1.22 - Office of the Comptroller of the Currency (OCC)

Overview

The Office of the Comptroller of the Currency (the “OCC”) has so far released only interpretive letters and statements regarding digital assets. Although these publications are useful in determining how the OCC will enforce the rules it has promulgated and its statutory mandate, the letters and statements lack the force of law that a regulation that has gone through the public notice-and-comment period and is published in the Code of Federal Regulations does.

Interpretive Letters

The OCC has released four Interpretative Letters regarding crypto assets that apply to banks and savings associations. The first three address providing cryptocurrency custody services, holding stablecoin reserves, and using node verification networks and stablecoins for payment activities. See OCC, Interpretive Letter #1170, Authority of a National Bank to Provide Cryptocurrency Custody Services for Customers (2020.07.22); OCC, Interpretive Letter #1172, OCC Chief Counsel’s Interpretation on National Bank and Federal Savings Association Authority to Hold Stablecoin Reserves (2020.09.21); OCC, Interpretive Letter #1174, OCC Chief Counsel’s Interpretation on National Bank and Federal Savings Association Authority to Use Independent Node Verification Networks and Stablecoins for Payment (2021.01.04)

Each concludes that banks are permitted to engage in these activities so long as they meet safety and soundness requirements. The fourth clarifies the context in which banks are permitted to engage in these activities — namely, with advance notice to a given bank’s OCC supervisors and after receipt of a “no action” letter and review of the bank’s ability to safely and soundly engage in the proposed activity. OCC, Interpretive Letter #1179, Chief Counsel’s Interpretation Clarifying: (1) Authority of a Bank to Engage in Certain Cryptocurrency Activities; and (2) Authority of the OCC to Charter a National Trust Bank (2021.11.18).

Another interpretive letter that has generated significant controversy addresses what is necessary to charter a national trust bank. See OCC, Interpretive Letter #1176, OCC Chief Counsel’s Interpretation on National Trust Banks (2021.01.11).

A number of fintech companies, particularly those providing custody of digital assets, have sought to establish themselves as national trust banks. Although not mentioning cryptocurrency or digital assets specifically, this letter concluded that the OCC could charter a national trust bank even in the absence of the bank providing fiduciary responsibilities, opening the door for some of these fintech companies to seek and obtain a national charter. The OCC later clarified that this letter “did not expand or otherwise change existing banks’ obligations under the OCC’s fiduciary activities regulation.” OCC, Interpretive Letter #1179, Chief Counsel’s Interpretation Clarifying: (1) Authority of a Bank to Engage in Certain Cryptocurrency Activities; and (2) Authority of the OCC to Charter a National Trust Bank at 2 (2021.11.18).

Letter #1170: Custody Services

In this letter, the OCC opines that banks are permitted to engage in custody services related to digital assets, at least in the following three ways: (1) providing secure storage for private keys to either hot or cold wallets; (2) taking direct control of cryptocurrencies and providing the customer indirect access; or (3) serving in a fiduciary capacity (e.g., trustee, will executor, estate administrator, receiver). See OCC, Interpretive Letter #1170, Authority of a National Bank to Provide Cryptocurrency Custody Services for Customers at 7–9 & n.37 (2020.07.22). (Note that any activities approved by earlier interpretive letters must now also follow the guidelines set forth in Interpretive Letter #1179.) The OCC also noted that the services a bank may offer in connection with taking custody of cryptocurrency “may include services such as facilitating the customer’s cryptocurrency and fiat currency exchange transactions, transaction settlement, trade execution, recording keeping, valuation, tax services, reporting, or other appropriate services.” Id. at 8 n.39.

The OCC reasoned that each of these activities was a natural extension of “longstanding authorities [permitting banks] to engage in safekeeping and custody activities,” and was consistent with its prior regulations permitting banks to “escrow encryption keys used in connection with digital certificates” and to “provide secure web-based document storage, retrieval and collaboration of documents and files containing personal information or valuable confidential trade or business information,” interpretations it had codified at 12 CFR §§ 7.5002(a)(4) and 7.5005(a). Id. at 6–7 & n.28.

For fiduciary activities, banks must be careful to comply with the custody requirements of 12 CFR 9.13 and 12 CFR 150.230250, which govern the segregation of assets and layers of control to those assets. And for all activities, the OCC, conditioned engaging in them on complying with all applicable laws and doing so “consistent with sound risk management practices and align them with the bank’s overall business plans and strategies as set forth in OCC guidance.” Id. at 9. To comply with this requirement, please see below the OCC’s interpretation in Letter #1179.

