Bank's Bitcoin Activity Review

FDIC
DIVISION OF RISK MANAGEMENT SUPERVISION
Dallas Regional Office
600 North Pearl Street, Suite 700, Dallas, Texas 75201
(214) 754-0098 FAX (972) 761-2082

September 15, 2023

Board of Directors
XXXXX
XXXXX

Subject: September 19, 2022 Joint Visitation

Dear Members of the Board:

On December 30, 2021, President XXXXX advised the FDIC and the XXXXX XXXXX of the Bank's intent to offer bank customers the ability to buy, hold, and sell bitcoin through the Bank's online banking website and mobile application in conjunction with XXXXX and XXXXX. After issuance of Financial Institution Letter, FIL-16-2022, Notification of Engaging in Crypto-Related Activities, President XXXXX verbally notified FDIC Case Manager XXXXX on April 14, 2022 that the bank had launched the bitcoin facilitation activity on February 15, 2022. On May 13, 2022, the FDIC notified the bank’s Board via letter that the agency was reviewing these activities and would be providing supervisory feedback, and requested that the bank refrain from expanding the service to additional customers until the review’s completion.

On September 19, 2022, an FDIC joint Division of Consumer Protection (DCP) and Risk Management Supervision (RMS) examination team and XXXXX began a targeted visitation of the bank’s relationship with XXXXX. While finalizing visitation findings, on July 25, 2023, Bank management notified the FDIC that XXXXX terminated its agreement with the Bank effective immediately via a letter dated XXXXX. The FDIC and XXXXX are providing the following high-level comments which summarize key findings from the information reviewed during the visitation, and prior to the termination of the arrangement, that can help inform the board and management on the bank’s third-party risk management practices.

SCOPE OF THE REVIEW

The DCP review was led by Examiner-in-Charge (EIC) XXXXX and assessed the bank’s Compliance Management System (CMS) controls in place surrounding the XXXXX service and assessed the activity for potential consumer confusion and compliance with applicable consumer protection laws and regulations, including laws related to unfair and deceptive acts or practices, XXXXX. misrepresentations regarding deposit insurance, and false advertising.

The RMS review was led by RMS EIC XXXXX and assessed the bank’s risk management framework, which included a review of Board and management oversight, due diligence and third-party risk management processes, policies, procedures, and controls in place surrounding this activity. Information Technology (IT) Examination Analyst XXXXX assisted. Examiner XXXXX participated in the review for XXXXX

BACKGROUND

Crypto-related activities may pose safety and soundness and consumer protection risks to the institution and its customers. The types and levels of risks are dependent on the type of activity, implementation of the activity, and controls designed to mitigate risks. Examples of risks that may be present include, but are not limited to, compliance, legal, operational, third party, and strategic. Facilitating customer crypto-asset trading alongside traditional banking products and services may also present heightened risk to the Bank's customers, such as:

  • Confusion about the role of the financial institution in crypto transactions;
  • Lack of understanding about the nature and risks associated with crypto-asset products;
  • Inability to differentiate between nondeposit products and traditional banking products, such as deposit accounts; and
  • Misunderstanding the applicability of Federal deposit insurance coverage.

SUPERVISORY FEEDBACK

The following supervisory feedback provides a high-level summary of the visitation findings:

  • The risk assessment is not commensurate with the potential risk exposure posed. Management approved a Bitcoin Program risk assessment prepared by XXXXX with minimal edits, which lacked independence, lacked a discussion of controls in key areas, or outlined controls / mitigants that did not exist or were inaccurate. Moreover, the specific terms and conditions detailed in the contract between the bank and XXXXX were not adequately assessed or factored into the risk assessment.
  • With regard to consumer protection risks, the risk assessment did not consider advertising risk or evidence compliance with the requirements and restrictions in FDIC Rules and Regulations Part 328 Advertisement of Membership, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo (FDIC Part 328). For example, under Part 328 the bank should consider non-deposit product advertising requirements and the risk of misrepresenting Bitcoin being insured by the FDIC, or the misuse of the FDIC’s name or logo.
  • Customer facing disclosures did not reflect all terms and conditions of the service and did not always present consistent, clear, and conspicuous information on the nature and risks of the service. Examples include, but are not limited to:


