On March 24, 2023, the Board of Governors of the U.S. Federal Reserve System (Board) published the text of its order (Order) denying the application of Custodia Bank, Inc. (Custodia), to become a member in the Federal Reserve System. Although the Order is specific to Custodia’s application and the Board’s assessment of Custodia’s ability to manage a variety of risks, it illustrates the serious concerns the Board has with bank involvement in crypto activities and servicing crypto clients and is likely to have ramifications far beyond the business of Custodia itself.
Custodia (formerly known as Avanti) is a Wyoming-chartered special-purpose depository institution (SPDI), a type of financial institution created by Wyoming state law in 2019. Among other things, Wyoming’s SPDI law requires SPDIs to maintain unencumbered assets valued at 100% of its depository liabilities (or more) and prohibits SPDIs from making loans but does not require SPDIs to obtain federal deposit insurance. Custodia’s proposed business model includes four business lines: “core banking,” including the offer of deposit accounts and access to ACH and wire payments and online banking services; custody of crypto assets; the issuance and redemption of “Avits,” a crypto asset the Board considers functionally equivalent to a stablecoin; and crypto asset “prime services,” which include facilitating the purchase and sale of crypto assets for fiat currency and other crypto assets, as well as facilitating the borrowing and lending of crypto assets, on behalf of customers. Custodia indicated that it intended to use Federal Reserve services in connection with both its “core banking” activities and with its crypto activities, such as holding balances in a Federal Reserve Bank account to support Avits.
The Board originally announced the denial of Custodia’s application on January 27, 2023, and publication of the Order follows a review to redact confidential information. Since the original denial, the Board has denied Custodia’s request for reconsideration of the application denial, and the Federal Reserve Bank of Kansas City has denied Custodia’s application for a master account (which application was submitted prior to Custodia’s application to become a member of the Federal Reserve System). Custodia has filed a lawsuit against the Board and Kansas City Reserve Bank in Wyoming District Court, requesting the Court to reverse the Kansas City Fed’s denial to grant Custodia a master account, which remains pending.1 On the same day as the Board’s denial of Custodia’s application, the Board approved a policy statement indicating that it intends to use its authority under Section 9(13) of the Federal Reserve Act (Act)2 to prevent state member banks from engaging as principal in activities other than those activities permissible for national banks unless expressly permitted to do so by federal statute or part 362 of Federal Deposit Insurance Corporation (FDIC) regulations.
State banks wishing to become a member of the Federal Reserve System may submit applications to the Board under Section 9 of the Act. Under the Act, the Board is directed to consider factors relating to the financial condition of the applying bank, the general character of its management, and whether the corporate powers exercised are consistent with the purposes of the Act, along with the needs of the community (Review Factors).3 In the Order, the Board expresses “fundamental concerns” with Custodia’s proposed business plan, particularly its “novel and unprecedented features” (generally referring to Custodia’s crypto asset business but also to Custodia’s status as a non-FDIC-insured depository institution).
Many of the Board’s findings are based on a premembership examination of Custodia conducted by examiners from the Kansas City Fed in October 2022, which focused exclusively on Custodia’s core banking business line because the crypto asset-related businesses were in early development or were not intended as “day one” activities. Nonetheless, the Board found that the proposed crypto activities resulted in extensive shortcomings with respect to the Review Factors, reiterating many of the concerns articulated in recent interagency risk statements regarding crypto activities and banking the crypto industry.4
Core Banking Deficiencies
The exam identified a number of deficiencies relating to Custodia’s core banking business, including “significant” gaps in Custodia’s anti-money-laundering (AML) and sanctions programs, information technology, internal audit, financial projections, and risk management practices (Order, p. 43). Importantly, the Board found that Custodia’s deficiencies related to the core banking services reflected negatively on Custodia’s capacity to offer future crypto-related services in a safe and sound manner, “given the heightened risks associated with those products,” and questioned whether a management team that failed to establish an effective risk management system for core banking activities could be expected to oversee novel, high-risk crypto activities.
