From Permission to Preparedness: U.S. Regulators Shift on Crypto
Mriganka Pattnaik is a recognized leader in blockchain analytics and financial crime prevention, serving as the CEO and co-founder of Merkle Science. Under his direction, Merkle Science has become a trusted partner for Web3 businesses, financial institutions, and law enforcement, securing $27 million in funding while collaborating with federal agencies worldwide and leading crypto companies like Consensys, Crypto.com, and Hedera. With over a decade of experience in compliance, risk monitoring, and financial services, Mriganka previously played a key role in scaling Luno, a DCG subsidiary, across 40 countries. He began his career in investment banking at Bank of America and holds a degree in engineering from the Indian Institute of Technology (IIT). An active contributor to regulatory initiatives, he works closely with organizations like Interpol and the Illicit Virtual Asset Notification (IVAN) network to shape the future of crypto compliance.

Two of the most powerful banking regulators, the Office of the Comptroller of the Currency (OCC), which supervises national banks, and the Federal Deposit Insurance Corporation (FDIC), which oversees insured state banks, have quietly redefined how financial institutions can interact with crypto.
Between March and May 2025, both agencies rescinded guidance that, for the past three years, had imposed procedural and reputational barriers to digital asset activity. The OCC, through Interpretive Letter 1183, withdrew its requirement for supervisory non-objection letters and reaffirmed that activities such as crypto custody, stablecoin reserve management, and blockchain node participation are permissible, provided they are conducted in a safe and sound manner. Around the same time, the FDIC rescinded FIL-16-2022, eliminating the requirement for banks to provide advance notification before engaging in crypto-related activities.
Together, these changes quietly reverse the tone of a 2023 joint statement from the Fed, OCC, and FDIC, which had broadly warned that crypto was incompatible with safe banking—replacing blanket caution with conditional acceptance based on risk controls.
The impact is sweeping: OCC- and FDIC-supervised banks are now allowed to engage in approved digital asset activities without prior supervisory clearance. The removal of the pre-approval process eliminates a longstanding chokepoint—one that often operated less as a safeguard and more as a deterrent.
This isn’t just policy cleanup; it’s a supervisory recalibration. By removing procedural blocks, the agencies are signaling a shift from preventive restriction to posture-based accountability. Regulators are effectively placing a bet on institutional competence. Banks are now expected to define, measure, and manage their own crypto risk exposures and be accountable when those frameworks fall short.
Proponents may argue this is deregulation—but it’s better understood as risk delegation, with shared accountability. While regulators remain engaged, the practical burden of execution, translating permissibility into operational readiness and execution, now falls on banks. They must assess blockchain risks in real time, navigate evolving supervisory expectations, and maintain consumer trust without waiting for perfect clarity. Many aren’t structurally ready. But they need to get there fast.
It also confronts a long-unchecked friction: reputational risk. For years, banks cited reputational exposure to justify debanking crypto firms or avoiding the sector altogether. Now, implicitly, regulators are saying: reputation alone is no longer a defensible basis for refusal, especially when the underlying activity is expressly permitted. The pivot from permission to preparedness is what defines this new phase of banking supervision.
Crypto Risk Management Demands More Than Traditional Controls
With procedural barriers removed, the question now is not whether banks can engage with crypto—but whether they are operationally ready to do so without introducing new forms of risk into the financial system.
The short answer: not yet.
To be clear, banks already maintain robust financial risk controls—from capital adequacy testing to liquidity risk management and third-party vendor oversight. But crypto introduces risk vectors that don’t fit cleanly into legacy models. The supervisory message, to apply “traditional risk norms” to digital assets, is conceptually sound. It seeks to extend financial protections to novel markets without rewriting the rulebook. Yet in practice, the execution gap is stark. Supervisory intent and institutional capacity remain misaligned.
The exposure types are technically distinct and institutionally unfamiliar:
- Smart contract execution risk, where operational failures stem from logic errors or code vulnerabilities, not counterparties
- Protocol-level disruptions where operational failures stem from logic errors or code vulnerabilities, not counterparties
- Stablecoin depegs and reserve opacity, where standardized, auditable frameworks are still being built
- Sanctions and counterparty risk, where exposure is determined as much by wallet behavior as identity
These aren't marginal issues—they are core challenges to financial stability in a programmable environment. Without proactive adaptation, they don’t remain on-chain—they migrate to balance sheets. A flawed protocol integration or a rapidly depegged stablecoin isn’t just a technical failure; it can trigger solvency and contagion risks across the institution.
Addressing these challenges demands systems purpose-built for digital assets—paired with an institutional mindset. Illicit finance controls must move beyond basic screening to include anomaly detection, geolocation tracing, real-time transaction risk scoring, sanctions filtering, and automated SAR workflows. Custody infrastructure must be re-architected for programmable assets, with hybrid custody models, multi-layered key management, and business continuity tailored to decentralized systems. And proof-of-reserves frameworks, using cryptographic attestations and Merkle-based verifications, are fast becoming essential for maintaining client trust and meeting supervisory expectations.
But tooling alone is not enough. Risk frameworks will falter without the fluency to interpret them. Training must go beyond policy checklists to include conceptual fluency. Teams must be able to distinguish between superficially similar activities, like staking versus staking-as-a-service, and understand how protocol upgrades, validator incentives, and liquidity pool mechanics materially shift exposure. Without this internal fluency, oversight becomes reactive and risk becomes invisible until it’s too late.
This isn’t about plugging crypto into legacy systems. It’s about rebuilding operational readiness to match the speed, transparency, and complexity of the environment banks are now allowed to enter.
Phased Crypto Integration Is Key to Financial Stability
The regulatory shift now underway is grounded in a sound principle: that digital asset activities, if governed with the same safety and soundness standards as traditional finance, can be responsibly integrated into the banking system. But principle alone doesn’t translate into execution. If regulators are asking banks to apply “traditional risk norms” to programmable assets, the industry must confront a basic truth: those norms weren’t designed for systems that can reconfigure themselves in real time.
What’s needed now is not just infrastructure, but sequencing. Banks should adopt a phased approach to integration, starting with limited-use cases such as crypto custody or stablecoin reserve, validating internal controls at each stage before expanding. This creates space to absorb operational lessons, pressure-test compliance systems, and build fluency before risk becomes systemic.
At the same time, regulatory permission should not be mistaken for policy clarity. As procedural guardrails are withdrawn, the burden of interpretation shifts decisively to institutions. Banks must now engage more actively with regulators—federal and state alike—not just to meet expectations, but to shape them. This is especially urgent in a legal landscape where jurisdictional boundaries remain fluid, and supervisory coordination is incomplete.
To date, examples like the New York Department of Financial Services’ BitLicense regime, FinCEN’s red flags for crypto-related suspicious activity, and OFAC’s FAQs following the Tornado Cash sanctions show where regulators have provided concrete, actionable guidance. Until digital asset-specific banking standards are established covering custody, reserve attestations, AML/KYC requirements, and protocol exposure, banks will need to bridge the gap through sustained regulatory dialogue, policy engagement, and internal preparedness.
Success in this new phase will depend on how well banks sequence ambition with capability and how deliberately they build governance around that trajectory. Fluency, tooling, and resilience must rise in tandem. Otherwise, the promise of applying traditional norms will remain just that: a promise.
Regulators have signaled trust. But that trust comes with conditions. What happens next will show whether the banking system is prepared to evolve not just to meet crypto, but to manage it with the same institutional discipline that has long underpinned public confidence in the financial system.
All opinions expressed by the writers are solely their current opinions and do not reflect the views of FinancialColumnist.com, TET Events.