Cryptoasset Service Risk Concerns

Federal Deposit Insurance Corporation Divisions of Risk Management Supervision and
Depositor and Consumer Protection
300 South Riverside Plaza, Suite 1700
Chicago, IL 60606
Telephone: (312) 382-7500
FAX: (312) 382-6901

September 16, 2022

Board of Directors
XXXXX

Subject: April 25, 2022 Report of Examination (Report)

Members of the Board:

We have enclosed the subject Report prepared jointly by the Federal Deposit Insurance
Corporation (FDIC) and the XXXXX. The Report
includes the findings of the concurrent Information Technology, Anti-Money Laundering and
Countering the Financing of Terrorism (AML/CFT), and Trust examinations, as well as the
findings from the concurrent visitation by the FDIC Division of Depositor and Consumer
Protection (DCP) to review the new cryptoasset service. Each director should thoroughly review
the Report and acknowledge this review by signing the Signature of Directors page form
included at the end of the Report. Please keep the signature page with the Report and record the
Board’s review in the minutes.

The Examination Conclusions and Comments page contains the bank's component and
composite ratings. The composite rating is described on the inside front cover of the Report.
The ratings, the contents of the Report, and this letter are subject to the confidentiality
restrictions of part 309 of the FDIC Rules and Regulations, and of XXXXX.

The Report indicates the bank's condition is XXXXX. However, the bank’s risk profile
has increased due to the implementation of a new cryptoasset service that allows customers to
buy, sell, and hold Bitcoin through a third party. The bank’s risk management program did not
appropriately identify, quantify, and mitigate the risks associated with the new service. The
Report includes a Matter Requiring Board Attention (MRBA) related to the cryptoasset service.
The following MRBA contains material issues and recommendations that warrant the Board and
management's immediate action, as these weaknesses could increase the bank's risk profile or
adversely affect its financial condition if not corrected.

  • Cryptoasset Service: The Board should ensure that management conducts a robust
    assessment of the customer cryptoasset service to appropriately identify, quantify, and
    document potential risks, particularly the risk of consumer confusion. Without a robust
    risk management framework, the Board may fail to provide sufficient attention to
    ensuring the adequacy of mitigating controls to address risks related to this service.
    An effective risk management framework needs to include a comprehensive risk
    assessment that appropriately identifies potential enterprise-wide risks, including the
    risk of consumer harm; a thorough vendor due diligence analysis; appropriate Board
    oversight; and a comprehensive compliance management system (CMS) to account for and
    mitigate the consumer compliance risks.

The Board needs to ensure that these matters are fully addressed to effectively mitigate risk to the institution and consumers. The Board also needs to remain vigilant for evolving interpretations of or changes in laws, regulations, and policies relating to cryptoassets, including evolving regulatory interpretations. The FDIC and XXXXX will monitor the Board and management's actions towards addressing the MRBA until they are satisfactorily resolved. Once the determination is made and communicated that the MRBA are resolved, the Board may move forward with offering the new cryptoasset service beyond its current base of customers using the service, to the extent consistent with applicable laws and regulations.

Enclosed is an invitation to participate in the FDIC’s post-examination survey process. Please refer to the invitation for details and instructions.

Please provide a written response to the addressees above within 45 days of the date of this letter as to the actions taken or planned with respect to the MRBA and other examination findings contained in the Report. Alternatively, the response to the FDIC may be sent to XXXXX@FDIC.gov via the FDIC Secure Email Portal. If you have any questions, contact XXXXX FDIC Case Manager XXXXX or XXXXX.

Sincerely,

Michelle Ogren
Acting Deputy Regional Director
Federal Deposit Insurance Corporation

Enclosures

cc: Federal Reserve Bank of Chicago