Risks Related to Crypto Activities
The Board articulates a number of risks related to Custodia’s proposed crypto activities that resulted in adverse findings with respect to each of the Review Factors that incorporate broader policy concerns.
AML and Office of Foreign Asset Control (OFAC) Compliance. The Order states that crypto assets present heightened risks for money laundering and terrorist financing (ML/TF) and elaborates on commonly identified risks relating to anonymity of crypto transactions in a manner that questions whether it is possible for any banking organization to sufficiently mitigate such risks. Notably, the Board suggests that certain risks related to ML/TF and sanctions compliance may be inconsistent with operating in a safe and sound manner, even if a bank is operating in technical compliance with the Bank Secrecy Act (BSA).
For instance, the Board suggests that the prevalence of stablecoins may facilitate the misuse of crypto assets for ML/TF by reducing the need for market participants to interact with regulated intermediaries in the traditional financial system (Order, p. 31-32). While “on-ramps” and “off-ramps” that exchange crypto assets for fiat currency are typically required to have effective AML programs, the Board states that crypto asset holders may use stablecoins as a preferred medium of exchange rather than fiat currency and therefore that transactions other than the original initial purchase and ultimate redemption of a stablecoin may be obfuscated to financial institutions, thereby making it difficult for financial institutions to identify and report suspicious activity and sanctioned parties. The Board also casts doubt on the efficacy of blockchain analytics companies in this regard (Order, FN 100, 109). Notwithstanding Custodia’s contention that the BSA does not require filing suspicious activity reports for transactions between noncustomers and notwithstanding the fact that neither the Financial Crimes Enforcement Network nor OFAC has addressed these specific issues in connection with well-established programs in the market (Order, p. 39-40), the Board suggests that this risk is inconsistent with operating in a safe and sound manner (Order, p. 40).
In addition, the Board highlights the specific risk of a financial institution’s “unknowingly but directly” engaging in illicit financial activity in the context of paying on-chain transaction fees (Order, p. 33). Without any assessment of the practical nature of the risk, the Board states that transaction fees on Ethereum may be paid to “unknown validators, which may include illicit actors or sanctioned entities.” Because it is impossible for a person initiating a transaction on Ethereum to choose a validator, it is impossible to screen the validator for sanctions and AML risks. This is an aggressive indictment of the entirety of the open public blockchain infrastructure solely on the basis that participant might otherwise unwittingly pay validator fees to an illicit actor. On the same theory, a state member bank might be criticized for failure to vet its food service or maintenance vendors before paying fees for such services.
Holding Crypto Assets as Principal. The Board states that even if it were to approve Custodia’s membership, it would exercise its authority under the Act to prohibit Custodia from holding bitcoin and ether as principal (Order, p. 67). Custodia asserts that its proposed custody services for crypto assets comports with Office of the Comptroller of the Currency (OCC) Interpretative Letter 1170 (stating that a national bank “may provide  cryptocurrency custody services on behalf of customers, including by holding the unique cryptographic keys associated with cryptocurrency”).
Custodia also asserts that it is required by Wyoming law to pay for customers’ transaction fees in connection with its custody services and therefore must also hold “a small amount of bitcoin and ether in a principal capacity” for such purposes, incidental to the offering of custody services (Order, p. 64). The Board does not believe the OCC letter supports the position that national banks are permitted to hold non-stablecoin crypto assets as principal in any amount or for any purpose (notwithstanding incidental powers language in Interpretative Letter 1170). Furthermore, the Board believes that holding crypto assets as principal is inconsistent with operating in a safe and sound manner because of difficulties banks are likely to face “engaging in prudent risk management based on the underlying value of most crypto assets, their anticipated discounted cash flows, or the historic behavior of the relevant markets,” a surprisingly superficial analysis given the limited amount of crypto Custodia sought to hold and the limited customer-driven purpose for which it sought to use that crypto.5
Stablecoin Issuance (Avits). The Board acknowledges that a national bank may be permitted to issue stablecoins (as it characterizes Avits) under OCC Interpretative Letters 1174 and 1179, provided the bank can demonstrate adequate controls to conduct such activity in a safe and sound manner. However, the Board goes on to identify a host of “broader concerns” about proposals to issue stablecoins on public, permissionless blockchain networks that are applicable to Avits (Order, p. 70-74).
