
Feedback on Bank's Crypto Plans

FDIC
Federal Deposit Insurance Corporation
Division of Risk Management Supervision
Division of Depositor and Consumer Protection
300 South Riverside Plaza, Suite 1700, Chicago, IL 60606

Chicago Regional Office
Phone (312) 382-7500
Fax (312) 382-6901

March 3, 2023

Board of Directors
XXXXX

Subject: Review of XXXXX Third Party Crypto-Asset Activity

Dear Members of the Board:

This office has reviewed your letter dated January 25, 2023, and the corresponding documents provided in response to the FDIC Crypto Asset Activity Request List. Pursuant to Financial Institution Letter (FIL) 16-2022, Notification of Engaging in Crypto-Related Activities, issued on April 7, 2022, this letter provides supervisory feedback relative to the consumer protection and risk management considerations of the proposed crypto-related activity. Please note that this letter is confidential and may not be disclosed or made public in any manner under Part 309 of the FDIC Rules and Regulations (12 CFR Part 309).

SCOPE OF THE REVIEW

The scope of the review focused on the bank’s plans to work with XXXXX to develop an application programming interface (API) that would allow customers to buy, sell, and hold crypto assets through the bank’s digital banking platform. The bank stated it has not yet determined whether it will offer this service and has provided only certain information available to date in response to the FDIC documentation request dated December 23, 2022. Therefore, the scope of this supervisory feedback is limited to the proposed API development activities and does not reflect comprehensive feedback on all safety and soundness and consumer protection considerations that may be applicable to the proposed crypto-asset activity. The assessment focused on the bank’s third-party due diligence and information security framework related to API development and the steps taken by the bank to evaluate and mitigate the risks of granting third-party access to banking systems. This letter provides supervisory feedback you should address as you continue to pursue and evaluate this product.

SUPERVISORY FEEDBACK

The information provided to the FDIC on the proposed third-party API development with XXXXX indicates management has completed minimal risk assessment and due diligence activities, which were limited to in-person conversations with XXXXX and a review of XXXXX System and Organization Controls 2 (SOC 2) audits. The Board and management should ensure comprehensive due diligence is performed and appropriate risk frameworks are in place prior to granting core banking system access to a third party. Ensuring that an appropriate framework is in place that provides for a comprehensive assessment of the risks presented by the activity will help management better identify the risk to the institution and its customers, ensure those risks align with the bank's overall strategic plan and risk appetite, and inform the development of risk mitigation strategies.

In particular, the proposed API development activities should be considered within the context of the bank’s information security program. This includes understanding potential information security implications such as XXXXXX access to the banking organization’s systems and to its confidential information. Management should demonstrate how the proposed API development activities are appropriately addressed by the bank’s information security program prior to commencing the activity. As set forth in Appendix B to Part 364 of the FDIC Rules and Regulations, the Interagency Guidelines Establishing Information Security Standards require a bank, in part, to:

  • Ensure the security and confidentiality of customer information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information;
  • Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
  • Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information;
  • Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks; and
  • Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the institution's activities.

In addition to performing a comprehensive risk assessment on the proposed crypto-asset activity, management should complete due diligence on XXXXXX in accordance with the bank’s vendor management policies and procedures. This due diligence should involve a review of all available information about the third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls. In addition, management should consider the extent to which the third party uses controls to limit access to the banking organization’s data and transactions, such as multifactor authentication, end-to-end encryption, and secured source code management.

We request that the bank provide a response to the above within 45 days. We also request that the bank notify this office of any material developments related to the proposed testing of the crypto-asset buy, sell, and hold service. In its September 12, 2022 notification letter to the FDIC, the bank stated it currently does not have plans to roll out any crypto services to customers. If, and when, the bank plans to offer crypto-asset buy, sell, and hold services to its customers, we request that you notify this office prior to implementation. As a result, we may request that the bank provide information necessary to allow us to assess the safety and soundness, consumer protection, and financial stability implications of that activity, as stated in FDIC FIL-16-2022. If the bank considers engaging in additional crypto-related activities, we request notification that describes the additional activity in detail and provides the institution’s proposed timeline for engaging in the activity, consistent with FDIC FIL-16-2022.

If you have any questions, please contact Case Manager XXXXX at XXXXX or Regional Examination Specialist XXXXX at XXXXX. Written correspondence should be addressed to my attention at the Chicago Regional Office, and sent as a PDF document through the FDIC’s Secure Email portal (securemail.fdic.gov) using the following email address: XXXXX@FDIC.gov.

Sincerely,
Gregory P. Bottone
Regional Director

cc: XXXXX


REL0000042372