On the first business day of the year, January 3, 2023, the Board of Governors of the Federal Reserve System (“the Fed”), the Federal Deposit Insurance Corporation (“FDIC”) and the Office of the Comptroller of the Currency (“OCC”), the nation’s primary banking regulators, came together to issue a Joint Statement on Crypto-Asset Risks to Banking Organizations. Striking in its tone and issued “given the significant risks highlighted by the recent failures of several large crypto-asset companies,” the statement is meant to have banks do what they can to ensure “that risks to the crypto-asset sector that cannot be mitigated or controlled do not migrate to the banking systems.” While the statement reassures that “banking organizations are neither prohibited nor discouraged from providing banking services to customers of any specific class or type,” the message is clear: whenever a bank chooses to engage with a client involved in the business of cryptocurrency, the prudential regulators will be watching closely through supervision protocols to assess whether the bank has put into place “appropriate risk management, including board oversight, policies, procedures, risk assessments, controls, gates and guardrails, and monitoring, to effectively identify and manage risks.”
The statement includes a list of specific risks that banks should be aware of, including: risk of fraud; custodial legal uncertainties; inaccurate or misleading representations by crypto-asset companies; significant volatility of crypto-asset markets and the impact that volatility may have on deposit flows at crypto-asset companies; susceptibility of stablecoin projects to create “potential deposit outflows for banking organizations that hold stablecoin reserves”; contagion risk among the broader crypto-asset sector as a result of things such as opaque lending, investing, funding, service and operational arrangements; a lack of maturity in risk management and governance practices among the crypto-asset sector; and heightened risks with “open, public, and/or decentralized networks” where there is a lack of governance mechanisms to oversee the systems (e.g., because of reliance upon digital asset organizations (DAOs), smart contracts or other artificial intelligence technology) and where there may be an absence of contracts or standards to clearly establish roles, responsibilities and liabilities with respect to such networks.
On the last point, in particular, the joint statement shows the regulators are beginning to reach some conclusions about cryptocurrency networks that are simply too risky. In other words, if the governance of a cryptocurrency network is driven only (or even mostly) by technology, and there is no or very limited ability for humans to intervene, then that network may be deemed too risky for any bank to be involved with. In addition, if the cryptocurrency network lacks clear rules about responsibility for compliance with the law (especially anti-money laundering laws) and what liabilities each party to a transaction may have, then that network may also be deemed too risky.