On May 7, 2025, the Office of the Comptroller of the Currency (“OCC”) issued a follow up to its July 2020 Interpretative Letter 1170, which allowed national banks to provide cryptocurrency custody services to their customers.[1] The May 7 letter (Interpretive Letter 1184)[2] further clarified that banks can buy and sell cryptocurrency at the custody customer’s direction and outsource cryptocurrency custody and execution services.[3] But in contrast to the OCC’s clear confirmation that banks can provide cryptocurrency custody services, the guidance for safe and sound practices for those services remains murky.
While the OCC first confirmed that banks may engage in cryptocurrency custody services in July 2020, related Comptroller’s Handbooks were last updated in 2019, before the cryptocurrency changes were implemented.[4] Interpretive Letter 1170 provides the most detailed guidance for these services, including high-level requirements that banks should have an adequate system to identify, measure, monitor, and control the risks of custody services. These include the basics such as dual controls, segregation of duties, accounting controls, a due diligence process, and complying with anti-money laundering rules. As for accounting controls, the letter emphasized that a bank custodian’s accounting records and internal controls should ensure the assets of each custody account are kept separate from the custodian’s assets to ensure that an asset is not lost, destroyed, or misappropriated by internal or external parties. This high-level guidance comes with the caveat that banks should tailor such controls in the context of digital custody. The letter also states that banks should understand the different technical characteristics of cryptocurrencies and be aware that each could be subject to different OCC regulations as well as non-OCC regulations. Interpretive Letter 1170 does not, however, provide further guidance on how the controls should be tailored or which regulations banks must comply with when acting as a cryptocurrency custodian.
The Interagency Joint Statement on Crypto-Asset Risks to Banking Organization issued on January 3, 2023, shed some light on the types of risks associated with cryptocurrency, including fraud, volatility in cryptocurrency markets, decentralized networks, and legal uncertainties related to custody practices.[5] But that statement does not provide further guidance on what safe and sound practices appropriately mitigate these risks. The statement reflected that the agencies were continuing to build knowledge and expertise through a case-by-case approach—in other words, the agencies were still in the process of setting standards. Thus far, no further details on how the OCC would apply the traditional safety and soundness framework to cryptocurrency are available.
Until OCC issues more detailed public guidance, the safest approach to understand the OCC’s view on safe and sound cryptocurrency custody practices is engaging OCC directly. Beginning those conversations early in the bank’s journey to establish its crypto-asset custody services will best position the bank to avoid a potentially costly misunderstanding with its regulator. While OCC rescinded Interpretive Letter 1179, which required banks to prove their controls and seek prior approval for its cryptocurrency business,[6] OCC in general has been open to bank management discussions. Although this approach might risk slowing down the process, it also mitigates the risk of unexpected enforcement actions.
[1] OCC, Interpretive Letter #1170 (Jul. 2020), https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2020/int1170.pdf.
[2] OCC, Interpretive Letter #1184 (May 2025), https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2025/int1184.pdf.
[3] While the OCC allows banks to outsource the service, bank management will remain responsible for meeting the requirements of safety and soundness to the same extent as if those activities were performed by the bank itself. See Fed. Rsrv. Sys., FDIC, OCC, Interagency Guidance on Third-Party Relationships: Risk Management at 29 (June 6, 2023), https://occ.gov/news-issuances/news-releases/2023/nr-ia-2023-53a.pdf.
[4] See e.g., OCC, Comptroller’s Handbook – Bank Supervision Process (Sep. 2019), https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/bank-supervision-process/index-bank-supervision-process.html; OCC, Comptroller’s Handbook –Asset Management Operations and Controls (Jan. 2011), https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/asset-mgmt-ops-controls/index-asset-mgmt-ops-controls.html; OCC, Comptroller’s Handbook – Custody Service (Jan. 2002), https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/custody-services/index-custody-services.html.
[5] OCC, Joint Statement on Crypto-Asset Risks to Banking Organizations at 1 (Jan 23, 2023), https://occ.gov/news-issuances/news-releases/2023/nr-ia-2023-1a.pdf.
[6] OCC, Interpretive Letter #1179 (Nov 18, 2025), https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2021/int1179.pdf. (OCC required that banks willing to engage in cryptocurrency activities must seek prior approval demonstrating that it has safe and sound controls over the activities. Banks were not allowed to engage in cryptocurrency activities until it received a non-objection letter).
