Crypto-assets: Handle with care
In January 2023, the federal banking agencies published “Joint Statement on Crypto-Asset Risks to Banking Organizations.” The statement cautions banks to be aware of — and, if applicable, mitigate — the risks associated with crypto-assets. According to the statement, these risks include:
- Fraud and scams,
- Legal uncertainties regarding custody practices, redemptions and ownership rights,
- Inaccurate or misleading representations or disclosures, including misrepresentations regarding FDIC coverage,
- Significant volatility, including potential impacts on deposit flows,
- Stablecoins’ susceptibility to run risk,
- Contagion risk resulting from interconnections among crypto-asset participants,
- Lack of mature, robust risk management and governance practices in the crypto-asset sector, and
- Heightened risks associated with open, public or decentralized networks (for example, lack of governance mechanisms, absence of contracts, or standards to clearly establish roles, responsibilities and liabilities).
The statement instructs banks to “ensure that crypto-asset-related activities can be performed in a safe and sound manner, are legally permissible, and comply with applicable laws and regulations,” including consumer protection laws. Notably, the statement opines that “issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe and sound banking practices.”
Be prepared to report computer security incidents
As concerns over cybersecurity intensify, banks should be prepared to report computer security incidents to federal regulators quickly. Under a rule that took effect last spring, banks must report computer security incidents that rise to the level of a “notification incident” within 36 hours. The rule defines “computer security incident” as an “occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” These incidents aren’t limited to cyberattacks — they also can result from hardware or software failures, human error or other nonmalicious causes.
A computer security incident is deemed to be a notification incident if it’s reasonably likely to materially disrupt or degrade a bank’s 1) ability to carry out banking operations, activities or processes, or deliver products and services to customers, 2) business lines whose failure would result in a material loss of revenue, profit or franchise value, or 3) operations whose failure would pose a threat to U.S. financial stability. All banks should have procedures in place for identifying notification incidents and reporting them to their primary regulators on a timely basis.