At the time of the premembership exam, Custodia had not yet developed a risk management and control program for issuing Avits, and as a result, the Board indicates that it would presumptively prohibit Custodia from issuing Avits until an adequate control framework is in place. Yet it is not clear that any framework could sufficiently mitigate the risks the Board identifies, which are inherent in the activities approved in the applicable OCC precedents.
As noted above, the Board believes the payment of network transaction fees to unknown validators (such as on Ethereum) presents significant illicit finance risks. The Board also expects banks to obtain and verify the identity of all transacting parties, including those using unhosted (or self-custodied) wallets, a position not presently taken by the Financial Crimes Enforcement Network.6
The Board believes that using a public, permissionless blockchain not controlled by a bank (or its contracted vendors) presents significant operational and cybersecurity risks. For example, a bank “would have little ability to hold validators or governance bodies accountable for activity that may adversely affect the bank or its customers.” In addition, the Board expresses concern that malicious actors could access private keys controlling Avits or compromise the smart contracts used to issue Avits.
Because Avits can be freely traded “away” from Custodia, the Board also states that Avits holders may not have adequate consumer protections when trading Avits on unregulated or noncompliant exchanges, or decentralized finance protocols, effectively suggesting that a bank issuing a stablecoin somehow incurs responsibility for the entirety of the stablecoin ecosystem.
Securities Law Considerations. Custodia did not provide the Board with details about the operation of its proposed crypto asset prime services business, through which Custodia would facilitate trading and lending of crypto assets on behalf of customers. However, the Board generally noted it has similar concerns to other proposed offerings regarding operational, compliance, and illicit finance risks. Additionally, the Board explicitly expressed interest in Custodia’s compliance procedures for determining that crypto assets eligible for these services are not securities, citing a recent enforcement action brought by the Securities and Exchange Commission against the issuer of a crypto asset for the offer of an unregistered security and noting potential liability against sellers of unregistered securities (Order, p. 78).
Contagion, Run Risk, and Insolvency. While not necessarily related to crypto activities, the Board expressed serious concerns with admitting an uninsured deposit-taking institution to the Federal Reserve System and the potential financial stability implications. The Board believes Custodia, as a crypto bank, could be subject to heightened run risks. This risk, according to the Board, stems not only from the volatility in the crypto sector (according to the Board, as evidenced by recent market events) but also from the fact that transaction activity on public blockchains is publicly viewable and therefore the public would know if Avits were being redeemed in unusually high quantities. The Board goes on to say that even if Custodia had sufficient liquidity to manage higher-than-usual redemption requests (Custodia proposes maintain at least 108% of customer deposits in a Reserve Bank master account), the Board implies this public visibility could lead to panic and contagion that spreads to other banks and financial institutions, notwithstanding that holding funds in the Reserve Bank master account would provide precisely the type of liquidity needed to forestall such panic and contagion effects (Order, p. 73).
Without federal deposit insurance, Custodia would not be subject to a number of requirements tied to insured depository institution status. Among other things, Custodia would not be placed in FDIC receivership in the event of a bank failure. Rather, the Wyoming banking commissioner would act as receiver and resolution official. The Board implies that the resolution of complex depository institutions is a task better-suited to the FDIC, especially in light of the potential for novel interpretations of commercial and property law applied to crypto assets. The Board concedes that it is legal under the Act for a state member bank to be an uninsured depository institution and acknowledges that other non-FDIC-insured depositories could potentially submit acceptable applications but does not believe Custodia’s business plan justifies creating a “bespoke” regulatory and supervisory framework.
