A comprehensive explanation of SAB 121 and how it prevents safe crypto custody

Given recent wallet hacks, extensive counterparty risk, and ubiquitous stories of lost funds in the cryptoasset industry, the proliferation of high-quality custody services should be a policy priority for U.S. policymakers. Unfortunately, when it comes to the U.S. Securities and Exchange Commission’s (SEC’s) Staff Accounting Bulletin no. 121 (SAB 121), that doesn’t appear to be the case. The prejudicial guidance breaks from established regulatory and accounting standards and prevents banks, who could be high-quality cryptoasset custodians, from offering custody services to consumers.

This esoteric guidance has been getting more and more attention recently, so I wanted to assemble a canonical resource that explains SAB 121, why it harms consumers, how the effect can be ameliorated, and what effect the policy has on the market. Hopefully, this resource will help policymakers and the crypto community understand the issue and mobilize to change it.

Contents
What SAB 121 is

SAB 121 is an interpretive statement that expresses the view of SEC staff about how SEC-reporting companies should file their financial reports when they hold cryptoassets for customers. Companies that might do this include Coinbase, Square/Cash App, and Bank of New York Mellon. In the bulletin, SEC staff reason that, because the safeguarding of cryptoassets involves unique risks and uncertainties that are not present when companies safeguard traditional assets, investors would be best served by supplementary disclosures about the nature of the company’s safeguarding activities. The staff also prescribe special accounting treatment for the cryptoassets held in custody.

Under SAB 121, companies safeguarding customer cryptoassets must record cryptoassets held in custody as a liability on their balance sheet with a corresponding asset. This breaks with normal practice where assets safeguarded for clients are not recorded on a company’s balance sheet. The convention is logical because safeguarded assets are owned by the client, not the custodian, so they shouldn’t be reported on the custodian’s balance sheet. This break from tradition has significant ramifications for publicly reporting banks that prevent them from providing cryptoasset custody services at scale.

Why bank custody matters

One of the primary touted benefits of public blockchains is the ability for blockchain users to “self-custody” their assets, i.e., to maintain and prove control of their assets without the involvement of anyone else. However, “self-custody” is most accurately thought of as choice-in-custody: users can choose to hold their assets independently, but they can also choose to rely on a custodian if they’d like. This is possible because assets are controlled cryptographically, so whoever controls an asset’s private key has control of the asset. A user can keep the key to himself, but he’s also free to share the key with anyone else. This kind of true digital ownership is a fundamental improvement on the state of traditional financial services because, again, the involvement of a specific party is not required. It is an example of how the native interoperability of open, public blockchains is better for users.

Relevant to this article, some users may wish to rely on established asset custodians like banks for custody services. Just as many Americans hire banks to safeguard traditional assets today, crypto users might wish to hire a bank to safeguard their cryptoassets for them as well. This should be welcomed by regulators and industry alike. Banks have a long tradition of providing custody services and generally have rigorous controls and supervision in place. While banks will be unlikely to innovate as quickly as more agile organizations, the limited services they may initially establish (e.g., BTC custody) seem likely to be reliable. At the very least, enabling banks to participate in free market competition for custody services should be uniformly good, all else equal.1

SAB 121’s special effect on banks

For many companies, SAB 121’s prescribed accounting treatment is probably a relatively innocuous change in procedure. For banks, though, SAB 121 has a significant constraining effect because they face regulatory obligations that are based on their balance sheets. By requiring cryptoassets held in custody to be recorded on their balance sheets, SAB 121 increases the amount of regulatory capital that banks must hold.

In the United States, all banks are required to hold minimum levels of regulatory capital that can be used to absorb losses in the bank’s asset portfolio. At a high level, regulatory capital is funding that is loss-absorbing, meaning it must have certain legal characteristics that result in the regulatory capital bearing losses before losses are borne by more senior forms of funding provided by creditors, especially depositors or the government. This is generally common shareholder’s equity or a similar asset. From a regulator’s perspective, these characteristics are good because they mean the capital can, of course, absorb losses. From equity shareholders’ perspective, though, providing capital that must absorb losses is very risky, so they demand compensation to take the additional risk (in the form of a claim on assets or an expectation of returned future cash flows). And therefore, from a bank’s perspective, loss-absorbing capital is the most expensive form of funding, so all else equal banks would prefer to hold less of it.

