Key Takeaways:
- The Office of the Comptroller of the Currency (OCC) has affirmed that national banks may safeguard digital assets as part of their existing custodial authority, provided activities are conducted in a safe and sound manner.
- Regulatory clarity has increased, but operational readiness remains uneven, as many institutions still lack the key management architecture, governance processes, and compliance frameworks required for digital asset custody.
- Banks pursuing crypto custody must demonstrate strong controls, supervisory alignment, and ongoing oversight across technology, risk management, and operations.
- OCC crypto custody is now treated as a regulated banking activity under evolving OCC guidance, requiring institutions to translate policy permission into defensible execution.
Why Banks Are Moving Toward Regulated Digital Asset Custody
Institutional investors are increasingly looking for bank-supervised digital asset custody as a safer alternative to exchange-based solutions. With Office of the Comptroller of the Currency (OCC) guidance confirming that custody of digital assets is permissible when supported by strong controls, banks have a clear regulatory path forward. The challenge now is execution.
Digital asset custody introduces new technical and operational risks that traditional systems were not designed to manage. OCC supervisors expect institutions to demonstrate clear command of private key protection, transaction governance, and audit visibility across every step of asset movement. Meeting that bar requires updated frameworks, refined controls, and infrastructure built for digital assets rather than adapted from legacy models.
Understanding how the OCC evaluates these programs is the foundation for building custody services that meet institutional and regulatory expectations.
Understanding OCC Guidance on Crypto Custody
The OCC has emphasized that crypto custody is treated as a custodial activity under existing banking authority, rather than a new line of business. OCC interpretive letters 1170, 1172, and 1174 clarify that national banks and federal savings associations may custody digital assets, including by safeguarding private keys, when programs operate in a safe and sound manner. The agency also recognizes that banks may hold reserves for stablecoin issuers if risks are controlled. Recent OCC crypto guidance establishes crypto custody as a permissible banking activity when supported by appropriate governance and controls.
Under current OCC expectations, banks must notify the OCC in writing before launching crypto custody services and undergo supervisory review of their proposed controls, governance, and operating model. Approval is activity-specific and contingent on the institution’s ability to demonstrate sound operations, with the OCC retaining authority to impose conditions or require additional controls over time.
All crypto custody activities are evaluated under the OCC’s longstanding banking standards, rather than a separate or novel regulatory framework.
These letters set the boundaries but do not grant automatic approval. Institutions must show how their custody program operates, how risks are mitigated, and how supervisory expectations will be met over time. The OCC reviews digital asset custody with particular attention to technical controls, cybersecurity posture, staffing, and documentation. Permission is only the starting point. Readiness must be demonstrated.
In practice, supervisory feedback may limit supported asset types or counterparties, and permissions can evolve as the OCC evaluates the institution’s ongoing performance.
What Banks Must Build to Meet OCC Expectations
The OCC assesses digital asset custody based on the strength of an institution’s controls. Banks must show that their environment protects private keys, enforces segregation of duties, and supports predictable, traceable transaction governance.
OCC expectations extend beyond technology into governance. Banks are expected to adopt board-approved digital asset policies supported by internal risk assessments that address legal, operational, reputational, and compliance risks associated with crypto custody.
Key management is foundational. Institutions need hardened signing environments, strict access compartmentalization, and safeguards that prevent unilateral asset movement.
The OCC also evaluates the consistency of transaction controls. Banks must enforce approval rules, whitelists, limits, and monitoring processes that produce reliable outcomes. Clear logs help supervisors and audit teams confirm that governance is functioning as designed.
Cybersecurity and resilience expectations reflect the high-risk nature of digital asset custody. Institutions need to maintain SOC reporting, penetration testing, incident response procedures, and continuity planning that protect against irreversible loss.
Documentation is equally critical. Banks are also required to provide permissible activity analyses, risk-control mappings, workflow descriptions, and evidence that each component of the program supports safe and sound operations.
These programs must also ensure that BSA and AML obligations extend fully to digital assets, including SAR monitoring, sanctions screening, and customer due diligence specific to on-chain activity.
Finally, vendor management plays a central role. Institutions have to apply rigorous third-party risk oversight to any external infrastructure supporting custody functions.
A Practical Path to Digital Asset Readiness
Banks that succeed in digital asset custody follow a readiness arc that aligns internal processes with supervisory expectations. The path typically begins with a risk assessment that identifies supported assets, customer segments, and the custody model the institution intends to operate. This analysis frames both internal program design and early supervisory dialogue.
Institutions then prepare their regulatory foundation. This includes drafting permissible activity memos, documenting control frameworks, and assembling the materials that demonstrate alignment with OCC expectations.
Infrastructure planning defines how key management, signing workflows, policy controls, monitoring tools, and reconciliation processes will operate. These decisions shape staffing models, training requirements, and audit workflows.
Risk and compliance teams expand their frameworks to incorporate blockchain analytics, sanctions screening, event monitoring, and incident response. Digital assets introduce new signals that require updated procedures and specialized oversight.