Financial Dependency on Crypto Markets. Echoing recent guidance from the federal banking agencies, the Board “generally disfavors business plans that ‘result in a concentration of assets, liabilities, product offerings, customers, revenues, geography, or business activity without effective mitigants.’ ” Because Custodia’s proposed business is exclusively focused on customers in the crypto industry, the Board does not believe Custodia’s revenue model is adequately diversified. Moreover, the Board points to recent bankruptcies of crypto exchanges as evidence that instability in the crypto asset sector can result in stress at banks focused on serving that sector. In addition, because Custodia’s medium- and long-term financial projections assumed engaging in crypto-related activities that the Board would prohibit (discussed above) even if Custodia’s application were approved, the Board does not believe Custodia adequately demonstrated its financial viability due to limited future earnings prospects resulting from the Board’s own prohibitions.
Public Policy and Macroeconomic Concerns. Perhaps most significant to the broader crypto industry, the Order evidences extreme wariness of attempts to integrate crypto with traditional financial markets. For example, the Board writes that “the volatility of the crypto-asset ecosystem has not led to financial stability issues in other sectors — largely because interconnections between the crypto asset sector and the traditional financial sector have been relatively limited. But Custodia is attempting to make it easier for institutional investors to use the crypto asset ecosystem, which would increase such connections” (Order, p. 59). Recent developments in the banking industry following the denial of Custodia’s application seem likely to reinforce the Board’s view of this issue.
Among other things, the Board raises concerns that the issuance of a stablecoin by a member bank could undermine the ability of the Board to effective manage national monetary policy and maintain financial stability. Because Avits would be backed with deposits in a master account at a Federal Reserve Bank, the Board states that external parties could view Avits as implicitly backed by the Federal Reserve System and Avits could “become a tool for persons around the world to access the stability of the U.S. dollar instantly and anonymously,” which could result in pronounced and volatile demand for Federal Reserve Bank liabilities. Even if demand for Avits could be managed, the Board states that approving the issuance of Avits “could set a precedent of allowing similar products at other banks and result in a new, meaningful, and volatile source of demand for Federal Reserve liabilities” (Order, p. 76). In other words, if a digital asset is going to be perceived as equivalent to a central bank digital currency, it will need to be issued by the central bank.
Although recent guidance issued by the federal banking agencies suggests that providing traditional banking services to crypto companies and engaging in related crypto activities is theoretically permissible so long as risks are sufficiently mitigated, the Order casts doubt on whether it is practically possible to sufficiently mitigate such risks, at least where Federal Reserve membership is concerned. At a minimum, a “crypto bank” narrowly focused on crypto sector customers faces seemingly insurmountable hurdles in light of the banking agencies’ concerns with concentration risk, especially in the wake of recent bank failures. In addition, the Order calls into question the ability of a member bank to hold crypto assets in a principal capacity, even in de minimis amounts or for purposes incidental to permitted activities, and raises the potential for a significant expansion of BSA obligations if the theories espoused in the Order are adopted and enforced by the regulatory and enforcement community. The Board is careful to couch its positions in terms of the ability of Custodia to address a variety of risks, leaving open the possibility that some other institution would have the wherewithal to do so, but the industry is left a distinct sense that such a possibility is slim indeed.
2 12 U.S.C. § 321(13).
3 12 U.S.C. § 322; 12 C.F.R. § 208.3(b).
4 See Joint Statement on Crypto-Asset Risks to Banking Organizations (Jan. 3, 2023); Joint Statement on Liquidity Risks to Banking Organizations Resulting from Crypto-Asset Market Vulnerabilities (Feb. 23, 2023).
5 The Board position stands in contrast to the express acknowledgement by the New York Department of Financial Services of the need for New York licensed entities to make such payments. See Guidance on Custodial Structures for Customer Protection in the Event of Insolvency (Jan. 23, 2023), n.7.
6 Custodia represented to the Board that it would have the ability to screen secondary transactions in Avits against a sanctions “blacklist” and that it would monitor transactions one step in either direction (i.e., the transaction before or after a Custodia customer obtains or disposes the crypto asset) but that it would monitor transactions “across the blockchain” only on a risk-based basis to ensure that Custodia customers are not engaging in money laundering or other suspicious activity either downstream or upstream of the transactions directly involving Custodia.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers.
Attorney Advertising—Sidley Austin LLP, One South Dearborn, Chicago, IL 60603. +1 312 853 7000. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships, as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP