Feedback on Proposed Bitcoin Service

Board of Directors
XXXXX

September 18, 2023

RE: Review of XXXXX Potential Bitcoin Service

Members of the Board:

We have reviewed your response dated December 28, 2022, and the corresponding documents provided in response to the Additional Information Request letter dated September 28, 2022. Additionally, examiners conducted a limited scope visit on February 6, 2023. Pursuant to Financial Institution Letter (FIL) 16-2022, this letter provides supervisory feedback relative to the consumer protection and risk management considerations of the proposed crypto-related activity. Please note that the results of this review are subject to the confidentiality restrictions of Part 309 of the FDIC Rules and Regulations.

SCOPE OF THE REVIEW

The review focused on XXXXX plans to offer its clients the option to buy, hold, and sell bitcoin through its online banking platform XXXXX and XXXXX. Currently, XXXXX is in a pre-development phase for its specific risk management framework but continues to consider implementing the crypto asset service. Therefore, this review was limited in scope and the assessment of the proposed service considered only the information provided to the FDIC as of the date of this letter. The assessment focused on understanding the institution's risk and compliance management frameworks related to this service and steps taken by the institution to evaluate the crypto asset service.

BACKGROUND

Crypto-related activities may pose safety and soundness and consumer protection risks to XXXXX and its customers. The types and levels of risks are dependent on the type of activity, implementation of the activity, and controls designed to mitigate the risks. Examples of risks that may be present include compliance, legal, operational, third party, and strategic. Facilitating customer crypto asset trading alongside traditional banking products and services may also present heightened risk to the XXXXX customers, including:


  • Confusion about the role of the institution in the crypto transactions;
  • Lack of understanding about the nature and risks associated with crypto-asset products;
  • Inability to differentiate between the nondeposit products and traditional banking products, such as deposit accounts; and,
  • Misunderstanding the applicability of federal deposit insurance coverage.

SUPERVISORY FEEDBACK

The information provided to the FDIC on the proposed crypto-asset service through XXXXX highlights that various aspects of the institution’s risk and compliance management framework related to this service are in a development or pre-development phase and have yet to be finalized. As such, the following items are high-level comments based on the review conducted on the information provided to date:

  • Policies/Procedures: The documented risk management framework, including policies and procedures that outline the roles, responsibilities, potential limits for the activity, reporting requirements, and ongoing risk assessment, has not been developed.
  • Due Diligence Documentation: The due diligence documents did not provide sufficient detail or explanation to demonstrate management’s understanding of the associated risks and decision-making process.
  • Risk Assessments: The risk assessments, including a Vendor Risk Assessment, a FinTech specific review, and a contract review performed in March 2022, have not been updated to consider emerging risks from rapidly changing crypto market conditions. Documentation lacked support for key risk factors, the related controls, and the mitigating XXXXX.
  • Contracts: XXXXX has not yet entered a signed contract with XXXXX to provide the XXXXX Bitcoin Trading Platform. The bank’s ability to assess risks is limited by the lack of any draft contracts that outline the bank and vendor’s responsibilities.
  • Audit: The internal audit risk assessment and plan did not include crypto-related activities.
  • Anti-money Laundering and Countering the Financing of Terrorism (AML/CFT): XXXXX’s specific AML/CFT policies, procedures, or controls for crypto activities have not been developed, and the lack of a contract limits the bank’s ability to understand the roles of each party in monitoring and analyzing AML/CFT related risks.
  • Customer Interface/Disclosures: XXXXX provided draft screen images of the Bitcoin Trading Platform customer interface provided by XXXXX, which would integrate into the bank’s existing online banking platform, but has not provided bank-specific screenshots, demonstrations of the interface, or customer disclosures.

RESOURCES

The following FILs, along with their references and attachments, may serve as useful resources for the Board and management regarding risks and concerns arising from crypto assets offered by, through, or in connection with insured depository institutions:

Also, the February 15, 1994 Interagency Statement on Retail Sales of Nondeposit Investment Products may be a useful resource for Bank management when considering how to ensure clear and conspicuous language is provided to customers when offering nondeposit products.

ACTION REQUESTED

The Board and management should ensure appropriate risk and compliance management frameworks are in place prior to implementation of the proposed crypto-asset service to enable safe and sound operations and compliance with appropriate laws and regulations. The Board must ensure the matters outlined in this Letter are fully addressed to effectively mitigate risk to the institution and consumers.

The FDIC requests that the institution notify this office of any material developments related to the proposed crypto-asset service. The FDIC intends to perform a more in-depth review as management moves further along in the due diligence process. If the institution is considering engaging in additional crypto-related activities, we request notification that describes the activity in detail and provides the institution's proposed timeline for engaging in the activity.

Please email the documents electronically as a PDF through the FDIC Secure Email portal at XXXXX@FDIC.gov. Information about how to use secure email and FAQs about the service can be found at fdic.gov/secureemail. A copy of your communication can be forwarded to Case Manager XXXXX and Review Examiner XXXXX.

Sincerely,

\s\ Paul Worthing

Paul P. Worthing
Regional Director

Cc: XXXXX