Letter #1172: Stablecoin Reserves

This letter addresses the situation in which an issuer of a stablecoin wishes to place a significant amount of cash reserves on deposit with a national bank “to provide assurance that the issuer has sufficient assets backing the stablecoin in situations where there is a hosted wallet.” See OCC, Interpretive Letter #1172, OCC Chief Counsel’s Interpretation on National Bank and Federal Savings Association Authority to Hold Stablecoin Reserves at 1 (2020.09.21). The OCC approved national banks and FSAs taking on these deposits if the following conditions, largely designed to address compliance and liquidity risk, are met:

  • the stablecoins are in hosted wallets;

  • the stablecoin is backed on a 1:1 basis by a single fiat currency, and is redeemable on demand for the underlying fiat currency;

  • the bank verifies daily that reserve account balances are always equal to or greater than the number of the issuer’s outstanding stablecoins;

  • the bank has conducted due diligence to understand the risks, including a compliance review of the Bank Secrecy Act and customer identification requirements under the USA PATRIOT Act as applied to cryptocurrency;

  • the bank identifies and verifies beneficial owners of legal entity customers opening such accounts;

  • and the bank ensures it complies with federal securities laws; and

  • the bank has a risk analysis and plan to handle the liquidity risk of the deposits.

Id. at 2–3. The letter does not clarify if this is all of the issuer’s balances across all institutions, or if a stablecoin issuer is required to have reserves entirely on deposit with a single financial institution. The OCC cautions that insurance coverage will be an issue to take into account in how the deposits are structured, and that if done properly, pass through insurance may be available to underlying depositors. Id. at 4.

From an examination standpoint, the OCC cautions that banks should be careful to “identify, monitor, and control the risks” associated with accepting stablecoin reserve deposits, particularly paying attention to the “significant liquidity risks” that such deposits could create by, for example, having “a cushion of unencumbered highly liquid assets without legal, regulatory, or operational impediments that can be sold or pledged to obtain funds in a range of stress scenarios.” Id. at 5 & n.24.

Finally, the OCC contemplates that banks and FSAs accepting such deposits should enter into contracts with the stablecoin issuer that allow the bank “to verify and ensure that the deposit balances held by the bank for the issuer are always equal to or greater than the number of outstanding stablecoins issued by the issuer” and include “mechanisms to allow the bank to verify the number of outstanding stablecoins on a regular basis,” among other delineations of rights and responsibilities Id. at 5 & n.25.

In sum, the OCC will permit a bank to take on a stablecoin issuer as a customer, but significant due diligence work must be done upfront, the bank must obtain a no-action letter in advance (see Letter #1179 below), and the bank must demonstrate it has a plan to mitigate the risk of taking on the deposits of the issuer. On March 31, 2022, BNY Mellon announced that it would take reserve deposits for Circle Internet Financial’s USDC stablecoin, signaling it had satisfied the OCC’s requirements and received the required no-action letter, the first bank to do so. See Danny Nelson, Coin Desk, BNY Mellon to Custody Assets Backing Circle’s USDC Stablecoin (2022.03.31).

Letter #1174: Node Verification Networks & Stablecoins for Payments

This Letter focuses on one way that banks can remain financial intermediaries in blockchain and cryptocurrency — a role they have held for centuries, if not millennia — by participating in independent node verification networks (INVNs). See OCC, Interpretive Letter #1174, OCC Chief Counsel’s Interpretation on National Bank and Federal Savings Association Authority to Use Independent Node Verification Networks and Stablecoins for Payment at 2 & n.9 (2021.01.04).

The OCC concludes that INVNs are essentially a new way for banks to participate in the international payments infrastructure, and thus “a bank may validate, store, and record payments transactions by serving as a node on an INVN,” may convert stablecoins to fiat currency (and vice versa), and may “use INVNs and related stablecoins to carry out other permissible payment activities.” Id. at 4, 7–8.

It even goes so far as to opine that banks could even issue their own stablecoin and exchange that stablecoin for fiat currency, because it is essentially just a different mechanism for electronically stored value, which is permitted by 12 CFR § 7.5002(a)(3). Id. at 6.

This openness, however, is tempered by a caution that banks must undertake to understand the risks that accompany this new activity, including compliance, anti-money laundering, and fraud risk, and consumer protection laws and regulations. Id. at 8–9. Additionally, the bank must ensure it has the technological expertise to operate a node securely and “in a safe and sound manner.” Thus any “[n]ew activities should be developed and implemented consistently with sound risk management practices.” Id. at 9.

Letter #1176: National Trust Banks

This interpretive letter clarified the OCC’s chartering authority for national trust banks and the set forth its position on the scope of (and required) activities for a national trust bank to achieve a charter. See OCC, Interpretive Letter #1176, OCC Chief Counsel’s Interpretation on National Trust Banks (2021.01.11). The letter states that national trust banks can engage in the activities of a state trust bank that are not considered fiduciary in nature, concluding that “[i]f the state trust bank powers are permissible for national banks under 12 U.S.C. § 24(Seventh) . . . and are not fiduciary for purposes of 12 U.S.C. § 92a and 12 C.F.R. Part 9, any national bank can engage in those trust bank activities without fiduciary powers and without being subject to 12 C.F.R. Part 9.” Id. at 7 (emphasis added).

