In today’s financial regulatory environment, two of the hottest topics are cryptocurrency and cybersecurity. Within the past year, multiple agencies have released various regulations and guidance regarding cryptocurrency, banking, and cybersecurity, both individually and collectively.

As my teachers would say, if something is said more than once, it is probably important, and you will likely see the material again. Similarly, cryptocurrency and cybersecurity threats are likely here to stay, and regulators are preparing for those implications. Banks are now put on the spot to adapt to the market shift and the regulations that will surely follow.

What is cryptocurrency?
The Merriam-Webster’s dictionary defines cryptocurrency as “any form of currency that only exists digitally, that usually has no central issuing or regulating authority but instead uses a decentralized system to record transactions and manage the issuance of new units, and that relies on cryptography to prevent counterfeiting and fraudulent transactions.”

How does cryptocurrency relate to banking?
For bankers, the question of how cryptocurrency relates to banking is pressing and hard to answer. Crypto-currency usage is typically stereo-typed between two different groups: underground-market transactions (i.e., drug market or selling a kidney online) and GameStop/Reddit kids who almost crashed the stock market in 2021. Volatility and illicit activity are two of the biggest regulatory fears for bankers, so how do banking and cryptocurrency relate?

First, who are the individuals actually investing or using cryptocurrency?

According to a November 2021 article from Pew Research, 16% of Americans have used or are invested in cryptocurrency. Of that 16% of Americans, 52% of those individuals are between the ages of 18-49. The individuals in this age group are not typical “in-person” banking customers. As the market is shifting and these individuals have more market power, banks scramble to advertise to this group. Cryptocurrency may be a way to do that successfully.

The guidance from regulators is that banking, one of the most highly regulated industries in the country, is supposed to mix with cryptocurrency, one of the most unregulated commodities in the world. The two seem like oil and water, but the Office of the Comptroller of the Currency (OCC) argues in Interpretive Letter #1170 that it is more like M&Ms and popcorn, an unlikely yet satisfying combination.

The OCC didn’t actually say that, but they did argue that for banks, providing custodial services related to cryptocurrency would be in line with a bank’s intended purpose: “safe keeping” of assets.

The banking world has been shifting from physical currency and safekeeping to virtual safekeeping for many years now. Therefore, the argument is that providing services for cryptocurrency is not a far-fetched idea, but a natural progression.

How does cryptocurrency relate to cybersecurity?
Because cryptocurrency is “so hot” right now and because of its anonymity, it is a prime target for hackers and bad actors around the world. From what the banking industry is seeing with P2P activity in relation to Regulation E and the new Interagency Guidance on cybersecurity, the question many bankers are asking is, “Do we want to add cryptocurrency to this dumpster fire?”

The answer: Maybe.

The Interagency Guidance defines a “cybersecurity incident” as one that rises to the level of a “notification incident.” A cybersecurity incident is an occurrence that:

(i) Results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or

(ii) Constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

This new guidance is giving rise to new policies, procedures, and safeguards for banks to have to implement. Ultimately, this is giving time to prepare for the inevitable cybersecurity attack, but this is not without cost to the bank.

The next question is: If a bank takes on servicing cryptocurrency customers, does this increase the risk of a cyber-security incident?

The answer: Probably.

Ultimately, this will be more of a cost-benefit analysis for the bank. According to a recent CNN article, there were over $1.9 billon worth of cryptocurrency stolen in 2022, so far. According to FinCEN, ransomware attacks are at an all-time high and only continue to increase.

There is an argument that combining the banking with cryptocurrency will only lead to an increase in cyberattacks on banks, which is likely true.

Is it worth it?

The answer: Maybe.

Banks need to have safeguards in place to protect current assets, private information, and to comply with the myriad of new guidance. There is an argument that the infrastructure is already there.

Lastly, several agencies acknowledge the risk associated with servicing cryptocurrency and still push for banks to consider servicing this group.

At the end of the day, a bank is one of the safest places to keep assets, virtually or physically. Therefore, banks may want to consider servicing this group, because banks have specialized in safekeeping throughout their existence. If they choose not to service this group, they may miss out on a lucrative market opportunity.