Bank's Bitcoin Custody Concerns

July 13, 2022

MEMORANDUM TO: File

FROM: Case Manager XXXXX and XXXXX

SUBJECT: XXXXX Cryptocurrency Response

On July 1, 2022 management provided the following information for review: XXXXX (Policy), XXXXX Risk Assessment, XXXXX form, XXXXX BSA Risk Assessment, CDD Policy, and New Account CDD Questionnaire.

Additionally, on July 7, 2022 Case Manager XXXXX spoke with Trust Specialist XXXXX about the: Policy, XXXXX Risk Assessment, and XXXXX. The following concerns were noted.

1. While the Risk Assessment states that “XXXXX XXXXX,” the policy does not outline cryptocurrency custodian expectations or requirements.
2. Also, the Policy does not specify how/where the “keys” to the cryptocurrency wallet are maintained. And if they are maintained at the Bank, what controls are in place to ensure security. a) Without the keys, the bank cannot liquidate the cryptocurrency. As such, how will the bank comply with their Policy to “XXXXX XXXXX”?

The following additional commentary was provided by management regarding the account: 1. The Trust account was funded with XXXXX shares of Bitcoin (each share valued at XXXXX as of July 7, 2022). 2. The Trust document is drafted with the Bank serving exclusively as Trustee, and the Trust grantor, XXXXX, as the investment manager of the Trust. 3. The Bitcoin is custodied at the XXXXX cryptocurrency exchange. 4. The Grantor of the Trust transferred the Bitcoin from his personal “wallet” (held under private key) to the XXXXX custody account which now holds the cryptocurrency in “vault” formation. As Trustee, and owner of the XXXXX custody account, the Bank does not XXXXX.

---

1 Received July 6, 2022 since the information appears to have been mailed into the RO. 2 A XXXXX cryptocurrency exchange and custody platform based in San Francisco, CA.

---

---

not utilize the traditional “key” methodology associated with wallets. Instead, the Bank has a password to access the account.

1. The Bank has no plans for 3rd party partnerships related to cryptocurrency activity. The Bank does maintain a custody account agreement with XXXXX for the XXXXX.

Below are potential questions/documentation requests to consider: - Should the Policy outline controls over password security and testing access to the cryptocurrency account? - It appears that the bank is acting as custodian of the Bitcoin or is it only custodian of the account holding the Bitcoin? Should a copy of the custody agreement be obtained? - Obtain details about the Bank’s access to the cryptocurrency? Ex: What does the Bank’s password allow the bank to do (sell crypto or just monitor value)? - Is XXXXX going to be the Bank’s custodian of choice for any other Trust accounts that hold digital assets? - Should we request the XXXXX Risk Assessment for the XXXXX? - The XXXXX Risk Assessment notes that for accounts with a risk factor related to XXXXX, an additional questionnaire is necessary. Should the questionnaire be requested?

Lastly, on July 11, 2022 RMS ARD Hayes, DCP ARD Richardson, Regional Counsel Tynan, CM XXXXX, XXXXX, and Trust Specialist XXXXX met to discuss the items provided and items outlined in this memo. The memo was updated accordingly.