      • The language employed to limit customer confusion between insured and non-insured products is not consistent across the application platform. While some information is presented on the nature and risks related to the service throughout the online banking and mobile application pages, this information is inconsistently presented and the placement, format, and timing of such language are not always clear and conspicuous. Risks associated with these products generally emanate from the fact that bitcoin: 1) is not insured by the FDIC, 2) is not a deposit or other obligation of the institution and is not guaranteed by the institution, and 3) is subject to risks, including possible loss of value. For example, the “XXXXX” page implies information about the potential benefits of Bitcoin but does not disclose the potential risks of purchasing this nondeposit product.
      • The terms and conditions or terminologies used in XXXXX disclosures, the online banking or mobile app screens, and bank-stated system parameters did not always align. For example, the information provided by Bank management states that there is a XXXXX minimum purchase amount and a proposed XXXXX daily transaction limit. However, the terms and conditions that are provided to customers only disclose the XXXXX buy limit per transaction.

  • Due diligence analysis was limited. There was no documented analysis of the due diligence documents that the bank obtained, as well as a lack of analysis of XXXXX’s financial position as part of the initial due diligence procedures as provided for by bank policy for new vendors.

  • Bank policies and procedures do not fully address the activity. For example, settlement and reconciliation procedures, as well as procedures for other bank responsibilities outlined in the contract, were not developed.

These findings reflect that Board and Executive Management could be more effective to ensure appropriate risk and compliance management frameworks are in place prior to entering into complex third-party relationships and offering new products to customers.

RESOURCES

The following Financial Institution Letters (FIL), along with their references and attachments, provide useful guidance to assist the Board and senior management related to considering offering crypto-related activities:

  • FIL-54-2014: Filing and Documentation Procedures for State Banks Engaging, Directly or Indirectly, in Activities or Investments that are Permissible for National Banks
  • FIL-16-2022: Notification of Engaging in Crypto-Related Activities
  • FIL-35-2022: Advisory to FDIC-Insured Institutions Regarding Deposit Insurance and Dealings with Crypto Companies
  • FIL-01-2023: Joint Statement on Crypto-Asset Risks to Banking Organizations
  • FIL-29-2023: Interagency Guidance on Third-Party Relationships: Risk Management


Also, the February 15, 1994 Interagency Statement on Retail Sales of Nondeposit Investment Products may be a useful resource for Bank management when considering how to ensure clear and conspicuous language is provided to customers when offering nondeposit products.

ACTION REQUESTED

In order to assess the implementation of the XXXXX wind down plan, please provide the FDIC Dallas Regional Office with copies of the following records by October 31, 2023: 1) summary of key dates that termination benchmarks were completed, 2) account closure data and reconciliation reports, 3) a copy of the final XXXXX account closure notices provided to customers directly or posted on customer accounts, 4) copies of training material or general talking points provided to bank staff on the wind down process, and 5) information on customer complaints or inquiries received during the wind down process. After the FDIC’s review of the documents, the FDIC and XXXXX will determine if additional information is necessary to close this matter.

Further, the Board should review this Letter at their next meeting and document their review in the minutes.

This Letter is confidential and may not be disclosed or made public in any manner under Part 309 of the FDIC Rules and Regulations (12 CFR Part 309) and XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX. Please notify the FDIC and XXXXX immediately if you receive a subpoena or other legal process calling for the production of this Letter or a description of its content.

If you have any questions, please contact FDIC Case Manager XXXXX XXXXX at XXXXX XXXXX or XXXXX XXXXX or Financial Analyst XXXXX XXXXX at XXXXX XXXXX or XXXXX XXXXX. FDIC correspondence should be addressed to Kristie K. Elmquist, Regional Director, FDIC, Dallas Regional Office, and sent as a PDF document through the FDIC's Secure Email portal (https://securemail.fdic.gov/) using the following e-mail address: XXXXX@FDIC.gov. Information about how to use secure email and FAQs about the service can be found at https://www.fdic.gov/secureemail/. Written correspondence to the XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX should be sent to XXXXX XXXXX XXXXX at the XXXXX XXXXX address above.

Sincerely,

/s/ C. Scott

Cynthia E. Scott
Assistant Regional Director/RMS
Dallas Regional Office
Federal Deposit Insurance Corporation


Sincerely,

MATTHEW ZAMORA

Matthew Z. Zamora
Assistant Regional Director/DCP
Dallas Regional Office
Federal Deposit Insurance Corporation

cc: Federal Reserve Bank of Atlanta