Pub. 10 2022 Issue 3

Issue 3. 2022 11 According to a November 2021 article from Pew Research, 16% of Americans have used or are invested in cryptocurrency. Of that 16% of Americans, 52% of those individuals are between the ages of 18-49. The individuals in this age group are not typical “in-person” banking customers. that 16% of Americans, 52% of those individuals are between the ages of 18-49. The individuals in this age group are not typical “in-person” banking customers. As the market is shifting and these individuals have more market power, banks scramble to advertise to this group. Cryptocurrency may be a way to do that successfully. The guidance from regulators is that banking, one of the most highly regulated industries in the country, is supposed to mix with cryptocurrency, one of the most unregulated commodities in the world. The two seem like oil and water, but the Office of the Comptroller of the Currency (OCC) argues in Interpretive Letter #1170 that it is more like M&Ms and popcorn, an unlikely yet satisfying combination. The OCC didn’t actually say that, but they did argue that for banks, providing custodial services related to cryptocurrency would be in line with a bank’s intended purpose: “safe keeping” of assets. The banking world has been shifting from physical currency and safekeeping to virtual safekeeping for many years now. Therefore, the argument is that providing services for cryptocurrency is not a far-fetched idea, but a natural progression. How does cryptocurrency relate to cybersecurity? Because cryptocurrency is “so hot” right now and because of its anonymity, it is a prime target for hackers and bad actors around the world. From what the banking industry is seeing with P2P activity in relation to Regulation E and the new Interagency Guidance on cybersecurity, the question many bankers are asking is, “Do we want to add cryptocurrency to this dumpster fire?” The answer: Maybe. The Interagency Guidance defines a “cybersecurity incident” as one that rises to the level of a “notification incident.” A cybersecurity incident is an occurrence that: (i) Results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) Constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. This new guidance is giving rise to new policies, procedures, and safeguards for banks to have to implement. Ultimately, this is giving time to prepare for the inevitable cybersecurity attack, but this is not without cost to the bank. The next question is: If a bank takes on servicing cryptocurrency customers, does this increase the risk of a cyber-security incident? The answer: Probably. Ultimately, this will be more of a cost-benefit analysis for the bank. According to a recent CNN article, there were over $1.9 billon worth of cryptocurrency stolen in 2022, so far. According to FinCEN, ransomware attacks are at an all-time high and only continue to increase. There is an argument that combining the banking with cryptocurrency will only lead to an increase in cyberattacks on banks, which is likely true. Is it worth it? The answer: Maybe. Banks need to have safeguards in place to protect current assets, private information, and to comply with the myriad of new guidance. There is an argument that the infrastructure is already there. Lastly, several agencies acknowledge the risk associated with servicing cryptocurrency and still push for banks to consider servicing this group. At the end of the day, a bank is one of the safest places to keep assets, virtually or physically. Therefore, banks may want to consider servicing this group, because banks have specialized in safekeeping throughout their existence. If they choose not to service this group, they may miss out on a lucrative market opportunity. n Carol Ann Warren, JD, is an Associate General Counsel at Compliance Alliance, and can be reached at compliancealliance.com.

RkJQdWJsaXNoZXIy ODQxMjUw