All FDIC-supervised institutions that intend to engage in, or that are currently engaged in, any activities involving or related to crypto assets (also referred to as “digital assets”) should notify the FDIC. FDIC-supervised institutions are requested to provide information described in this letter. The FDIC will review the information and provide relevant supervisory feedback.
A copy of the letter can be found on the FDIC’s website.
Statement of Applicability: The contents of, and material referenced in, this FIL apply to all FDIC-supervised financial institutions.
- While the FDIC supports innovations that are safe and sound, in compliance with laws and regulations, and fair to consumers, the FDIC is concerned that crypto assets and crypto–related activities are rapidly evolving, and risks of this area are not well understood given the limited experience with these new activities.
- Crypto–related activities may pose significant safety and soundness risks as well as financial stability concerns.
- Crypto–related activities present risks to consumers, and insured depository institutions face risks in effectively managing the application of consumer protection laws and regulations to new and changing crypto–related activities.
- Pursuant to Section 39 of the Federal Deposit Insurance Act (FDI Act), the FDIC has established in Part 364 (including Appendices A and B) safety and soundness standards for all FDIC–supervised institutions.
- An FDIC–supervised institution that engages, or intends to engage in, any crypto–related activities should notify the FDIC and provide any information requested by the FDIC that will allow the agency to assess the safety and soundness, consumer protection, and financial stability implications of such activities.
- The FDIC will review the relevant information submitted by the FDIC–supervised institution related to crypto-related activities and provide relevant supervisory feedback to the institution, as appropriate.
Notification and Supervisory Feedback Procedures for FDIC-Supervised Institutions Engaging in Crypto-Related Activities
Background and Scope1
The FDIC is issuing this letter to address the engagement by FDIC-supervised institutions in crypto-related activities.2 Crypto-related activities may pose significant safety and soundness risks, as well as financial stability and consumer protection concerns. Moreover, these risks and concerns are evolving as crypto-related activities are not yet fully understood.
The FDIC notes that there is little consistency in the definitions associated with many crypto assets and crypto-related activities, which makes it difficult to categorically identify these assets and activities. Further, the structure and scope of these activities are rapidly changing and expanding. As a result of the dynamic nature of crypto-related activities, it is difficult for institutions, as well as the FDIC, to adequately assess the safety and soundness, financial stability, and consumer protection implications without considering each crypto-related activity on an individual basis. Therefore, the FDIC is requesting all FDIC-supervised institutions that are considering engaging in crypto-related activities to notify the FDIC of their intent and to provide all necessary information that would allow the FDIC to engage with the institution regarding related risks. Any FDIC-supervised institution that is already engaged in crypto-related activities should promptly notify the FDIC. Institutions notifying the FDIC are also encouraged to notify their state regulator.
Below is a description (not all-inclusive) of some of the crypto-related risks about which the FDIC is concerned. Different risks may apply differently to various activities.
Safety and Soundness
Crypto-related activities present new, heightened, or unique credit, liquidity, market, pricing, and operational risks that could present safety and soundness concerns. For example, there are fundamental ownership issues, including whether it is possible for ownership to be clearly validated and confirmed. Further, there are significant anti-money laundering/countering the financing of terrorism implications and concerns related to crypto assets, including reported instances of crypto assets being used for illicit activities. Relatedly, there are implications to information technology (IT) and information security, including IT risk exposure and whether sufficient frameworks are available, in relation to the level of risk, to maintain the confidentiality, integrity, and availability of information systems.
There are concerns about the credit risk exposure posed by the crypto asset or the structure that the asset is held in, including whether it is possible to measure the degree of asset quality, credit risk, and counterparty risk exposure. This also includes whether it is possible to determine whether the asset is bankable3 and whether it is possible for insured depository institutions to manage those risks and exposures. Significant market risk is also evident, as it is uncertain whether adequate methods for pricing and valuation exist. Moreover, accounting, auditing, and financial reporting treatment of crypto assets and crypto-related activities is evolving. There are also significant liquidity implications for insured depository institutions, such as liquidity risk exposure (particularly when crypto assets with very volatile values are involved).
