In an April 2025 speech at the Exchequer Club, Acting Comptroller of the Currency Rodney Hood identified “expanding responsible bank activities involving digital assets” as one of the OCC’s top four strategic priorities. “National banks and federal savings associations are well positioned to engage in this space responsibly,” Hood noted—underscoring both the agency’s evolving posture and its confidence in the readiness of the banking sector to participate in the digital asset ecosystem.
The following month, the OCC took a concrete step in that direction with Interpretive Letter 1184, which reaffirmed that banks may custody cryptocurrency and engage in related services without prior supervisory approval—so long as those activities comply with applicable law, and meet key regulatory expectations around safety and soundness.
This letter removes a significant procedural hurdle, but it does not diminish regulatory expectations. In practice, it also raises important operational questions for banks: What does “appropriate third-party risk management” entail in a crypto context? How should financial institutions align their existing policies and processes around cybersecurity, compliance, and capital treatment to address the crypto-specific activities on their roadmaps?
In this post, I explore these questions and outline key considerations for banks seeking to engage with digital assets in a manner that aligns with regulatory standards and institutional best practices.
New Product Approvals and Third-Party Risk
OCC Interpretive Letter 1184 clarifies that banks may launch crypto-related services if they comply with customer agreement and applicable law. But the letter also reinforces that such activities must align with broader OCC expectations. Consider, in particular, those outlined in its New Product Bulletin and third-party risk management guidance.
The OCC has guiding principles that banks should consider, but areas where additional granularity may be warranted. Through these bulletins, banks have a roadmap on expectations related to service providers to support their cryptocurrency journey.
This includes:
- Conducting comprehensive due diligence on crypto-native vendors
- Developing detailed risk and control frameworks tailored to blockchain operations and related control processes
- Ensuring clear governance and oversight structures are in place for new services
As the Administration continues to shape its regulatory agenda, and once Jonathan Gould is confirmed to lead the OCC, we should anticipate further developments that build on these principles, tailored to the unique nuances of crypto-related activities.
Operations and Cybersecurity: A Shift in Control Paradigms
The OCC has overseen custody services, and provided related requirements, since its inception. However, best practices for digital asset operations—such as transaction processing, key management, and business continuity and disaster recovery—diverge significantly from typical banking operations.
The OCC’s 2023 Cybersecurity Supervision Work Program addresses relevant safeguards against exposures presented by incidents like the Bybit hack, including supply chain risk, response and recovery planning, and testing.
However, aligning the specific components of crypto operations to these obligations will be critical. Notably, many of the largest hacks to date have involved entities building in-house solutions.
Banks should focus on:
- Crypto-native key management practices, including multi-layer security architectures leveraging best-in-class cryptography such as MPC
- Tailored transaction processing controls and reconciliation processes across blockchain networks
- Resilient incident response and business continuity / disaster recovery planning for decentralized, 24/7 infrastructure
Illicit Finance and Sanctions Evasion: Raising the Bar
Although the OCC has had limited cryptocurrency exposure among its supervised banks, its 2022 consent order against Anchorage Digital Bank may be instructive for supervisory focus, including around customer due diligence, suspicious activity monitoring, and governance.
Compare those findings to the recent consent order levied against Block, Inc. by NYDFS, which includes an extended analysis around blockchain analytics and cryptocurrency-specific monitoring failures, as well as cybersecurity and consumer protection deficiencies.
These actions underscore the need for institutions to enhance their risk detection capabilities in crypto contexts by focusing on:
- Onchain transaction monitoring and blockchain analytics integration
- Tailored suspicious activity reporting processes
- Governance structures designed to oversee crypto compliance
Here’s how banks are tackling these risks head-on: What’s Next for Banks Entering Crypto? Navigating the Risks.
Capital Requirements and Accounting Treatment
Banks entering the crypto space will need to address how new business lines align with capital and liquidity requirements. These issues also connect to broader Basel Committee debates and proposals to update global banking capital rules—which the Administration has, to date, put on pause.
As a result, U.S. policymakers have an opportunity to create a new global template for capital reserves that is truly proportionate to the novel risks that cryptocurrencies and tokenized real-world assets pose, along with their corresponding safety and soundness considerations.
Institutions should be actively considering:
- How crypto custody, stablecoin issuance, and tokenization initiatives will affect balance sheets and capital planning
- How to evaluate capital and liquidity treatment for these activities under current rules—even in the absence of crypto-specific regulatory clarity, including wind down and resolution planning
Coordination across compliance, finance, and product teams to ensure capital adequacy remains aligned as offerings evolve
Repealing SAB 121 opened the gates. Here’s how that’s reshaping the playing field: The Repeal of SAB 121: A New Chapter for U.S. Leadership in Crypto.
Final Thoughts: The Real Opportunity
We are now turning the page to a new chapter where banks are beginning to adopt this technology and accelerate the pace of change. While Letter 1184 removes a key procedural hurdle, it reinforces the need for purpose-built operations, compliance frameworks, and risk management systems.
This builds on the foundation laid in my earlier blog on OCC Interpretive Letter 1183, which reestablished permissibility for activities like custody and stablecoin networks. Together, these developments mark a meaningful shift in regulatory posture—enabling innovation within a defined supervisory perimeter.
Policymakers and market participants now have a window to act. The opportunity is clear: harness blockchain innovation to strengthen the financial system and deliver lasting value to institutions and their clients.