The effect of the interaction between SAB 121’s special prescribed accounting treatment and bank capital rules is that it’s financially unviable for any publicly reporting bank to provide cryptoasset custody. For a more detailed discussion of why it’s economically unviable to raise regulatory capital against safeguarded cryptoassets, see Appendix 1.

SAB 121 is bad for three reasons. First, because publicly reporting banks can’t provide cryptoasset custody at any meaningful scale, crypto users turn to unsafe options like Celsius and FTX, cryptographically weak wallets like Atomic Wallet, or poorly administered self-custody setups. This is an at-least-indirect result of a U.S. regulatory decision.

Second, the guidance may also create an unlevel playing field between SEC-reporting banks and banks that do not file reports with the SEC. SAB 121 only applies to public banks that file quarterly reports with the SEC. Therefore, absent guidance otherwise, privately owned banks may not have to reserve capital against safeguarded cryptoassets like publicly traded banks. They have a distinct commercial advantage simply because they are privately owned. This is an apparently arbitrary and unfair discrepancy in the banking market that should be favored by no one.

Finally, despite its significant effect on consumer protection, SAB 121 was not the result of notice-and-comment rulemaking, the primary method by which significant public policies are supposed to be enacted. In general, significant policies, such as the regulation requiring public companies to file an annual report, are developed and promulgated as “legislative rules.” Legislative rules must be proposed by an agency, published in the Federal Register, and posted for public comment. The agency is then required, by law, to consider and respond to the comments. Agencies interested in good governance often publish other kinds of agency actions for public review even when that is not required; it is genuinely helpful for rulewriters to receive public feedback so that members of the public can voice their opinion, raise unanticipated challenges, or suggest constructive ways to improve a rule.

Legislative rules may also be challenged in the courts if a plaintiff believes the agency did not properly formulate the rule. As a staff interpretive statement, SAB 121 did not undergo the same procedural steps, and the public has not been afforded any opportunity to comment on the policy. Given its significant effect on the market and investors, SAB 121 should be rescinded and re-proposed in notice-and-comment rulemaking.

Pathways for resolution

To recap, SAB 121 is merely an explanation of staff views and a statement of the practices SEC staff will follow when evaluating company reports. As such, it’s not clear whether SAB 121 could be easily challenged in the courts.2 Instead, here are three other ways by which the conflict between SAB 121 and bank capital requirements can be eliminated:

Bank regulators could direct banking organizations to not consider cryptoassets held in custody as on-balance-sheet assets for the purposes of calculating capital ratios

In my view, the easiest path for resolution is through the U.S. bank regulators. U.S. bank regulators could simply direct banking organizations to not consider assets safeguarded for clients as organization assets for the purposes of calculating their capital requirements. As Chair Powell affirmed in response to Senator Lummis’ June 2022 questions, “custody assets are off-balance sheet, always have been.” Therefore, it would be consistent with existing practice for the U.S. bank regulators to issue such guidance.

Indeed, the recently finalized BCBS Crypto Standard recognizes this fact and seems to nod to the current heterodoxy in the United States. In the introductory section, the standard clarifies that cryptoasset exposure is balance sheet agnostic and instead depends on the reality of whether an exposure creates specific risks. It reads:

the term ‘exposure’ includes on- or off-balance sheet amounts that give rise to credit, market, operational, and/or liquidity risks. Certain parts of the chapter, such as the operational risk requirements and the risk management and supervisory review sections, are also applicable to banks’ cryptoasset activities, such as custodial services involving the safekeeping or administration of client cryptoassets on a segregated basis, that do not generally give rise to credit, market or liquidity requirements.

BCBS Crypto Standard at SCO 60.4.

