocurrency activities were within already recognized permissible banking activities. This analysis, coupled with the ideological and practical differences inherent in cryptocurrency and other safekeeping/custodial services discussed above, is both deeply flawed and ironic. By encompassing cryptocurrency safekeeping and custody with previously approved electronic safekeeping services, the OCC uses a tactic it has used before – bootstrapping. By presenting the new cryptocurrency activities “in a highly generalized and abstract way,” it “bootstraps” Interpretive Letter #1170 to previously approved activities, specifically Conditional Approvals #479 and #267, and find cryptocurrency custody to be a “functional equivalent” to the “business of banking” because the previously approved activities were a “functional equivalent” to the “business of banking.” Using this analytical technique, the only real condition on this overly broad interpretation of Section 24(Seventh) is that  bank activities are conducted in a “safe and sound” manner.

Overall, what the OCC misses by its oversimplified analysis is that providing custodial services for cryptocurrency and other similar digital assets differs vastly from previously expanded custody services. It glosses over the fact that the evolution from “pure” safekeeping to custody services was an evolution from simply holding onto a customer’s valuables for a fee, to managing, administering, and engaging with those valuables for a fee. Therefore, the OCC has not simply opened the door to a safe space for cryptocurrency enthusiasts to hold their Bitcoin; they have also exposed the banking sector to the myriad of risks that come from engaging with the cryptocurrency sector.

It is too early to assess the impact of Interpretive Letter #1170 on banks’ willingness to provide cryptocurrency custody services. However, legacy banks are not the only entities that may be interested in providing such services. On January 13, 2021, the OCC granted conditional approval for a national trust bank charter to Anchorage Digital Bank (f/k/a Anchorage Trust Company), a crypto-firm which previously provided digital asset custody under South Dakota law. A national trust bank charter differs from a national bank charter in that it is limited to fiduciary operations, it may or may not be insured by the Federal Deposit Insurance (FDIC), and it may not take deposits. As Interpretive Letter #1170 specifies in footnote 31, national banks do not need fiduciary or trust powers to conduct cryptocurrency custody activities. The conditional approval came on the last day of  Brooks’ tenure as Comptroller and is yet further proof of his desire to bring cryptocurrency under  the OCC’s regulatory umbrella.

The Risks

A national bank seeking to custody cryptocurrency must provide the services in a safe and sound manner, including:

[P]erform adequate pre-acceptance reviews before accepting a fiduciary account; implement due diligence processes; review accounts for compliance with anti-money laundering rules; have adequate systems in place to identify, measure, monitor, and control risks; implement policies, procedures, internal controls, and management information systems specific to custody services; maintain effective internal controls; safeguard assets under custody; ensure that assets held in custody are kept separate from the assets of the custodian and maintained under joint control to ensure that an asset is not lost, destroyed, or misappropriated by internal or external parties; maintain effective information security infrastructure and controls to mitigate hacking, theft, and fraud; determine if specialized audit procedures are needed for cryptoasset custody; produce reliable financial reports; comply with all applicable laws and regulations.

In general, custodial services for securities expose banks to four different types of risk: operational risk, credit risk, market risk, and liquidity risk. Though the custody agreement itself accounts for risk control, the risks present are still unlike any other that the banking sector has interacted with (the Basel Committee on Banking Supervision highlights such risks in “A Prudential Treatment for Crypto-Assets”). In terms of operational risk, there are many risks that banks will need to account for, including: implementation risks resulting from the necessary internal changes, uncertain legal risks arising from the current patchwork regulatory landscape, risks of technological vulnerabilities, network governance (i.e., forks in any given blockchain), and the increased risk of cyber-attack. Liquidity risks arise when banks cannot convert crypto-assets into fiat currency with little or no loss of value. Market risk arises because of the volatility in the pricing and valuation of crypto-assets, which is in sharp contrast to the minimal market risk a custodian normally faces. Further, if a bank in a custodial capacity acts as an investment advisor to cryptocurrencies that are labeled as securities, it may be exposed to significant credit and counter-party credit risk because it may be difficult to assess the risk of the trade being legitimate, and the banks could be on the hook via indemnity provisions in the custodial arrangement. These risks will all be new to chartered banks, and it will take overcoming significant technological and managerial hurdles for banks to provide custody in a “safe and sound manner.”