The FDIC is concerned that certain crypto assets or crypto-related activities may pose systemic risks to the financial system. Systemic risks could be created as an unintended consequence resulting from the structure of a crypto asset or through the interconnected nature of certain crypto-related activities. For example, a disruption in crypto-asset transactions or crypto-related activities could result in a “run” on financial assets backing a crypto asset or crypto-related activity. Like other runs, this could create a self-reinforcing cycle of redemptions and fire sales of financial assets, which, in turn, could disrupt critical funding markets. Further, operational failures related to crypto assets or crypto-related activities could have a destabilizing effect on the insured depository institutions engaging in such activities.
The FDIC is concerned about risks to consumers related to crypto-related activities. For example, the FDIC is concerned about the risk of consumer confusion regarding crypto assets offered by, through, or in connection with insured depository institutions, as consumers may not understand the role of the bank or the speculative nature of certain crypto assets as compared to traditional banking products, such as deposit accounts. In addition, insured depository institutions face risks in effectively managing the application of consumer protection requirements, including laws related to unfair or deceptive acts or practices, to new and changing crypto-related activities.
Notification of Engagement in Crypto-Related Activities
Prior to engaging in, or if currently engaged in, a crypto-related activity, an FDIC-supervised institution promptly should notify the appropriate FDIC Regional Director. The FDIC will request that the institution provide information necessary to allow the agency to assess the safety and soundness, consumer protection, and financial stability implications of such activities. The information requested by the FDIC will vary on a case-specific basis depending on the type of crypto-related activity. However, the initial notification to the FDIC Regional Director should describe the activity in detail and provide the institution’s proposed timeline for engaging in the activity.
Upon receipt, the FDIC will review the notification and information received, request additional information as needed, and consider the safety and soundness, financial stability, and consumer protection considerations of the proposed activity. The FDIC will provide relevant supervisory feedback to the FDIC-supervised institution, as appropriate, in a timely manner.
Pursuant to Section 39 of the FDI Act, the FDIC has established in Part 364 (including Appendices A and B) safety and soundness standards for all FDIC-supervised institutions. 4 As noted, activities involving new and rapidly emerging technologies can amplify risk to the insured depository institutions themselves, consumers, and the Deposit Insurance Fund. FDIC-supervised institutions should be able to demonstrate their ability to conduct crypto-related activities in a safe and sound manner.
1 This FIL does not address the permissibility of any specific crypto-related activity that an FDIC-supervised institution may engage in under Section 24 or Section 28 of the Federal Deposit Insurance Act (FDI Act) or under Part 362 of the FDIC’s Rules and Regulations.
2 By “crypto asset,” the FDIC refers generally to any digital asset implemented using cryptographic techniques. The term of “crypto-related activities” for the purposes of this FIL includes acting as crypto-asset custodians; maintaining stablecoin reserves; issuing crypto and other digital assets; acting as market makers or exchange or redemption agents; participating in blockchain- and distributed ledger-based settlement or payment systems, including performing node functions; as well as related activities such as finder activities and lending. This listing is based on known existing or proposed crypto-related activities engaged in by FDIC-supervised institutions, but given the changing nature of this area, other activities may emerge that fall within the scope of this FIL. The inclusion of an activity within this listing should not be interpreted to mean that the activity is permissible for FDIC-supervised institutions.
3 See Section 3.2, FDIC Risk Management Manual of Examination Policies, at https://www.fdic.gov/regulations/safety/manual/section3-2.pdf
4 In addition to the requirements of Section 39 and Part 364, FDIC-supervised institutions engaged in or considering engaging in any crypto-related activities should consider the implications of other relevant statutes and regulations, including, among others, Sections 5 and 6 of the FDI Act, Section 18(a)(4) of the FDI Act, Part 333 of the FDIC’s Rules and Regulations, and Section 8 of the FDI Act.