Assets safeguarded for clients do not expose a bank to credit or market risks because, again, the assets are not the property of the bank. Consider a hedge fund that hires BONY to safeguard 100 BTC for its portfolio. If the dollar value of the bitcoin declines (market risk), BONY’s solvency and balance sheet are not threatened. Therefore, it would not make sense for BONY to reserve capital against such a possibility. BONY could still face operational risk, just as it does for its other custodial activities, but that should be uncontroversial. It is the inclusion of safeguarded cryptoassets in the calculations of capital ratios that defend against credit and market risks that is inappropriate.

The BCBS Crypto Standard was finalized in December 2022, and national regulators are charged with implementing the standard by January 1, 2025. U.S. prudential regulators have not yet proposed a rule to implement the BCBS Crypto Standard, so an upcoming proposed rule seems like an elegant and surreptitious venue in which bank regulators could paper over the potentially inadvertent problem the SEC has caused.3

Sustained political pressure could prompt SEC staff to withdraw the bulletin

Ultimately, the most straightforward way to get rid of SAB 121 is for SEC staff to rescind the guidance. They might do this, probably at the direction of the Chair, if it became politically untenable to maintain SAB 121. Core to the political pressure would be the reality that SAB 121 causes needless problems for banks. It deprives crypto users of safe cryptoasset custody services, which is undesirable regardless of one’s stance on crypto itself.

There is some indication that SAB 121 is a politically salient topic. For example, two Representatives, Rep. Andy Barr (KY-06) and Rep. Mike Flood (NE-01) asked Chair Gensler about SAB 121 during the House Financial Services Committee’s (HFSC’s) April 18th oversight hearing. Rep. Flood also wrote a letter to the SEC chair expressing his disapproval of the policy.

Other US government officials have also been asked about SAB 121. For example, in June 2022, Senator Cynthia Lummis (WY) asked Federal Reserve Chair Jerome Powell about whether the Federal Reserve was considering the effect of SAB 121 (he said it was), and she expressed her concern with the guidance.4 A day later, the American Bankers Association, the Bank Policy Institute, and the Securities Industry and Financial Markets Association wrote a lengthy joint letter to the prudential bank regulators and Treasury Undersecretary for Domestic Finance Nellie Liang urging the regulators to urge the SEC to exempt prudentially regulated organizations from the obligations of SAB 121 due to banking organizations’ rigorous controls and supervision. Senator Lummis and HFSC Chairman Patrick McHenry (NC-10) wrote an additional letter to the prudential bank regulators earlier this year asking various questions about SAB 121’s development and its effect on bank balance sheets.

A continuation or, better, increase in political pressure could cause a change in SAB 121 policy. One upcoming catalyst could be the finalization of the SEC’s proposed Safeguarding Rule. While the status of that rule is uncertain, one seemingly large flaw in the rule is the relative dearth of qualified custodians for cryptoassets. The Safeguarding Rule would require all registered investment advisers (RIAs) to use qualified custodians to hold client cryptoassets. Banks are qualified custodians, generally speaking. Several prominent commenters including the ABA+FSF+BPI (pgs. 5 and 24), the Blockchain Association (pg. 14), the Chamber of Commerce (pg. 6, n. 5), the Committee on Capital Markets Regulation (pg. 9), Coinbase (pg. 21), Circle (pg. 4), BNY Mellon (pgs. 4, 18, 19), and all Chairmen of the HFSC and its subcommittees (pg. 3) highlighted the conflict between SAB 121 and the goals of the proposed rule.

Finalization of the Rule could catalyze a change in SAB 121 policy because the Rule may not otherwise be very effective without broad availability of high-quality qualified custodians. Additionally, rescinding the guidance in light of a new rule prescribing safe cryptoasset custody practices could provide SEC staff a graceful way to say that the original concerns motivating SAB 121 are no longer as pressing (i.e., because the rule establishes standards for the safeguarding of cryptoassets such that the unique risks and uncertainties that prompted the Bulletin are no longer relevant).