The letter had an interesting timing, coming only several weeks after BitPay National Trust Bank and Paxos National Trust, two digital asset focused entities, submitted applications to the OCC for a national trust bank charter, and just days before the end of the President Trump’s administration. (The OCC granted Paxos conditional approval for a charter in April 2021.)

It was also subject to significant criticism from traditional financial institutions, who saw the letter as a major departure from the OCC’s past precedent. See American Bankers Association, Joint Trades Letter to OCC re: Trust Charter Application (2021.01.08). The letter was signed by the American Bankers Association, Credit Union National Association, Consumer Bankers Association CBA, Independent Community Bankers of America ICBA, National Association of Federally Insured Credit Unions, and The Clearing House. According to the trade groups, the significance of this position by the OCC was that traditionally, by OCC interpretation, trust banks could only engage in the fiduciary activities set forth in 12 U.S.C. § 92a, and could not perform traditional non-fiduciary activities such as taking deposits or performing non-fiduciary custody services. Id. But by opening the door for trust banks to also perform custody services if permitted under state law, the OCC signaled that new entities could seek charters as national trust banks, perform no fiduciary services, and also engage in traditional banking activities — without being subject to the normal regulations for conducting those activities. Id.

The objection from the trade groups did not, however, stop the OCC from granting Paxos National Trust a conditional charter. See OCC, News Release 2021-49, OCC Conditionally Approves Chartering of Paxos National Trust (2021.04.23).

In Letter #1179 the OCC clarified that the scope of Letter #1176 was limited to its chartering authority, not the ability of existing national banks to expand the scope of their activities, or of any change of the applicable regulations to banks already granted fiduciary powers.

Simultaneously with a joint statement with the FDIC and the Fed (see below), the OCC issued its fourth interpretive letter regarding the authority of banks to engage in crypto-asset activities. See OCC, News Release 2021-121, OCC Clarifies Bank Authority to Engage in Certain Cryptocurrency Activities and Authority of OCC to Charter National Trust Banks (2021.11.23); OCC, Interpretive Letter #1179, Chief Counsel’s Interpretation Clarifying: (1) Authority of a Bank to Engage in Certain Cryptocurrency Activities; and (2) Authority of the OCC to Charter a National Trust Bank (2021.11.18).

This letter clarified that although the OCC had previously stated banks and FSAs could engage in the foregoing cryptocurrency related activities, the banks must “demonstrate, to the satisfaction of its supervisory office, that it has controls in place to conduct the activity in a safe and sound manner” before actually engaging in the activity, and should not engage in the activity “until it receives written notification of the supervisory office’s non-objection.” The letter notes that banks that had already engaged in the activity before issuance of the letter do not need to obtain supervisory non-objection, but should provide notice to its supervisory office. Letter #1179 at 1 and n.3.

In order to obtain a non-objection letter from its supervisory office, the bank must be able to demonstrate “that it has established an appropriate risk management and measurement process for the proposed activities.” Id. at 4. Specifically, banks should address the following cryptocurrency related risks:

  • operational risk (e.g., the risks related to new, evolving technologies, the risk of hacking, fraud, and theft, and third party risk management);

  • liquidity risk;

  • strategic risk; and

  • compliance risk (including but not limited to compliance with the Bank Secrecy Act, anti-money laundering, sanctions requirements, and consumer protection laws).

Id. Making such a demonstration should involve preparing written documentation of the bank’s “understanding of any compliance obligations related to the specific activities the bank intends to conduct,” including the distinctions between different types of cryptocurrency the bank intends to use, how those differences may change compliance requirements, and how the bank intends to manage compliance. Id.

Statements

In November 2021, the OCC indicated that in 2022 it, in conjunction with the Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve (the “Fed”), plans to “provide greater clarity on whether certain activities related to crypto-assets conducted by banking organizations are legally permissible, and expectations for safety and soundness, consumer protection, and compliance with existing laws and regulations.” The Fed, FDIC, & OCC, Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps (2021.11.23).

That clarified guidance will include statements on the following categories:

  • Crypto-asset safekeeping and traditional custody services.

  • Ancillary custody services.

  • Facilitation of customer purchases and sales of crypto-assets.

  • Loans collateralized by crypto-assets.

  • Issuance and distribution of stablecoins.

  • Activities involving the holding of crypto-assets on balance sheet.