Operational workflows bring design into practice. Banks document onboarding, approvals, settlements, reconciliations, and exception handling. These workflows must be measurable, repeatable, and auditable.
The readiness process concludes with cybersecurity, disaster recovery, and insurance structures that show supervisors the institution can protect client assets under adverse conditions.
Why Banks Choose BitGo for OCC-Aligned Custody
The OCC has made digital asset custody accessible to select institutions that can demonstrate control, discipline, and operational resilience. Banks that build on strong technical foundations and transparent processes will move faster, face fewer supervisory challenges, and earn lasting client trust. BitGo provides the infrastructure that helps institutions meet these expectations with clarity, confidence, and speed.
In 2025, the OCC issued an approval for BitGo to operate under a national trust charter, subject to ongoing supervisory conditions and requirements. This status places BitGo under direct federal oversight and aligns its custody infrastructure with the same regulatory framework and supervisory standards described in OCC guidance.
Within that framework, BitGo provides institutional-grade infrastructure designed to meet OCC expectations, including MPC-based key management that eliminates single points of failure, granular policy controls that support consistent transaction governance, and an audited operating environment built for transparency and resilience.
Institutions use BitGo to strengthen key management, support supervisory documentation, and integrate policy enforcement with compliance systems. BitGo’s operational maturity and global licensing footprint give banks a reliable foundation for launching custody programs that align with supervisory standards and institutional requirements, helping institutions move quickly and confidently into the digital asset space.
FAQ
What has the OCC said about banks providing crypto custody?
The OCC has confirmed that national banks may provide digital asset custody if they demonstrate strong risk management, internal controls, and adherence to safe and sound practices.
Which types of banks can offer OCC-supervised crypto custody services?
National banks and federal savings associations may offer digital asset custody when their operations align with OCC expectations.
What operational steps must banks take to launch crypto custody?
Banks must develop secure key management, transaction governance, cybersecurity protections, supervisory documentation, and operational workflows tailored to digital assets.
How should banks approach risk management for digital asset custody?
Institutions should integrate blockchain analytics, sanctions screening, monitoring tools, and audit-ready documentation into broader risk and compliance frameworks.
How can banks partner with infrastructure providers to meet OCC expectations?
Banks often work with regulated digital asset infrastructure providers to access key management, policy enforcement, compliance integrations, and resilient technical environments that support OCC-level readiness.
About BitGo
BitGo is the digital asset infrastructure company, delivering custody, wallets, staking, trading, financing, and settlement services from regulated cold storage. Since our founding in 2013, we have been focused on accelerating the transition of the financial system to a digital asset economy. With a global presence and multiple regulated entities, BitGo serves thousands of institutions, including many of the industry's top brands, exchanges, and platforms, and millions of retail investors worldwide. For more information, visit www.bitgo.com.
©2025 BitGo, Inc. (collectively with its parent, affiliates, and subsidiaries, “BitGo”). All rights reserved. BitGo Bank & Trust, National Association (“BitGo Bank & Trust”) is a national trust bank chartered and regulated by the Office of the Comptroller of the Currency (OCC). BitGo Bank & Trust is a wholly-owned subsidiary of BitGo Holdings, Inc., a Delaware corporation headquartered in Palo Alto, California. Other BitGo entities include BitGo, Inc. and BitGo Prime LLC, each of which is a separately operated affiliate of BitGo Bank & Trust.
BitGo does not offer legal, tax, accounting, or investment advisory services. The information contained herein is for informational and marketing purposes only and should not be construed as legal, tax, or investment advice. You should consult with your own legal, tax, and investment advisor for questions about your specific circumstances.
Digital assets are subject to a high degree of risk, including the possible loss of the entire principal amount invested. Past performance and illustrative examples do not guarantee future results. The value of digital assets can fluctuate significantly and may become worthless. No BitGo communication is intended to imply that any digital asset services are low-risk or risk-free. BitGo is not a registered broker-dealer and is not a member of the Securities Investor Protection Corporation (“SIPC”) or the Financial Industry Regulatory Authority (“FINRA”). Digital assets held in custody are not guaranteed by BitGo and are not subject to the insurance protections of the Federal Deposit Insurance Corporation (“FDIC”) or SIPC. Custody and other digital asset services are subject to eligibility, jurisdictional, and regulatory restrictions. Availability of specific products and services may vary by location and entity.
BitGo endeavors to provide accurate information on its websites, press releases, blogs, and presentations, but cannot guarantee all content is correct, completed, or updated. Content is subject to change without notice. BitGo disclaims any obligation to update or supplement such information except as required by applicable law or regulation.
BitGo makes no representation that the information contained herein is appropriate for use in any jurisdiction where its distribution or use would be contrary to law or regulation or would subject BitGo or any of its affiliates to any registration or licensing requirements in such jurisdiction. Persons who access this information are responsible for complying with all applicable laws and regulations.