Skip to content

Frustration-Free Risk Management

Simplify cybersecurity risk management and tackle your cybersecurity challenges with ease. TRAC automates the tedious risk assessment process and produces customized results that align with regulations, best practices, and your strategic goals.

gold bitcoin coins
Cole PontoJune 02, 20233 min read

Regulators Release Joint Statement on Crypto-Asset Risk to Banking Organizations

The Risks

Cryptocurrency has gotten a lot of attention in the past year, and for a good reason. Volatile prices can have a significant impact on not only individuals holding and trading cryptocurrencies but also any business associated with such assets. On top of this, one of the largest crypto exchanges in the world, FTX, has been all over the headlines with talk about its catastrophic collapse and founder and CEO being indicted for fraud, money laundering, and campaign finance offenses.

It's not surprising, then, that the Federal Reserve, FDIC, and OCC released a “Joint Statement on Crypto-Asset Risks to Banking Organizations” in early 2023. With this joint statement, they included a listing of key risks to not only crypto-assets but also “crypto-asset sector participants,” these key risks, as identified in the joint statement, are listed below:

  • Risk of fraud and scams among crypto-asset sector participants.
  • Legal uncertainties related to custody practices, redemptions, and ownership rights, some of which are currently the subject of legal processes and proceedings.
  • Inaccurate or misleading representations and disclosures by crypto-asset companies, including misrepresentations regarding federal deposit insurance and other practices that may be unfair, deceptive, or abusive, contributing to significant harm to retail and institutional investors, customers, and counterparties.
  • Significant volatility in crypto-asset markets, the effects of which include potential impacts on deposit flows associated with crypto-asset companies.
  • Susceptibility of stablecoins to run risk, creating potential deposit outflows for banking organizations that hold stablecoin reserves.
  • Contagion risk within the crypto-asset sector resulting from interconnections among certain crypto-asset participants, including through opaque lending, investing, funding, service, and operational arrangements. These interconnections may also present concentration risks for banking organizations with exposures to the crypto-asset sector.
  • Risk management and governance practices in the crypto-asset sector exhibiting a lack of maturity and robustness.
  • Heightened risks associated with open, public, and/or decentralized networks, or similar systems, including, but not limited to, the lack of governance mechanisms establishing oversight of the system; the absence of contracts or standards to clearly establish roles, responsibilities, and liabilities; and vulnerabilities related to cyber-attacks, outages, lost or trapped assets, and illicit finance.


The statement notes that while banks are not prohibited or discouraged from providing services for customers in any particular asset class, the risks related to the crypto-asset sector that cannot be controlled or mitigated should be prevented from entering the banking system. Additionally, the statement noted significant safety and soundness concerns with business models concentrated in crypto-assets or exposure to the crypto-asset sector.


What Now?

The joint statement included information on what banks should be doing regarding crypto-asset-related activities, and this information was not shocking. The expectation was that banks ensure that crypto-asset-related activities can be done safely, legally, and in compliance with legal and regulatory requirements. In addition, organizations are expected to utilize appropriate risk management practices, as with any service, relationship, or technology a bank is looking at using in the future. Specific risk management practices include board oversight, policies, procedures, risk assessments, controls, gates and guardrails, and monitoring.

As previously noted, regulators expressed the need for caution and proper risk management practices, but nowhere did they prohibit banks from engaging in crypto-related activity. However, with this expressed concern from regulators, it is well worth ensuring that any organization expanding into this area is well-versed and has adequately performed its due diligence before doing so. It is also safe to assume that if cryptocurrency continues to see the activity it has in previous years, regulators will start to lay out more expectations for those organizations that have exposure to the cryptocurrency market.

Notably, the statement mentioned monitoring crypto-asset-related exposures moving forward and issuing new statements when warranted. With the concern for organizations, their customers, and the financial system as a whole stressed within the release, these assumptions are a safe bet.


Cole Ponto

Cole Ponto is a Senior Information Security Consultant at SBS CyberSecurity. He is also an instructor for the SBS Institute, leading the Certified Banking Business Continuity Professional (CBBCP) course.