In its attempt to push the banking business into the crypto-future, the OCC may have put the cart before the horse. In fact, banking regulators themselves continue to struggle with how to categorize and regulate cryptocurrency. For example, Bitcoin and Ether have been labeled commodities by the CFTC, yet the SEC has given little to no guidance on which cryptocurrencies are securities.[xiii] The IRS taxes cryptocurrencies as property, and the Financial Crimes Enforcement Network within the Treasury Department decided to treat cryptocurrency the same as fiat currency for anti-money laundering and sanctions enforcement purposes. And this is just within the United States. Cryptocurrency regulation differs wildly across jurisdictions.

It will be difficult for banks to custody cryptocurrency when the broader regulatory treatment of crypto-assets is so uncertain and in flux. For example, when a Consumer Financial Protection Bureau (CFPB) task force recently recommended the CFPB issue  licenses to non-depository institutions that provide lending, money transmission, and payments services, the then Acting-Comptroller Brooks responded with a not-so-subtle statement that the OCC has the sole authority to designate national charters to such institutions.

Furthermore, a bank may be exposed to potential enforcement actions if it decides to take advantage of this guidance and provides custody for a cryptocurrency that is eventually ruled to be a security by the SEC, as evidenced by the SEC’s recent case against XRP creator Ripple Labs.[xiv] Would a bank have to ensure its custody functions are aligned with SEC regulations? Would they be subject to enforcement actions for failure to comply? It seems too early to answer these questions, and therefore too early for banks to confidently make the call on whether to provide custodial services for cryptocurrency.


Lindsay Cooper is a J.D. candidate at Duke Law




[i] A “cold” wallet is entirely offline, and can store private keys on a hard drive, computer, phone app that is not connected to the internet. A “hot” wallet is available online through various platforms that store and manage private and public keys, but it may be vulnerable to hacking.

[ii] Office of the Comptroller of the Currency, Interpretive Letter #1170 on Authority of a National Bank to Provide Cryptocurrency Custody Services for Customers (Jul. 22, 2020).

[iii] National Bank Act, 12 U.S.C. § 38.

[iv] 12 U.S.C. § 24(Seventh); Id. Courts acknowledged the elusive and evolving nature of the business of banking as early as 1857 in Curtis v. Leavitt, 15 N.Y. 9 (1857), where the New York Court of Appeals ruled that the New York Act’s powers clause, the banking clause incorporated into the National Bank Act, were not restrictive to the business of banking at the time. Curtis v. Leavitt, 15 N.Y. 9, 157 (1857) (noting in a concurring opinion that “the implied powers . . . are not enumerated and defined, because no human sagacity can foresee what implied powers may . . . be required”).

[v] NationsBank of N.C., N.A. v. Variable Annuity Life Ins. Co., 513 U.S. 251, 258, 258 n.2 (1995).

[vi] Chevron, U.S.A., Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837, 842–3 (1987).

[vii] Julie L. Williams & James F. E. Gillespie Jr., The Business of Banking: Looking at the Future—Part II, 52 Bus. Law 1279, 1284 (1996); VALIC, 513 U.S. at 252.

[viii] See generally Saule T. Omarova, The Quiet Metamorphosis: How Derivatives Changed the Business of Banking, 63 U. Miami L. Rev. 1041 (2009) (chronicling the OCC’s series of decisions allowing banks to engage increasing complex derivatives activities leading up to the Global Financial Crisis, which utilized the “bootstrapping” mechanism and failed to take into account many of the complex risks for banks).

[ix] Oulton v. German Savings & Loan Soc’y, 84 U.S. 109, 118 (1872).