So far in 2022 neither the Fed, the FDIC, nor the OCC have issued further guidance. The Acting Comptroller, Michael Hsu, however, has made some public remarks on digital asset regulation. Most recently, Hsu provided remarks at the DC Blockchain Summit in the wake of the collapse of the algorithmic stablecoin TerraUSD. Michael J. Hsu, Remarks at the DC Blockchain Summit 2022: "Crypto: A Call to Reset and Recalibrate" (2022.05.24). There he focused on the fragmentation of the industry and the cross-chain bridges that appear "highly prone to being hacked,"; the risk of contagion in market panic, which happened in the case of TerraUSD; and the lack of fully developed custody and ownership rights (noting in particular Coinbase's disclosure that if it filed bankruptcy, users could become unsecured creditors). He again stressed the need for cautious progress, citing back to Interpretive Letter 1179, and the need for banks to focus on "safety and soundness" before engaging in crypo assets. He warned that if crytpo remains a "hype-driven economy" it will create "challenges for those interested in truly productive innovation and in protecting consumers" despite the "real potential for positive and transformative change with digital assets."

Those remarks follow up Hsu's remarks on stablecoins and their parallels to how people generally treat bank deposits: as available on demand without risk. See Michael J. Hsu, Remarks before the BritishAmerican Business Transatlantic Finance Forum Executive Roundtable: “The Future of Crypto-Assets and Regulation” (2022.01.13). Hsu noted there, however, that the firms responsible for stablecoins are not currently subject to comprehensive regulatory oversight. As a result, Hsu noted (what now appears quite presciently) that a sudden loss of trust in a given stablecoin could result in the equivalent of a bank run, without any current equivalent requirements for reserves, access to federal reserve liquidity, or FDIC insurance for “depositors.”

Just two months earlier, Hsu addressed similar issues. See Michael J. Hsu, Acting Comptroller, Remarks before the American Fintech Council Fintech Policy Summit 2021, Leveling Up Banking and Finance (2021.11.03). In those earlier remarks, Hsu noted that crypto firms are operating partially in regulatory territory and partially outside of it, leaving the regulators with an incomplete risk profile of the firm. Id. at 3–4, 8–9. In his view, though, no single agency should have oversight — rather, a cooperative effort among regulatory agencies is necessary. The absence of comprehensive oversight makes it all too easy, Hsu argues, for firms to facilitate money laundering, obfuscate their financial condition, and encourage excessive risk taking. Id. at 9–10.

Coordination with PWG and FDIC

In November 2021, the OCC coordinated with the President’s Working Group on Financial Markets and the Federal Deposit Insurance Corporation (FDIC) to release a report on the uses, risks, and opportunities for stablecoins. See President’s Working Group on Financial Markets, the FDIC, and the OCC, Report on Stablecoins (2021.11). The report outlines the various current use cases for stablecoins, documents their explosive growth over recent years, details the perceived risks (to users, to the payments system, and to the greater financial system), and issues a call to action to Congress to enact a “consistent and comprehensive regulatory framework” for stablecoins.

The key aspects of that regulatory framework, as requested by the report, are:

  • limiting stablecoin issuers (and those offering redemption and maintenance of reserve assets) to entities that are insured depository institutions, and making them subject to supervision at the depository and holding company levels;

  • requiring custodial wallet providers for stablecoins to be subject to federal oversight, including restrictions on lending, compliance obligations for risk management, liquidity, and capital requirements;

  • limits on custodial wallet providers’ affiliation with commercial entities or on use of users’ transaction data; and

  • ensuring the federal supervisor of a stablecoin issuer has examination and enforcement authority to require issuers to meet risk-management standards, and also has the authority to implement standards to promote interoperability among stablecoins.

Id. at 16–17. The report also notes that the OCC “will seek to ensure that applicants [for a banking charter] address the risks outlined by this report, including risks associated with stablecoin issuance and other related services conducted by the banking organization or third-party service providers.” Id. at 18.

The report also notes that other federal regulatory agencies may have a role to play in oversight of stablecoins, including the Consumer Financial Protection Bureau, the Securities Exchange Commission, the Commodities Futures Trading Commission, Office of Foreign Assets Control, and the Financial Crimes Enforcement Network. Id. at 15, 18, 20. The reference to FinCEN is of particular note, because FinCEN’s regulations require registering with it as a money services business (MSB), establishing an anti-money laundering program, reporting cash transactions of $10,000 or more, and filing suspicious activity reports (SARs). Id. at 20. Doing so may cause downstream compliance issues because, as the report notes, “[c]urrent [Bank Secrecy Act] regulations require the transfer of certain specific information well beyond what can be inferred from the blockchain resulting in non-compliance.” Id.

Index of Sources

Sources are listed in reverse chronological order.

Authors

This article was drafted by @Lawtoshi.

Previous1.21 - Financial Crimes Enforcement Network (FinCEN)Next1.24 - Office of Foreign Assets Control (OFAC)

Last updated