Bitcoin Service Risk Management Guidance
FDIC
Federal Deposit Insurance Corporation
300 South Riverside Plaza, Suite 1700
Chicago, IL 60606
November 17, 2022
Board of Directors
XXXXX
RE: Review of XXXXX Potential Bitcoin Service
Members of the Board:
This office has reviewed your letter dated August 10, 2022, and the corresponding documents provided in response to the FDIC Crypto Asset Facilitation Request List. Pursuant to Financial Institution Letter (FIL) 16-2022, this letter provides supervisory feedback relative to the consumer protection and risk management considerations of the proposed crypto-related activity. Please note that the results of this review are subject to the confidentiality restrictions of Part 309 of the FDIC Rules and Regulations.
SCOPE OF THE REVIEW
The review focused on the bank’s plans to offer clients the option to buy, hold, and sell Bitcoin through its online banking platform, XXXXX and XXXXX. Currently, the bank has no board-approved plans but continues to consider XXXXX. Therefore, this review was limited in scope and the assessment of the proposed service considered only the information provided to the FDIC as of the date of this letter. The assessment focused on understanding the bank’s risk and compliance management frameworks related to this service and steps taken by the bank to evaluate the crypto asset service. This letter provides supervisory feedback for your consideration as you continue to evaluate this service offering.
SUPERVISORY FEEDBACK
Crypto-related activities may pose safety and soundness and consumer protection risks to the institution and its customers. The types and levels of risks are dependent on the activity, implementation of the activity, and controls designed to mitigate the risks. Examples of risks that may be present include compliance risk, legal risk, operational risk, third party risk, and strategic risk. Facilitating customer crypto asset trading alongside traditional banking products and services may present heightened risk to the bank’s customers, such as:
- Confusion about the role of the financial institution in the crypto transactions;
- Lack of understanding about the nature and risks associated with crypto asset products;
- Inability to differentiate between the nondeposit products and traditional banking products, such as deposit accounts; and
- Misperceptions about federal deposit insurance coverage.
The FDIC’s Advisory to FDIC-Insured Institutions Regarding FDIC Deposit Insurance and Dealings with Crypto Companies issued on July 29, 2022, through FIL 35-2022 may serve as a useful resource for the Board and management regarding risks and concerns arising from crypto assets offered by, through, or in connection with insured depository institutions. For example, Part 328, Subpart B of the FDIC’s Rules and Regulations, titled “False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo,” can apply to non-banks, such as crypto companies. Accordingly, the bank should determine if its third-party risk management policies and procedures effectively manage crypto-related risks, including compliance risks related to Part 328, Subpart B.
The information provided to the FDIC on the proposed crypto asset service through XXXXX highlights that various aspects of the bank’s risk and compliance management framework related to this service are in a development or pre-development phase, including:
- due diligence;
- contract, contracting process, and contract review and analysis;
- legal permissibility analysis;
- project and implementation plan;
- policies and procedures that will govern the activity;
- customer facing materials such as the online banking platform, marketing materials, press releases, internal scripts, educational materials, or other publicly distributed information related to the activity; and,
- internal training.
The Board and management should ensure appropriate risk and compliance management frameworks are in place prior to implementation of this activity to enable safe and sound operations and compliance with appropriate laws and regulations. In addition to the items noted above that remain in development, this includes performing a comprehensive assessment of the proposed service that includes a detailed and documented assessment of the risks and mitigating controls. The vendor risk assessments conducted on XXXXX were limited in scope and were largely limited to information security and data access. These risk assessments do not contemplate the nature and new, heightened, or unique risks of this particular service. For example, the risk assessments did not consider the risks and responsibilities associated with the draft contract provisions, or adequately consider anti-money laundering/countering the financing of terrorism risk implications, potential legal risks related to permissibility, or risk of customer confusion that could result from offering a nondeposit product alongside traditional banking, among other things.
Once fully developed, the Board’s review and approval of the risk assessment and vendor due diligence should be documented in the Board minutes. While the institution continues to develop a risk and compliance management framework to identify, assess, and control for the types of risks presented by this crypto asset service, the Board and management should consider the following:
- Disclose information in simple plain language statements that fully inform customers about the nature and risks of the crypto asset service offered through the institution, which customers must read and affirmatively acknowledge separate from other terms and conditions or disclosures embedded within the online banking platform. The placement, format, and timing of any such information in public facing materials, such as the online banking platform, customer disclosures, trade confirmation, and accounts statements, should be clear and conspicuous. The Interagency Statement on Retail Sales of Nondeposit Investment Products may serve as a useful resource for bank management to enhance the risk assessment process and ensure clear and conspicuous language is provided to customers in a manner that:
- Neither misleads nor confuses, nor is likely to mislead, the institution’s customers about the role of the institution in facilitating its customers’ transactions with crypto asset provided XXXXX or the institution’s endorsement of such products or services.
- Minimize the possibility of customer confusion between the protections afforded to the institution’s FDIC-insured and non-insured products.
- Provide clear and complete information on the possible loss of value associated with the XXXXX service.
- Clearly and conspicuously disclose any transaction limitations and restrictions associated with the crypto asset service.
- Develop and maintain an effective compliance management system that is commensurate with the financial institution’s crypto asset service and allows the institution to effectively identify, measure, monitor, and address consumer protection risks, including those related to unfair or deceptive acts or practices.
- Ensure relevant personnel at the institution have sufficient knowledge and resources to effectively respond to questions, concerns, inquiries, and complaints related to this service. According to the documents provided to the FDIC, customers are expected to contact the bank’s customer service team for support regarding the crypto asset service.
- Identify the ongoing monitoring, performance criteria, and reporting needs that will assist the Board and management with the ongoing governance and risk management over this service.
The FDIC requests that the bank notify this office of any material developments related to the proposed crypto activity. The FDIC intends to perform a more in-depth review as management moves further along in the due diligence process. Additionally, please submit the items previously requested on July 19, 2022, once fully developed, including complete risk and compliance management control documentation applicable to this service, prior to implementing the proposed activity. If the bank is considering engaging in additional crypto-related activities, we request notification that describes the activity in detail and provides the institution’s proposed timeline for engaging in the activity. This includes notification if the bank plans to engage in expansion services offered through XXXXX such as the XXXXX Program or XXXXX.
As a reminder, written correspondence can be sent to this office as a PDF document through the FDIC’s Secure Email portal (securemail.fdic.gov) using the following e-mail address: XXXXX@FDIC.gov. Information about how to use secure email and FAQs about the service can be found at fdic.gov/secureemail. If there are any questions about this correspondence, please contact Case Manager XXXXX at XXXXX.
Sincerely,
Gregory P. Bottone
Regional Director
cc: XXXXX
Federal Reserve Bank of St. Louis