[x] See e.g., Bank of California v. Portland 69 P.2d 273, 276–77 (Or.), cert. denied, 302 U.S. 765(1937) (holding that the safe deposit box business was within the business of banking and that “it is proper to refer to the history of banking” or “the universal custom of bankers” when determining what is “within the scope of the business of banking”); Colo. Nat’l Bank v. Bedford, 310 U.S. 41, 49–50 (1937) (noting that the safe-deposit business was part of the business of banking).

[xi] In Conditional Approval #267, the OCC explicitly stated that “digital signature certification authority and key escrow services do not require trust powers under Section 92a because those activities are not fiduciary activities under Part 9” of 12 C.F.R. § 9. Conditional Approval #267 at 18. Specifically, the OCC found that because escrow services are the functional equivalent of an activity that does not need trust powers because “escrow, safekeeping and custody” “do not involve the exercise of discretion or similar fiduciary responsibilities.” Id. at 19; Comptrollers Handbook for Fiduciary Activities ¶ 9.2600.

[xii] See e.g., Off. of the Comptroller of the Currency, Interpretive Letter #1078 (Apr. 19, 2007) (noting that national banks authority to provide custodial services derives from both the incidental powers within 12 U.S.C. § 24 (Seventh) and the general business of banking). The OCC may grant banks fiduciary powers under Section 12 U.S.C. 92a, and thus banks may offer custodial services in a fiduciary or non-fiduciary capacity. If assets are held custody in a fiduciary capacity, as is often the case, there are other requirements the bank must comply with under 12 CFR 9.13.

[xiii]  The SEC Chairman ambiguously stated that “It has been asserted that cryptocurrencies are not securities and that the offer and sale of cryptocurrencies are beyond the SEC’s jurisdiction.  Whether that assertion proves correct with respect to any digital asset that is labeled as a cryptocurrency will depend on the characteristics and use of that particular asset.” And the SEC has provided little clarification since. Chairman Jay Clayton, Statement on Cryptocurrencies and Initial Coin Offerings, SEC (Dec. 11, 2017),

[xiv] XRP is the cryptocurrency from Ripple. Ripple, (last visited Nov. 13, 2020). There is currently significant debate from various actors in the fintech space about whether XRP should be a labeled as a security, and multiple lawsuits against Ripple for failing to register as a security. See e.g., Helen Partz, SEC Should Declare XRP A Security, Says Peter Brandt, Cointelegraph (Nov. 11, 2020),; cf. Paddy Baker, Former CFTC Chair Giancarlo Lays Out Why He Thinks XRP Isn’t A Security, Coindesk (June 18, 2020, 9:22AM),; see also Nikhilesh De, SEC Guidance Gives Ammo To Lawsuit Claiming XRP Is Unregistered Security, Coindesk (Aug. 14, 2019, 7:07AM). Despite this, the SEC has yet to take a stand on whether XRP should be labeled a security or not.

One thought on “The Custody of Cryptocurrencies: OCC Opens the Door for Banks to Take Part in the Fintech World

  • I cannot imagine any major bank acting as custodian for cryptocurrencies. At least not anytime soon.

    I did want to also note some relationship with CFTC Letter No 20-34 from last October. In it the CFTC outlines requirements for an FCM to accept virtual currencies from customers. The advisory is extremely onerous, and I don’t know why any FCM would want to do it. The letter notes a number of risks including misappropriation or hacking (it cites some historical cases) as well as the lack of available insurance coverage for these sorts of losses. The advisory also mentions a lack of federal or state regulation and oversight of custodians of virtual currencies. I wonder if the new OCC guidance will affect that. Still I really doubt any major FCM will accept virtual currencies anytime soon; however, there are products out there that settle in physical, and I guess there will eventually be pressure from clients to accept it…

    Maybe once institutional clients start feeling pressure from their clients to accept bitcoin and insurance becomes more widely available and for higher amounts, there will be enough pressure on major banks to offer custodial services. Probably. Idk. I’m not looking forward to when the desk comes around asking for it…

Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *