Introduction

The first months of 2025 have marked two watershed moments in the digital evolution of US banks. Suddenly, crypto custody is possible.

The SEC's release of SAB 122 in January removed one of the largest barriers to digital asset custody, eliminating the punitive capital requirements that kept many institutions on the sidelines.

Today, just two months later, the OCC (the primary federal regulator overseeing national banks in the U.S) released Interpretive Letter 1183, further streamlining the regulatory path by removing supervisory pre-approval requirements for crypto custody activities. This one-two punch of regulatory clarity creates unprecedented opportunity for banks.

‍

Golden Opportunity

The timing couldn't be better. Institutional demand for digital assets is surging, as evidenced by over $100bn flowing into US based Bitcoin ETFs. But ETFs represent just one piece of the opportunity. Digital asset custody services currently offer banks significantly higher margins than traditional assets and allow deeper client relationships for future products. And if Larry Fink and others are right that the future of finance is tokenized, digital asset custody is a logical first step for banks that want to do more than just stay relevant in the midst of technological change, but also benefit from new opportunities.

Until now, regulatory barriers made digital asset custody impractical for banks. Those barriers are now gone. This opens a huge opportunity to be taken advantage of. Banks have mastered custody over centuries, digital assets simply introduce new technical challenges to solve.

Smart institutions are already moving. They're building capabilities and setting up infrastructure now. The playbook is clear: Use traditional custody principles as foundation, leverage existing technology and apply proven security frameworks.

In this guide, we'll:

1. Break down the current regulatory landscape
2. Outline essential operational requirements
3. Provide practical steps for implementation
4. Show how institutions can prepare their infrastructure now

‍

Regulatory Evolution

SEC - SAB121

Issued in March 2022, SAB 121 created a fatal problem for banks subject to SEC oversight who wanted to custody digital assets: they had to record custodied assets as liabilities on their balance sheet, requiring matching assets as an offset.

The math killed the business case. Custody $1bn in client’s crypto? You needed $1bn in capital on your books. No bank could justify tying up that much capital for a custody business. Meanwhile, crypto-native custodians not subject to SEC oversight faced no such requirements, creating an uneven playing field in the custody market.

SAB 122 removes this barrier. Banks subject to SEC oversight no longer need matching assets against custodied crypto. The accounting treatment now aligns more closely with traditional custody models, making the business viable for banks.

OCC - Interpretive Letter 1179

Issued in November 2021, OCC Interpretive Letter 1179 put a hard barrier in place for banks wanting to engage in crypto activities. It required a written supervisory non-objection from the OCC before being able to do so. We are not aware of the OCC having actually issued any such letters, effectively shutting down an entire business line for banks.

Under the prior administration, non-objections were effectively impossible to get, preventing banks from engaging with digital assets.

Letter 1183 effectively removes this requirement. Banks no longer need explicit pre-approval to move forward with digital asset custody, provided they have strong risk controls internally. However, the letter also notes that "as with any activity, banks must conduct all crypto-asset activities in a safe, sound, and fair manner and in compliance with applicable law." While the path to operating this space is now easier, banks must still demonstrate they can effectively manage the risks associated with digital assets.

Path Forward

With these major barriers removed, we expect banks to swiftly enter the space to capture first mover advantage. They will need to set up operations and develop risk management approaches that clearly demonstrate institutional-grade security, resilience, and compliance from day one.

‍

Building Secure Custody Operations

Digital asset custody presents unique considerations for banks. In traditional banking, if someone accidentally wires $100m to the wrong account, you can usually fix that. Call up the receiving bank, explain the error, reverse the transaction. The money hasn't really gone anywhere, it's just database entries.

But in digital assets? If someone sends $100m to the wrong blockchain address, that's it. Game over. The assets are gone forever. You can't call the blockchain manager and explain the mistake. There is no blockchain manager.

