Navigating the New Era of Crypto Custody and Regulation

Main Points :

• Joint guidance by FRB, OCC, and FDIC clarifies compliance for bank-based crypto custody services
• Emphasis on robust key management, internal controls, and technical infrastructure
• Strengthened anti–financial crime measures, including BSA, AML/CFT, OFAC, and Travel Rule compliance
• Requirements for rigorous sub-custodian oversight and vendor risk management
• Expanded audit and evaluation protocols with specialized crypto focus
• Broader regulatory landscape: SEC’s crypto ETF disclosure guidance, House “Crypto Week,” and EU MiCA licensing

1. Joint Guidance by U.S. Bank Regulators on Crypto Custody

On July 15, 2025, the Federal Reserve Board (FRB), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) released joint guidance for banks offering cryptocurrency custody services. The guidance does not introduce new supervisory requirements but clarifies how existing bank regulations apply to “safekeeping” of digital assets. Its key objective is to ensure that banks manage crypto assets “in a safe and sound manner consistent with traditional fiduciary and custodial activities,” reducing legal uncertainty for institutions contemplating such services.

Banks must treat customer private keys and related digital asset records as highly confidential, enforcing exclusive control such that no transfer can occur without bank authorization. Additionally, institutions are reminded that the current regulatory framework—covering capital adequacy, liquidity, and operational risk—extends fully to crypto custody operations.

2. Reinforcing Key Management and Technical Infrastructure

A central pillar of the guidance is rigorous private key management:

• Key Generation and Storage: Banks must assess and document wallet types (e.g., hardware security modules, multi-party computation solutions), key-generation tools, and backup mechanisms.
• Access Controls: Only authorized personnel with documented need should handle key material.
• Continuity Planning: Regular drills and recovery plans must confirm that even in a bank’s absence, crypto assets remain immovable without proper multi-party authorization.

Management is expected to allocate adequate capital and personnel to account for the high volatility and rapid innovation of the crypto market. Ongoing reviews of supported tokens’ protocol updates and ledger designs are mandatory, ensuring custody platforms adapt swiftly to technical changes.

3. Strengthened Anti–Financial Crime and Travel Rule Compliance

The guidance reiterates that existing financial crime statutes apply fully:

• Bank Secrecy Act (BSA): Customer identification, recordkeeping, and suspicious activity reporting must encompass crypto custody transactions.
• Anti-Money Laundering (AML) / Combating the Financing of Terrorism (CFT): Risk-based monitoring and transaction screening are essential.
• OFAC Sanctions: Crypto wallets and transactions must be screened against sanctions lists.
• Travel Rule: Banks must transmit originator and beneficiary information on crypto transfers as prescribed.

Early involvement of the BSA compliance officer and senior executives in custody product planning is stressed, with all risk assessments and mitigation strategies documented.

4. Vendor Oversight: Sub-Custodians and Third-Party Risks

When outsourcing custody to sub-custodians, banks retain ultimate responsibility. Contracts must detail:

1. Key-Management Practices: Selection criteria, audit reports, and incident-response obligations.
2. Asset Segregation: Mechanisms to prevent commingling of bank, customer, and sub-custodian assets.
3. Bankruptcy Protections: Legal frameworks ensuring customer assets remain protected in sub-custodian insolvency.
4. Notification Triggers: Immediate reporting of security breaches or system failures.

Similarly, any external wallet software providers are subject to equivalent vendor risk management standards, including periodic on-site reviews or independent assessments.

5. Expanded Audit and Evaluation Framework

Audit functions must be tailored for digital assets:

• Specialized Audit Items: Key-generation processes, wallet security, nodal transaction reconciliations, and smart-contract validations.
• External Experts: Where in-house expertise is lacking, independent crypto-savvy auditors should be engaged to evaluate controls.
• Board Oversight: Regular reporting to the audit committee on custody service performance, risk exposures, and audit findings.

The conclusion of the guidance reiterates that traditional trust and custody regulations—augmented by modern information security standards—are fully applicable to crypto custody, expecting banks to demonstrate they can “self-manage private keys, oversee external providers, and comply in real time with financial crime requirements”.

6. SEC’s Crypto ETF Disclosure Guidance

In parallel, on July 7, 2025, the U.S. Securities and Exchange Commission issued a 12-page disclosure guidance for proposed cryptocurrency ETFs, detailing requirements around custody arrangements, volatility risks, and fund governance. This represents the first formal step toward integrating altcoin ETFs—covering assets like Solana (SOL) and XRP—into regulated markets, potentially reducing launch times from 240 to 75 days.

7. “Crypto Week” in the U.S. House of Representatives

Beginning July 14, 2025, the U.S. House Financial Services Committee designated the week as “Crypto Week,” considering three landmark bills:

• Digital Asset Market Clarity (CLARITY) Act: Defines roles of SEC and CFTC in crypto oversight.
• Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act: Establishes the first federal framework for payment stablecoins, requiring 1:1 reserves and dual federal–state supervision.
• Anti-CBDC Surveillance State Act: Restricts the Federal Reserve from issuing a CBDC.

Bitcoin’s price surged from approximately $117,313 on July 7 to over $123,000 by July 15—coinciding with regulatory momentum.

Figure 1: Bitcoin Price Trend during Crypto Week
(See above chart)

8. EU MiCA Licensing and Global Regulatory Trends

In Europe, MiCA (Markets in Crypto Assets) came into force in December 2024. On June 20, 2025, Coinbase secured its MiCA license from Luxembourg’s CSSF, enabling unified service across all 27 EU member states (450 million potential users) under a single regulatory framework. Other major exchanges—Bybit, OKX, and Crypto.com—had previously obtained MiCA licenses, highlighting a competitive landscape for crypto hubs.

Conclusion

The combined effect of U.S. banking agencies’ joint guidance, the SEC’s ETF disclosure rules, Congressional “Crypto Week” legislation, and Europe’s MiCA framework signals a watershed moment for institutional crypto adoption. Banks now have a clear blueprint for offering custody services, underpinned by stringent key-management, vendor oversight, and anti-financial crime controls. Concurrently, the emergence of regulated crypto ETFs and stablecoin lawmaking promises to deepen market liquidity and mainstream investment channels. As regulatory certainty crystallizes across jurisdictions, financial institutions, asset managers, and service providers are well-positioned to innovate, driving the next wave of blockchain’s practical applications—from digital asset safekeeping to tokenized financial products—all within robust compliance guardrails.