Regulators Redraw Crypto-Custody Rules

Financial regulators in the U.S. and globally are shifting the landscape for crypto-asset custody and bank involvement, opening the door for broader institutional capital inflows into the digital-asset ecosystem. The changes signal a move away from earlier cautionary stances toward a more permissionless banking model for crypto-custody services.

What’s changed?

• On May 7, 2025, the Office of the Comptroller of the Currency (OCC) clarified that national banks and federal savings associations are authorised to engage in crypto-asset custody and execution services, without needing specific prior approval from the regulator.
• On July 14, 2025, U.S. federal banking regulators (the OCC, Federal Deposit Insurance Corporation – FDIC, and Federal Reserve Board of Governors) issued a joint Statement on crypto-asset safekeeping. While not creating new supervisory obligations, the statement emphasises that banks must manage key risks (cryptographic key control, AML/OFAC compliance, sub-custodian oversight) when providing custodial services for crypto-assets.
• Separately, regulators worldwide (e.g., in the UK via the Financial Conduct Authority or FCA) are consulting on new rules for crypto-asset custody and safeguarding, aligning crypto firms more closely with conventional financial services firms.
• In effect, these regulatory shifts reduce the “advance permission” barrier that once discouraged banks from providing crypto-custody services.

Why this matters and the capital-inflow angle

1. Traditional banks can now more easily offer custody of crypto-assets.
Previously, many banks shied away from holding or servicing crypto-assets because of unclear regulatory status, high provisions under accounting bulletins (e.g., SAB 121), and supervisory caution. With the regulatory green light, banks can onboard crypto-custody clients (asset managers, HNW investors, crypto native firms) more readily.

2. More custodial infrastructure means broader access to institutional capital.
Asset managers, pension funds, and endowments often require regulated custodians before investing in digital assets. With banks poised to serve as qualified custodians, the path to allocating capital into crypto-assets and tokenised structures is smoother. For example, the regulators’ July safekeeping statement is expected to “encourage more traditional banking organisations to offer crypto-asset safekeeping”.

3. Permissionless doesn’t mean unregulated; banks still face risk-management, legal, and operational obligations.
The regulators stress the importance of cryptographic key control, sub-custodian oversight, governance of on-chain forks/airdrops, AML/CFT compliance, and aligning crypto safekeeping with existing fiduciary or non-fiduciary frameworks.

4. Global competitive dynamics favour jurisdictions that clarify custody rules.
As regulatory regimes mature (e.g., the UK’s crypto custody consultation) and banks gain access to crypto services, jurisdictions with clearer, consistent regulatory frameworks may attract larger capital inflows, tokenisation projects, and fintech innovation.

What to watch going forward

• Will banks hold crypto-assets on their balance sheets, or only act as custodians on behalf of others? The line will shape risk-weighting, capital treatment, and exposure limits.
• How will regulators treat tokenised assets, DeFi custody, and “permissionless” infrastructure (smart contracts, decentralised custody) in the banking context? The Project Crypto initiative by the U.S. Securities and Exchange Commission (SEC) suggests forthcoming guidance.
• How quickly will banks expand crypto custody offerings, and how will that translate into real capital flowing into digital-asset funds, tokenised real-world assets, and institutional platforms?
• What complementary regulation (licensing, consumer protection, global coordination) will accompany the custody shift, particularly given the international and cross-border nature of crypto-assets?

Takeaway

In summary, the regulatory climate for crypto-custody is rapidly evolving. The permissionless model for banks, where they no longer need explicit pre-approval to offer crypto custody services, opens a significant gateway for institutional capital inflows into the crypto-asset ecosystem. That said, the shift comes with a parallel emphasis on risk management, controls, and compliance. As banks deepen their involvement, the digital-asset industry may witness a meaningful uptick in institutional participation, tokenisation initiatives, and integration with legacy finance.

FAQs

Q1: What does “permissionless bank holdings” mean in this context?
A1: It refers to the regulatory shift allowing banks (especially U.S. national banks and federal savings associations) to engage in crypto-asset custody and execution services without needing to obtain specific advance permission or a new charter just for that purpose. For example, the OCC clarified that banks may buy and sell assets held in custody at the customer’s direction, and outsource custody services, subject to risk controls.

Q2: Are banks now totally free to hold crypto-assets on their own books?
A2: Not exactly. While custody and execution services are easier to offer, many regulatory, accounting, and prudential issues remain unresolved, for example, whether banks holding crypto for their own account must treat those assets as trading inventory, how capital requirements apply, and how exposures are risk-weighted. The banking regulators’ July statement does not create new supervisory obligations but underscores that existing banking laws still apply.

Q3: Why is custody such an important piece for institutional capital?
A3: Institutional investors typically require that assets (including digital assets) be held by a regulated, trustworthy custodian that meets regulatory, legal, operational, and audit standards. If banks step in as credible custodians for crypto-assets, it removes a major hurdle for funds, pension plans and other large investors to allocate to crypto or tokenised assets.

Q4: Does this mean crypto regulation is now friendly everywhere?
A4: No. While U.S. regulators are easing some barriers for banks, other jurisdictions may be stricter. For example, the European Insurance and Occupational Pensions Authority (EIOPA) has proposed punitive capital rules for insurers holding crypto-assets in the EU, showing that global regulatory approaches remain divergent.

Q5: What risks should investors and banks still be aware of?
A5: Key risks include: cryptographic key compromise, custody-provider insolvency, regulatory ambiguity (especially for non-fiduciary capacities), AML/CFT compliance gaps, volatility of crypto-assets, smart-contract vulnerabilities (for tokenised or DeFi assets), and cross-border legal uncertainty. The regulators’ statements emphasise the need for banks to have robust controls and governance in place.

Q6: How soon will we see major capital inflows as a result of these changes?
A6: It’s still early. While the regulatory groundwork is being laid, actual capital flows depend on banks implementing custody solutions, asset managers and institutional investors gaining comfort, and derivative, tokenisation, and infrastructure ecosystems scaling. The directional signal is positive, but timing and scale are uncertain.