Regulated Financial Institutions & Cryptocurrencies: Strategic, Risk Management & Regulatory Considerations

March 2021

Straight To The Point

Are banks prepared to take advantage of the opportunities offered by the use of blockchain and the expansion of the financial services they offer? What should they be doing to prepare? What are the attendant risks and regulatory expectations associated with banks’ expansion of activities in this space?


The growing acceptance and use of blockchain products, such as cryptocurrencies and stablecoins, continue to expand.1 Bank of New York Mellon’s recent formation of its Digital Assets unit was the latest in a series of initiatives announced by financial services firms to expand their activities in the cryptocurrency space.2

While financial institutions have not (yet) made a headlong, dramatic expansion into cryptocurrency activities, there has been a steady growth in the acceptance and use of blockchain products and related activities. The regulatory community – both globally and in the US – continues to pay close attention to these developments. US regulators have thus far maintained a generally positive stance on regulated firms’ use of cryptocurrencies though the new administration’s position is not yet clear.

It is unlikely that a regulatory framework for capital and liquidity requirements will be proposed in the near term. Instead, supervisory scrutiny of banks’ activities (enumerated below) will continue and will likely intensify.

Are banks prepared to take advantage of the opportunities offered by the use of blockchain and the expansion of the financial services they offer? What should they be doing to prepare? What are the attendant risks and regulatory expectations associated with banks’ expansion of activities in this space?

What is Cryptocurrency?

A cryptocurrency is a decentralized, digital form of money, store of value, and medium of exchange for the sale of goods and services and settlement of financial transactions. The use of cryptocurrency as a payment mechanism has become firmly entrenched in financial services and continues to grow.3 Such transactions post in real time and provide convenience and security.

When referring to blockchain-derived products such as Bitcoin or Ethereum, many – especially in the central banking community – prefer the term “cryptoassets” and generally avoid the term “cryptocurrency”. They maintain that such assets do not meet the definition of fiat currency – they are not legal tender and are not backed by any government or public authority. As such, they do not reliably provide the standard functions of money and are unsafe to rely on as a medium or exchange or store of value considering the volatility of their value, which is market derived.

Stablecoins, by contrast, seek to reduce the volatility exhibited by cryptocurrencies by anchoring their value to the referenced asset. Stablecoins are a type of cryptocurrency whose value is linked to another asset, like the US dollar or price of gold.

What about Central Bank Digital Currency (CBDC)?

Cryptocurrencies differ from CBDC. According to the Bank for International Settlements (the “central bank for central banks”), CBDC is potentially a new form of digital central bank money that can be distinguished from reserves or settlement balances held by commercial banks at central banks. It is used to refer to several concepts; however, it is generally envisioned to be a new form of central bank money (i.e., a central bank liability, denominated in an existing unit account, which serves as both a medium of exchange and a store of value).

How are Financial Institutions Exposed to Cryptocurrencies?

In addition to its growing use as a payment mechanism, cryptocurrency offers several opportunities for banks to expand their services and product offerings and to support customers.

In a 2019 discussion paper published by the Basel Committee on Banking Supervision (BCBS), some of the ways in which banks engage in cryptocurrency activities or are exposed to crypto include the following:4

  • Issuing Cryptocurrencies Directly
  • Validating Cryptocurrency Block Transactions 
    • E.g., “mining” transactions through “proof of stake” or “proof of work”
  • Owning Cryptocurrencies
    • Either directly (e.g., as an investment) or through owning products with underlying cryptocurrencies (e.g., taking a long position on an exchange-traded fund)
  • Lending
    • To individuals, corporates, or financial institutions to allow them to invest in cryptocurrencies
    • To other entities dealing directly with cryptocurrencies (e.g., cryptocurrency exchanges, fund managers of cryptocurrency exchange-traded funds, etc.)
    • By taking cryptocurrencies as collateral
  • Trading & Market Activities:
    • Proprietary trading of cryptocurrencies or cryptocurrency derivatives
    • Trading of cryptocurrencies or cryptocurrency derivatives on behalf of clients
    • Clearing cryptocurrency futures or cryptocurrency derivatives
    • Underwriting initial coin offerings
    • Undertaking securities financing transactions involving cryptocurrencies
  • Offering Custodial Services:
    • Providing custody/wallet services for cryptocurrencies
    • Acting as a custodian for or taking deposits from a reserve backing cryptocurrencies
    • Taking deposits of or extending loans denominated in cryptocurrencies
    • Exchanging cryptocurrencies for fiat currency, and vice-versa
    • Using cryptocurrencies for internal or inter-bank operational processes

Strategic & Risk Management Considerations

A bank’s participation in these activities presents opportunities for revenue generation and customer accommodation. It can also expose the bank to financial risks (e.g., credit, counterparty, market, and liquidity risks) and, perhaps of more immediate concern, non-financial risks (e.g., cyber and operational risks; legal risks; reputational risks; third-party risks).

The relative “newness” of crypto-related activities means there are few tools to help provide oversight, control, and compliance. There is likewise little experience in identifying, managing, and mitigating related risks. There is a dearth of skilled staff to carry out these functions. Customary and best practices, standardized rules and disclosures, and documentation have yet to be developed. As a result, financial institutions engaging in crypto-related activities may be subject to greater legal, operational, and reputational risks.

Key Considerations Before Offering Cryptocurrency Products or Services

Before offering cryptocurrency-related products or services, a key consideration is the bank’s due diligence.