Legislation from Congress could set U.S. financial regulatory policy

Ultimately, Congress is the primary entity that should set U.S. policy. The two current, primary legislative proposals for modern regulation of the cryptoasset industry would rectify the conundrum of SAB 121 if enacted. First, Section 312 of the Financial Innovation and Technology for the 21st Century Act, which was recently reported by the House Financial Services Committee and the House Agriculture Committee, would prohibit any U.S. bank regulator, the National Credit Union Administration, or the SEC from requiring a depository institution to recognize assets held in custody on its balance sheet or to hold regulatory capital against assets held in custody. Separately, Section 705 of the Lummis-Gillibrand Responsible Financial Innovation Act, sponsored by Sens. Lummis and Kirsten Gillibrand (NY), sets new legal definitions for assets held in custody and explicitly says they “shall be maintained on an off-balance sheet basis.” Both bills would eliminate the conflict of SAB 121 and would be a healthy reassertion of Congress’ voice in defining U.S. public policy.

Market implications

This article, including the following section, is for informational purposes only and is not an offer or solicitation to buy or sell any securities and should not be relied upon to make any investment decisions.

The public policy choices of U.S. financial regulators and Congress establish the market structure for the cryptoasset industry and affect capital flows and business models. The following are some ways in which SAB 121, or a change to the status quo for bank cryptoasset custody services, could implicate capital allocation.

A more amenable policy could facilitate capital formation in the cryptoasset industry

While privately owned cryptoasset custody banks such as Anchorage Digital and BitGo exist, large traditional financial institutions may not trust cryptonative firms with relatively short track records to safeguard cryptoassets, particularly after the crypto firm collapses of 2022. They may not feel they have the expertise or experience to properly diligence a crypto custodian, especially for such a crucial part of their operation. Alternatively, traditional firms may not want to use a different custodian than they normally use. As such, they may decline to invest in the cryptoasset industry until they can use custody services offered by a top global custodian such as State Street, BONY, J.P. Morgan, or Citigroup.

A change that allows publicly traded custody banks to offer cryptoasset custody services could lead to capital flows into the cryptoasset industry. Investors could monitor movement in any of the three avenues for resolution I identified above, or they could check quarterly earnings reports to monitor the emergence of cryptoassets on bank balance sheets (which could, for example, signal a concession on bank capital requirements that has not been broadly announced). In particular, it could be a good idea to monitor earnings from Federal Reserve-supervised banks given the Fed’s relative flexibility (relative flexibility) in allowing its institutions to offer custody services, provided they are offered in a safe and sound manner. The bellwether would obviously be Bank of New York Mellon, which has already been approved by the Fed to offer cryptoasset custody, but the Fed also supervises foreign financial institutions who may wish to offer cryptoasset custody services.

Privately held custodian banks may have an advantage right now

While some firms may not currently trust cryptonative custodian banks, these banks may also have an advantage because, for the firms that are willing to use a newer custodian, privately held companies may be the only bank custodians that can currently provide custody services. Firms such as Anchorage, BitGo, and others (although, obviously, not every trust company) are able to offer regulated cryptoasset custody services without the complication of SAB 121. If these companies can build brand equity and reputational goodwill before other banks are able to offer their cryptoasset custody services, it could help them establish a foothold in the custody services industry.

Bank custodians may be particularly important if the SEC finalizes its proposed requirement for RIAs to use a qualified custodian (see earlier discussion of the Safeguarding Rule proposal). To the best of my knowledge, the only non-bank qualified custodian that can provide cryptoasset custody is Prometheum Ember Capital, which received its special purpose broker-dealer license from FINRA in May. If the rule were finalized, bank custodians would be in high demand but limited supply.

Startups or companies wishing to partner with banks might consider limiting assets held in custody to certain stablecoins

Finally, a very minor effect of the current regulatory situation could be that crypto companies wishing to use banks for cryptoasset custody might consider limiting their use of bank custodians to stablecoins only. Under the BCBS Crypto Standard, stablecoins that meet certain conditions are considered Group 1B cryptoassets. As such, they are subject to a lower risk-weighting that is generally similar to the backing assets of the qualifying stablecoin.5 Therefore, for the purposes of a bank’s risk-weighted capital ratio it may only be possible for the bank to hold Group 1B stablecoins on its balance sheet.

