On April 13, the State of Wyoming took the extraordinary step of filing a request for permission to intervene in the ongoing dispute between Custodia Bank, Inc. (“Custodia”) and the Board of Governors of the Federal Reserve System (“the Fed”) and the Federal Reserve Bank of Kansas City. This dispute involves a complaint (now amended) filed by Custodia – a state-chartered special purpose depository institution (“SPDI”) based in Cheyenne, Wyoming – against the Fed and the Federal Reserve Bank of Kansas City, alleging that the defendants improperly denied Custodia’s application for a “master account” with the Fed. Generalizing greatly, having a master account allows financial institutions to operate in the normal course as a custodial bank in the U.S. Having a Fed master account is therefore critical to any institution looking to operate in the U.S. financial system.
In a nutshell, Wyoming’s request to intervene critiques the defendants because of their “view of perceived inadequacies in Wyoming’s laws and regulations for SPDIs, [which are] partially responsible” for the denial of Custodia’s master account application. More specifically, Wyoming accuses the defendants of seeking to treat Wyoming SPDIs in an inequitable manner, thereby “treating state-chartered non-federally regulated banks as second-class banks ineligible to compete with federally-regulated ones.”
This blog post focuses on an important issue referenced seemingly in passing in Wyoming’s request for permission to intervene, which is clearly motivating in part the filing by Wyoming: on March 24, 2023, the Fed made public its January 27, 2023 Order Denying Application for Membership (the “Order”) by Custodia, which had requested the Fed’s approval under Section 9 of the Federal Reserve Act to become a member of the Federal Reserve System. According to Wyoming, the Fed’s decision to deny Custodia’s application has the effect of preventing Custodia and other Wyoming SPDIs from ever being able to attain the status of federal regulation. We focus here on the Order because of its much broader anti-money laundering (“AML”) and sanctions implications for any banks which are contemplating targeted services for the digital asset industry. The 86-page Order is very detailed, and often also discusses safety and soundness concerns, as well as other issues.
As we discuss, the Order suggests that any bank will have a hard time convincing the Fed that crypto-heavy banking services can comply with the requirements of the Bank Secrecy Act (“BSA”) and U.S. sanctions law. Likewise, the Fed has expressed its skepticism in the Order that blockchain analytics services, even when applied skillfully and with the best of intentions, actually can satisfy the BSA and U.S. sanctions law due to limitations inherent in crypto transactions relating to knowing with confidence who is actually conducting the transactions. This same issue was also noted by the recent report by the U.S. Treasury regarding perceived AML and sanctions vulnerabilities in decentralized finance providers.
According to the Order, “Custodia intends to focus its business model almost entirely on the crypto-asset sector, and has described itself as seeking to become a ‘a compliant bridge’ between the U.S. dollar payment system and the crypto-asset ecosystem.” Under the Wyoming SPDI Act, Custodia may engage in a nonlending banking business, provide payment services for depositors, and, with the approval of the state banking commissioner, engage in any other activity that is usual or incidental to the business of banking. Wyoming does not require SPDIs to obtain federal deposit insurance, and Custodia was not seeking to obtain such insurance. This lack of federal deposit insurance was a key concern for the Fed.
Custodia sought to offer deposit accounts for businesses and eventually high-net worth individuals and provide such customers access to ACH and wire transactions, and online banking services. The Order likened the services which Custodia sought to provide as similar to many of the services offered by crypto-asset exchanges. In particular, Custodia sought “to issue, redeem, and transfer Avits—dollar-denominated tokens that Custodia describes as programmable ‘electronic negotiable instrument[s]’ and as deposits for purposes of federal banking law.” According to the Order, “[w]hile Custodia does not refer to Avits as ‘stablecoins,’ the tokens would likely function similar to ‘stablecoins’ like Tether and USDC.”
In the Order, the Fed expressed concerns with the “novel and unprecedented features” of Custodia’s proposal – concerns that were elevated by the facts that Custodia’s business plan focused on a narrow sector of the economy, and because Custodia is an uninsured depository institution. Ultimately, the Fed determined that Custodia’s “risk management and controls for its core banking activities were insufficient, particularly with respect to overall risk management; compliance with the BSA and U.S. sanctions laws; information technology (‘IT’); internal audit; financial projections; and liquidity risk management practices.”
