Crypto-Asset Risk Management Findings
FDIC
Federal Deposit Insurance Corporation
10 10th Street NE, Suite 900
Atlanta, Georgia 30309-3849
Atlanta Regional Office
Division of Risk Management Supervision
Division of Depositor and Consumer Protection
(678) 916-2200
July 26, 2023
Board of Directors
XXXXX
Dear Board of Directors:
Enclosed for your consideration is a copy of the report of examination of XXXXX prepared by Corporation Examiner XXXXX. The examination commenced on September 26, 2022, utilizing financial information as of June 30, 2022. The examination report includes the composite and component ratings assigned under the Uniform Financial Institutions Rating System. The examination report also includes the findings of a concurrent off-site review by the FDIC Division of Depositor and Consumer Protection (DCP) to review the proposed crypto-asset related activity. The contents of this letter and the examination report, including these ratings, are subject to the confidentiality restrictions of Part 309 of the FDIC Rules and Regulations. Refer to the front cover of the report of examination for further details.
The purpose of Matters Requiring Board Attention is to focus the Board’s attention on material matters that require timely resolution. Matters Requiring Board Attention are discussed on page 1 of the report of examination and require the Board’s attention and corrective action. The severity of these items necessitates regulatory review prior to your next examination, and ongoing monitoring until these matters are resolved. If not resolved, these issues may adversely impact the institution. Matters Requiring Board Attention include:
CRYPTO-ASSET SERVICE
Management notified the FDIC and the XXXXX that the bank intends to “XXXXX” the bank’s core service provider, and XXXXX. The risk management framework, including policies, for assessing, monitoring, and managing the XXXXX third party relationship needs improvement. Due to limited risk assessment and vendor due diligence undertaken by management, the Board has not ensured management properly assessed and measured the risks associated with the proposed new service. To ensure risks are appropriately identified, evaluated, and mitigated, the Board should take the following actions.
Risk Assessment - The Board should ensure that management implements a comprehensive framework and controls that provide for effective risk assessment over the XXXXX services. The Board should ensure that the framework is commensurate with the nature of existing and evolving safety and soundness and consumer protection risks specific to crypto-assets. The Board should ensure that management performs a comprehensive risk assessment for the XXXXX services. The risk assessment should appropriately identify potential enterprise-wide risks, as well as the risk of consumer harm, to ensure that such risks are sufficiently mitigated.
Vendor Due Diligence - The Board should ensure that management conducts appropriate due diligence prior to entering into any contracts. Moreover, as policy issues continue to change, and given recent volatility in crypto assets, the Board should ensure that management continues to periodically monitor the third party and any impacts on the bank and its customers.
Board Oversight - The Board should ensure appropriate policies, procedures, and controls are in place for management to effectively identify, assess, manage, and control risks. The framework should include Board oversight that ensures management has fully assessed the risk associated with the new services as they relate to the institution’s overall strategic plan and risk appetite; performed appropriate due diligence to assess third parties and the relationship; performed appropriate contract reviews to understand roles and responsibilities, as well as risks and liabilities to the bank; and developed processes to perform appropriate ongoing monitoring. The Board’s review and approval of the risk assessment, vendor due diligence, and contract should be documented in the Board minutes.
Compliance Management System (CMS) - The Board should ensure that sufficient controls are in place to account for and mitigate the applicable consumer compliance risks associated with facilitating customer crypto asset trading alongside traditional banking products and services. The Board should enhance its CMS to ensure the risks of consumer harm relative to the crypto asset service are appropriately identified and mitigated. Failure to implement an enhanced CMS could result in customer confusion about the nature and risks associated with crypto assets, including potential consumer harm.
The Board should implement corrective action to address Matters Requiring Board Attention. Your corrective action or proposed corrective action will be initially assessed through your written response to the examination report as further discussed below. Once the determination is made and communicated that the Matters Requiring Board Attention are resolved, the Board may move forward with offering the new crypto-asset service to the extent consistent with applicable laws and regulations.
OVERALL CONDITION
The bank’s overall condition is XXXXX. Management and Board oversight are XXXXX; however, efforts are necessary to address weaknesses related to the proposed crypto asset services prior to implementation.
XXXXX
XXXXX.
Earnings are XXXXX
XXXXX
XXXXX
Asset quality is XXXXX
XXXXX
Capital is XXXXX Sensitivity to market risk is XXXXX. Liquidity and funds management practices are XXXXX.
The Information Technology function is XXXXX
XXXXX
XXXXX
The bank remains XXXXX
XXXXX
Please review and discuss this letter and the examination report at your next regularly scheduled Board meeting, and record the ensuing discussion in the associated minutes. Sign the Signatures of Directors/Trustees page and retain a copy for your records.
Please provide this office and the XXXXX a written response to the examination findings. Your written response should describe the corrective action that the Board and management will implement to resolve the examination findings, with additional emphasis and support for the Matters Requiring Board Attention. Your written response should be received by this office within 45 days of this letter’s date.
SUBSEQUENT EVENTS
On July 18, 2023, members of the bank’s management team held a call with this office to inform us that the bank received notice that XXXXX is terminating the services agreement with the bank. At the time of this call, management was preparing to present XXXXX’s notification to the Board. The above findings, as well as those presented in the report of examination, are from the point-in-time examination. We realize that this recent development will alter the required corrective action for examination findings. Please provide additional details with the above requested written response, including information from the Board meeting where XXXXX’s notice is discussed. Following review of your written response, we will communicate any needed changes to the supervisory strategy, including potentially XXXXX XXXXX
As a reminder, all official correspondence to the FDIC should be submitted as a PDF file to XXXXX@FDIC.gov using the secure message center at https://securemail.fdic.gov. Should you have any questions, please contact Case Manager XXXXX at XXXXX or XXXXX.
Sincerely,
John F. Vogel
Acting Regional Director
cc: XXXXX XXXXX
Enclosure: Report of Examination Post Examination Survey