An example of a company that could consider this strategy could be a wallet provider or payments firm that wishes to use a bank as a backend custodian. The firm could examine whether it would make sense to limit their use of the bank custodian to the custody of Group 1B stablecoins alone. However, as discussed in Appendix 1, this may only be the case for banks that are limited by their risk-based capital ratio. For banks whose regulatory capital lower-bound is effectively set by the leverage ratio, it would still be impractical to recognize even Group 1B stablecoins on their balance sheets. As such, I think this is an edge case and not likely to apply to many firms or banks, if any.

Conclusion: bad policy must change

One thing I think some people gloss over is that public policy ultimately has to make some sense. Bad public policy is not politically sustainable, and people don’t like supporting or advancing public policy that is counterproductive for no reason. That’s why I’m optimistic that there will be some movement on SAB 121’s interaction with bank regulatory capital requirements in the future, either through action by the SEC, bank regulators, or Congress. It is the reality that SAB 121 prevents publicly traded banks from offering cryptoasset custody services that would likely be very safe for crypto users. This is the result of U.S. policy decisions, whether intentional or not. If financial regulators and lawmakers want to see a safer crypto industry then they must find a way to eliminate this impediment to bank cryptoasset custody. When they do, consumers will be better off for it.

These are my independent thoughts and do not necessarily represent the views of my employer. Thank you to Tyler Whirty, Bill Hughes, and other unnamed persons for comments.


Futuristic adventurer standing in the ruins of a bank. secure feeling.
The world of public blockchains can be intimidating; wouldn’t it be great if we reduced risk for consumers?

Endnotes
1 Let me preempt two anticipated criticisms: First, no, it is not ironic that crypto holders would use banks. Again, self-custody is really choice-in-custody. Instead of being required to involve a single financial institution in all of my financial transactions, I can choose who I want to involve, or if I want to involve anyone at all. This is a step improvement over the existing financial system.

Second, while it’s not guaranteed that bank custody of cryptoassets would be safe, it seems reasonably likely given their long history of offering custody services, extensive regulation and supervision, and commercial interests. Banks can subcontract with cryptonative custody providers such as Fireblocks to ensure state-of-the-art custody solutions for their customers when they lack the technical expertise to create a technological solution themself. And, at the end of the day, cryptonatives would still be free to choose cryptonative services, which might be made even better by competition with banks.
2 See, e.g., Congressional Research Service, Agency Use of Guidance Documents (Apr. 19, 2021), https://crsreports.congress.gov/product/pdf/LSB/LSB10591 (discussing mixed case law record regarding right of plaintiffs to seek judicial review of different types of agency action). If a party wanted to challenge SAB 121, they might have to violate the guidance and be sued by the SEC... probably not a desirable escapade. 
3 It wouldn’t surprise me if the complications stemming from SAB 121 were unintended by the SEC. First, Chair Gensler appeared to admit, in response to questioning from U.S. Reps. Barr and Flood, that SEC staff did not consult with the banking regulators prior to publishing the SAB. Second, based on the timing of the joint ABA/BPI/SIFMA letter relative to the quantity of meetings the letter records, it seems like the joint trades were surprised by the guidance and its effect on banking organizations. This also implies bank regulators were not aware because they might have consulted with banks or their trades, or someone would have heard about it beforehand. Finally, when it comes to U.S. governmental bodies, ALWAYS ASSUME THERE IS AS LITTLE COORDINATION AS POSSIBLE. These three things make me think that SAB 121’s effect on banks is the inadvertent result of clumsy policymaking (i.e., policy developed without public comment) and that all governmental parties desire a subtle and convenient resolution.
4 Recording of “The Semiannual Monetary Policy Report to Congress” (Jun. 22, 2022), https://www.banking.senate.gov/hearings/the-semiannual-monetary-policy-report-to-congress at 1:43:00.
5 BCBS Crypto Standard at SCO 60.26 - SCO 60.51.