  • Has the bank fully assessed the risks? Has it adequately considered the costs and benefits of its entry into cryptocurrencies?
  • How does the bank’s cryptocurrencies activities or exposures align with its risk appetite statement?
  • Have the bank’s board, senior management, and chief risk officer considered and documented the impact of the planned new activities, considering the competitive and regulatory landscape and the bank’s long-term interests, risk exposure, and ability to manage risk effectively?
  • Does the bank have in place an adequate risk management process to support the introduction of new cryptocurrency products, services, business lines, or third-party relationships?

Regulation in the Crypto Space

Since cryptocurrency and related activities continue to evolve and are still in the nascent stages of development, another challenge for banks will be navigating among the many regulatory authorities having a remit in the crypto space. Additionally, banks need to develop controls to comply with rules and regulations issued by the US banking regulatory authorities – the Federal Reserve System, FDIC, and OCC. Banks may also be subject to requirements set out by other U.S. regulatory bodies including:

  • Commodity Futures Trading Commission (CFTC)
  • Financial Crimes Enforcement Network (FinCen)
  • Internal Revenue Service (IRS)
  • Office of Foreign Assets Control (OFAC)
  • Securities and Exchange Commission (SEC)
  • State banking authorities (e.g., NY State Department of Financial Services)

Of course, banks with international operations will be required to comply with local jurisdictions’ rules and regulations, which may differ – perhaps dramatically – from US requirements.

Regulatory & Supervisory Considerations

Cryptocurrencies have exhibited a high degree of volatility and are not considered a fully mature asset class considering the lack of standardization and ongoing evolution. There is at present no regulatory framework specifically for the prudential treatment of cryptocurrencies, though the BCBS has taken initial steps in this direction. In its 2019 discussion paper, the BCBS invited public comment on a range of issues that will help inform its development of a prudential framework. Assuming that US regulators and those from other jurisdictions will follow the international standard-setting process as the basis for the national rulemaking process, we do not believe a prudential framework will be in place before 2023.

The US regulatory authorities have thus far taken a measured approach that has been generally favorable toward cryptocurrencies. For example, in December 2020 the SEC issued a statement and request for comment regarding the custody of digital asset securities by broker-dealers5. The SEC also published (February 2021) staff guidance on risks and issues associated with digital assets to assist firms in developing and enhancing their compliance practices.6 The guidance covers areas such as disclosure, valuation, due diligence, conflicts of interest, and custody.

The OCC has also been active in the cryptocurrency arena, publishing interpretive letters that clarify the agency’s position on the permissibility of national banks engaging in certain cryptocurrency activities. Interpretive Letter 1170 permits regulated banks and financial institutions to provide cryptocurrency custody services, provided certain conditions are met. Interpretive Letter 1174 grants permission to national banks and federal savings associations to (i) participate in the independent node verification networks (INVN) as “nodes” and (ii) use stablecoins to facilitate payment activities and other bank-permissible functions, consistent with applicable law and safe and sound banking practice.7

While a regulatory treatment is not likely in the near term, supervisory oversight and scrutiny of banks’ cryptocurrency activities and exposures will continue and intensify.

Financial sector supervisors will expect at a minimum the following from banks:

  • A rigorous process for assessing the risk profile for their cryptocurrency exposures
  • A clear risk management framework to mitigate the risks stemming form cryptocurrencies, including under stress situations
  • Active involvement of a bank’s board and senior management
  • Informing supervisory authorities on a timely basis of actual and planned cryptocurrency exposures or activities and provide assurance that they have fully assessed the permissibility of such activities, the associated risks, and how the risks have been mitigated


Cryptocurrencies and related activities have gained broader acceptance and their use continues to expand. This represents an opportunity for financial institutions but is accompanied by risk and heightened regulatory scrutiny. As firms seek to take advantage of the many opportunities offered by crypto, they must be aware of the related risks and the areas on which the regulatory community will focus.

Things to Keep in Mind

  • How can we best prepare to offer cryptocurrency services to our clients?
  • What kind of due diligence do we need to conduct? What are the risks associated with cryptocurrency activities? What will it mean for our overall risk appetite and risk profile? What type of risk management policies and procedures will be required to control and mitigate these risks? What should be the role of the board and senior management?
  • What will it mean from a human resources perspective? Do we have or can we hire the necessary talent?
  • How is the regulatory/supervisory picture shaping up? What will the agencies expect of us? What are the most important regulatory roadblocks we might encounter?


  1. There is no standard definition of digital currency and the terms “cryptocurrency”, “cryptoasset”, “virtual currency”, “digital tokens” are often used interchangeably.
  2. See BNY Mellon. Other recent announcements from financial services firms were made by Mastercard, PayPal, Square.
  3. The total value of all cryptocurrencies passed $1 trillion in early January 2021. See Coindesk.
  4. See the BCBS’s Designing a prudential treatment for crypto-assets.
  5. See SEC Press Release. The statement defines a digital asset as an asset that is issued and/or transferred using distributed ledger or blockchain technology, such as a cryptocurrency.
  6. SEC’s Division of Examination’s Risk Alert.
  7. OCC Interpretive Letter 1170 and Interpretive Letter 1174.
  • Bill Coen

    Bill Coen Vice Chair, Risk & Regulatory Compliance

Download PDF

Table of Contents

    About Reference Point

    Reference Point is a strategy, management, and technology consulting firm focused on delivering impactful solutions for the financial services industry. We combine proven experience and practical experience in a unique consulting model to give clients superior quality and superior value. Our engagements are led by former industry executives, supported by top-tier consultants. We partner with our clients to assess challenges and opportunities, create practical strategies, and implement new solutions to drive measurable value for them and their organizations.

    About Us Media Center