Third-Party Risk Management for Crypto Activities | US Banking Regulations & XRP Adoption | XRP Academy - XRP Academy
Level: Intermediate | 45 min

Third-Party Risk Management for Crypto Activities

Learning Objectives

Explain the regulatory framework for third-party risk management (OCC, Fed, FDIC guidance)

Identify heightened risk factors in crypto third-party relationships

Describe required due diligence elements for crypto service providers

Analyze contractual provisions essential for crypto partnerships

Develop monitoring approaches for ongoing third-party oversight

When BNY Mellon announced crypto custody, it didn't build its own key management infrastructure from scratch. It partnered with Fireblocks—a crypto-native company with specialized expertise in institutional key management.

  • Fireblocks had years of experience and proven technology
  • Building in-house would cost $50-100M+ and take years
  • Time-to-market mattered

But regulators were clear: using Fireblocks doesn't transfer BNY Mellon's regulatory responsibility. If something goes wrong—client assets lost, compliance failures, operational outages—BNY Mellon is accountable, not Fireblocks.

The regulatory principle:

"A bank's use of third parties to perform bank functions does not diminish the bank's responsibility to ensure those activities are performed safely and soundly and in compliance with applicable laws." — OCC Bulletin 2023-17

This creates a framework where banks must rigorously evaluate, contract with, and monitor their crypto partners—even when those partners are more technically expert than the bank itself.


June 2023: Interagency Guidance on Third-Party Relationships

The OCC, Federal Reserve, and FDIC jointly issued comprehensive third-party risk management guidance that superseded previous separate guidance from each agency.

Key Principles:

  1. Risk Management Throughout Lifecycle

  2. Risk-Based Approach

  3. Board and Management Accountability

Definition of Critical Activities:

  • Could cause significant risk to the bank if the third party fails
  • Could significantly affect customers
  • Require significant investment to implement
  • Have significant impact on bank operations

Crypto Implications (most crypto relationships meet the critical-activity test):

  • Sub-custody: Customer assets at risk

  • Blockchain analytics: Compliance depends on it

  • Technology infrastructure: Operations depend on it

  • Trading execution: Client service depends on it

Consequences of critical classification:

  • More thorough due diligence

  • Enhanced contractual protections

  • More frequent monitoring

  • Board-level oversight

```
THIRD-PARTY RISK MANAGEMENT LIFECYCLE

1. PLANNING
   → Identify business need
   → Assess inherent risks
   → Define requirements

2. DUE DILIGENCE
   → Evaluate provider capabilities
   → Assess financial condition
   → Review compliance status
   → Verify security controls

3. CONTRACT NEGOTIATION
   → Define scope and responsibilities
   → Include required protections
   → Establish performance standards
   → Define audit and termination rights

4. ONGOING MONITORING
   → Track performance against standards
   → Review control assessments
   → Monitor financial health
   → Escalate issues

5. TERMINATION
   → Plan for orderly transition
   → Protect data and assets
   → Ensure continuity of service
```


Heightened Risk Factors by Relationship Type:

Sub-custodian risks:
  • Operational: key management failures (lost keys = lost assets), cybersecurity breaches, technology failures, business continuity gaps
  • Financial: sub-custodian insolvency, inadequate insurance, financial instability
  • Compliance: AML/BSA failures at the sub-custodian, sanctions violations, regulatory enforcement actions
  • Concentration: dependence on a single provider, limited market alternatives, market dominance by a few providers

Blockchain analytics provider risks:
  • Data quality: incorrect address attribution, incomplete coverage, stale information
  • Operational: service outages, integration failures, performance issues
  • Compliance: reliance on the vendor for compliance decisions, vendor changes methodology without notice, false negatives leading to SAR failures

Technology infrastructure risks:
  • Security: platform vulnerabilities, access control weaknesses, encryption failures
  • Resilience: uptime guarantees, disaster recovery capability, scalability under stress
  • Integration: API reliability, data format changes, version compatibility

Unique Crypto Considerations:

  • Young companies (limited track record)

  • Privately held (limited financial transparency)

  • Rapidly growing (potential growing pains)

  • Concentrated market (few alternatives)

Does the provider:

  • Lack audited financials?

  • Have at most a five-year track record?

  • Operate in a nascent regulatory environment?

  • Have limited institutional client history?

