Skip to content

New FDIC rules will help banks manage crypto risks

In April, the US banking regulator FDIC issued Financial Institution Letter 16-2022 on crypto-related activities to the banks that it supervises.

The letter advises banks who are currently involved with crypto assets or have plans around crypto assets in the future to notify the FDIC and provide all requested information regarding crypto activities. The FDIC will review the information and provide supervisory feedback to help banks engaging in crypto activities stay legally compliant and protect their depositors.

Although complying with the letter will increase administrative complexity, the actions that it requires around data collection will help banks to manage crypto risk better – both for themselves and for their customers.

What’s covered by the letter?

For banks, crypto activities could include

  • Acting as crypto-asset custodians
  • Maintaining stablecoin (cryptocurrency backed by a reserve asset) reserves
  • Issuing crypto and other digital assets
  • Participating in blockchain- and distributed ledger-based settlement or payment systems
  • Performing similar crypto-related roles

Crypto assets are undergoing constant change, and so don’t have a track record that can help banks and regulatory agencies reduce the uncertainty associated with their risk profile. As a result, engaging in crypto activity may threaten the safety and soundness of financial institutions and other markets. Further, banks may struggle with ensuring compliance to existing laws, such as consumer protection regulation.

With respect to safety and soundness, the FDIC is concerned about new risks posed by digital assets. For example, the distributed ledger technology may obscure how crypto assets are used, opening banks to the liability of facilitating illicit acts such as laundering money or financing terrorism. It’s also difficult to assess and manage the quality, credit risk, and counterparty risk exposure for digital assets. It’s not clear, for example, that a reliable method for pricing and evaluation exists today.

If crypto activity undermines the stability and soundness of an institution, it may harm the financial system. If there’s a major change in the value of crypto markets, like we’ve seen in the last few weeks, major losses by large institutions could disrupt critical funding markets and destabilise insured depository institutions in general.

The FDIC is also concerned about protecting consumers as their banks explore crypto options. Like many complicated investment vehicles, crypto assets may confuse banking customers who don’t understand the speculative nature of digital assets, the role of the bank in asset sales, or the risks they represent. While the Biden administration has issued an executive order that consumer protection laws apply equally to digital assets as to any other financial transactions, it may not be clear how banks can ensure compliance. For example, what counts as unfair or deceptive acts or practices in the constantly evolving crypto world?

Banks will need to pay close attention to data and trends as they seek to gain a better understanding of evolving risks related to digital assets.

Collecting audit data

In order to satisfy regulators in this new territory, banks need the ability to collect and access data around crypto ventures. The right information helps a bank review and analyse risk with respect to digital assets and gives regulatory agencies like the FDIC the visibility they need to offer meaningful support.

Transforming individual data points into trends and insights requires that banks have a way to consolidate and display risk data so decision-makers can analyse it and make intelligent decisions. And because crypto risk is constantly shifting, banks should conduct data collection continuously and track changes over time.

Reviewing risk assessment and controls

Banks are in a tricky stage with crypto assets, where regulations and legislation haven’t kept up with the technology, but rules written for more established markets still apply to new products and services. The FDIC’s letter is an acknowledgement of this problem and an attempt to help banks navigate new waters.

While there’s little clarity about how regulations apply to crypto, banks should review their current risk assessment and controls and tighten up areas where crypto may introduce excessive uncertainty. For example, banks should examine their anti-money laundering (AML) and anti-fraud programs to mitigate the possibility of facilitating illegal transactions.

When embarking on new crypto services, bank should ensure they operate within the banks overall appetite and effectively manage introduced risk. Risk efforts should acknowledge the nature of cryptocurrency transactions by identifying red flags unique to the market.

Planning for constant change

While banks must deal with crypto-related risks now, they can count on a shifting landscape for some time to come. 2021 saw more than 20 crypto-related bills introduced in the House of Representatives and the Senate, and state governments are busy with their own versions. While the FDIC letter is aimed at helping banks adhere to current regulations, the data they collect will inform future rules.

Change is nothing new to bank risk managers, but risk control systems needs to be especially flexible with technology as unsettled as digital assets. Banks should keep their risk management nimble by implementing simple and clear processes, infusing staff with awareness and understanding of crypto assets, and defining roles and responsibilities for governance of crypto activities.

Most experts believe crypto currencies, digital assets, and distributed-ledger technology are here to stay, in one form or another. This opens new business opportunities for banks, but the market is still experiencing growing pains. Smart financial institutions will review, revise, and leverage risk management to make the most of recent innovations while protecting their businesses and customers.

We live in a world of rules. Compliance with those rules is critical, not only to protect your organisation from regulatory actions, fines and reputation damage but also because it’s the right thing to do to protect our stakeholders from risk we bring to them. Download our free Complete Guide to Compliance and Compliance Risk Management eBook today to understand and manage the compliance obligations across your business.

About the author

Terence Lee is the Vice President of Sales for North America. Terence ("Terry") joined Protecht in 2022 to facilitate the growth of the NA market, bringing extensive experience in governance, risk, compliance, and incident management. Terry has led sales, product, and marketing teams at risk and compliance software vendors in the past, and is a recognized expert in ERM, vendor risk, business continuity, regulatory change management, and resilience.