FDIC Letter on Bank's Crypto Activities Plan

Board of Directors

XXXXX

December 23, 2022

Subject: Third-Party Crypto-Asset Activity

Dear Members of the Board:

In response to Financial Institution Letter (FIL), FIL-16-2022, Notification of Engaging in Crypto-Related Activities, on September 12, 2022, Executive Vice President (EVP) XXXXX submitted a notification of the Bank’s intent to work with XXXXX to develop an application programming interface (API) that would allow customers to buy, sell, and hold crypto assets through the Bank’s digital banking platform. Case Manager XXXXX also held a discussion with CEO XXXXX and EVP XXXXX on November 22, 2022, regarding the proposed crypto-related activities. As discussed during the call, the Bank has created test accounts to assist XXXXX in API development, but management does not intend to offer this type of service to customers.

As stated in FIL-16-2022, the FDIC may request that institutions provide information necessary to allow the FDIC to assess the safety and soundness, consumer protection, and financial stability implications of crypto-related activities. Accordingly, the FDIC requests the Bank provide the information in the attached list by January 23, 2023. If the requested information has not yet been developed, include the status and timeline for developing each item in the response, as applicable. Once the FDIC has completed its review of the requested information, we will determine whether additional information is necessary to complete the review of the activity. When we have completed our review, the FDIC will provide the institution with relevant supervisory feedback, as appropriate.

This letter is confidential and may not be disclosed or made public in any manner under part 309 of the FDIC Rules and Regulations (12 CFR part 309). If you have any questions, please contact Case Manager XXXXX at XXXXX, or Regional Examination Specialist XXXXX at XXXXX. Written correspondence should be addressed to my attention at the Chicago Regional Office, and sent as a PDF document through the FDIC’s Secure Email portal (securemail.fdic.gov) using the following email address: XXXXX@FDIC.gov.

Sincerely,

Gregory P. Bottone
Regional Director

Enclosure – Crypto-Asset Activity Request List

cc: XXXXX


Crypto-Asset Activity Request List

  1. Risk assessment of the planned activities.
  2. Documentation of Board and committee discussions and/or approvals.
  3. Information on which entities will perform trade execution and custody.
  4. Due diligence performed on all third parties involved.
  5. Written agreements or contracts with XXXXX, any crypto asset exchange, and crypto asset custodian, as well as any documentation noting the Bank’s contract review.
  6. If not detailed in contracts, details regarding costs and fees associated with the project.
  7. Any policies governing these activities and development activities, including any new or draft policies or procedures.
  8. Detailed description of the bank’s involvement and role in development and testing.
  9. Detailed description of the nature of the test accounts, their location within the Bank’s IT environment, supporting controls, which users will perform testing, whether customers will be included in testing, and any transactions executed through these accounts.
  10. Description of any third party’s role in development and testing.
  11. Detailed description of connectivity to bank systems, including data flows to/from bank systems and any third parties. Detail the information or functionality being leveraged by the API, including read and write functions.
  12. Description of how funds would flow between various third parties.
  13. Project plan and relevant project management documentation. Include detailed description and information on what is being developed, development progress, and expected completion date.
  14. Bank policies and procedures to assess development measures (such as secure design, static and/or dynamic code scanning, quality assurance, and testing) and API configurations.
  15. Description of how APIs are included in the bank’s security framework.
  16. Any documentation to support how the Board or committee monitors the project’s budget and schedule.
  17. A description of how the product/service would be made available to customers (e.g. through the bank’s mobile application/online banking platform or through a customer interface with XXXXX) and whether and how customers or customer funds are or will be involved in test accounts and testing.
  18. Drafts of any disclosures that will be provided to customers relating to the activity and plans on where/when disclosures will be presented to customers.