Adaptation approach:

  • Adjust expectations appropriately

  • Focus on compensating controls

  • Document rationale for risk acceptance

  • Monitor more closely


Financial Due Diligence:

  • Audited financial statements (if available)
  • Revenue and profitability trends
  • Capital adequacy
  • Funding sources and runway
  • Insurance coverage

Crypto adaptations:

  • If no audited financials: Require management accounts and investor documentation
  • If unprofitable: Understand burn rate, funding runway, capital commitments
  • Insurance: Verify crypto-specific coverage (not just general liability)

Operational Due Diligence:

  • Business continuity and disaster recovery plans
  • Key management procedures
  • Cybersecurity controls
  • Staffing and expertise
  • Scalability

Crypto-Specific Focus:

```
SUB-CUSTODIAN OPERATIONAL DUE DILIGENCE

KEY MANAGEMENT:
□ Multi-signature or MPC architecture?
□ Cold/hot wallet segregation?
□ Key backup and recovery procedures?
□ Geographic distribution of key material?
□ Insider threat controls (dual control, separation of duties)?

CYBERSECURITY:
□ Penetration testing frequency, scope, and remediation status?
□ SOC 2 Type II report (an attestation, not a certification): does the
  scope cover the custody service, and what exceptions were noted?
□ Incident response capabilities?
□ Bug bounty program?
□ Security team qualifications?

BUSINESS CONTINUITY:
□ RTO and RPO commitments?
□ Disaster recovery testing?
□ Data backup procedures?
□ Alternative processing capability?
□ Key person dependencies?
```
Compliance Due Diligence:

  • Regulatory status and history
  • AML/BSA program adequacy
  • Licensing and registrations
  • Litigation and enforcement history
  • Compliance staffing

Crypto-specific verification:

  • FinCEN MSB registration (if applicable)
  • State licenses (money transmitter, etc.)
  • Trust charter status
  • Recent enforcement actions industry-wide
  • Qualified custodian status

Security Due Diligence:

  • Information security controls
  • Data protection measures
  • Access management
  • Encryption standards
  • Vulnerability management

Crypto-specific elements:

  • Blockchain-specific security expertise
  • Private key protection measures
  • Smart contract audit history (if applicable)
  • Hardware security module (HSM) use
  • Third-party security assessments

OCC/Fed/FDIC Required Elements:

  1. Nature and Scope of Arrangement

  2. Performance Standards

  3. Compliance Requirements

  4. Audit Rights

  5. Data Security

  6. Business Continuity

  7. Termination

  8. Subcontracting

Sub-Custody Agreements:

```
CRYPTO SUB-CUSTODY CONTRACT ESSENTIALS

ASSET SEGREGATION:
- Client assets segregated from sub-custodian assets
- Bankruptcy-remote structure
- Individual client accounting

INSURANCE:
- Minimum coverage amounts
- Crypto-specific coverage (theft, hack)
- Bank named as additional insured
- Certificate of insurance required

KEY MANAGEMENT:
- Specific key management methodology required
- No changes without bank approval
- Key access audit trails
- Recovery procedures documented

SECURITY STANDARDS:
- Specific standards required (SOC 2 Type II report, delivered annually)
- Penetration testing requirements
- Incident notification (within hours, not days)
- Remediation obligations

REGULATORY ACCESS:
- Sub-custodian cooperates with bank examiners
- Access to records and personnel
- No confidentiality barriers to examination
- Advance notice of regulatory actions
```

The incident notification clock should be set against the bank's own obligation. Under the interagency Computer-Security Incident Notification Rule (effective 2022), a bank must notify its primary federal regulator no later than 36 hours after determining that a notification incident has occurred, and a bank service provider must notify affected bank customers as soon as possible when an incident has materially disrupted its services for four or more hours. A contract that gives the sub-custodian days to report leaves the bank unable to meet its own deadline.

Typical Coverage Types:

| Coverage Type | Purpose | Typical Limit |
|---|---|---|
| Crime/Specie | Theft of crypto assets | $100M-$500M |
| Cyber Liability | Data breach costs | $50M-$200M |
| E&O | Service failures | $50M-$200M |
| D&O | Management failures | $25M-$100M |

Bank verification steps:

  • Verify coverage is in place
  • Confirm coverage applies to the services provided, and read the exclusions (for example, whether hot-wallet holdings or insider collusion are excluded)
  • Understand coverage limits relative to assets custodied, remembering that a limit is usually shared across all of the provider's clients
  • Require notice of coverage changes

Required Ongoing Activities:

  1. Performance Monitoring

  2. Control Monitoring

  3. Financial Monitoring

  4. Compliance Monitoring

Risk-Based Approach:

| Risk Level | Review Frequency | SOC Report | Financial Review |
|---|---|---|---|
| Critical | Continuous + quarterly formal | Annual | Annual |
| High | Monthly + quarterly formal | Annual | Annual |
| Moderate | Quarterly | Annual | Annual |
| Low | Annual | As needed | As needed |

For critical crypto relationships:

  • Continuous operational monitoring
  • Quarterly formal reviews
  • Annual comprehensive assessments
  • Real-time incident escalation