Appendix 1: Explanation of relevant bank capital requirements

There are two general requirements that are the primary determinants of a bank’s absolute level of regulatory capital. The first requirement considers a bank’s capital relative to its “risk-weighted” assets, the intuition being that if a set of assets is very risky, banks should reserve relatively more capital to offset the increased risk of loss. A bank must keep its ratio of regulatory capital relative to its risk-weighted assets above a certain level.

The following formula expresses a bank’s capital ratio:

Therefore, a bank’s absolute level of regulatory capital, for the purpose of its risk-based regulatory capital requirement, is primarily a product of its capital ratio requirement and its risk-weighted assets:

Additionally, banks are subject to leverage-based capital requirements. These capital requirements treat all assets equally, regardless of their perceived riskiness, such that as a bank’s total assets increase, so too does the amount of capital it is required to have to meet its leverage ratio requirement. Leverage-based capital requirements work in conjunction with risk-based capital requirements to ensure that different balance sheet compositions are adequately covered by the regulations.

Naturally, both requirements use a bank’s balance sheet as their starting point. This is where SAB 121 comes in: when publicly reporting banks record cryptoassets safeguarded for customers on their balance sheets for accounting purposes, they must also reserve capital against those assets to fulfill their regulatory capital obligations.

When it comes to the risk-based capital ratio, cryptoassets are treated as very high-risk. The Basel Committee on Banking Supervision (BCBS), the standard-setting body for cross-border, coordinated prudential bank regulation, recently finalized its standard for the prudential treatment of cryptoasset exposures. For Group 2b cryptoassets like bitcoin, ether, and the like, banks are instructed to assign a 1250% risk-weight to their cryptoasset exposures. This is a very, very conservative risk-weight. For reference, U.S. government debt has a risk-weight of 0%, Greek debt has a risk-weight of 100%, and Salvadoran debt has a risk-weight of 150%. The 1250% weight was chosen because it is the risk-weight necessary to ensure banks reserve at least an equivalent amount of capital against the value of the cryptoassets a bank holds on its balance sheet.1 Essentially, banks are instructed to assume that the cryptoassets will lose all of their value and hold capital to absorb that anticipated loss.

For leverage-based capital requirements, all assets are treated equally, but that simply means that adding any assets to a bank’s balance sheet may require the bank to raise additional regulatory capital. BONY safeguards almost $50T in client assets yet has just $430b in on-balance sheet assets. If assets held in custody were required to be recognized on BONY’s balance sheet, it would be prohibitively expensive for the bank to maintain sufficient capital against its clients’ assets.

1 Basel Committee, Consultative Document, Prudential treatment of cryptoasset exposures (Sep. 2021), https://www.bis.org/bcbs/publ/d519.pdf at 14, n. 19. The minimum total capital requirement for all banks is 8%.At an 8% capital ratio, $12.50 of risk-weighted assets requires $1 in regulatory capital (1/12.5 = 0.08). In practice, most banks hold capital in excess of the 8% minimum capital ratio, either because of supplementary capital requirements or by choice. Bank of New York Mellon, for example, is required to maintain a Common Equity Tier 1 (CET1) capital ratio of 8.5% and regularly maintains a CET1 capital ratio of >11%, which allows it to avoid any restrictions on capital distributions.

3 responses

  1. Alexandra Barrage Avatar
    Alexandra Barrage

    Good insights. There is another lens to this discussion, which involves the recent reg capital proposal. Even if SAB 121 was rescinded, a number of fee-based businesses (wealth management, custody) would be hit pretty hard on the op risk aspect of the proposal (currently under comment through end of November). Not simple; lots of moving parts.

    1. Zach Wong Avatar
      Zach Wong

      Thank you! That’s a great point. I didn’t read much more than an overview of the proposal, but I know that generally the regulators want to increase bank capital and of course op risk is an easy way to do that.

      In the near term for the crypto industry specifically, I think we should push for crypto custody to be treated at parity with traditional asset custody – especially if the discrepancy is due to an *SEC* policy. But great point that a ton of other things weigh on the situation.

  2. […] Zach Wong, A comprehensive explanation of SAB 121 and how it prevents safe crypto custody […]