The OCC’s Crypto Intermediary Ruling: How Banks Can Prepare to Offer Crypto Services

The Office of the Comptroller of the Currency (OCC) has made one thing clear:

banks are permitted to offer crypto-asset services—but only if they are operationally ready.

This guidance marks a shift from uncertainty to conditional permission. Crypto is no longer viewed as experimental; it is now treated as a regulated financial service that must fit squarely within a bank’s existing governance, risk, and compliance framework.

“The question for banks is no longer if crypto is allowed, but whether the institution is ready to support it safely.”

What the OCC Is Allowing Banks to Do

Under the OCC’s guidance, national banks and federal savings associations may act as crypto intermediaries by:

• Providing crypto custody services

• Facilitating customer crypto transactions

• Supporting stablecoin-related payment activities

• Partnering with third parties to enable fiat-to-crypto services

Notably, banks are not required to trade or hold crypto on their own balance sheets.

“Banks can participate without becoming crypto exchanges.”

Preparing the Bank: Where Leadership Must Focus

To offer crypto services, banks must demonstrate maturity across five operational pillars.

1. Strengthen Governance and Risk Oversight

Crypto activities must be aligned with the bank’s enterprise risk appetite and approved at the board level. Clear ownership, escalation paths, and decision rights are essential.

“If crypto is not governed at the board level, it is not ready for production.”

2. Enhance Compliance and Financial Crime Controls

Crypto services must fully comply with BSA/AML, KYC, sanctions, and transaction monitoring requirements. Traditional controls often need enhancement to address blockchain-specific risks.

Banks should invest in blockchain analytics, enhanced due diligence, and updated AML scenarios.

“Compliance expectations do not change in crypto—they intensify.”

3. Prepare for Third-Party Dependencies

Most banks will rely on external custodians, wallet providers, or exchanges. The OCC expects robust third-party risk management, including enhanced due diligence, contractual safeguards, and ongoing monitoring.

“Your crypto risk is only as strong as your weakest vendor.”

4. Build Secure Technology and Custody Capabilities

Crypto custody introduces new operational and cybersecurity risks, particularly around private key management. Banks must define custody models, implement secure key controls, and maintain tested incident response and recovery plans.

“In crypto, operational resilience starts with custody design.”

5. Engage Regulators Early and Often

Before launching crypto services, banks must notify the OCC and demonstrate that controls are effective. Documentation, testing, and transparency are critical.

“Regulatory engagement is not a final step—it is a prerequisite.”

The Strategic Opportunity for Banks

Banks that prepare deliberately can:

• Retain customers seeking digital-asset exposure

• Generate new fee-based revenue

• Position themselves as trusted providers in a maturing market

Those that move too quickly risk regulatory findings, operational losses, and reputational harm.

“In crypto banking, slow and controlled beats fast and ungoverned.”

Bottom Line

The OCC’s guidance sends a clear message to banks:

Crypto is permitted—but only for institutions that treat it like banking.

Preparation, not speed, will determine which banks succeed as digital assets become part of the regulated financial system.

Author: Denise Mejia, Founder

Reach out to Potestas Solutions for a holistic preparedness framework: dmejia@potestassolutions.com