Escalation Triggers:

```
ESCALATION FRAMEWORK

LEVEL 1 (routine handling):
- Minor SLA misses
- Documentation delays
- Routine questions

LEVEL 2 (elevated attention):
- Repeated SLA failures
- Control deficiencies identified
- Minor security incidents
- Compliance questions

LEVEL 3 (serious):
- Material control failures
- Significant security incidents
- Financial concerns
- Regulatory actions against provider

LEVEL 4 (critical):
- Major security breach
- Regulatory enforcement
- Provider insolvency risk
- Fundamental service failures
```

Case Application: BNY Mellon, Ripple, and RLUSD

  • BNY Mellon provides custody for RLUSD reserves
  • This is a third-party relationship for Ripple (Ripple uses BNY Mellon)
  • BNY Mellon in turn has its own third parties for crypto operations

Multiple Layers:

```
CUSTODY RELATIONSHIP LAYERS

Ripple → BNY Mellon (Custodian)
            └─ Fireblocks (Sub-custodian technology)
                  └─ HSM Providers (Hardware security)
```

Ripple's assessment of BNY Mellon as a third party:
  • Financial condition: Strong (largest custodian globally)
  • Operational capability: Proven (institutional track record)
  • Compliance: Extensive (federal bank supervision)
  • Security: Institutional-grade (SOC reports)

BNY Mellon's own third-party program:
  • Sub-custodian evaluation (Fireblocks)
  • Blockchain analytics provider evaluation
  • Technology partner assessments
  • Ongoing monitoring of all partners

Implications for the XRP ecosystem:
  • BNY Mellon performed extensive due diligence on Ripple/RLUSD
  • The partnership implies BNY Mellon's risk assessment was favorable
  • Institutional validation of Ripple's compliance posture
  • Creates precedent for other bank partnerships

Third-party risk management is a core competency banks must apply to crypto relationships. The "you can outsource operations, not responsibility" principle means banks must rigorously evaluate, contract with, and monitor crypto partners—even when those partners have more technical expertise. For XRP ecosystem participants, this creates both barriers (compliance complexity) and opportunities (institutional validation when banks choose partners). The BNY Mellon/Ripple relationship demonstrates that rigorous due diligence can result in institutional partnerships that benefit both parties.


Assignment: Develop a comprehensive due diligence checklist for evaluating a crypto sub-custodian, suitable for use by a bank's third-party risk management team.

Requirements:

Part 1: Due Diligence Checklist (Primary Deliverable)

Create a checklist covering:

Financial due diligence:

  • Specific documents to request

  • Key metrics to evaluate

  • Red flags to identify

  • Minimum standards to require

Operational due diligence:

  • Key management evaluation criteria

  • Security assessment elements

  • Business continuity requirements

  • Scalability considerations

Compliance due diligence:

  • Regulatory status verification

  • AML/BSA program elements

  • Litigation/enforcement review

  • License verification

Security due diligence:

  • Control environment evaluation

  • Certification requirements

  • Testing evidence needed

  • Specific crypto security elements

For each area, include:

  • Specific items to review

  • Questions to ask

  • Documents to obtain

  • Scoring/rating criteria

Part 2: Risk Rating Framework (200-300 words)

  • Overall risk rating methodology
  • Component scoring (financial, operational, compliance, security)
  • Thresholds for approval/rejection
  • Risk acceptance process for gaps

Part 3: Monitoring Plan (200-250 words)

  • Monitoring frequency by component

  • Key metrics to track

  • Escalation triggers

  • Annual review scope

Grading Criteria:

  • Checklist comprehensiveness (40%)

  • Crypto-specific relevance (25%)

  • Risk rating framework quality (20%)

  • Monitoring plan practicality (15%)

Time investment: 3-4 hours
Value: Creates practical tool applicable to real bank third-party risk management


1. Regulatory Principle (Tests Foundational Understanding):

When a bank uses a third party for crypto custody operations, who is accountable to regulators for the safety and soundness of those operations?

A) Only the third-party provider
B) Neither—third-party relationships are unregulated
C) The bank remains accountable, regardless of the third party's expertise
D) Regulators share accountability with the bank

Correct Answer: C

Explanation: The fundamental regulatory principle is that banks cannot outsource responsibility. Using third parties for operations doesn't transfer regulatory accountability. If the third party fails—security breach, compliance failure, operational outage—the bank is held responsible by examiners. This is why due diligence, contracting, and monitoring are required. The provider has its own obligations, but the bank's accountability is not reduced.


2. Critical Activities (Tests Classification Understanding):

Why do most crypto third-party relationships qualify as "critical" under interagency guidance?

A) Because crypto is specifically listed as critical in regulations
B) Because they could cause significant risk, affect customers, require significant investment, and significantly impact operations
C) Because crypto companies are always high-risk
D) Because all third-party relationships are classified as critical

Correct Answer: B

Explanation: "Critical" classification follows from the guidance definition: activities are critical when they could cause significant risk if the provider fails, significantly affect customers, require significant investment, or significantly impact operations. Crypto relationships typically meet these criteria: sub-custody affects customer assets, analytics affects compliance, technology affects operations. Not all relationships are critical (D), and the classification follows from characteristics, not automatic crypto designation (A).


