Carol Ann Warren

Carol Ann Warren
Associate General Counsel, Compliance Alliance

Cryptocurrency: safe or ‘sus?’

The banking world has been shifting from physical currency and safekeeping to virtual safekeeping for many years now.”

In today’s financial regulatory environment, two of the hottest topics are cryptocurrency and cybersecurity. Within the past year, multiple agencies have released various regulations and guidance regarding cryptocurrency, banking and cyber-security, both individually and collectively. 

As my teachers would say, if something is said more than once it is probably important and you will likely see the material again. Similarly, cryptocurrency and the threat of cybersecurity is likely here to stay and regulators are preparing for those implications. Banks are now put on the spot to adapt to the market shift and the regulations that will surely follow. 

What is cryptocurrency? 

The Merriam-Webster’s dictionary defines cryptocurrency as “any form of currency that only exists digitally, that usually has no central issuing or regulating authority but instead uses a decentralized system to record transactions and manage the issuance of new units, and that relies on cryptography to prevent counterfeiting and fraudulent transactions.”

How does cryptocurrency relate to banking? 

For bankers, the question of how cryptocurrency relates to banking is pressing and hard to answer. Cryptocurrency usage is typically stereo-typed between two different groups: underground-market transactions (i.e., drug market or selling a kidney online) and GameStop/Reddit kids that almost crashed the stock market in 2021. Volatility and illicit activity are two of the biggest regulatory fears for bankers; so how do banking and cryptocurrency relate? 

First, who are the individuals that actually invest or use cryptocurrency? 

According to a November 2021 article from Pew Research, 16% of Americans have used or are invested in cryptocurrency. Of those 16%, 52% of those individuals are between the ages of 18-49. The individuals in this age group are not the typical “in-person” banking customers. As the market is shifting and these individuals have more market power, banks are scrambling to advertise to this group. Cryptocurrency may be a way to successfully do that.  

The guidance from regulators is that banking — one of the most highly regulated industries in the country — is supposed to mix with cryptocurrency, one of the most unregulated commodities in the world. The two seem be like oil and water, but the OCC argues in Interpretive Letter #1170 that it is more like M&Ms and popcorn, an unlikely, yet satisfying combination. 

The OCC didn’t actually say that, but they did argue that for banks, providing custodial services related to cryptocurrency would be in line with a bank’s intended purpose — “safekeeping” of assets. 

The banking world has been shifting from physical currency and safekeeping to virtual safekeeping for many years now. Therefore, the argument is that providing services for cryptocurrency is not a far-fetched idea, but a natural progression. 

How does cryptocurrency relate to cybersecurity? 

Because cryptocurrency is so hot right now and because of its anonymity, it is a prime target for hackers and bad actors around the world. From what the banking industry is seeing with P2P activity in relation to Regulation E and the new Interagency Guidance on cyber-security, the question many bankers ask is “do we want to add cryptocurrency to this dumpster fire?” 

The answer: Maybe. 

The Interagency Guidance defines a “cybersecurity incident” that rises to the level of a “notification incident.” A cybersecurity incident “is an occurrence that: 

  • (i) Results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or 
  • (ii) Constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”

This new guidance is giving rise to new policies, procedures and safeguards that banks have to implement. Ultimately, this is giving time to prepare for the inevitable cybersecurity attack, but is not without cost to the bank. 

The next question is if a bank takes on servicing cryptocurrency customers, does this increase the risk of a cybersecurity incident? 

The answer: Probably. 

Ultimately, this will be more of a cost-benefit analysis for the bank. According to a recent CNN article, there were over $1.9 billon worth of cryptocurrency stolen in 2022 so far. According to FIN-CEN, ransomware attacks are at an all-time high and only continue to increase. 

There is an argument that combining banking with cryptocurrency will only lead to an increase in cyber attacks on banks, which is likely true.

Is it worth it? 

The answer: Maybe. 

Banks need to have safeguards in place to protect current assets, private information and to comply with the myriad of new guidance. There is an argument that the infrastructure is already there. 

Lastly, several agencies acknowledge the risk associated with servicing cryptocurrency and still push for banks to consider servicing this group. 

At the end of the day, a bank is one of the safest places to keep assets, virtually or physically. Therefore, banks may want to consider servicing this group, because banks have specialized in safekeeping from its existence. If they choose not to service this group, they may miss out on a lucrative market opportunity. 

Biz2X ad