The agencies, acting under President Donald Trump’s administration, issued a joint statement Monday, explaining exactly how traditional lenders should manage crypto holdings for their clients.

According to the statement reviewed by Cryptopolitan, these new instructions replace earlier warnings and restrictions that made it harder for banks to enter the crypto market.

The update comes just months after regulators pulled back previous guidance on crypto-related risks in April and revoked the 2022 directive that forced banks to notify regulators in advance before engaging in any crypto activity.

From now on, crypto operations will be monitored as part of routine supervision, just like any other banking business. The agencies warned that any bank stepping into crypto custody must understand what it’s getting into and build out systems that can handle it.

The regulators made clear that safekeeping crypto means having control of the cryptographic keys that give access to those assets, and that control must meet every relevant law and regulation.

Before even launching custody services, banks are expected to assess how these operations fit into their overall risk profile and strategy. They need to know the tech, stay updated on industry practices, and prepare for surprises.

“An effective risk assessment would consider such things as the banking organization’s core financial risks given the strategic direction and business model,” the agencies said in their joint statement.

Every employee, whether sitting in the C-suite or working on IT, must have the training and operational knowledge to run crypto custody services properly. The statement added that all parts of the bank must be able to “establish adequate operational capacity and appropriate controls to conduct the activity in a safe and sound manner.” Without this foundation, they’re simply not allowed to offer these services.

The guidelines also require contingency plans. That means having a real plan when systems break or if a crypto custody process fails. This isn’t optional. It must be built into the bank’s setup from day one. The agencies said the entire framework should be flexible enough to adapt to the fast-changing crypto landscape. What works today might not work tomorrow.

Banks are allowed to work with third-party companies to handle crypto safekeeping—like using sub-custodians or tech providers. But the statement stressed that banks will still carry all the responsibility. “Subject to the terms and conditions in the customer agreement, a banking organization is responsible for the activities performed by the sub-custodian,” the regulators said.

That responsibility covers everything, from which crypto assets the bank supports to how the sub-custodian’s tech works. Even if the third party is doing most of the work, the bank must do due diligence ahead of time.

That means checking how keys are created, stored, and deleted, and confirming that the sub-custodian uses strong safeguards. Banks are also expected to look at what would happen to customer assets if the sub-custodian goes bankrupt or suffers operational problems.

Regulators also addressed another common setup: when a bank handles custody in-house but still uses third-party technology. Whether it’s software, hardware, or anything in between, banks are expected to evaluate the risks. 

That includes deciding whether it’s safer to build their own systems or rely on someone else’s tools. The statement said, “Effective risk management… will generally include weighing the risks of purchasing third-party software or hardware versus maintaining such software or hardware as a service.”

Auditing also made the list of requirements. The agencies said that banks must create audit programs specifically for their crypto custody operations. That includes reviewing key generation, storage, and deletion processes, verifying transfer controls, and checking that IT systems meet security standards. These audits should also assess whether staff have the skills to manage crypto-related risk—and if not, outside help must be brought in.

“When audit expertise does not exist within the banking organization, management should engage appropriate external resources, with sufficient independence, to assess crypto-asset safekeeping operations,” the agencies said.

KEY Difference Wire helps crypto brands break through and dominate headlines fast