3. Due Diligence Adaptation (Tests Practical Application):

How should banks adapt financial due diligence for crypto service providers that don't have audited financial statements?

A) Decline to partner with any provider lacking audited financials
B) Waive financial due diligence requirements entirely
C) Require alternative documentation (management accounts, investor materials) and document rationale for risk acceptance
D) Use industry-average financials as a proxy

Correct Answer: C

Explanation: Many crypto providers are young companies without audited financials. Banks should adapt—not abandon—due diligence. This means requesting alternative documentation (management accounts, investor commitment letters, funding runway analysis), applying enhanced scrutiny, and documenting the rationale for accepting the risk. Blanket rejection (A) would preclude all crypto activity. Waiving requirements (B) violates regulatory expectations. Using proxies (D) doesn't reflect the specific provider's condition.


4. Contract Essentials (Tests Specific Knowledge):

Which contract provision is specifically important for crypto sub-custody agreements beyond standard third-party contracts?

A) Termination rights
B) Asset segregation and bankruptcy-remote structure for client assets
C) Payment terms
D) Confidentiality provisions

Correct Answer: B

Explanation: While all options are typical contract provisions, asset segregation and bankruptcy-remote structure are specifically critical for crypto sub-custody. If the sub-custodian becomes insolvent, client crypto assets should not be available to creditors—they should be protected and returnable to clients. This requires specific contractual provisions and structural arrangements beyond standard contracts. Termination (A), payment (C), and confidentiality (D) are important but not crypto-specific.


5. Monitoring Requirements (Tests Ongoing Obligations):

What is the minimum recommended monitoring frequency for critical crypto third-party relationships?

A) Annual review only
B) Continuous operational monitoring plus quarterly formal reviews
C) Monthly informal check-ins
D) Semi-annual assessments

Correct Answer: B

Explanation: Critical relationships require intensive monitoring: continuous operational monitoring (tracking performance, incidents, issues in real-time), quarterly formal reviews (structured assessment of performance, controls, compliance), and annual comprehensive assessments. Annual review alone (A) is insufficient for critical relationships where issues could affect customer assets or compliance at any time. Monthly check-ins (C) without formal structure may miss systematic issues. Semi-annual (D) is too infrequent for critical activities.


Regulatory guidance:
  • OCC Bulletin 2023-17, "Third-Party Relationships: Risk Management Guidance" (June 2023)
  • Federal Reserve SR 23-4, "Interagency Guidance on Third-Party Relationships: Risk Management" (superseding SR 13-19)
  • FDIC FIL-29-2023, "Interagency Guidance on Third-Party Relationships: Risk Management" (superseding FIL-44-2008)
  • Interagency Guidance on Third-Party Relationships: Risk Management (June 2023)

Industry standards:
  • AICPA SOC 2 Type II examination standards (Trust Services Criteria)
  • NIST Cybersecurity Framework
  • ISO/IEC 27001 Information Security Management

Provider documentation:
  • Fireblocks security documentation
  • BitGo institutional custody whitepaper
  • Chainalysis compliance documentation

Examination resources:
  • OCC Comptroller's Handbook: Third-Party Relationships
  • Federal Reserve Commercial Bank Examination Manual
  • Industry association third-party risk management frameworks

For Next Lesson:
Lesson 12 will examine state banking regulation and its intersection with federal frameworks—how states like New York, Wyoming, and others create additional requirements for crypto activities, and how banks navigate dual regulation.


End of Lesson 11

Total words: ~5,000
Estimated completion time: 45 minutes reading + 3-4 hours for deliverable

Key Takeaways

1

Banks cannot outsource regulatory responsibility.

Using third parties for crypto operations doesn't transfer accountability. Banks remain responsible for ensuring activities are performed safely, soundly, and in compliance with applicable laws.

2

Most crypto relationships are "critical."

Sub-custody, blockchain analytics, and technology platforms typically qualify as critical activities, requiring intensive management: thorough due diligence, enhanced contracts, frequent monitoring, and board oversight.

3

Crypto providers present unique due diligence challenges.

Many providers are young companies with limited track records, private ownership, and operating in nascent regulatory environments. Banks must adapt traditional due diligence without abandoning standards.

4

Contracts must address crypto-specific risks.

Beyond standard provisions, crypto contracts need asset segregation, specific key management requirements, crypto insurance verification, and enhanced security standards.

5

Ongoing monitoring is continuous, not annual.

Critical crypto relationships require continuous operational monitoring, quarterly formal reviews, and real-time incident escalation. Annual reviews alone are insufficient.