Moreover, and in potentially very broad language relevant to future applications, the Fed found that “[c]rypto-assets pose significant ML/TF risks due to the lack of transparency, ease and speed of transfer, and general irrevocability of transactions—all of which make crypto-assets attractive for use in money laundering.” Accordingly, “given the absence of developed policies, procedures, and controls for crypto-asset-related activities at this stage, the examiner findings suggest that Custodia is unlikely to be able to effectively comply with the BSA and OFAC requirements applicable to the proposed, more complex, higher-risk crypto-asset-related activities that are central to its business model.”
One primary source of the Fed’s AML and OFAC concerns was the fact that “[o]wnership of and transactions with Avits would not be limited to customers of Custodia. Persons unknown to Custodia would be able to purchase Avits on the secondary market and use them to conduct transactions. Custodia has also indicated that noncustomers would be able to redeem Avits after a screening process without being required to become customers of Custodia.” This concern is not limited to Custodia. To the contrary, it could apply to all similar token transactions, in which an entity does not and cannot know its customer’s customer.
Similarly, the Order expresses concerns about the possibility of effective transaction monitoring, finding that “[w]hile the financial institution that issued the stablecoin might have information on the transaction flows on the applicable blockchain, it would likely not know the identity of the transactors other than the initial purchaser and the ultimate redeemer. Without information about the transactors, it is extremely difficult for financial institutions to comply with AML/CFT requirements to identify suspicious activity and sanctioned parties, especially within mandated reporting periods.”
The Order then turns to the important issue of private blockchain analytics services designed to mitigate and comply with AML and OFAC concerns. The Fed, correctly or not, does not seem optimistic about the utility of such services, particularly as to day-to-day sanctions compliance, as opposed to their use in after-the-fact investigations into potential criminal conduct. The problem, in the eyes of the Fed, is that even if one is reasonably confident that one is not dealing with someone located in, for example, North Korea, you still cannot be confident about precisely who you are dealing with, or what precisely they might be doing through your tech:
While there are private companies that investigate transactions on crypto-asset blockchains solely based on public information, such as from the blockchain or social media, without customer identification information, the services are highly imperfect. Law enforcement and specialist blockchain analytics firms, like Chainalysis, can learn information about a wallet and its holder, including whether the wallet may be associated with illicit activity or other wallets identified as suspicious or sanctioned; however, it can be difficult, relying on blockchain analysis alone, to establish the real-world identity of the person with ownership or control of a wallet with available information at the time of the transaction. Even following an investigation, such information can be difficult to establish, particularly if blockchain obfuscation techniques are used.
The Order stresses that “Custodia has acknowledged that it ‘faces the risk that is products may be used for money laundering activity or activity that violations U.S. sanctions’ particularly in light of the fact that users would have the ‘ability . . . to make or accept transactions to or from non-Custodia wallets, which would not have undergone an onboarding process with Custodia.'”
Likewise, the Order states that “Custodia has acknowledged that ‘due to the nature of pseudonymous blockchains in which Custodia will enable customers to transact, the name of a non-customer involved in a transaction may not always be available.’ Custodia indicates that noncustomers will be able to hold Avits and redeem Avits without undergoing the due diligence required for customer onboarding.”
In other words, the Fed is concerned that Custodia will not truly know the customers of its customers transacting in Avits: “The first party that receives Avits from Custodia and the party that attempts to redeem Avits with Custodia would be known to the bank.” However, “any other entity, anywhere in the world, would be able to acquire or transfer Avits in the secondary markets without being known to Custodia, so long as the wallet to which the transfer is made has not been blacklisted due to sanctions concerns.” This apparent compliance blind spot identified by the Fed is hardly confined to Custodia’s proposed operations, but rather could apply to many businesses operating in the crypto space.
More concretely, the Fed further expressed concern that Custodia could pay transaction fees to unknown persons, which could result in payments being made to OFAC-sanctioned persons.
General Crypto Concerns
Finally, the Order contains language suggesting that the Fed will react negatively to other banks attempting to focus on crypto-assets, at least as to some services. For example, the Order repeats approvingly a finding by the Financial Stability Oversight Council that “the value of most crypto-assets is driven in large part by speculation and sentiment, and is not anchored to a clear economic use case.” Further, the Order states that some of what Custodia wanted to do would be impermissible for any national bank. Specifically: “The Board has not identified any authority to support the position that national banks are permitted to hold bitcoin, either, or most other crypto-assets as principal, in any amount or for any purpose.” Thus, “the Board would presumptively prohibit state member banks from holding such assets as principal.”