Fortunately, even if regulatory clarity is still new, the fundamentals of digital asset custody are already well established. As detailed in "Demystifying Digital Asset Custody," securing digital assets requires multiple layers of digital and physical protection wrapped around a blockchain address. For a deeper understanding of how these security layers work together, see Circuit’s detailed breakdown here.

Each layer in the model serves a specific purpose, basically a different way of making sure nobody can accidentally (or intentionally) send assets to the wrong place, building outward from the blockchain address where assets live.

From the inside out, each layer serves a critical purpose:

• Blockchain Address: Where assets actually live
• Key Management: Securing private keys through advanced cryptography
• Physical Security: Protecting hardware and infrastructure
• Transaction Policies: Controlling how assets move
• Access Control: Managing who can do what
• Logging and Attestation: Tracking every action
• Audit and Compliance: Ensuring oversight

But security layers alone aren't enough - banks also need operational resilience. If your primary infrastructure fails, can you still serve clients? If key systems freeze, do you have alternate paths?

‍

Building Resilient Custody Operations

Backup providers and wallets are a start but they’re not the full solution on their own. Having a fallback is one thing. Reaching it when everything else is failing is another. If your custody infrastructure provider locks up, how do you actually access and move assets quickly? Without a way to extract funds independently, even the best backups can become ineffective.

Best practice in digital asset custody isn’t relying on a single provider; it’s having multiple independent custody tech providers. This ensures operational redundancy, allowing institutions to maintain control regardless of which infrastructure provider they use.

But redundancy alone isn’t enough. The real challenge is execution. What happens if a custody tech provider fails - freezing transactions, becoming unresponsive, or suffering a security breach? How do you recover assets quickly even in the worst-case scenario, without relying on an unresponsive provider?

This is where Automatic Asset Extraction (AAE) comes in.

AAE enables institutions to withdraw assets directly from provider-supplied wallets and move them to an alternative provider, even if the failing infrastructure provider is completely unresponsive.

Crucially, this must be done without exposing sensitive private key material. Traditional solutions often rely on trust assumptions that require custodians or intermediaries to coordinate asset recovery. Asset extraction eliminates this dependency, ensuring that institutions maintain direct, independent control over their assets.

Circuit enables this capability by providing:

• Immediate asset recovery: Even if your custody tech provider fails
• Seamless fund migration: Move assets between providers with minimal third-party risk
• Continuous operations: Ensure assets remain accessible under any conditions

Custody isn’t just about storage, it’s about ensuring that institutions always retain the ability to move assets, regardless of failures.

With asset extraction, institutions achieve true operational resilience, ensuring that assets remain secure and always under control.

‍

Conclusion: Strategic Decisions

The digital asset custody landscape is transforming. SAB 122 has removed the key accounting barrier, and Letter 1183 eases the supervisory blocker. Now is the time to prepare and get ahead of competitors before the race begins. The firms that move thoughtfully now will shape this market.

Buy vs. Build – What to Consider

For institutions preparing custody operations, the key decision is whether to build infrastructure in-house or leverage external providers.

• Building offers control but demands deep security expertise and 18-24 months of development time alongside significant capital investment.
• Buying accelerates time to market but means integrating with third-party infrastructure.

A Layered Approach to Custody Security & Resilience

Whatever approach you take, a resilient custody setup requires multiple layers of protection. Institutions should ensure they have:

• Core Custody Infrastructure: Access controls, transaction policies, secure signing
• Backup Custody Tech Solutions: Secondary provider capabilities
• Asset Extraction: Business continuity protection designed to safely sweep assets between custody providers
• Backup and Recovery Mechanisms: Disaster scenario planning and/or trusted third parties to recover keys

The key is maintaining control of assets regardless of which providers you use. If primary systems fail, you need clear paths to maintain operations and protect client assets.

‍

Looking Ahead

The digital asset custody market won't wait for perfect regulatory clarity. The institutions that build robust, resilient operations now will define industry standards and capture market share.

Success requires more than just secure storage, it demands operational resilience. The winners will be those who can maintain continuous operations and asset control under any conditions.